Automate ZAP Security Tests With Selenium WebDriver
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular web application security testing tools. It is free and open source, and it is contributed to and maintained by OWASP. It is intended for both newcomers to application security and professional penetration testers, and it helps you find the security vulnerabilities in your application.
Why use OWASP Zed Attack Proxy?
Security testing is a vital part of web application testing. Here are the OWASP top 10 security threats that your website/application might face:
- SQL injection
- Broken authentication and session management
- Cross-site scripting (XSS)
- Broken access control
- Security misconfiguration
- Sensitive data exposure
- Insufficient attack protection
- Cross-site request forgery (CSRF)
- Using components with known vulnerabilities
- Underprotected APIs
OWASP Zed Attack Proxy provides you with the ability to detect these threats. And it’s open-source, so you can use it free of charge.
Beyond that, ZAP is an easy-to-use tool. Here are some more reasons for using ZAP:
- Ideal for both beginners and professionals
- Cross-platform — works across all OS (Linux, Mac, Windows)
- Reusable
- Can generate reports of the results
How does it work?
ZAP runs as a proxy server and routes your website traffic through it. It includes automated scanners that help you detect vulnerabilities in your website.
Additionally, the OWASP community exposes ZAP's functionality through an API, which allows ZAP to integrate with other tools and frameworks.
Installation and Pre-Requisites:
- Eclipse IDE
- Download the latest Chrome driver for browser automation from https://sites.google.com/a/chromium.org/chromedriver/downloads
- Download and Install OWASP ZAP from https://github.com/zaproxy/zaproxy/wiki/Downloads
- ZAP API jar files from https://github.com/continuumsecurity/zap-webdriver/tree/master/libs
Please note: It is not legal to perform penetration testing on publicly hosted applications. Please do not perform security scans on applications without appropriate permissions.
For testing purposes, use sample test applications, deploy them in local environments, and perform security scans.
Steps:
1. In Eclipse, create a new Maven project with the name: ZapSeleniumIntegration
2. Create packages and classes as given below:
3. Download the ZAP API jar files (harlib-1.1.1.jar, proxy-2.4.2-SNAPSHOT.jar, zap-api-2.4-v6.jar) and place them in the libs folder.
4. log4j.properties
Configured to capture log messages in the Eclipse console. It can also be modified to capture log messages in external files.
5. pom.xml
Configured plugins and dependencies that are required by Selenium and the ZAP integration project.
6. objectRepository.properties
An object repository is a centralized storage of locators in the form of objects. The property file stores information in a key-value pair format.
7. Locator.java
Read data from objectRepository.properties
8. BrowserDriverFactory.java
The below code represents creation and configuration of chrome driver with proxy, driver path, and SSL certificates access.
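The following is an added example of such a factory, not the code from the original project. It assumes Selenium 3.5 or later, a ZAP instance listening on its default address localhost:8080, and the package name com.example.zapselenium (hypothetical). Two details matter for a meaningful scan: HTTPS traffic must also be proxied (otherwise ZAP never sees it), and Chrome must be told not to bypass the proxy for loopback addresses, because the page recommends deploying the test application locally.

```java
// BrowserDriverFactory.java (added example; assumes Selenium 3.5+ and ZAP on localhost:8080)
package com.example.zapselenium;   // hypothetical package name

import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;
import org.openqa.selenium.remote.CapabilityType;

public final class BrowserDriverFactory {

    // ZAP's default listen address; must match Tools > Options > Local Proxies in the ZAP UI.
    public static final String ZAP_HOST = "localhost";
    public static final int ZAP_PORT = 8080;

    private BrowserDriverFactory() {}

    /** Builds a ChromeDriver whose HTTP and HTTPS traffic is routed through ZAP. */
    public static WebDriver createChromeDriverThroughZap(String chromeDriverPath) {
        // Path to the chromedriver binary downloaded in the prerequisites.
        System.setProperty("webdriver.chrome.driver", chromeDriverPath);

        String zapAddress = ZAP_HOST + ":" + ZAP_PORT;
        Proxy proxy = new Proxy();
        proxy.setHttpProxy(zapAddress);
        // HTTPS must also go through ZAP, or the encrypted part of the app is invisible to the scanner.
        proxy.setSslProxy(zapAddress);

        ChromeOptions options = new ChromeOptions();
        options.setCapability(CapabilityType.PROXY, proxy);

        // ZAP re-signs TLS certificates with its own root CA, so the browser must either trust
        // that CA or accept the certificates. Accepting them is acceptable only because this
        // browser instance is dedicated to testing and never used for normal browsing.
        options.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true);
        options.addArguments("--ignore-certificate-errors");

        // Chrome bypasses the proxy for localhost/127.0.0.1 by default. A locally deployed test
        // application would therefore never reach ZAP; "<-loopback>" removes that implicit bypass.
        options.addArguments("--proxy-bypass-list=<-loopback>");

        return new ChromeDriver(options);
    }
}
```

If ZAP is configured to listen on a different port, change ZAP_PORT here as well; the proxy settings in the test code and in the ZAP interface must agree, as step 11 below notes.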
9. Login.java
The below code represents methods used to automate business functionalities in the test application.
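The listing below is an added example covering the objectRepository.properties, Locator.java and Login.java steps together; it is not the original project's code. It assumes the properties file is on the classpath (for example under src/main/resources), that each entry has the form "strategy:value", and that the test application's login page has the elements named in the constructed sample; the class and method names are assumptions. The two classes are shown in one listing but belong in the two files Locator.java and Login.java.

```java
// Locator.java and Login.java (added example; assumes objectRepository.properties on the classpath)
package com.example.zapselenium;   // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;

/** Reads locators from objectRepository.properties so tests never hard-code them. */
final class Locator {
    // Constructed sample of objectRepository.properties (key = strategy:value):
    //   login.username = id:username
    //   login.password = id:password
    //   login.submit   = css:button[type='submit']
    //   home.welcome   = xpath://h1[contains(text(),'Welcome')]
    private static final Properties REPO = new Properties();

    static {
        try (InputStream in = Locator.class.getClassLoader()
                .getResourceAsStream("objectRepository.properties")) {
            if (in == null) {
                throw new IllegalStateException("objectRepository.properties not found on classpath");
            }
            REPO.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read object repository", e);
        }
    }

    private Locator() {}

    /** Translates a "strategy:value" entry from the repository into a Selenium By. */
    static By get(String key) {
        String raw = REPO.getProperty(key);
        if (raw == null) {
            throw new IllegalArgumentException("no locator for key " + key);
        }
        int sep = raw.indexOf(':');
        if (sep < 1) {
            throw new IllegalArgumentException("locator must be strategy:value, got " + raw);
        }
        String strategy = raw.substring(0, sep).trim();
        String value = raw.substring(sep + 1).trim();   // value may itself contain ':' (e.g. xpath)
        switch (strategy) {
            case "id":    return By.id(value);
            case "name":  return By.name(value);
            case "css":   return By.cssSelector(value);
            case "xpath": return By.xpath(value);
            default: throw new IllegalArgumentException("unknown locator strategy " + strategy);
        }
    }
}

/** Page object for the test application's login flow. */
public class Login {
    private final WebDriver driver;

    public Login(WebDriver driver) {
        this.driver = driver;
    }

    public void open(String loginUrl) {
        driver.get(loginUrl);
    }

    /** Performs the business login; all requests it triggers flow through ZAP. */
    public void loginAs(String user, String password) {
        driver.findElement(Locator.get("login.username")).clear();
        driver.findElement(Locator.get("login.username")).sendKeys(user);
        driver.findElement(Locator.get("login.password")).sendKeys(password);
        driver.findElement(Locator.get("login.submit")).click();
    }

    /** True when the post-login landing page element is present. */
    public boolean isLoggedIn() {
        return !driver.findElements(Locator.get("home.welcome")).isEmpty();
    }
}
```

Keeping locators in the repository means a UI change is fixed in one place, and the security test keeps exercising the authenticated part of the application instead of silently scanning only the login page.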
10. ZapLoginTest.java
The below code represents utility methods and test methods used to perform security tests with ZAP APIs.
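As an added example of that test class (not the original project's code), the listing below talks to ZAP's HTTP API directly with java.net instead of the zap-api client jar, so it needs no extra dependency beyond Selenium and JUnit 4. It assumes ZAP on localhost:8080 with the API key disabled (as step 11 requires), a locally deployed test application at the placeholder TARGET with placeholder credentials, the package name com.example.zapselenium, and a BrowserDriverFactory.createChromeDriverThroughZap method and a Login page object with open/loginAs/isLoggedIn methods, which are assumed names for the classes described in steps 8 and 9. The JSON handling is a deliberately minimal regex; a real project would use a JSON library.

```java
// ZapLoginTest.java (added example; calls ZAP's HTTP API directly, API key disabled)
package com.example.zapselenium;   // hypothetical package name

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.openqa.selenium.WebDriver;

public class ZapLoginTest {
    private static final String ZAP_API = "http://localhost:8080";      // ZAP proxy/API address
    private static final String TARGET = "http://localhost:3000/";        // placeholder test application
    private static final String CHROMEDRIVER = "/path/to/chromedriver";   // placeholder path
    private static WebDriver driver;

    @BeforeClass
    public static void startBrowser() {
        driver = BrowserDriverFactory.createChromeDriverThroughZap(CHROMEDRIVER);
    }

    @AfterClass
    public static void stopBrowser() {
        if (driver != null) driver.quit();
    }

    // ---- utility methods around the ZAP API ----

    /** GETs an API endpoint with name/value query pairs and returns the body (JSON or HTML). */
    static String zapGet(String path, String... queryPairs) throws IOException {
        StringBuilder url = new StringBuilder(ZAP_API).append(path).append('?');
        for (int i = 0; i + 1 < queryPairs.length; i += 2) {
            url.append(URLEncoder.encode(queryPairs[i], "UTF-8")).append('=')
               .append(URLEncoder.encode(queryPairs[i + 1], "UTF-8")).append('&');
        }
        // If the API key were enabled, "apikey", KEY would be appended here as one more pair.
        HttpURLConnection conn = (HttpURLConnection) new URL(url.toString()).openConnection();
        try (InputStream in = conn.getInputStream(); ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
            return new String(buf.toByteArray(), StandardCharsets.UTF_8);
        }
    }

    /** Extracts a single string field such as "scan":"0" from a ZAP JSON response (minimal parser). */
    static String jsonField(String json, String field) {
        Matcher m = Pattern.compile("\"" + field + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("field " + field + " missing in " + json);
        return m.group(1);
    }

    /** Starts a spider ("spider") or active scan ("ascan") and blocks until ZAP reports 100%. */
    static void runScan(String component, String... params) throws Exception {
        String scanId = jsonField(zapGet("/JSON/" + component + "/action/scan/", params), "scan");
        String status;
        do {
            Thread.sleep(2000);
            status = jsonField(zapGet("/JSON/" + component + "/view/status/", "scanId", scanId), "status");
        } while (Integer.parseInt(status) < 100);
    }

    /** Counts ZAP alerts for the target per risk level (High, Medium, Low, Informational). */
    static Map<String, Integer> alertsByRisk() throws IOException {
        String json = zapGet("/JSON/core/view/alerts/", "baseurl", TARGET);
        Map<String, Integer> counts = new TreeMap<>();
        Matcher m = Pattern.compile("\"risk\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        while (m.find()) counts.merge(m.group(1), 1, Integer::sum);
        return counts;
    }

    // ---- the security test itself ----

    @Test
    public void loginFlowHasNoHighRiskAlerts() throws Exception {
        // 1. Drive the real login through the proxy so ZAP records the authenticated traffic.
        Login login = new Login(driver);
        login.open(TARGET + "login");
        login.loginAs("testuser", "testpass");   // placeholder credentials
        Assert.assertTrue("login failed; the scan would only cover unauthenticated pages", login.isLoggedIn());

        // 2. Spider from what ZAP has already seen, then actively scan the discovered pages.
        runScan("spider", "url", TARGET);
        runScan("ascan", "url", TARGET, "recurse", "true");

        // 3. Collect results and persist the HTML report next to Maven's other build output.
        Map<String, Integer> counts = alertsByRisk();
        System.out.println("Alerts by risk: " + counts);
        Files.createDirectories(Paths.get("target"));
        Files.write(Paths.get("target", "zap-report.html"),
                zapGet("/OTHER/core/other/htmlreport/").getBytes(StandardCharsets.UTF_8));

        Assert.assertEquals("high-risk alerts found", 0, (int) counts.getOrDefault("High", 0));
    }
}
```

The order matters: the browser session must reach ZAP first, because the active scan only attacks URLs already present in ZAP's site tree, and the login assertion guards against the common failure where the scan quietly runs unauthenticated. Failing the build on High-risk alerts makes the security check a gate rather than a report nobody reads.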
11. Open ZAP stand-alone interface and verify the settings mentioned below
- Proxy details in the ZapSecurityTest.java class must match proxy details in ZAP stand-alone interface with the Options as highlighted:
- The API key must be disabled:
12. Execute the project
Note: Before executing the project, open the ZAP stand-alone interface in the background.
13. Console Output
14. Zap interface result
All the security vulnerabilities are listed.
15. HTML Report