
Authentication vulnerability testing in Testing Fundamentals - Build an Automation Script

Test login form for authentication vulnerabilities
Preconditions (2)
Step 1: Open the login page URL in a browser
Step 2: Enter a valid username in the username field
Step 3: Enter an incorrect password in the password field
Step 4: Click the login button
Step 5: Verify that the login fails with an error message
Step 6: Enter a valid username in the username field
Step 7: Leave the password field empty
Step 8: Click the login button
Step 9: Verify that the login fails with an error message
Step 10: Enter a valid username in the username field
Step 11: Enter a SQL injection string "' OR '1'='1" in the password field
Step 12: Click the login button
Step 13: Verify that the login fails and no unauthorized access is granted
Step 14: Enter a valid username in the username field
Step 15: Enter a very long string (e.g., 1000 characters) in the password field
Step 16: Click the login button
Step 17: Verify that the login fails gracefully without crashing the application
✅ Expected Result: The login form should reject invalid credentials, empty passwords, SQL injection attempts, and overly long inputs without granting access or crashing.
Automation Requirements - Selenium with Python
Assertions Needed:
Verify error message is displayed on invalid login
Verify no access is granted on SQL injection input
Verify application does not crash on long input
Best Practices:
Use explicit waits to wait for elements
Use meaningful locators (id or name attributes)
Use assertions to check error messages and page state
Keep test steps clear and modular
Automated Solution
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import unittest

class TestAuthenticationVulnerabilities(unittest.TestCase):
    def setUp(self):
        # A fresh browser and a fresh login page for every test keeps the cases isolated
        self.driver = webdriver.Chrome()
        self.driver.get('https://example.com/login')
        # Explicit wait (up to 10 s) used instead of hardcoded sleeps
        self.wait = WebDriverWait(self.driver, 10)

    def tearDown(self):
        self.driver.quit()

    def login(self, username, password):
        # Wait until the form is present; id locators are stable across layout changes
        username_field = self.wait.until(EC.presence_of_element_located((By.ID, 'username')))
        password_field = self.driver.find_element(By.ID, 'password')
        login_button = self.driver.find_element(By.ID, 'loginBtn')

        # Clear before typing so leftover text never pollutes the submitted value
        username_field.clear()
        username_field.send_keys(username)
        password_field.clear()
        password_field.send_keys(password)
        login_button.click()

    def test_invalid_password(self):
        self.login('validUser', 'wrongPass')
        error = self.wait.until(EC.visibility_of_element_located((By.ID, 'errorMsg')))
        self.assertIn('Invalid credentials', error.text)

    def test_empty_password(self):
        self.login('validUser', '')
        error = self.wait.until(EC.visibility_of_element_located((By.ID, 'errorMsg')))
        self.assertIn('Password cannot be empty', error.text)

    def test_sql_injection(self):
        self.login('validUser', "' OR '1'='1")
        error = self.wait.until(EC.visibility_of_element_located((By.ID, 'errorMsg')))
        self.assertIn('Invalid credentials', error.text)
        # The error message alone is not enough: also verify no redirect to the dashboard
        self.assertNotIn('/dashboard', self.driver.current_url)

    def test_long_password(self):
        long_password = 'a' * 1000
        self.login('validUser', long_password)
        error = self.wait.until(EC.visibility_of_element_located((By.ID, 'errorMsg')))
        self.assertTrue(error.is_displayed())
        # Verify the application is still serving the login page (no crash or error page)
        self.assertIn('/login', self.driver.current_url)

if __name__ == '__main__':
    unittest.main()

The setUp method opens the browser and navigates to the login page before each test.

The login helper method fills the username and password fields and clicks the login button, making tests cleaner.

Each test method covers one vulnerability scenario: invalid password, empty password, SQL injection, and long input.

Explicit waits ensure elements are ready before interacting or asserting.

Assertions check that error messages appear and no unauthorized access occurs.

The tearDown method closes the browser after each test to keep tests isolated.

Common Mistakes - 4 Pitfalls
Using hardcoded sleeps instead of explicit waits
Using brittle XPath locators that break easily
Not clearing input fields before sending keys
Not verifying that unauthorized access is prevented
Bonus Challenge

Now add data-driven testing with 3 different invalid username and password combinations
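One way to make the script data-driven with unittest's subTest, as an added example rather than the course's own solution: the browser interaction is abstracted behind an attempt_login callable (the page's login helper would back it in a real run), so the case table and the rejection checks can run here against a constructed stand-in. LOGIN_URL, the error texts and the three combinations are assumptions.

```python
import unittest
from dataclasses import dataclass

LOGIN_URL = "https://example.com/login"  # same placeholder URL as the script above


@dataclass(frozen=True)
class LoginCase:
    name: str
    username: str
    password: str
    expected_error: str


@dataclass(frozen=True)
class LoginOutcome:
    error_text: str   # text of the #errorMsg element ("" if it never appeared)
    current_url: str  # driver.current_url after clicking login


# Constructed data table: three invalid username/password combinations.
INVALID_CASES = (
    LoginCase("unknown_user", "noSuchUser", "wrongPass", "Invalid credentials"),
    LoginCase("empty_username", "", "somePass", "Username cannot be empty"),
    LoginCase("injection_in_password", "validUser", "' OR '1'='1", "Invalid credentials"),
)


def rejection_failures(outcome, case):
    """Return the reasons an attempt was NOT safely rejected (empty list = pass)."""
    failures = []
    if case.expected_error not in outcome.error_text:
        failures.append(f"expected error {case.expected_error!r}, got {outcome.error_text!r}")
    # An error banner is not enough: the browser must still be on the login page
    if "/dashboard" in outcome.current_url or not outcome.current_url.startswith(LOGIN_URL):
        failures.append(f"left the login page: {outcome.current_url}")
    return failures


def run_cases(attempt_login, cases=INVALID_CASES):
    """Drive every case through attempt_login; map case name -> failure list."""
    return {c.name: rejection_failures(attempt_login(c.username, c.password), c) for c in cases}


def simulated_login(username, password):
    """Constructed stand-in for the browser: behaves like a correctly hardened login page."""
    if not username:
        return LoginOutcome("Username cannot be empty", LOGIN_URL)
    return LoginOutcome("Invalid credentials", LOGIN_URL)


class TestDataDrivenLogin(unittest.TestCase):
    attempt_login = staticmethod(simulated_login)  # swap in a Selenium-backed callable

    def test_invalid_combinations_are_rejected(self):
        for case in INVALID_CASES:
            with self.subTest(case=case.name):  # one reported result per combination
                outcome = self.attempt_login(case.username, case.password)
                self.assertEqual(rejection_failures(outcome, case), [])
```

With subTest, a failing combination is reported by name while the remaining combinations still run.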
