Skip to main content

Security Testing and Selenium

I have come across many articles which talk of carrying out security testing with selenium however I found it very cumbersome to set up such tests. This is what this tutorial is going to make easy for you. My next Security Testing and Selenium YouTube video covers following -

  • Importance of having security testing on CI
  • What is dynamic application security testing
  • Project setup 
<dependency>
   <groupId>org.zaproxy</groupId>
   <artifactId>zap-clientapi</artifactId>
   <version>1.9.0</version>
</dependency>
<dependency>
   <groupId>org.zaproxy</groupId>
   <artifactId>zap</artifactId>
   <version>2.10.0</version>
</dependency>
  • Start ZAP daemom (headless) mode 

./zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.addrs.addr.regex=true -config api.disablekey=true

  • Start Chrome with ZAP 
public WebDriver getDriver() {
    if (driver == null) {
        ChromeOptions chromeOptions = new ChromeOptions();
        WebDriverManager.chromedriver().setup();

        // ZAP proxy config
        String zapProxyHost = "127.0.0.1";
        String zapProxyPort = "8080";

        //set the proxy to use ZAP host and port
        String proxyAddress = zapProxyHost + ":" + zapProxyPort;
        Proxy zap_proxy = new Proxy();
        zap_proxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
        log.info("Set proxy to host:{} and port:{}", zapProxyHost, zapProxyPort);

        chromeOptions.addArguments("--ignore-certificate-errors");
        chromeOptions.setCapability(CapabilityType.PROXY, zap_proxy);
        driver = new ChromeDriver(chromeOptions);
    }
    return driver;
}
  • BaseSecurityClass set up
@Slf4j
public class BaseSecurity extends BaseClassOnDemandDriverSetupWithProxy {

    private static final String SECURITY_RISK_HIGH = "High";
    private static final String SECURITY_RISK_MEDIUM = "Medium";
    private static final String SECURITY_RISK_LOW = "Low";
    private static final String SECURITY_RISK_INFORMATIONAL = "Informational";
    private static ClientApi clientApi = new ClientApi("127.0.0.1", 8080);
    private static String securityTestReportPath = "target/zap-security-report.html";


    @AfterMethod(alwaysRun = true)
    public static void waitForPassiveScanToComplete() throws ClientApiException {
        log.info("--- Waiting for passive scan to finish --- ");
        try {
            // Passive scanner run by default: https://stackoverflow.com/a/35944273/270835
            clientApi.pscan.enableAllScanners(); // enable passive scanner.
  •  Sample test
@Slf4j
public class SampleSecurityTest extends BaseSecurity {

    private static final String REG_URL = "https://juice-shop.herokuapp.com/";

    @Test()
    public void scanRegPage() throws ClientApiException {
        getDriver().get(REG_URL);
        // some more logic using page object goes here
        checkRiskCount(REG_URL);
    }

And run reports :)

java.lang.IllegalStateException: Page https://juice-shop.herokuapp.com/
High Risk count: 0
Medium Risk count: 41
Low Risk count: 53
Informational Risk count: 17
please check: target/zap-security-report.html 


Head over to Security Testing and Selenium YouTube video to see this in action :)

Ref:

https://saucelabs.com/blog/discovering-security-vulnerabilities-with-selenium

https://medium.com/datadriveninvestor/automated-security-tests-with-owasp-zap-c5326c9970a6

https://www.securify.nl/blog/using-owasp-zap-selenium-and-jenkins-to-automate-your-security-tests 

 

 

Labels:

Comments

Post a Comment

No spam only genuine comments :)

Popular posts from this blog

Using chrome console to test xPath and css selectors

Note: If you are new to java and selenium then start with selenium java training videos .       Since the advent of selenium there have been many plugin to test xPath / css selectors but you don’t need any of them if you have chrome browser. Using Chrome console you can test both xPath and css selectors. Launch website to be tested in chrome browser and hit F-12 and you would see chrome console opened in lower pane of application - Hit escape key and console would open another pane to write element locators - And now you can start writing xPath or css selectors in chrome console and test them - The syntax for writing css id - $$(“ ”) And hit the enter key. If your expression is right then html snippet of the application element corresponding to the css selector would be displayed - If you mouse over the html snippet in chrome console then it would highlight the corresponding element in application - If you want to clean console of previously wri
Read more

XPath and single quotes

I had tough time dealing with XPath and single quote. Though W3C recommends using ' to escape it but I never got it working, let me know if any of you get through. Came across this blog and found that “concat” could be used in this situation. So original XPath expression is – //meta[@name=’DESCRIPTION’][@content=’Tester’s Test’] This is some thing which certainly fails as single quote in “Tester’s” marks it at end of string and then XPath blows up, next trial was – //meta[@name=’DESCRIPTION’][@content=’Tester''s Test’] This does not work despite w3c recommendation! And then I used concat function and split the string as – concat(‘Tester’,”’”,’s Test’) NOTICE that single quote is kept in double quote while other characters are kept in single quotes. So XPath looks as – //meta[@name=’DESCRIPTION’][@content=concat(‘Tester’,”’”,’s Test’)] And this works charm.
2 comments
Read more

Return only first or last element from webelements collection

Note: If you are new to java and selenium then start with selenium java training videos .     We often come across situation when there are multiple elements on a page and we probably like to exercise only a few of them using selenium webdriver. May be just first and last element. For example on a search result page we may like to click on only first and last link and not all. This is when Iterables API comes handy. (By the way I am assuming that you have already completed watching selenium training videos :)). Once we have collection of web element then we can use Iterables to get only first or last element as following - Consider that we fetch collection of element as - List< WebElement > webElements = getDriver().findElements(By. id ( "htmlID" ));   Now we can get the first web element from this collection as -  WebElement firstElement = Iterables. getFirst (webElements,  getDriver().findElement(By. id ( "defaultElement" )));   Herein second
2 comments
Read more