Security Testing + Test Automation using Selenium and ZAP

Problem: How do you reuse your functional test automation scripts to do vulnerability assessment / security testing of your web applications?

A good friend of mine who is a security tester introduced me to this concept and to a tool called ZAP from OWASP (the Open Web Application Security Project).

The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

If you are an automation engineer, it's as easy as the steps this diagram illustrates:
  1. Download ZAP and install it.
  2. ZAP's proxy listens on port 8080 by default. Change your browser's proxy settings to localhost, port 8080.
  3. You can also use a browser extension like FoxyProxy to switch the proxy on and off.
  4. Browse a web app and check that ZAP is recording your navigation on the History tab. (For HTTPS sites the browser also has to trust ZAP's root CA certificate, otherwise it will refuse the intercepted connections.)
  5. Create a new Firefox profile and make sure the proxy settings work in that profile (open a site and confirm it shows up in ZAP's History tab).
  6. Launch the browser with that profile from your Selenium code (Selenium 2.x Java API; in Selenium 3 ProfilesIni moved to org.openqa.selenium.firefox):

import java.util.concurrent.TimeUnit;
import org.openqa.selenium.*;
import org.openqa.selenium.firefox.*;
import org.openqa.selenium.firefox.internal.ProfilesIni;
// Load the profile created in step 5 (replace "default" with its name) so the browser Selenium starts already proxies through ZAP.
ProfilesIni pf = new ProfilesIni();
FirefoxProfile profile = pf.getProfile("default");
WebDriver driver = new FirefoxDriver(profile);
driver.manage().timeouts().implicitlyWait(60, TimeUnit.SECONDS);
((JavascriptExecutor) driver).executeScript("window.focus()");

  7. Run your tests with ZAP working in the background. Every request your tests make now passes through ZAP, which records it and passively scans it.
  8. Finally, here is your security report in JSON format: you can access all of the alerts via the ZAP API in JSON and XML format. If you enable the API (via the options), you can then access a URL like
     http://zap/JSON/core/view/alerts/?
     to get all of the alerts reported on. (Recent ZAP releases also require the API key shown on that options page, passed as the apikey parameter.)
  9. Use a JSON viewer to browse the alerts you need.
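The whole flow in one script, as an added example that is not the original post's code: it replaces the hand-edited profile of steps 5 and 6 with proxy settings applied in code, builds the alerts URL of step 8 with the API key newer ZAP versions require, and triages the alerts by risk so a CI job can fail on them. It is written in Python (Selenium's Python bindings plus the standard library) rather than the post's Java. The host/port, the API key, the site URL and the sample alert list are assumed or constructed; only the browser launch and the live API call need a running ZAP, so the rest runs offline.

```python
"""Run Selenium through OWASP ZAP and triage the alerts ZAP raised.

Added example, not the original post's code. Assumes ZAP listens on
localhost:8080 with its API enabled; ZAP_API_KEY, the site URL and the
SAMPLE_ALERTS list below are made up for illustration.
"""
import json
import urllib.parse
import urllib.request

ZAP_HOST = "localhost"
ZAP_PORT = 8080
ZAP_API_KEY = "changeme"   # assumed value; read it from Options > API in ZAP
RISK_ORDER = ["Informational", "Low", "Medium", "High"]   # ZAP's risk strings


def firefox_options_via_zap(host=ZAP_HOST, port=ZAP_PORT):
    """Firefox options that route HTTP and HTTPS through ZAP.

    Setting the proxy in code instead of a hand-edited profile means every
    test run goes through ZAP. selenium is imported lazily so the URL and
    triage helpers below work without it installed.
    """
    from selenium import webdriver
    opts = webdriver.FirefoxOptions()
    opts.set_preference("network.proxy.type", 1)             # manual proxy
    opts.set_preference("network.proxy.http", host)
    opts.set_preference("network.proxy.http_port", port)
    opts.set_preference("network.proxy.ssl", host)
    opts.set_preference("network.proxy.ssl_port", port)
    opts.set_preference("network.proxy.no_proxies_on", "")   # proxy localhost too
    # ZAP re-signs TLS with its own root CA. Import that CA into the profile
    # for real runs; accepting insecure certs is a shortcut for a test rig only.
    opts.accept_insecure_certs = True
    return opts


def launch_firefox_via_zap():
    """Start Firefox with the proxy options above (needs a running ZAP)."""
    from selenium import webdriver
    return webdriver.Firefox(options=firefox_options_via_zap())


def alerts_url(baseurl, host=ZAP_HOST, port=ZAP_PORT, api_key=ZAP_API_KEY):
    """URL for ZAP's core/view/alerts endpoint, filtered to one site."""
    query = urllib.parse.urlencode({"baseurl": baseurl, "apikey": api_key})
    return f"http://{host}:{port}/JSON/core/view/alerts/?{query}"


def fetch_alerts(baseurl):
    """Call the live ZAP API and return its alert list (network; not run offline)."""
    with urllib.request.urlopen(alerts_url(baseurl), timeout=30) as resp:
        return json.load(resp)["alerts"]


def summarize_alerts(alerts):
    """Count alerts per risk level, collapsing duplicates on (name, url, param)."""
    seen = set()
    counts = {risk: 0 for risk in RISK_ORDER}
    for a in alerts:
        key = (a.get("alert") or a.get("name"), a.get("url"), a.get("param"))
        if key in seen:
            continue
        seen.add(key)
        counts[a["risk"]] += 1   # KeyError on an unknown risk string: fail loudly
    return counts


def highest_risk(alerts):
    """Worst risk level present, or None when ZAP reported nothing."""
    levels = [RISK_ORDER.index(a["risk"]) for a in alerts]
    return RISK_ORDER[max(levels)] if levels else None


def fails_gate(alerts, max_allowed="Low"):
    """True when any alert is above the risk level the pipeline tolerates."""
    top = highest_risk(alerts)
    return top is not None and RISK_ORDER.index(top) > RISK_ORDER.index(max_allowed)


# Constructed sample in the shape ZAP returns; not output from a real scan.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://testapp.local/login", "param": "", "cweid": "1021"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://testapp.local/login", "param": "", "cweid": "1021"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://testapp.local/login", "param": "JSESSIONID", "cweid": "1004"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://testapp.local/search?q=x", "param": "q", "cweid": "79"},
]

if __name__ == "__main__":
    # Live flow: driver = launch_firefox_via_zap(); run your Selenium tests;
    # driver.quit(); alerts = fetch_alerts("http://testapp.local")
    alerts = SAMPLE_ALERTS
    print(alerts_url("http://testapp.local"))
    print(summarize_alerts(alerts))
    print("gate failed" if fails_gate(alerts) else "gate passed")
```

The gate only considers risk, not confidence; a false-positive-prone rule at "Low" confidence will still fail the build, which is the safe default until you have reviewed ZAP's alert list for your application and tuned the threshold.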

Link for some code:

Happy Security Testing!

Update: ZAP has moved from SVN to GitHub:


  1. Loved this article and thanks for sharing a few awesome tools like

    1. @Awesome - Thanks for the awesomeness in your comment :)


  2. Hi Ady, could you please show me how to do step 6? I already created a new profile but didn't know how to launch the website with the profile. Where should I insert that code?

