
Automating with Python Selenium
Platform
Python
Tags
#Selenium
#Automation
#Saving_Time
#Fun
Year
Autumn 2022
I really enjoyed building the Metrics parser with the Selenium libraries to compensate for the lack of an API. As I read more about it, how it handles iframes and how it can implement logic such as waiting on elements, I felt inspired to leverage it for day-to-day use.

I could picture it: a "ribbon" on the top-right side of the screen, using encrypted data (URLs, usernames, passwords, ...) to open my common tools at the press of a button. And all of this, of course, sound security-wise while still being convenient.

Requirements:
- Easy to use. A single mouse click must open the desired tool.
- It must be safe. The data must be stored encrypted. It may be in memory only while in use and must be cleared right away. I can assume that memory dumps will not take place, so I only need to protect against file copies from the logical filesystem.
- It must be unobtrusive. No unneeded icons, and not taking up any space on the screen.
Prelude
20/10/2022
I had learned a great deal from my previous project, especially on using Selenium dynamically to wait on events, identify tags, classes and IDs more efficiently, and use XPath lookups. My Security Incidents Metrics tool had been well received and adopted, but I still wanted to do one last thing with Selenium: relieve some of my own manual burdens by automating my authentication to some common intranet web applications.

This meant putting some credentials in an encrypted file. While I don't store my passwords in, say, browsers for this purpose, I did consider that in a secure environment that does not browse outside the perimeter, the benefits far outweigh the risks. Later on I will show why I believe this solution, and its design, is secure.

Why did I need this?

Say I get an alert in my SIEM that might justify looking in Microsoft Defender for Identity for additional context. Great idea! Except: to get to MS MDI I need to open an HPA management solution, find a specific functional account, provide a specific justification (no typos allowed, and too complicated to remember) and then do a bunch of clicks.
And there are at least a handful of other tools in similar, yet different, situations.

This would end right here, right now. And my new friend, Mister Selenium here, would help me out.

Tkinter: GUI

I'm still bad at GUIs, but with a minimalistic design I can't go wrong. I wanted a ribbon that is always visible, cannot be resized, has standardized icons and handles the authentication in a single click. It must be simple, something you'd tolerate on the side of your screen. And I came to the GUI you see here.

I'm not claiming any prizes with this, but it is something I can tolerate. It's just 50px wide, and therefore negligible on a modern screen.
I also need to provide a way for people to enter their "secrets" and handle some configuration, such as specifying which functional accounts should be used as values in intermediate web clients (like a password vault).
The screens are nothing to brag about, but they get the job done:
Below: the screen to enter your secrets.
Below that: the screen to specify (non-sensitive) configuration.


Selenium
I really got the hang of Selenium, and while I spent days getting a stable automation script going for the ITSM platform used at my client, I managed to pump out integrations for at least 6 web clients in a day. Granted, none of these proved as complicated as the ITSM platform, but some still introduced nifty challenges, like dealing with iframes.

They varied in complexity. Some were basic authentications to a web client by providing a username and password.
Another category involved pushing some buttons first, then entering configuration data to launch searches, waiting for the output, selecting one of the values, entering some additional text and selecting a few properties before finally hitting a "connect" button.
​
The real prize for me is this part:

This little button has 2 text fields associated with it. When dealing with alerts in a SIEM, you typically have a title (a use case or TTP, for example) and a description (the data of the alert). You copy-paste these into the text fields, press the icon that represents the company ITSM tool and... the tool is opened, a new ticket is created and all the mandatory fields are filled in, including the title and description. All that is left is to review and press submit. How easy is that compared to doing it manually: 2 seconds of work versus 2 minutes, and those 1'58" gains really add up after a while.
​
For discretion, I show here an automation that is not bound to my client. The Pluralsight icon is pressed, and what follows is an automated web authentication.


Is it Secure? - PyCryptoDome
Yes, mostly.

The workstation is secure: First, let's consider the environment this tool runs in: a tightly controlled non-HPA user context in a network segment not directly exposed to the internet, intranet only. Browsing activity, such as the visit to the Pluralsight learning platform, would pass through a reverse proxy, for example.

Memory grabs unlikely: In a non-HPA user context, elevated permissions are required to obtain any values from memory. And because the tool only keeps the secrets in memory at the time of use (and clears them afterwards), there is no point in somehow obtaining a memory dump after the tool has run. Evidently, if HPA is obtained via an exploit, one will not care about this.

Encryption at rest: The most vulnerable aspect is storage. As such, I used PyCryptoDome to encrypt the secrets when stored on disk. Using an AES256 encryption algorithm based on a 16 bytes key, I'm pretty sure my (in this example fake) credentials are sitting safely in the encrypted file.
Any copies from the logical filesystem will therefore yield nothing. Decrypting *this* should be infeasible until the rise of quantum computers and AI overlords.

No storage of the (symmetric) encryption key: It is never stored anywhere. The user needs to remember a 4 to 16 character alphanumeric string that is used to derive a 16 bytes key. The key is constructed in memory when needed (and cleared when it's no longer needed).

No brute force possible: Say the user left his workstation unlocked and an inquisitive wanderer passes by. He won't know the PIN code, but let's assume he thinks a 4-digit PIN is used. So he could start with 0001 and press a button? Next 0002, 0003, etc., until it works, right?

Of course, the tool will know that a provided PIN is wrong, because decrypting the secrets with the derived key will fail. But instead of alerting the user, the tool allows an authentication to take place, only with false credentials, which a monitoring tool would pick up.

Of course, one is never 100% at ease. Vulnerabilities in Python or the web applications themselves might cause problems. But to be honest, one already needs to be on the inside to exploit it. And once already in, my little automation tool won't be of great interest.

But myself? I just love this little thing!
