
Security Testing and Selenium

I have come across many articles which talk of carrying out security testing with Selenium; however, I found it very cumbersome to set up such tests. This is what this tutorial is going to make easy for you. My next Security Testing and Selenium YouTube video covers the following:

  • Importance of having security testing on CI
  • What is dynamic application security testing
  • Project setup

    <dependency>
        <groupId>org.zaproxy</groupId>
        <artifactId>zap-clientapi</artifactId>
        <version>1.9.0</version>
    </dependency>
    <dependency>
        <groupId>org.zaproxy</groupId>
        <artifactId>zap</artifactId>
        <version>2.10.0</version>
    </dependency>

  • Start ZAP in daemon (headless) mode

    ./zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.addrs.addr.regex=true -config api.disablekey=true

  • Start Chrome with ZAP

    // driver and log are fields of the enclosing base class; the driver is created
    // lazily so that every test shares one Chrome instance routed through ZAP.
    public WebDriver getDriver() {
        if (driver == null) {
            ChromeOptions chromeOptions = new ChromeOptions();
            WebDriverManager.chromedriver().setup();

            // ZAP proxy config
            String zapProxyHost = "127.0.0.1";
            String zapProxyPort = "8080";

            // set the proxy to use ZAP host and port
            String proxyAddress = zapProxyHost + ":" + zapProxyPort;
            Proxy zapProxy = new Proxy();
            zapProxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
            log.info("Set proxy to host:{} and port:{}", zapProxyHost, zapProxyPort);

            // ZAP re-signs TLS traffic with its own CA, so Chrome must accept that certificate
            chromeOptions.addArguments("--ignore-certificate-errors");
            chromeOptions.setCapability(CapabilityType.PROXY, zapProxy);
            driver = new ChromeDriver(chromeOptions);
        }
        return driver;
    }
  • BaseSecurity class set up

    import lombok.extern.slf4j.Slf4j;
    import org.testng.annotations.AfterMethod;
    import org.zaproxy.clientapi.core.ClientApi;
    import org.zaproxy.clientapi.core.ClientApiException;

    @Slf4j
    public class BaseSecurity extends BaseClassOnDemandDriverSetupWithProxy {

        private static final String SECURITY_RISK_HIGH = "High";
        private static final String SECURITY_RISK_MEDIUM = "Medium";
        private static final String SECURITY_RISK_LOW = "Low";
        private static final String SECURITY_RISK_INFORMATIONAL = "Informational";
        // same host and port the ZAP daemon was started with
        private static ClientApi clientApi = new ClientApi("127.0.0.1", 8080);
        private static String securityTestReportPath = "target/zap-security-report.html";

        @AfterMethod(alwaysRun = true)
        public static void waitForPassiveScanToComplete() throws ClientApiException {
            log.info("--- Waiting for passive scan to finish --- ");
            try {
                // Passive scanner run by default: https://stackoverflow.com/a/35944273/270835
                clientApi.pscan.enableAllScanners(); // enable passive scanner.
                // The snippet in the post ends here; the wait loop and checkRiskCount() are not shown.
            } catch (ClientApiException e) {
                log.error("Could not reach the ZAP API", e);
                throw e;
            }
        }
    }
  • Sample test

    import lombok.extern.slf4j.Slf4j;
    import org.testng.annotations.Test;
    import org.zaproxy.clientapi.core.ClientApiException;

    @Slf4j
    public class SampleSecurityTest extends BaseSecurity {

        private static final String REG_URL = "https://juice-shop.herokuapp.com/";

        @Test()
        public void scanRegPage() throws ClientApiException {
            // the request goes through the ZAP proxy configured in getDriver()
            getDriver().get(REG_URL);
            // some more logic using page object goes here
            checkRiskCount(REG_URL);
        }
    }

And run the test to get the report :)

java.lang.IllegalStateException: Page https://juice-shop.herokuapp.com/
High Risk count: 0
Medium Risk count: 41
Low Risk count: 53
Informational Risk count: 17
please check: target/zap-security-report.html 
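The post does not show how checkRiskCount() produces the summary above, so here is an added example (my own code, not the post's BaseSecurity class) of a ZAP risk gate written against zap-clientapi: it drains the passive scan queue with pscan.recordsToScan(), reads per-risk alert counts with core.numberOfAlerts(), saves core.htmlreport() to the report path, and throws IllegalStateException when a page exceeds its High/Medium budget. The class name ZapRiskGate, the ZAP_API_KEY environment variable and the threshold parameters are assumptions of this example. The daemon command in the post disables the API key (api.disablekey=true); if ZAP is instead started with -config api.key=<key>, the same key must be passed to the three-argument ClientApi constructor, which is what the environment variable here is for.

```java
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not the post's own code: waits for ZAP's passive scanner,
 * writes the HTML report and fails the build when a page carries more
 * High or Medium alerts than allowed.
 */
public class ZapRiskGate {

    // Risk ids as understood by core.numberOfAlerts(): 0 = Informational .. 3 = High.
    private static final int RISK_INFORMATIONAL = 0;
    private static final int RISK_LOW = 1;
    private static final int RISK_MEDIUM = 2;
    private static final int RISK_HIGH = 3;

    // Assumption: the API key comes from ZAP_API_KEY. An empty key matches the
    // post's daemon command (api.disablekey=true); with -config api.key=<key>
    // the same value must be supplied here.
    private static final String ZAP_API_KEY = System.getenv().getOrDefault("ZAP_API_KEY", "");

    private final ClientApi clientApi;
    private final Path reportPath;

    public ZapRiskGate(String zapHost, int zapPort, String reportPath) {
        this.clientApi = new ClientApi(zapHost, zapPort, ZAP_API_KEY);
        this.reportPath = Paths.get(reportPath);
    }

    /** Polls pscan.recordsToScan until the passive scan queue is empty or the timeout elapses. */
    public void waitForPassiveScanToComplete(long timeoutMillis)
            throws ClientApiException, InterruptedException {
        long deadline = System.currentTimeMillis() + timeoutMillis;
        int pending;
        while ((pending = toInt(clientApi.pscan.recordsToScan())) > 0) {
            if (System.currentTimeMillis() > deadline) {
                throw new IllegalStateException("Passive scan still has " + pending
                        + " records queued after " + timeoutMillis + " ms");
            }
            Thread.sleep(500);
        }
    }

    /** Number of alerts ZAP currently holds for url at the given risk id. */
    public int alertCount(String url, int riskId) throws ClientApiException {
        return toInt(clientApi.core.numberOfAlerts(url, String.valueOf(riskId)));
    }

    /** Writes ZAP's HTML report to reportPath so CI can archive it as an artifact. */
    public void writeHtmlReport() throws ClientApiException, IOException {
        Files.createDirectories(reportPath.toAbsolutePath().getParent());
        Files.write(reportPath, clientApi.core.htmlreport());
    }

    /**
     * Throws IllegalStateException when the page exceeds maxHigh or maxMedium alerts.
     * The thresholds are this example's assumption; the post does not state which
     * counts make its checkRiskCount() fail.
     */
    public void checkRiskCount(String url, int maxHigh, int maxMedium)
            throws ClientApiException, IOException {
        int high = alertCount(url, RISK_HIGH);
        int medium = alertCount(url, RISK_MEDIUM);
        int low = alertCount(url, RISK_LOW);
        int info = alertCount(url, RISK_INFORMATIONAL);
        writeHtmlReport();
        String summary = String.format(
                "Page %s%nHigh Risk count: %d%nMedium Risk count: %d%nLow Risk count: %d%n"
                        + "Informational Risk count: %d%nplease check: %s",
                url, high, medium, low, info, reportPath);
        if (high > maxHigh || medium > maxMedium) {
            throw new IllegalStateException(summary);
        }
        System.out.println(summary);
    }

    // ZAP returns scalar views as ApiResponseElement; its value is a decimal string.
    private static int toInt(ApiResponse response) {
        return Integer.parseInt(((ApiResponseElement) response).getValue());
    }

    // Usage after Selenium has driven the page through the ZAP proxy.
    public static void main(String[] args) throws Exception {
        ZapRiskGate gate = new ZapRiskGate("127.0.0.1", 8080, "target/zap-security-report.html");
        gate.waitForPassiveScanToComplete(60_000);
        gate.checkRiskCount("https://juice-shop.herokuapp.com/", 0, 0);
    }
}
```

Calling waitForPassiveScanToComplete() before checkRiskCount(), rather than in an @AfterMethod as the post's base class does, matters: ZAP's passive rules only raise alerts once the queued responses have been processed, so counting alerts before the queue has drained under-reports the page.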


Head over to Security Testing and Selenium YouTube video to see this in action :)

Ref:

  • https://saucelabs.com/blog/discovering-security-vulnerabilities-with-selenium
  • https://medium.com/datadriveninvestor/automated-security-tests-with-owasp-zap-c5326c9970a6
  • https://www.securify.nl/blog/using-owasp-zap-selenium-and-jenkins-to-automate-your-security-tests

 

 
