How safe is it to use Selenium to auto-fill forms with sensitive information

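Problem description

Selenium is usually used for testing. But what if someone decides to use it to auto-fill personal data (username, password, credit card number) into forms on websites? How safe is that?

I mean the actual part of calling the driver object and passing it all the secure information. Assume the information is stored securely until the moment you pass it to the driver.

I wonder if that is what's used by websites that aggregate your credit cards and bank accounts, instead of using API calls (running a headless browser on the backend to log in to your profiles).

Solution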

While using Selenium, as mentioned in the Security section of the WebDriver - W3C Recommendation (https://w3c.github.io/webdriver/), the only security concern is that:

A user agent can rely on a command-line flag or a configuration option to test whether to enable WebDriver, or alternatively make the user agent initiate or confirm the connection through a privileged content document or control widget, in case the user agent does not directly implement the HTTP endpoints.

It is strongly suggested that user agents require users to take explicit action to enable WebDriver, and that WebDriver remains disabled in publicly consumed versions of the user agent.

To prevent arbitrary machines on the network from connecting and creating sessions, it is suggested that only connections from loopback devices are allowed by default.

The remote end can include a configuration option to limit the accepted IP range allowed to connect and make requests. The default setting for this might be to limit connections to the IPv4 localhost CIDR range 127.0.0.0/8 and the IPv6 localhost address ::1.

The generic solution was to distinguish the user agent session that is under control of WebDriver from those used for normal browsing sessions.

[Image: snapshot of a visually distinguishable WebDriver-driven user agent]
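The loopback-only default quoted in the answer can be audited on the host that runs the drivers. The following is an added example, not part of the original answer or of Selenium itself: it parses `ss -ltnp` style output (the sample lines are constructed, and the driver process names are assumptions) and reports WebDriver listeners bound outside 127.0.0.0/8 and ::1.

```python
import ipaddress
import re

# Default allow-list suggested by the WebDriver text quoted in the answer.
LOOPBACK_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128")]
# Assumed process names of common driver binaries.
DRIVER_NAMES = {"chromedriver", "geckodriver", "msedgedriver"}

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 5   127.0.0.1:9515          0.0.0.0:* users:(("chromedriver",pid=4121,fd=7))
LISTEN 0 5   0.0.0.0:4444            0.0.0.0:* users:(("geckodriver",pid=4188,fd=5))
LISTEN 0 5   [::1]:9516              [::]:*    users:(("chromedriver",pid=4200,fd=8))
LISTEN 0 128 0.0.0.0:22              0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 5   [::ffff:127.0.0.1]:9517 *:*       users:(("msedgedriver",pid=4300,fd=6))
LISTEN 0 5   *:9518                  *:*       users:(("chromedriver",pid=4400,fd=6))
"""

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def is_loopback(host: str) -> bool:
    """True only if the bind address is inside the loopback allow-list."""
    host = host.strip("[]").split("%")[0]   # drop brackets and zone id
    if host == "*":                          # wildcard: every interface
        return False
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped              # ::ffff:127.0.0.1 -> 127.0.0.1
    return any(addr in net for net in LOOPBACK_NETS
               if net.version == addr.version)


def exposed_drivers(ss_output: str):
    """Return (process, bind_address, port) for drivers reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) in DRIVER_NAMES and not is_loopback(m.group(1)):
            findings.append((m.group(3), m.group(1), int(m.group(2))))
    return findings


if __name__ == "__main__":
    for name, host, port in exposed_drivers(SAMPLE_SS):
        print(f"{name} listens on {host}:{port} (not loopback-only)")
```

A listener flagged here accepts session requests from other machines on the network, so any form data passed to that driver session is only as protected as the network path to it.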
