Apart from all the manual pentest efforts let me traverse all the readers regarding how we had successfully integrated automated security scanning of the websites with our CI integrated selenium test cases, through this blog. So…It was a month back when we thought to integrate our selenium test cases with the OWASP ZAP security scan.
If some of the readers are not aware what is OWASP ZAP let me brief you about the same. OWASP ZAP is the most popular free security tool. It can help you to automatically find security vulnerabilities in your web applications and also a great tool for manual security testing.
At first let’s start by understanding the manual security test process that we had integrated with the selenium. So there is active scanning of the web applications functionality provided by ZAP tool. You can simply enter the web application URL and then start the scanning manually from the OWASP ZAP tool. Basically OWASP ZAP is working with the proxy settings. So all scanning process is done through the proxy settings. This is all about the manual process for the security scan.
Next task is how to integrate scanning with our existing selenium test suite. First thing was to run the selenium test case through the browser proxy. So we did that by applying some driver capabilities in the selenium test case code. Please note that with the execution of test case you must have ZAP tool running in background. Refer below sample code for that:
As you can see the driver capabilities is set with the ip address and port number which are same as that in ZAP which is running. And the last part of this integration was to generate the PDF file containing the results of security scan of the selenium test cases. For that we have used the ZAP api to export the results in PDF file. These PDF files are attached with the daily selenium test case results in slack.
As it was a new/different kind of task for me, I was not aware about how can we achieve this in any CI because in local machine you can easily run the ZAP interface. Then I asked some of the volunteers around the globe and found that we just need to run the ZAP instance using .bat or .sh file in the build step.
So that’s all about my workaround during integration of ZAP security scan with selenium test cases. Thanks for reading.