Security Testing + Test Automation using Selenium and ZAP



Problem:  How to reuse the Functional Test Automation Scripts to do Vulnerability Assessment/Security Testing for your web applications?


A good friend of mine who is a security tester introduced me to this concept and to a tool called ZAP from OWASP, the Open Web Application Security Project (https://www.owasp.org/index.php/Main_Page).

The OWASP Zed Attack Proxy (ZAP) (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience, and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.


If you are an automation engineer, it's as easy as this diagram illustrates:
  1. Download ZAP and install it.
  2. It generally runs on port 8080. Change your browser's proxy settings to localhost, port 8080.
  3. You can also use tools like FoxyProxy to do the same.
  4. Test a web app and see if ZAP is able to see your navigation on the History tab.
  5. Create a new Firefox profile and make sure the proxy settings are working on that profile.
  6. Launch the browser with the profile:

```java
import java.util.concurrent.TimeUnit;
import org.openqa.selenium.JavascriptExecutor;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;
import org.openqa.selenium.firefox.internal.ProfilesIni;
// Load the Firefox profile whose proxy points at ZAP (the one from step 5); testData holds the URL under test
ProfilesIni pf = new ProfilesIni();
FirefoxProfile profile = pf.getProfile("default");
WebDriver driver = new FirefoxDriver(profile);
driver.manage().timeouts().implicitlyWait(60, TimeUnit.SECONDS);
driver.navigate().to(testData);
driver.manage().window().maximize();
((JavascriptExecutor) driver).executeScript("window.focus()");
```

  7. Run your tests with ZAP working in the background.
  8. Finally, here is your security report in JSON format. Access all of the alerts via the ZAP API in JSON and XML format. If you enable the API (via the options) you can then access a URL like http://zap/JSON/core/view/alerts/?baseurl=http%3A%2F%2Fwww.example.com%2F&start=&count= to get all of the alerts reported on www.example.com.
  9. Use a JSON viewer such as http://codebeautify.org/jsonviewer to view all the alerts that you need.
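Once the run is finished, the alerts endpoint from step 8 can also feed a pass/fail gate for the test job instead of being read by eye. The following Python script is an added example, not code from this post or from the ZAP project: it builds the alerts URL (assuming ZAP listens on localhost:8080 and, for newer ZAP versions, takes an apikey parameter), counts alerts per risk level, de-duplicates them, and fails when anything above an allowed risk level was reported. The sample alerts are constructed to mirror the shape of ZAP's alerts view.

```python
"""Pull ZAP alerts (step 8) and turn them into a pass/fail gate for a test run."""
import json
import urllib.parse
import urllib.request
from collections import Counter

RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def alerts_url(target, zap_api="http://localhost:8080", apikey=None, start="", count=""):
    """Build the core/view/alerts URL from the post. zap_api and apikey are assumptions:
    the http://zap/ host only resolves through the proxy, and newer ZAP builds need a key."""
    params = {"baseurl": target, "start": start, "count": count}
    if apikey:
        params["apikey"] = apikey
    return f"{zap_api}/JSON/core/view/alerts/?{urllib.parse.urlencode(params)}"


def fetch_alerts(url):
    """GET the alerts JSON from a running ZAP instance (network call, not exercised offline)."""
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)["alerts"]


def summarize(alerts):
    """Count alerts per risk level and collapse repeats to unique (alert name, url, param)."""
    by_risk = Counter(a["risk"] for a in alerts)
    unique = sorted({(a["alert"], a["url"], a.get("param", "")) for a in alerts})
    return by_risk, unique


def passes_gate(alerts, max_allowed="Low"):
    """True when no alert is rated above max_allowed (e.g. fail the build on Medium or High)."""
    limit = RISK_ORDER.index(max_allowed)
    return all(RISK_ORDER.index(a["risk"]) <= limit for a in alerts)


# Constructed sample in the shape ZAP's alerts view returns; not a real scan result
SAMPLE_ALERTS = json.loads("""{"alerts": [
 {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
  "url": "http://www.example.com/", "param": ""},
 {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
  "url": "http://www.example.com/", "param": ""},
 {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "confidence": "Medium",
  "url": "http://www.example.com/login", "param": "JSESSIONID"}
]}""")["alerts"]

if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_ALERTS)
    print(dict(counts), "gate passed:", passes_gate(SAMPLE_ALERTS))
    for name, url, param in findings:
        print(f"- {name} at {url} (param: {param or '-'})")
```

Swap SAMPLE_ALERTS for fetch_alerts(alerts_url("http://www.example.com/")) to gate a real run.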

Link for some code:

Happy Security Testing!

Update: ZAP has moved from SVN to GitHub: https://github.com/zaproxy/zaproxy

Comments

  1. Loved this article and thanks for sharing a few awesome tools like http://codebeautify.org/jsonviewer

    1. @Awesome - Thanks for the awesomeness in your comment :)

      Cheers,
      Ady

  2. Hi Ady, could you please show me how to do step 6? I already created new profile but didn't know how to launch the website with the profile. Where should I insert that code?
