Skip to main content

Security Testing and Selenium

I have come across many articles which talk of carrying out security testing with selenium however I found it very cumbersome to set up such tests. This is what this tutorial is going to make easy for you. My next Security Testing and Selenium YouTube video covers following -

  • Importance of having security testing on CI
  • What is dynamic application security testing
  • Project setup 
<dependency>
   <groupId>org.zaproxy</groupId>
   <artifactId>zap-clientapi</artifactId>
   <version>1.9.0</version>
</dependency>
<dependency>
   <groupId>org.zaproxy</groupId>
   <artifactId>zap</artifactId>
   <version>2.10.0</version>
</dependency>
  • Start ZAP daemom (headless) mode 

./zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.addrs.addr.regex=true -config api.disablekey=true

  • Start Chrome with ZAP 
public WebDriver getDriver() {
    if (driver == null) {
        ChromeOptions chromeOptions = new ChromeOptions();
        WebDriverManager.chromedriver().setup();

        // ZAP proxy config
        String zapProxyHost = "127.0.0.1";
        String zapProxyPort = "8080";

        //set the proxy to use ZAP host and port
        String proxyAddress = zapProxyHost + ":" + zapProxyPort;
        Proxy zap_proxy = new Proxy();
        zap_proxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
        log.info("Set proxy to host:{} and port:{}", zapProxyHost, zapProxyPort);

        chromeOptions.addArguments("--ignore-certificate-errors");
        chromeOptions.setCapability(CapabilityType.PROXY, zap_proxy);
        driver = new ChromeDriver(chromeOptions);
    }
    return driver;
}
  • BaseSecurityClass set up
@Slf4j
public class BaseSecurity extends BaseClassOnDemandDriverSetupWithProxy {

    private static final String SECURITY_RISK_HIGH = "High";
    private static final String SECURITY_RISK_MEDIUM = "Medium";
    private static final String SECURITY_RISK_LOW = "Low";
    private static final String SECURITY_RISK_INFORMATIONAL = "Informational";
    private static ClientApi clientApi = new ClientApi("127.0.0.1", 8080);
    private static String securityTestReportPath = "target/zap-security-report.html";


    @AfterMethod(alwaysRun = true)
    public static void waitForPassiveScanToComplete() throws ClientApiException {
        log.info("--- Waiting for passive scan to finish --- ");
        try {
            // Passive scanner run by default: https://stackoverflow.com/a/35944273/270835
            clientApi.pscan.enableAllScanners(); // enable passive scanner.
  •  Sample test
@Slf4j
public class SampleSecurityTest extends BaseSecurity {

    private static final String REG_URL = "https://juice-shop.herokuapp.com/";

    @Test()
    public void scanRegPage() throws ClientApiException {
        getDriver().get(REG_URL);
        // some more logic using page object goes here
        checkRiskCount(REG_URL);
    }

And run reports :)

java.lang.IllegalStateException: Page https://juice-shop.herokuapp.com/
High Risk count: 0
Medium Risk count: 41
Low Risk count: 53
Informational Risk count: 17
please check: target/zap-security-report.html 


Head over to Security Testing and Selenium YouTube video to see this in action :)

Ref:

https://saucelabs.com/blog/discovering-security-vulnerabilities-with-selenium

https://medium.com/datadriveninvestor/automated-security-tests-with-owasp-zap-c5326c9970a6

https://www.securify.nl/blog/using-owasp-zap-selenium-and-jenkins-to-automate-your-security-tests 

 

 

Labels:

Comments

Post a Comment

No spam only genuine comments :)

Popular posts from this blog

Distributed Load Testing with JMeter

Distributed Testing with JMeter When one JMeter client is not able to offer amount of threads required for load testing then distributed testing is used. In distributed testing - One instance of JMeter client can control number of JMeter instances and collect data from them Test plan does not need to be copied to each server, the client sends it to all servers note - JMeter will run all the threads on all the servers, hence 100 threads on 5 JMeter server would pump 500 threads in total. If many server instances are used, the client JMeter can become overloaded and so the client network connection. This has been improved in latest versions of JMeter by switching to Stripped modes, but you should always check that your client is not overloaded When Client (master) and Server (slave) nodes are on same network (no SSH required) Configure Client Node Herein client is referred as the machine controlling test execution on other JMeter nodes. This is also referred
Read more

Appium and android mobile app automation

Next appium and Android mobile app automation video tutoria l is live. If you are new to appium then please check - appium-tutorial This video tutorial covers - Start vysor (Just for this session and not mobile automation :)) Start appium and start appium inspector Desired Capabilities platformName - Android deviceName - L2N0219828001013 (as seen on "adb devices") Saved Capability Sets Start Session Scan app elements using appium inspector Get appPackage and appActivity using "APK info" app Install "APK info" app and open app whose appPackage and appActivity are required i.e. calculator Check top section of app icon com.android.calculator2 is app package com.android.calculator2.Calculator is app activity testng.xml file settings for running Android app tests Test details com.seleniumtests.tests.mobile.AndroidAppTest and CalculatorScreen class View beautiful STF test report  
Post a Comment
Read more

Verify email confirmation using Selenium

Note: If you are new to java and selenium then start with selenium java training videos .     Email confirmation seems to be integral part of any registration process. I came across an application which lets you provide your email address. You can follow the sign up link in you mail and then complete the registration process. Lets consider we provide GMail address for it. Now if were to use only Selenium then we would have to follow following steps - Launch GMail using Selenium; Some how search for new mail in the list of available mails; Some how click on it; Parse the mail message; Get the registration link; Follow up with registration process What do you think of an approach in which you can
13 comments
Read more