Skip to main content

Security Testing and Selenium

I have come across many articles which talk of carrying out security testing with selenium however I found it very cumbersome to set up such tests. This is what this tutorial is going to make easy for you. My next Security Testing and Selenium YouTube video covers following -

  • Importance of having security testing on CI
  • What is dynamic application security testing
  • Project setup 
<dependency>
<groupId>org.zaproxy</groupId>
<artifactId>zap-clientapi</artifactId>
<version>1.9.0</version>
</dependency>
<dependency>
<groupId>org.zaproxy</groupId>
<artifactId>zap</artifactId>
<version>2.10.0</version>
</dependency>
  • Start ZAP daemom (headless) mode 

./zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.addrs.addr.regex=true -config api.disablekey=true

  • Start Chrome with ZAP
public WebDriver getDriver() {
if (driver == null) {
ChromeOptions chromeOptions = new ChromeOptions();
WebDriverManager.chromedriver().setup();

// ZAP proxy config
String zapProxyHost = "127.0.0.1";
String zapProxyPort = "8080";

//set the proxy to use ZAP host and port
String proxyAddress = zapProxyHost + ":" + zapProxyPort;
Proxy zap_proxy = new Proxy();
zap_proxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
log.info("Set proxy to host:{} and port:{}", zapProxyHost, zapProxyPort);

chromeOptions.addArguments("--ignore-certificate-errors");
chromeOptions.setCapability(CapabilityType.PROXY, zap_proxy);
driver = new ChromeDriver(chromeOptions);
}
return driver;
}
  • BaseSecurityClass set up
@Slf4j
public class BaseSecurity extends BaseClassOnDemandDriverSetupWithProxy {

private static final String SECURITY_RISK_HIGH = "High";
private static final String SECURITY_RISK_MEDIUM = "Medium";
private static final String SECURITY_RISK_LOW = "Low";
private static final String SECURITY_RISK_INFORMATIONAL = "Informational";
private static ClientApi clientApi = new ClientApi("127.0.0.1", 8080);
private static String securityTestReportPath = "target/zap-security-report.html";


@AfterMethod(alwaysRun = true)
public static void waitForPassiveScanToComplete() throws ClientApiException {
log.info("--- Waiting for passive scan to finish --- ");
try {
// Passive scanner run by default: https://stackoverflow.com/a/35944273/270835
clientApi.pscan.enableAllScanners(); // enable passive scanner.
  •  Sample test
@Slf4j
public class SampleSecurityTest extends BaseSecurity {

private static final String REG_URL = "https://juice-shop.herokuapp.com/";

@Test()
public void scanRegPage() throws ClientApiException {
getDriver().get(REG_URL);
// some more logic using page object goes here
checkRiskCount(REG_URL);
}

And run reports :)

java.lang.IllegalStateException: Page https://juice-shop.herokuapp.com/
High Risk count: 0
Medium Risk count: 41
Low Risk count: 53
Informational Risk count: 17
please check: target/zap-security-report.html 


Head over to Security Testing and Selenium YouTube video to see this in action :)

Ref:

https://saucelabs.com/blog/discovering-security-vulnerabilities-with-selenium

https://medium.com/datadriveninvestor/automated-security-tests-with-owasp-zap-c5326c9970a6

https://www.securify.nl/blog/using-owasp-zap-selenium-and-jenkins-to-automate-your-security-tests 

 

 

Comments

Popular posts from this blog

Selenium Tutorial: Ant Build for Selenium Java project

Ant is a build tool which could be used to have your tests running either from command line or from Hudson CI tool. There is detailed documentation available for ant here but probably you need to know only a little part of it for you selenium tests. The essentials which are needed to know are: Project Target (ant execution point and collection of tasks) Tasks (could be as simple as compilation) And there would usually be following targets for Selenium tools - setClassPath - so that ant knows where you jar files are loadTestNG - so that you could use testng task in ant and use it to execute testng tests from ant init - created the build file clean - delete the build file compile - compiles the selenium tests run - executes the selenium tests Here is my project set up for ant -

Verify email confirmation using Selenium

Note: If you are new to java and selenium then start with selenium java training videos .     Email confirmation seems to be integral part of any registration process. I came across an application which lets you provide your email address. You can follow the sign up link in you mail and then complete the registration process. Lets consider we provide GMail address for it. Now if were to use only Selenium then we would have to follow following steps - Launch GMail using Selenium; Some how search for new mail in the list of available mails; Some how click on it; Parse the mail message; Get the registration link; Follow up with registration process What do you think of an approach in which you can

Real Time JMeter Result Using Backend Listener

Since JMeter 2.13 Backend Listener has been available to create real time graph of JMeter Test. Following tutorial explain the entire process in detail. At the end of this tutorial you would be able to create JMeter Live Test Result dashboard similar to following - This tutorial borrows information from many sources and my own experiments with JMeter live reporting dashboard. I have added source of information wherever applicable But before we can build such a snazzy JMeter Live Reporting dashboard we need to understand two more components - influxDB (a time series database) and Grafana Dashboard This is a big tutorial, so take deep breath :-) and follow on. Once you complete set up specified in this tutorial then you can watch JMeter Training Video Tutorial to watch this in action. What is Time Series Database? A time series is a sequence of data points , typically consisting of successive measurements made over a time interval . Examples of time ...