Security testing using Selenium and OWASP ZAP

What is OWASP?

OWASP Top Ten — 2021

Install OWASP ZAP

Maven dependencies

<dependency>
    <groupId>org.seleniumhq.selenium</groupId>
    <artifactId>selenium-java</artifactId>
    <version>3.141.59</version>
</dependency>
<dependency>
    <groupId>org.testng</groupId>
    <artifactId>testng</artifactId>
    <version>7.3.0</version>
    <scope>compile</scope>
</dependency>
<dependency>
    <groupId>io.github.bonigarcia</groupId>
    <artifactId>webdrivermanager</artifactId>
    <version>5.1.1</version>
    <scope>test</scope>
</dependency>
<dependency>
    <groupId>org.zaproxy</groupId>
    <artifactId>zap-clientapi</artifactId>
    <version>1.10.0</version>
    <scope>test</scope>
</dependency>

Selenium Sample Test Class

import java.io.File;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeOptions;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

import io.github.bonigarcia.wdm.WebDriverManager;

public class SecurityTest {

    // ZAP listens here; the browser is pointed at it as its HTTP and HTTPS proxy
    static final String ZAP_PROXY_ADDRESS = "localhost";
    static final int ZAP_PROXY_PORT = 8080;
    // Copy the key from ZAP (Tools > Options > API); see "How to get ZAP Proxy API Key" below
    static final String ZAP_API_KEY = "<--ZAP-PROXY-KEY-->";

    WebDriver driver;

    ClientApi api;

    @BeforeMethod
    public void setup() {
        String proxyStr = ZAP_PROXY_ADDRESS + ":" + ZAP_PROXY_PORT;
        // Fail fast if ZAP is not running; otherwise every proxied request would just time out
        Assert.assertTrue(isOnline("http://" + proxyStr), "ZAP is not reachable at " + proxyStr);

        Proxy proxy = new Proxy();
        proxy.setHttpProxy(proxyStr);
        proxy.setSslProxy(proxyStr);

        ChromeOptions options = new ChromeOptions();
        // ZAP re-signs TLS certificates with its own root CA, so the browser must accept them
        options.setAcceptInsecureCerts(true);
        options.setProxy(proxy);

        // WebDriverManager resolves a matching chromedriver and builds the driver with these options
        driver = WebDriverManager.chromedriver().capabilities(options).create();

        api = new ClientApi(ZAP_PROXY_ADDRESS, ZAP_PROXY_PORT, ZAP_API_KEY);
    }

    @AfterMethod
    public void teardown() throws ClientApiException {
        if (api != null) {
            // Ask ZAP (reports add-on) to write an HTML report into the working directory
            String title = "My ZAP report";
            String template = "traditional-html";
            String description = "This is a sample report";
            String reportfilename = "zap-report.html";
            String targetFolder = new File("").getAbsolutePath();
            ApiResponse response = api.reports.generate(title, template, null, description, null, null, null,
                    null, null, reportfilename, null, targetFolder, null);
            System.out.println("ZAP report generated at: " + response.toString());
        }
        if (driver != null) {
            driver.quit();
        }
    }

    @Test
    public void testSecurity() {
        // Every request the browser makes now passes through ZAP and is passively scanned
        driver.get("https://juice-shop.herokuapp.com/");
        Assert.assertTrue(driver.getTitle().contains("OWASP Juice Shop"));
    }

    // Not shown in the original article: a minimal reachability check for the ZAP API endpoint.
    static boolean isOnline(String urlStr) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(urlStr).openConnection();
            conn.setConnectTimeout(2000);
            conn.setReadTimeout(2000);
            conn.setRequestMethod("GET");
            int code = conn.getResponseCode();
            conn.disconnect();
            return code > 0;
        } catch (IOException e) {
            return false;
        }
    }
}
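The sample test only asserts on the page title; whether ZAP actually found anything is left to reading the HTML report afterwards. The helper below is an added example, not code from the article, that turns ZAP's alert list into a pass/fail decision: it waits for the passive scanner to drain its queue (alerts are raised asynchronously, so counting them right after `driver.get` can miss some) and then fails the TestNG test if any alert at Medium risk or above exists for the target. It assumes the zap-clientapi 1.10.0 methods `api.pscan.recordsToScan()` and `api.alert.numberOfAlerts(baseurl, riskId)` and ZAP's risk ids (0 Informational, 1 Low, 2 Medium, 3 High); the class name, the 30 s timeout and the Medium threshold are my own choices.

```java
import org.testng.Assert;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

/** Added example: gates a Selenium-driven test on the alerts ZAP raised for the target. */
public class ZapAlertGate {

    // ZAP risk ids as used by the alert API: 0 = Informational, 1 = Low, 2 = Medium, 3 = High
    public static final int RISK_INFO = 0, RISK_LOW = 1, RISK_MEDIUM = 2, RISK_HIGH = 3;
    private static final String[] RISK_NAMES = {"Informational", "Low", "Medium", "High"};

    private final ClientApi api;

    public ZapAlertGate(ClientApi api) {
        this.api = api;
    }

    /**
     * The passive scanner processes proxied traffic in the background, so alerts may still be
     * in flight when the page has finished loading. Poll until the queue is empty or time runs out.
     */
    public void waitForPassiveScan(long timeoutMillis) throws ClientApiException, InterruptedException {
        long deadline = System.currentTimeMillis() + timeoutMillis;
        while (System.currentTimeMillis() < deadline) {
            // pscan/view/recordsToScan returns the number of messages still waiting to be scanned
            int pending = Integer.parseInt(((ApiResponseElement) api.pscan.recordsToScan()).getValue());
            if (pending == 0) {
                return;
            }
            Thread.sleep(500);
        }
        throw new IllegalStateException("ZAP passive scan did not finish within " + timeoutMillis + " ms");
    }

    /** Number of alerts ZAP holds for baseUrl at exactly the given risk level (assumed 1.10.0 signature). */
    public int alertCount(String baseUrl, int riskId) throws ClientApiException {
        ApiResponseElement resp =
                (ApiResponseElement) api.alert.numberOfAlerts(baseUrl, String.valueOf(riskId));
        return Integer.parseInt(resp.getValue());
    }

    /** One-line per-risk summary, e.g. "High=0 Medium=2 Low=3 Informational=5", for the failure message. */
    public String summary(String baseUrl) throws ClientApiException {
        StringBuilder sb = new StringBuilder();
        for (int risk = RISK_HIGH; risk >= RISK_INFO; risk--) {
            sb.append(RISK_NAMES[risk]).append('=').append(alertCount(baseUrl, risk)).append(' ');
        }
        return sb.toString().trim();
    }

    /** Fails the test when any alert at or above minRisk exists for baseUrl. */
    public void assertNoAlertsAtOrAbove(String baseUrl, int minRisk) throws ClientApiException {
        int offending = 0;
        for (int risk = minRisk; risk <= RISK_HIGH; risk++) {
            offending += alertCount(baseUrl, risk);
        }
        Assert.assertEquals(offending, 0,
                "ZAP raised " + offending + " alert(s) at " + RISK_NAMES[minRisk] + " risk or above for "
                        + baseUrl + " (" + summary(baseUrl) + ")");
    }

    /** Example use from SecurityTest: call after driver.get(...) and before the report is generated. */
    public static void checkTarget(ClientApi api, String target) throws ClientApiException, InterruptedException {
        ZapAlertGate gate = new ZapAlertGate(api);
        gate.waitForPassiveScan(30_000);
        gate.assertNoAlertsAtOrAbove(target, RISK_MEDIUM);
    }
}
```

Two caveats for anyone wiring this into the test above. The counts cover only what the passive scanner saw in the traffic the browser actually generated; nothing has been spidered or actively scanned, so a clean result means "no issues in the pages this test visited", not "no issues in the application". And OWASP Juice Shop is deliberately vulnerable, so gating it at Medium is expected to fail; against your own application the threshold is the policy decision, and the HTML report from `teardown` is where you read the individual findings behind a failed gate.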

How to get ZAP Proxy API Key

ZAP Proxy API Key

ZAP Report

IDE console
sample zap report

Analysis of Found Vulnerabilities


Nigel Mulholland