Security Testing + Test Automation using Selenium and ZAP



Problem:  How to reuse the Functional Test Automation Scripts to do Vulnerability Assessment/Security Testing for your web applications?


A good friend of mine who is a security tester introduced me to this concept and tool called ZAP from  OWASP – https://www.owasp.org/index.php/Main_Page The Open Web Application Security.

The OWASP Zed Attack Proxy (ZAP)https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.


If you are an automation engineer it's as easy as this diagram illustrates:
  1. Download ZAP and install.
  2. It generally runs on port 8080. Change your browsers proxy settings to localhost and 8080
  3. You can also use tools like foxyproxy to do the same
  4. Test a web app and see if ZAP is able to see your navigations on the History tab.




5. Create a new firefox profile and make sure the proxy settings are working on the profile
6. Launch the browser with the profile
ProfilesIni pf = new ProfilesIni();
FirefoxProfile profile = pf.getProfile("default");
driver = new FirefoxDriver(profile);
driver.manage().timeouts().implicitlyWait(60, TimeUnit.SECONDS);
driver.navigate().to(testData);
driver.manage().window().maximize();
((JavascriptExecutor) driver).executeScript("window.focus()");
7. Run your tests with ZAP working in the background
8. Finally here is your security report in JSON format:
Access all of the alerts via the ZAP API in JSON and XML format. If you enable the API (via the options) you can then access a URL like:
http://zap/JSON/core/view/alerts/?baseurl=http%3A%2F%2Fwww.example.com%2F&start=&count= to get all of the alerts reported on www.example.com
9. Use a http://codebeautify.org/jsonviewer to view all the alerts that you need.

Link for some code:

Happy Security Testing!

Update:   Zap has moved from SVN to github: https://github.com/zaproxy/zaproxy

Comments

  1. Awesome25/2/15

    Loved this article and thanks for sharing few awesome tools like http://codebeautify.org/jsonviewer

    ReplyDelete
    Replies
    1. Aditya Kalra (Ady)25/2/15

      @Awesome - Thanks for the awesomeness in your comment :)

      Cheers,
      Ady

      Delete
  2. Unknown10/10/16

    Hi Ady, could you please show me how to do step 6? I already created new profile but didn't know how to launch the website with the profile. Where should I insert that code?

    ReplyDelete
  3. yanmaneee30/1/21

    pandora jewelry official site
    off white nike
    supreme
    kobe sneakers
    off white hoodie
    supreme clothing
    golden goose sneakers
    pandora jewelry
    yeezy boost 350 v2
    supreme clothing

    ReplyDelete
  4. Allen Marry15/4/21

    This blog will help to get more ideas. This is very helpful for Software Testing learners. Thank you for sharing this wonderful site. If someone wants to know about Software QA services this is the right place for you Software QA Companies.

    ReplyDelete
  5. James Zicrov7/10/21

    Thanks for the nice blog. It was very useful for those who want to learn penetration testing automation. I'm happy I found this blog. Thank you for sharing with us, I too always learn something new from your post.

    ReplyDelete
  6. whanou5/6/22

    allez ici Source ici Goyard Dolabuy mon entreprise sacs de répliques de Chine

    ReplyDelete
  7. networkguide25/11/22

    I really appreciate the kind of topics post here. Thanks for sharing us a great information that is actually helpful.External Network Penetration Testing

    ReplyDelete
  8. Anonymous27/11/23

    "Your insightful perspective truly resonates! The depth of your thoughts showcases a profound understanding of the subject matter. Your articulate expression captivates and enlightens. Keep sharing your unique viewpoint; it's invaluable and enriching to engage with such thoughtful insights. Well done!"





    ReplyDelete
  9. Technical SEO28/11/23

    I was wondering to find blog commenting sites but finally got the unique collection of blog commenting sites. It’s a very much advantageable to everyone.. thanks for providing such kinds of valuable info
    Digital Era

    ReplyDelete
  10. MBA education28/11/23

    This MACHINE LEARNING
    blog sites was amazing and such a wonderful. I am glad this informative post. thanks for sharing this amazing ideas.

    ReplyDelete
  11. Digital era FM28/11/23


    Cyber testing is the bedrock of digital security. It encompasses a myriad of assessments, from vulnerability scans to penetration testing, ensuring systems remain resilient against cyber threats. Its meticulous approach identifies weaknesses, fortifying defenses and preserving the integrity of digital infrastructure in an ever-evolving threat landscape.<a href targetblank relalternate

    ReplyDelete

Post a Comment

Popular posts from this blog

Software Testing @ Microsoft

Image
In continuation from my previous  series of posts  targeting testing in top few companies from the technology space. After  Software Testing @Facebook  and @Google  we shall now look at Microsoft: Testing@Microsoft Software Development Engineers in Test (SDETs) are usually just called Test and sometimes Software Testing. SDETs are responsible for maintaining high testing and qualityassurance standards for all Microsoft products. Software Development Engineers (SDEs) are often referred to as Software Development. SDEs write the code that drives Microsoft products and upgrades. Very few teams in Microsoft are still using SDETs to do significant amount of manual testing. Manual testing is mainly outsourced. Actually, as early as in 2004, for example, most of the manual testing of MSN Explorer was outsourced. Think about it this way: it just doesn't make sense for test manager to spend their headcount (SDETs) on something can be easily outsourced....
Read more

Trim / Remove spaces in Xpath?

Image
If you are wondering how you can trim the spaces in your xpath, this is how: The normalize-space function strips leading and trailing white-space from a string, replaces sequences of white-space characters by a single space, and returns the resulting string. Example : Which one is better? //td[starts-with(normalize-space(),'Text to Trim')] //td[starts-with(normalize-space(text()),' Text to Trim ')] The second option is better as it targets at the specific nodes More string functions in XPATH: Functions Description starts-with( string1 ,  string2 ) Returns true if the first string starts with the second string. contains( string1 ,  string2 ) Returns true if the first string contains the second string. substring( string offset length ) Returns a section of the string. The section starts at  offset (which is a number), and is as long as the value provided at  length. substring-before( string1 ,  string2 ) Returns the part of...
Read more