How safe is it to use Selenium to auto-fill forms with sensitive information


Question


Selenium is usually used for testing. But what if someone decided to use it to autofill forms on websites with personal data (username, password, credit card number)? How safe would that be?

I mean the actual part where you call the driver object and pass it all this secure information. Let's assume the information is securely stored until the moment you pass it to the driver.

I wonder if that's what websites that aggregate your credit card and bank accounts use instead of API calls (running a headless browser in the backend to log in to personal profiles).

Answer

While using Selenium, as mentioned in the Security section of the WebDriver - W3C Recommendation, the only security concern is that:

A user agent that relies on a command-line flag or a configuration option to test whether to enable WebDriver, or alternatively makes the user agent initiate or confirm the connection through a privileged content document or control widget, in case the user agent does not directly implement the HTTP endpoints.

It is strongly suggested that user agents require users to take explicit action to enable WebDriver, and that WebDriver remains disabled in publicly consumed versions of the user agent.

To prevent arbitrary machines on the network from connecting and creating sessions, it is suggested that only connections from loopback devices are allowed by default.

The remote end can include a configuration option to limit the accepted IP range allowed to connect and make requests. The default setting for this might be to limit connections to the IPv4 localhost CIDR range 127.0.0.0/8 and the IPv6 localhost address ::1.

The generic solution was to distinguish the user agent session that is under control of WebDriver from those used for normal browsing sessions. Snapshot of a visually distinguishable WebDriver-driven user agent:
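The spec text quoted in the answer puts the loopback-only default on the remote end (the driver binary). The client that is about to type credentials into the page can enforce the same rule before it opens a session, so a misconfigured `command_executor` URL never ships a password or card number across the network. The following is an added example, not code from the question, the answer or Selenium itself; the function names are this example's own, and `make_driver` stands in for whatever constructs the session (for Selenium that would be `webdriver.Remote(command_executor=url, options=...)`, which is deliberately not imported here so the guard runs stand-alone).

```python
"""Client-side guard for the WebDriver spec's loopback-only default.

Added example; not part of the original question, the answer, or Selenium.
Accepts only the ranges the spec names as the suggested default accept list:
IPv4 127.0.0.0/8 and IPv6 ::1.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_network("::1/128")


def _is_loopback_ip(addr: str) -> bool:
    """True for a loopback IP literal (IPv4-mapped IPv6 is unwrapped first)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not an IP literal at all (a hostname)
        return False
    if ip.version == 4:
        return ip in LOOPBACK_V4
    mapped = ip.ipv4_mapped     # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        return mapped in LOOPBACK_V4
    return ip in LOOPBACK_V6


def remote_end_host(command_executor: str) -> str:
    """Return the host part of a WebDriver command-executor URL."""
    parts = urlsplit(command_executor)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a WebDriver URL: {command_executor!r}")
    return parts.hostname


def is_loopback_remote_end(command_executor: str, resolve: bool = True) -> bool:
    """True only if the remote end is reachable solely over loopback.

    IP literals are checked directly. A hostname such as ``localhost`` is
    accepted only when ``resolve`` is set and every address it resolves to is
    loopback; one non-loopback A/AAAA record is enough to fail, so a hosts-file
    or DNS change cannot silently widen where the credentials are sent.
    """
    host = remote_end_host(command_executor)
    if _is_loopback_ip(host):
        return True
    if not resolve:
        return False
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False
    addrs = {info[4][0] for info in infos}
    return bool(addrs) and all(_is_loopback_ip(a) for a in addrs)


def connect_if_loopback(command_executor: str, make_driver):
    """Create a session only when the remote end is loopback-only.

    ``make_driver(url)`` is the caller's session factory, e.g.
    ``lambda url: webdriver.Remote(command_executor=url, options=opts)``.
    """
    if not is_loopback_remote_end(command_executor):
        raise PermissionError(
            f"refusing to drive a non-loopback remote end: {command_executor!r}")
    return make_driver(command_executor)


if __name__ == "__main__":
    # Constructed sample URLs: a local chromedriver and a remote grid.
    for url in ("http://127.0.0.1:9515", "http://[::1]:4444/wd/hub",
                "http://10.0.0.5:4444/wd/hub"):
        print(url, "->", is_loopback_remote_end(url))
```

The guard only covers the transport hop between the Selenium client and the driver process; it says nothing about where the browser then sends the form, which is governed by the target site's TLS and the browser's own policy.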
