Check if an e-mail is in a breach through Have I Been Pwned (Selenium/Python)


-2

Good afternoon! I’m using Selenium for automated testing. The goal is to verify, through a list of institutional emails, if the email is in some loophole and to send a standard email requesting a password update.

The problem arose when I searched for an e-mail with a gap and the body of the site is exactly the same as for an email that is not in any breach.

I tried class name, id, page source and nothing seems to work in this case.

As you can see in the section below, the first email is on a leaked website and the second email did not fall into any data leak, but both fall into the first condition.


Any suggestions?

  • Wouldn’t it be better to use the API that they provide?

1 answer

1


You are checking whether the content "Oh no - pwned" is in the page source code, not on the screen.

If you look at the source code of the page (as it is always good to do if you are developing with Selenium), you will see that this string is always there - it is there as well as the counterpart "Good news — no pwnage found!".

In other words: the text for the two answers - whether the email was leaked or not - is present on the page; it is the JavaScript of the page that makes one or the other visible.

What’s more, the page has an API, and an API is usually something more conducive to use than a query by Selenium - for several reasons, but the main thing about it is that an API will always be well documented and will bring you answers by moving far less data and using fewer server-side resources - and on the client side, you have the guarantee that the answer will not change because of an aesthetic redesign of the page.

The only cases where you would prefer to use Selenium to make a query, even if there is an API, are: (1) the app already does several other things with Selenium, and this query would be just one more simple thing to do, without having to multiply the application’s logic to include the API query, in addition to Selenium already used for other pages; (2) API access is restricted by login and/or paid account, and you want to use Selenium to try a free query.

Well - in the case of this question, it seems that you fall exactly into the two cases above - you both have part of the app already using Selenium, and use of the API requires a subscription.

The problem is that, if the API requires a subscription, it means that for various reasons the authors of the site do not want or cannot provide the information to an automated application free of charge - so insisting on using Selenium to query around the API is to misappropriate the portal's service.

Here is the haveibeenpwned page explaining why he had to close the service and go on to charge for using the API (it’s cheap, maybe you can buy an API key for your project): https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/

If you want to insist on trying to use the service without having an API token, and with Selenium, of course no one will break because of it, and a lot of the things we do on a day-to-day basis, even in corporate work, sometimes have some outlines of this - but technically it will be challenging: you will have to use something that identifies which of the two messages is visible on the page, not only present in the source code of the page in this case.

I see three ways to do this, and as a matter of time and resources I have no way to give you an entire answer: check in the active page CSS (with developer tools) which properties are active/inactive to pop one or another answer on the screen, and check those properties with Selenium - maybe it is the visibility of the div <div id="pwnedWebsitesContainer"> and the div with id noPwnage - but you’ll have to check it yourself.

If by checking the CSS properties for the visible elements you cannot locate it, you will have to use some Selenium API to see if an element is visible on the page, and not simply "present" - it looks like the so-called ".isDisplayed" from Selenium, on the above elements, may be enough - either way, you’ll have to look at the documentation - https://developers.perfectomobile.com/display/T/isDisplayed%28%29+and+Nosuchelementerror+Exception


Last but not least: welcome to Stack Overflow in Portuguese. Please, when asking questions, do not use images to paste your code, error messages or data representations. Always paste your code, printed error messages, and your data as text (format the code using the interface buttons or markdown) - images do not allow a search, do not allow indexing of snippets of your code by the Stack Overflow banks, do not allow people answering your question to copy and paste snippets of your code to give examples - in this case even, I had to go back and forth to type the message you expect on the screen, "You’ve been pwned", when it would have been so much more comfortable for me to copy and paste this little
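Added example, not part of the original answer or of the site's own code: a sketch of the API route the comment and the answer recommend, for a list of institutional addresses. It assumes the Have I Been Pwned v3 `breachedaccount` endpoint with an `hibp-api-key` header, where 200 means breached, 404 means not found and 429 means rate limited; the function names and the user-agent string are hypothetical.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://haveibeenpwned.com/api/v3/breachedaccount/"

def http_get(url, headers):
    """Real transport: returns (status, lower-cased headers, body bytes)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:  # 404 and 429 arrive as exceptions
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()

def breaches_for(email, api_key, get=http_get, sleep=time.sleep, retries=3):
    """Return the breach names for one address; an empty list means none found."""
    url = API + urllib.parse.quote(email.strip(), safe="")
    headers = {"hibp-api-key": api_key, "user-agent": "institutional-breach-check-example"}
    for _ in range(retries):
        status, resp_headers, body = get(url, headers)
        if status == 200:   # address appears in at least one breach
            return [b["Name"] for b in json.loads(body)]
        if status == 404:   # address not found in any breach
            return []
        if status == 429:   # rate limited: wait as long as the server asks
            sleep(int(resp_headers.get("retry-after", "2")) + 1)
            continue
        raise RuntimeError(f"unexpected HTTP {status} from the API")
    raise RuntimeError("still rate limited after retries")

def breached_accounts(emails, api_key, **kw):
    """Map each breached address in the list to its breach names."""
    results = {e: breaches_for(e, api_key, **kw) for e in emails}
    return {e: names for e, names in results.items() if names}

if __name__ == "__main__":
    # Constructed transport so the demo runs offline; drop `get=` for real use.
    def fake_get(url, headers):
        if "leaked%40" in url:
            return 200, {}, b'[{"Name": "ExampleBreach"}]'
        return 404, {}, b""
    print(breached_accounts(["leaked@example.org", "clean@example.org"],
                            "PLACEHOLDER", get=fake_get))
```

Unlike a string search over the page source, the status code here distinguishes the two outcomes unambiguously, and a page redesign does not change it.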
