Security Testing + Test Automation using Selenium and ZAP



Problem:  How to reuse the Functional Test Automation Scripts to do Vulnerability Assessment/Security Testing for your web applications?


A good friend of mine who is a security tester introduced me to this concept and a tool called ZAP from OWASP, the Open Web Application Security Project: https://www.owasp.org/index.php/Main_Page

The OWASP Zed Attack Proxy (ZAP, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.


If you are an automation engineer it's as easy as the following steps:
  1. Download ZAP and install it.
  2. ZAP generally listens on port 8080. Change your browser's proxy settings to localhost, port 8080.
  3. You can also use a tool like FoxyProxy to do the same.
  4. Test a web app and check that ZAP sees your navigation on its History tab.




  5. Create a new Firefox profile and make sure the proxy settings (localhost:8080, pointing at ZAP) are working on that profile.
  6. Launch the browser with the profile from your Selenium code (Java; the imports and declarations missing from the original snippet are filled in here):

    import java.util.concurrent.TimeUnit;
    import org.openqa.selenium.JavascriptExecutor;
    import org.openqa.selenium.WebDriver;
    import org.openqa.selenium.firefox.FirefoxDriver;
    import org.openqa.selenium.firefox.FirefoxProfile;
    import org.openqa.selenium.firefox.internal.ProfilesIni; // org.openqa.selenium.firefox.ProfilesIni in Selenium 3
    String testData = "http://www.example.com/"; // URL under test (placeholder)
    ProfilesIni pf = new ProfilesIni();
    FirefoxProfile profile = pf.getProfile("default"); // name of the profile whose proxy points at ZAP (step 5)
    WebDriver driver = new FirefoxDriver(profile); // Selenium 2/3 constructor; Selenium 4 uses FirefoxOptions.setProfile
    driver.manage().timeouts().implicitlyWait(60, TimeUnit.SECONDS);
    driver.navigate().to(testData);
    driver.manage().window().maximize();
    ((JavascriptExecutor) driver).executeScript("window.focus()");

  7. Run your tests with ZAP working in the background.
  8. Finally, here is your security report in JSON format. All of the alerts are accessible via the ZAP API in JSON and XML format. If you enable the API (via the options) you can then access a URL like:
    http://zap/JSON/core/view/alerts/?baseurl=http%3A%2F%2Fwww.example.com%2F&start=&count=
    to get all of the alerts reported on www.example.com.
  9. Use a JSON viewer such as http://codebeautify.org/jsonviewer to view all the alerts that you need.
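The steps above leave two things to the reader: how the profile from step 5 actually gets its proxy settings, and what to do with the alerts JSON from step 8 other than eyeballing it in a viewer. The following Python is an added example, not code from the original post or from the ZAP project. It assumes ZAP is listening on the page's localhost:8080 and serves its API on that same address (the page's http://zap/ form is the alias ZAP answers when the request itself passes through the proxy), that Firefox reads a user.js in the profile directory on start-up (the standard Firefox preference names are used), and that the apikey parameter is only required when the API key is enabled in ZAP's options. The alerts sample is constructed in the shape of a ZAP alerts response, not captured from a real scan.

```python
import json
import os
import urllib.parse
import urllib.request

# Where ZAP is listening (assumption: the default localhost:8080 from step 2).
ZAP_HOST = "localhost"
ZAP_PORT = 8080

# Firefox preferences that route all traffic through ZAP (step 5).
FIREFOX_PROXY_PREFS = {
    "network.proxy.type": 1,             # 1 = manual proxy configuration
    "network.proxy.http": ZAP_HOST,
    "network.proxy.http_port": ZAP_PORT,
    "network.proxy.ssl": ZAP_HOST,       # send HTTPS through ZAP as well
    "network.proxy.ssl_port": ZAP_PORT,
    "network.proxy.no_proxies_on": "",   # do not bypass the proxy for any host
}


def proxy_prefs_text(prefs=FIREFOX_PROXY_PREFS):
    """Render the preferences in user.js syntax: user_pref("name", value);"""
    return "".join('user_pref("%s", %s);\n' % (k, json.dumps(v)) for k, v in prefs.items())


def write_zap_proxy_prefs(profile_dir, prefs=FIREFOX_PROXY_PREFS):
    """Write user.js into a Firefox profile directory; Firefox applies it on
    start-up, so the profile launched in step 6 proxies through ZAP."""
    os.makedirs(profile_dir, exist_ok=True)
    path = os.path.join(profile_dir, "user.js")
    with open(path, "w") as fh:
        fh.write(proxy_prefs_text(prefs))
    return path


def alerts_url(base_url, api_key=None, start=None, count=None):
    """Build the alerts view URL (step 8). urlencode percent-encodes base_url
    exactly as in the page's example: http%3A%2F%2Fwww.example.com%2F."""
    params = {"baseurl": base_url,
              "start": "" if start is None else start,
              "count": "" if count is None else count}
    if api_key:                      # only needed when the API key is enabled in ZAP's options
        params["apikey"] = api_key
    return "http://%s:%d/JSON/core/view/alerts/?%s" % (ZAP_HOST, ZAP_PORT, urllib.parse.urlencode(params))


def parse_alerts(text):
    """Extract the alert list from the JSON body the alerts view returns."""
    return json.loads(text)["alerts"]


def fetch_alerts(base_url, api_key=None):
    """Ask the running ZAP instance for every alert recorded against base_url."""
    with urllib.request.urlopen(alerts_url(base_url, api_key)) as resp:
        return parse_alerts(resp.read().decode("utf-8"))


RISK_ORDER = ["High", "Medium", "Low", "Informational"]   # ZAP's risk levels, worst first


def summarize_alerts(alerts, fail_on="High"):
    """Count alerts per risk level and collect every alert at or above fail_on.
    Returns (counts, failed, findings); findings are (alert, url, param) tuples,
    so a CI job can fail the build on them instead of reading raw JSON (step 9)."""
    counts = {risk: 0 for risk in RISK_ORDER}
    threshold = RISK_ORDER.index(fail_on)
    findings = []
    for a in alerts:
        risk = a.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        if risk in RISK_ORDER and RISK_ORDER.index(risk) <= threshold:
            findings.append((a.get("alert"), a.get("url"), a.get("param")))
    return counts, bool(findings), findings


# Constructed sample in the shape of a ZAP alerts response (not captured from a real scan).
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://www.example.com/", "param": ""},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
     "url": "http://www.example.com/search", "param": "q"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://www.example.com/login", "param": "JSESSIONID"},
]})


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_alerts(...) after a real Selenium run.
    counts, failed, findings = summarize_alerts(parse_alerts(SAMPLE_ALERTS_JSON))
    print("alerts by risk:", counts)
    for alert, url, param in findings:
        print("FAIL: %s at %s (param %r)" % (alert, url, param))
    raise SystemExit(1 if failed else 0)
```

Call write_zap_proxy_prefs() with the directory of the profile you created in step 5 before launching it, and run summarize_alerts(fetch_alerts("http://www.example.com/")) once the functional suite has finished; the non-zero exit status on High findings is what turns the functional run into a security gate rather than a report someone has to remember to open.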

Link for some code:

Happy Security Testing!

Update: ZAP has moved from SVN to GitHub: https://github.com/zaproxy/zaproxy

Comments

  1. Loved this article and thanks for sharing a few awesome tools like http://codebeautify.org/jsonviewer

    Replies
    1. @Awesome - Thanks for the awesomeness in your comment :)

      Cheers,
      Ady

  2. Hi Ady, could you please show me how to do step 6? I already created new profile but didn't know how to launch the website with the profile. Where should I insert that code?

  3. This blog will help to get more ideas. This is very helpful for Software Testing learners. Thank you for sharing this wonderful site. If someone wants to know about Software QA services this is the right place for you Software QA Companies.

  4. Thanks for the nice blog. It was very useful for those who want to learn penetration testing automation. I'm happy I found this blog. Thank you for sharing with us, I too always learn something new from your post.

  5. I really appreciate the kind of topics posted here. Thanks for sharing with us great information that is actually helpful. External Network Penetration Testing

  6. Anonymous, 27/11/23

    "Your insightful perspective truly resonates! The depth of your thoughts showcases a profound understanding of the subject matter. Your articulate expression captivates and enlightens. Keep sharing your unique viewpoint; it's invaluable and enriching to engage with such thoughtful insights. Well done!"

  7. I was wondering how to find blog commenting sites but finally got a unique collection of blog commenting sites. It's very advantageous to everyone. Thanks for providing such valuable info.
    Digital Era

  8. This MACHINE LEARNING blog site was amazing and wonderful. I am glad for this informative post. Thanks for sharing these amazing ideas.

  9. Digital era FM, 28/11/23


    Cyber testing is the bedrock of digital security. It encompasses a myriad of assessments, from vulnerability scans to penetration testing, ensuring systems remain resilient against cyber threats. Its meticulous approach identifies weaknesses, fortifying defenses and preserving the integrity of digital infrastructure in an ever-evolving threat landscape.
