I have come across many articles that talk about carrying out security testing with Selenium, but I found it cumbersome to set such tests up. That is what this tutorial is going to make easy for you. My next Security Testing and Selenium YouTube video covers the following:
- Importance of having security testing on CI
- What is dynamic application security testing
- Recommended tools from https://owasp.org/www-community/Vulnerability_Scanning_Tools
- What is https://owasp.org/?
- Using https://www.zaproxy.org/
- Project setup
<dependency>
    <groupId>org.zaproxy</groupId>
    <artifactId>zap-clientapi</artifactId>
    <version>1.9.0</version>
</dependency>
<dependency>
    <groupId>org.zaproxy</groupId>
    <artifactId>zap</artifactId>
    <version>2.10.0</version>
</dependency>
- Start ZAP in daemon (headless) mode. Note that api.disablekey=true turns off API-key authentication, so keep the daemon bound to 127.0.0.1 as below rather than a reachable interface.
./zap.sh -daemon -host 127.0.0.1 -port 8080 -config api.addrs.addr.regex=true -config api.disablekey=true
- Start Chrome with ZAP
private WebDriver driver;

public WebDriver getDriver() {
    if (driver == null) {
        ChromeOptions chromeOptions = new ChromeOptions();
        WebDriverManager.chromedriver().setup();
        // ZAP proxy config: must match the -host/-port the daemon was started with
        String zapProxyHost = "127.0.0.1";
        String zapProxyPort = "8080";
        // set the proxy to use ZAP host and port, for both plain HTTP and HTTPS traffic
        String proxyAddress = zapProxyHost + ":" + zapProxyPort;
        Proxy zap_proxy = new Proxy();
        zap_proxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
        log.info("Set proxy to host:{} and port:{}", zapProxyHost, zapProxyPort);
        // ZAP re-signs HTTPS traffic with its own root CA, which Chrome does not trust;
        // this flag is for the test browser only, never for a real user's browser
        chromeOptions.addArguments("--ignore-certificate-errors");
        chromeOptions.setCapability(CapabilityType.PROXY, zap_proxy);
        driver = new ChromeDriver(chromeOptions);
    }
    return driver;
}
- BaseSecurityClass set up
@Slf4j
public class BaseSecurity extends BaseClassOnDemandDriverSetupWithProxy {
    private static final String SECURITY_RISK_HIGH = "High";
    private static final String SECURITY_RISK_MEDIUM = "Medium";
    private static final String SECURITY_RISK_LOW = "Low";
    private static final String SECURITY_RISK_INFORMATIONAL = "Informational";
    // ClientApi talks to the ZAP daemon started above (API key disabled, so no key argument)
    private static ClientApi clientApi = new ClientApi("127.0.0.1", 8080);
    private static String securityTestReportPath = "target/zap-security-report.html";

    @AfterMethod(alwaysRun = true)
    public static void waitForPassiveScanToComplete() throws ClientApiException {
        log.info("--- Waiting for passive scan to finish --- ");
        try {
            // Passive scanner run by default: https://stackoverflow.com/a/35944273/270835
            clientApi.pscan.enableAllScanners(); // enable passive scanner.
            // pscan/view/recordsToScan reports how many proxied messages are still queued;
            // zero means every page the test loaded has been passively scanned
            while (Integer.parseInt(((ApiResponseElement) clientApi.pscan.recordsToScan()).getValue()) > 0) {
                Thread.sleep(500);
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            log.warn("Interrupted while waiting for the passive scan", e);
        }
        log.info("--- Passive scan finished --- ");
    }
}
- Sample test
@Slf4j
public class SampleSecurityTest extends BaseSecurity {
    private static final String REG_URL = "https://juice-shop.herokuapp.com/";

    @Test
    public void scanRegPage() throws ClientApiException {
        getDriver().get(REG_URL);
        // some more logic using page object goes here
        checkRiskCount(REG_URL);
    }
}
And run it to see the report :)
java.lang.IllegalStateException: Page https://juice-shop.herokuapp.com/
High Risk count: 0
Medium Risk count: 41
Low Risk count: 53
Informational Risk count: 17
please check: target/zap-security-report.html
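The post does not show checkRiskCount, and it also gives no readiness check between starting the daemon and launching Chrome through it. The class below is an added example written for this tutorial, not code from the post or from the ZAP project: ZapRiskGate is a hypothetical name, the "fail on Medium or above" policy is an assumption chosen because the post's output fails with High at 0 and Medium at 41, and it relies on three zap-clientapi calls (core.version(), core.alertsSummary(url) and core.htmlreport()) plus the daemon settings shown above (127.0.0.1:8080, API key disabled).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.zaproxy.clientapi.core.ApiResponseSet;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

/**
 * Hypothetical build gate on top of the ZAP client API (added example, not from the post).
 * Assumes ZAP runs in daemon mode on 127.0.0.1:8080 with the API key disabled, as above.
 */
public final class ZapRiskGate {

    /** ZAP's risk levels from most to least severe; the order drives the threshold check. */
    static final List<String> RISK_LEVELS = List.of("High", "Medium", "Low", "Informational");

    private final ClientApi clientApi;
    private final String reportPath;
    private final String failAtOrAbove;

    /**
     * @param failAtOrAbove lowest risk level that fails the test, e.g. "Medium" fails on any
     *                      High or Medium alert (assumed policy; the post does not state its threshold)
     */
    public ZapRiskGate(ClientApi clientApi, String reportPath, String failAtOrAbove) {
        if (!RISK_LEVELS.contains(failAtOrAbove)) {
            throw new IllegalArgumentException("Unknown ZAP risk level: " + failAtOrAbove);
        }
        this.clientApi = clientApi;
        this.reportPath = reportPath;
        this.failAtOrAbove = failAtOrAbove;
    }

    /** Block until core/view/version answers, so Selenium never starts before the proxy is up. */
    public void waitUntilReady(long timeoutMillis) throws InterruptedException {
        long deadline = System.currentTimeMillis() + timeoutMillis;
        while (true) {
            try {
                clientApi.core.version();   // connection failures surface as ClientApiException
                return;
            } catch (ClientApiException notYetUp) {
                if (System.currentTimeMillis() > deadline) {
                    throw new IllegalStateException("ZAP API not reachable within " + timeoutMillis + " ms", notYetUp);
                }
                Thread.sleep(500);
            }
        }
    }

    /** Per-risk alert counts for one base URL from core/view/alertsSummary; a missing level counts as 0. */
    public Map<String, Integer> riskCounts(String url) throws ClientApiException {
        ApiResponseSet summary = (ApiResponseSet) clientApi.core.alertsSummary(url);
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (String level : RISK_LEVELS) {
            String raw = summary.getStringValue(level);
            counts.put(level, raw == null ? 0 : Integer.parseInt(raw));
        }
        return counts;
    }

    /** True if any level from High down to and including the configured threshold has alerts. */
    static boolean breachesThreshold(Map<String, Integer> counts, String failAtOrAbove) {
        for (String level : RISK_LEVELS) {
            if (counts.getOrDefault(level, 0) > 0) {
                return true;
            }
            if (level.equals(failAtOrAbove)) {
                break;
            }
        }
        return false;
    }

    /** Same shape as the exception text in the post: the page, one line per risk level, the report path. */
    static String summaryMessage(String url, Map<String, Integer> counts, String reportPath) {
        StringBuilder sb = new StringBuilder("Page ").append(url).append(System.lineSeparator());
        counts.forEach((level, n) -> sb.append(level).append(" Risk count: ").append(n).append(System.lineSeparator()));
        return sb.append("please check: ").append(reportPath).toString();
    }

    /** Always write the HTML report (even on a pass), then fail the test if the counts breach the threshold. */
    public void checkRiskCount(String url) throws ClientApiException, IOException {
        Map<String, Integer> counts = riskCounts(url);
        Path report = Paths.get(reportPath);
        if (report.getParent() != null) {
            Files.createDirectories(report.getParent());
        }
        Files.write(report, clientApi.core.htmlreport());   // htmlreport() returns the rendered report as byte[]
        String message = summaryMessage(url, counts, reportPath);
        if (breachesThreshold(counts, failAtOrAbove)) {
            throw new IllegalStateException(message);
        }
        System.out.println(message);
    }
}
```

In BaseSecurity you would construct it once, for example `new ZapRiskGate(clientApi, securityTestReportPath, "Medium")`, call `waitUntilReady(30_000)` before the first `getDriver()`, and have the test's `checkRiskCount(REG_URL)` delegate to it. Writing the report before deciding pass or fail is deliberate: the HTML report is what a reviewer opens to triage the 41 Medium findings, so it must exist whether or not the build breaks. Treat Low and Informational as review items rather than build breakers to avoid alert fatigue, and remember that juice-shop is OWASP's deliberately vulnerable training app, so non-zero counts against it are expected.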
Ref:
https://saucelabs.com/blog/discovering-security-vulnerabilities-with-selenium
https://medium.com/datadriveninvestor/automated-security-tests-with-owasp-zap-c5326c9970a6
https://www.securify.nl/blog/using-owasp-zap-selenium-and-jenkins-to-automate-your-security-tests