Testing Fundamentals (~15 mins)

Security testing basics in Testing Fundamentals - Build an Automation Script

Verify login form resists SQL Injection attack
Preconditions (1)
Step 1: Enter 'admin' in the username field
Step 2: Enter "' OR '1'='1" in the password field
Step 3: Click the Login button
✅ Expected Result: Login should fail and an error message 'Invalid username or password' should be displayed
Automation Requirements - Selenium with Python
Assertions Needed:
Verify the error message 'Invalid username or password' is displayed
Verify the URL remains on the login page after the attempt
Best Practices:
Use explicit waits to wait for elements to be visible
Use descriptive locators like By.ID or By.NAME
Avoid hardcoded sleeps
Use Page Object Model to separate page structure from test logic
Automated Solution
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC

# The URL and element IDs are placeholders for the application under test.
LOGIN_URL = 'https://example.com/login'
EXPECTED_ERROR = 'Invalid username or password'


class LoginPage:
    """Page Object: holds the login page's locators and the actions a test performs on it."""

    def __init__(self, driver, timeout=10):
        self.driver = driver
        self.wait = WebDriverWait(driver, timeout)
        self.username_input = (By.ID, 'username')
        self.password_input = (By.ID, 'password')
        self.login_button = (By.ID, 'loginBtn')
        self.error_message = (By.ID, 'errorMsg')

    def enter_username(self, username):
        # Explicit wait: interact only once the field is visible, then reuse the located element
        field = self.wait.until(EC.visibility_of_element_located(self.username_input))
        field.clear()
        field.send_keys(username)

    def enter_password(self, password):
        field = self.wait.until(EC.visibility_of_element_located(self.password_input))
        field.clear()
        field.send_keys(password)

    def click_login(self):
        self.wait.until(EC.element_to_be_clickable(self.login_button)).click()

    def get_error_message(self):
        return self.wait.until(EC.visibility_of_element_located(self.error_message)).text


def test_sql_injection_login():
    driver = webdriver.Chrome()
    try:
        driver.get(LOGIN_URL)

        login_page = LoginPage(driver)
        login_page.enter_username('admin')
        login_page.enter_password("' OR '1'='1")
        login_page.click_login()

        # Assertion 1: the application rejected the attempt with the expected message
        error_text = login_page.get_error_message()
        assert error_text == EXPECTED_ERROR, f"Expected error message not found, got: {error_text}"

        # Assertion 2: still on the login page, i.e. no redirect into an authenticated area
        assert driver.current_url == LOGIN_URL, "URL changed after failed login attempt"
    finally:
        # Always close the browser, even when an assertion fails
        driver.quit()


if __name__ == '__main__':
    test_sql_injection_login()

This test script uses Selenium with Python to automate the manual test case.

We define a LoginPage class to hold locators and actions, following the Page Object Model. This keeps the test clean and easy to maintain.

Explicit waits ensure the script waits for elements to be ready before interacting, avoiding flaky tests.

The test function test_sql_injection_login opens the login page, enters the username 'admin' and the SQL injection string in the password field, then clicks login.

It asserts that the error message is exactly 'Invalid username or password' and that the URL remains on the login page, confirming that the injection string was rejected like any other wrong password rather than bypassing authentication.

Finally, the browser closes cleanly.

Common Mistakes - 4 Pitfalls
Using time.sleep() instead of explicit waits
Using brittle XPath locators that rely on full paths
Not verifying the error message text
Hardcoding URLs without verifying current URL after action
Bonus Challenge

Now add data-driven testing with 3 different SQL injection payloads in the password field
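As an added example (not part of this lesson's own solution), the following self-contained Python shows what the Selenium test above is really checking on the server side, and lays the inputs out as a case table in the data-driven style the bonus challenge asks for. It uses an in-memory SQLite table with constructed sample credentials; the login_vulnerable and login_parameterized functions, the CASES table and the sample row are assumptions for illustration. The table contains only the payload from the test case above plus two ordinary logins; the additional rows the challenge asks for are left for you to add.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; the credentials are sample data, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret-sample')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The defect: user input is concatenated into the SQL text, so quote characters
    in the password become part of the WHERE clause instead of part of the value."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Data-driven case table: (username, password, should_login_succeed).
# Only the lesson's own test input is used as a payload row.
CASES = [
    ("admin", "s3cret-sample", True),   # correct credentials
    ("admin", "wrong", False),          # ordinary wrong password
    ("admin", "' OR '1'='1", False),    # the input from the test case above
]


def run_cases(login_fn):
    """Run every row through login_fn; map (username, password) -> whether the outcome matched."""
    conn = make_db()
    results = {}
    for username, password, expected in CASES:
        results[(username, password)] = login_fn(conn, username, password) == expected
    conn.close()
    return results


def all_cases_pass(login_fn):
    """True only if every row behaved as the table expects."""
    return all(run_cases(login_fn).values())


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        print(name, run_cases(fn))
```

all_cases_pass(login_vulnerable) returns False because the concatenated query lets the quoted input change the WHERE clause and the payload row logs in; that is exactly the outcome the UI-level assertions on the error message and URL are designed to catch. all_cases_pass(login_parameterized) returns True for every row, including the payload, which the database compares as a literal password string.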
