Using Burp with Selenium

Selenium is a portable tool for automating browsers in the testing of web applications. You can use Burp Suite to check for vulnerabilities while your Selenium tests run. This article demonstrates how to proxy Selenium test traffic through Burp Suite and how to passively and actively scan that traffic for vulnerabilities.

There are two ways to ensure that traffic from your Selenium tests proxies via Burp Suite.

Firstly, you can configure the Selenium driver to proxy via your instance of Burp Suite.
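
One way to configure the driver, as an added example that is not part of the original article. It uses Selenium's Python bindings with Chrome and assumes Burp's proxy listener is on 127.0.0.1:8080 and a hypothetical application under test at http://localhost:3000/. It goes slightly beyond the text by checking that the listener is up first and by proxying loopback traffic, which Chrome otherwise sends direct.

```python
"""Added example: route a Selenium-driven Chrome through a Burp proxy listener."""
import socket

# Assumption: Burp's proxy listener is on 127.0.0.1:8080; change to match yours.
BURP_HOST = "127.0.0.1"
BURP_PORT = 8080


def burp_chrome_arguments(host=BURP_HOST, port=BURP_PORT, proxy_loopback=True):
    """Return the Chrome command-line switches that send traffic to Burp."""
    args = [f"--proxy-server=http://{host}:{port}"]
    if proxy_loopback:
        # Chrome bypasses the proxy for localhost/127.0.0.1 by default;
        # "<-loopback>" removes that implicit rule so local targets are captured.
        args.append("--proxy-bypass-list=<-loopback>")
    return args


def listener_reachable(host=BURP_HOST, port=BURP_PORT, timeout=2.0):
    """True if something accepts TCP connections on the proxy address."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def make_driver(host=BURP_HOST, port=BURP_PORT):
    """Build a Chrome WebDriver whose traffic passes through Burp."""
    from selenium import webdriver  # imported here so the helpers work without Selenium

    if not listener_reachable(host, port):
        raise RuntimeError(f"No proxy listener on {host}:{port}; start Burp first")
    options = webdriver.ChromeOptions()
    for arg in burp_chrome_arguments(host, port):
        options.add_argument(arg)
    # Burp re-signs HTTPS with its own CA. Either trust that CA in the test
    # browser profile or, in test environments only, accept untrusted certificates.
    options.set_capability("acceptInsecureCerts", True)
    return webdriver.Chrome(options=options)


if __name__ == "__main__":
    driver = make_driver()
    try:
        driver.get("http://localhost:3000/")  # hypothetical application under test
    finally:
        driver.quit()
```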

 

 
Secondly, you can configure your proxy at the OS level.

When you configure the browser associated with the Selenium tests to use Burp, the proxy settings will be respected and traffic from the tests will pass through Burp Suite.

 
Before running your Selenium tests, go to the "Proxy Intercept" tab, and ensure that interception is off (if the button says "Intercept is on", click it to toggle the interception status).

 
With your proxy configuration set, run your Selenium tests in the normal manner.

 
Traffic from the tests will now be captured in Burp Suite.

While the Selenium tests are running, Burp will passively report various issues that it observes.

 
After the Selenium tests have run, you can then carry out active scanning on the captured requests.

For example, you can select everything in the Proxy history and choose "Do an active scan" from the context menu.