Page tree
Skip to end of metadata
Go to start of metadata

Last updated: May 18, 2021 11:23

Perfecto provides user credentials/password hashing functionality to allow users of banking/financial services to use production data during their testing with Perfecto. The following options are available:

  • Add string encryption/decryption to your Selenium-based mobile testing framework using the existing StringEncrypt() class 
  • Hash strings in Perfecto reports using a Smart Reporting SDK addition

This article walks you through both options.

StringEncrypt() class

Out of the box, there is no inherent ability to mask passwords within the base Selenium framework, or even within the Eclipse IDE. To help control the visibility of sensitive data within the testing framework, it might be of interest to create a utility class that can encrypt or decrypt a string value during the execution of a test class. The StringEncrypt() class utilizes Base64 encoding together with a simple XOR cipher to encrypt a string using another supplied string as a key. The decryption of the encrypted string will require the same key used to encrypt it... so don't lose it!

As stated, the StringEncrypt() class is dependent on BASE64 encoding and as such needs to have the sun.misc.BASE64Encoder and sun.misc.BASE64Decoder classes available. This class provides access to both the encryption and decryption methods from within the eclipse project in which is included. As a convenience, the EncryptString.jar executable is offered as a standalone string encryption tool that uses the same methodology. A string encrypted with the standalone tool can be decrypted by the included class.

On this page:

Add the StringEncrypt() class

Follow these steps to add this class to your Selenium project within an Eclipse IDE.

  1. Download the StringEncrypt() class from the Github link here: https://github.com/brianhclark/StringEncrypt/raw/master/StringEncrypt.java
  2. Add it as-is as a new class within your Eclipse project. Alternatively, the required methods could be extracted and added to a Utility class if one exists. These are static methods so they don’t require a class instance to be referenced.
  3. Make sure to reference the correct package once added.

Use the StringEncrypt() class methods

There are two methods included in the StringEncrypt() class:

  1. encryptXOR (String message, String key): This method takes the message to be encrypted and the encryption key as arguments and returns the encrypted string.

    public static String encryptXOR(String message, String key){        
    try {
            if (message==null || key==null ) return null;        
            char[] keys=key.toCharArray();
            char[] mesg=message.toCharArray();            
            int ml=mesg.length;
            int kl=keys.length;
            char[] newmsg=new char[ml];            
            for (int i=0; i<ml; i++){
           newmsg[i]=(char)(mesg[i]^keys[i%kl]);
            }
            mesg=null; 
            keys=null;
            return new String(new BASE64Encoder().encodeBuffer(new String(newmsg).getBytes()));
    } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
  2. decryptXOR(String message, String key): This method takes the encrypted message and the encryption key as arguments and returns the decrypted string.

    public static String decryptXOR(String message, String key){
        try {
          if (message==null || key==null ) return null;          
          BASE64Decoder decoder = new BASE64Decoder();
          char[] keys=key.toCharArray();
          char[] mesg=new String(decoder.decodeBuffer(message)).toCharArray();
          int ml=mesg.length;
          int kl=keys.length;
          char[] newmsg=new char[ml];
          for (int i=0; i<ml; i++){
            newmsg[i]=(char)(mesg[i]^keys[i%kl]);
          }
          mesg=null; keys=null;
          return new String(newmsg);
        }
        catch ( Exception e ) {
          return null;
            }  
          }

Expected use

The anticipated use for this class is to use the encryptXOR method to encrypt sensitive values, either within the code or stored as parameters to be read at runtime. The decryptXOR method would then be leveraged during execution to decrypt any encrypted data at runtime, thereby essentially hiding from visibility any stored sensitive data.

***The encryption key must be saved as there is no mechanism to retrieve or reset a key value if it is lost. ***

Example test case

The following is a simple example highlighting the use of this class within a test case.

public class PasswordDecoderTest {
    public static void main(String[] args) {
        String strToEncode = "excellentPassword";
        String key = "lockUnlock";
        String strEncryptedString = StringEncrypt.encryptXOR(strToEncode, key);
        System.out.println("Encrypted string: " + strEncryptedString);
        String decodedPwd = StringEncrypt.decryptXOR(strEncryptedString, key);
        System.out.println("Decrypted string: " + decodedPwd);
    }    
}

Running this test class produces the following output:

 

stringEncryptTool.jar

As mentioned previously, a utility was created to work as a standalone tool to more easily facilitate the encryption of strings that does not require the creation and execution of an executable java class to generate the encrypted string. This tool can be launched and run independent of eclipse, and only requires a standard JRE installation on Windows machines.

The stringEncryptTool.jar can be downloaded from Github here: https://github.com/brianhclark/StringEncrypt/blob/master/stringEncryptTool.jar?raw=true

Running the jar file will present the user with a small form on which to enter the string to encrypt and the key.

Clicking the button reveals the encrypted string. Click Run Again to encrypt another string, or Copy to Clipboard to load the encrypted string onto the clipboard.

Note: These tools are not intended as impenetrable security, but as a means to help hide passwords and other such data from unnecessarily being exposed in plain sight to test personnel or others who may have access to stored data.

Smart Reporting SDK

The following example code shows how you can hash strings in a Perfecto report using the Smart Reporting SDK:


// encoded string:

private static final String SECURED_STRING ="secured.3P2+pRD6nCxirDRYTBX2m5wAg3c8Vb/N7WT1AV2H2C4=";

...

reportiumClient.stepStart("Set secured string in google search");

driver.get("http://google.com");

driver.findElementByName("q").sendKeys(SECURED_STRING);

String text = driver.findElementByName("q").getAttribute("text");

assert(text == "Secured string sample");

reportiumClient.stepEnd();

The following images show the before and after view in the Singe Test Report view:

Non-Secure string:                                            

Secure string: