![Proxy proxy = new Proxy();
proxy.setHttpProxy("localhost:8081");
proxy.setSslProxy("localhost:8081");
DesiredCapabilities capabilities = DesiredCapabilities.chrome();
capabilities.setCapability("proxy", proxy);
[Selenium Tests here]
[Optionally, Security Tests here]
Proxying Selenium requests through ZAP
ZAP is run on localhost:8081](https://image.slidesharecdn.com/seleniumzap-200423014914/75/Automating-security-test-using-Selenium-and-OWASP-ZAP-Practical-DevSecOps-13-2048.jpg)
![Proxy proxy = new Proxy();
proxy.setHttpProxy("localhost:8081");
proxy.setSslProxy("localhost:8081");
DesiredCapabilities capabilities = DesiredCapabilities.chrome();
capabilities.setCapability("proxy", proxy);
[Selenium Tests here]
[Optionally, Security Tests here]
Proxying Selenium requests through ZAP
ZAP is run on localhost:8081](https://crownmelresort.com/image.slidesharecdn.com/seleniumzap-200423014914/75/Automating-security-test-using-Selenium-and-OWASP-ZAP-Practical-DevSecOps-13-2048.jpg)
Uploaded byMohammed A. Imran
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
The document introduces Srinivasarao Kotipalli, a cybersecurity expert with 8 years of experience, discussing the integration of OWASP ZAP with Selenium for automated security testing of web applications. It highlights the importance of using Selenium scripts for authentication in vulnerability scanning and outlines the process of proxying Selenium requests through ZAP in a CI/CD pipeline. Key takeaways include leveraging existing functional tests for security scans and the capabilities of OWASP ZAP as a trusted tool for discovering vulnerabilities.
More Related Content
![Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]](https://cdn.slidesharecdn.com/ss_thumbnails/zedattackproxy-171001165040-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
![[DevSecOps Live] DevSecOps: Challenges and Opportunities](https://cdn.slidesharecdn.com/ss_thumbnails/20200316dsochallengesopportunities-200416111818-thumbnail.jpg?width=640&height=640&fit=bounds)
![Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]](https://cdn.slidesharecdn.com/ss_thumbnails/agenticcommunityseries-day3-cfd-251120170304-ddef8112-thumbnail.jpg?width=640&height=640&fit=bounds)
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
- 2. • I amSrinivasarao Kotipalli • Lives in Singapore • 8 years of experience in Cyber Security • Authored Hacking Android – Packt Pub • OSCP & OSCE whoami
- 3. • Introduction toautomated vulnerability scans and their limitations. • How functional tests can be useful in performing powerful security tests. • Introduction to selenium and OWASP ZAP. • Proxying selenium tests through OWASP ZAP. • Invoking authenticated active scans using OWASP ZAP. • Obtaining scan reports. Agenda
- 4. OWASP ZAP (shortfor Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It can also run in a daemon mode which is then controlled via a REST API. Source: https://en.wikipedia.org/wiki/OWASP_ZAP Introduction to OWASP ZAP
- 5. • Many commercialtools are available • Maximum crawling and an active session are crucial for better coverage • They come with two most important features : 1. An option to record the login sequence 2. Manually explore the Web Application • Why are these features important? • DEMO Automated vulnerability scans
- 6. • Selenium automatesbrowsers. • Selenium comes in different flavors and we are specifically talking about Selenium Web Driver. • Commonly used for automation testing. • After the product is fully integrated, these tests are run to make sure that the application is working as expected. Introduction to Selenium
- 7. Commit Trigger Build Build Test Server Run Tests Security Tests StagingProduction CICD PIPELINE
- 8. So, what problemare we solving? • Login Pages in web Applications may stop Automated scanners. • Features that require authentication may not be properly scanned, with default scans. • QA teams are already writing scripts to properly crawl through the web apps. • Security teams may not leverage these QA automation scripts in security testing.
- 9. So, what problemare we solving? • knows how to login and crawl through important features. • knows how to find security issues in crawled pages. • Login Pages in web Applications may stop Automated scanners. • Features that require authentication may not be properly scanned, with default scans. Use them together to achieve better DAST
- 10. Commit Trigger Build Build Test Server Run Tests Security Tests StagingProduction CICD PIPELINE 1
- 11. Commit Trigger Build Build Test Server Run Tests + Security Tests StagingProduction CICD PIPELINE 2
- 12. Integrating Selenium andZAP in CICD pipeline • Launch ZAP – listens on a port • Proxy Selenium traffic through ZAP • Run functional tests (Passive scan is automatically done) • Invoke ZAP Active scan: • As a bash command from CI Server • As a python script on CI Server • As a test from Selenium • Get the results: • As a bash command from CI Server • As a python script on CI Server • As a test from Selenium https://www.zaproxy.org/docs/api/#introduction
- 13. Proxy proxy =new Proxy(); proxy.setHttpProxy("localhost:8081"); proxy.setSslProxy("localhost:8081"); DesiredCapabilities capabilities = DesiredCapabilities.chrome(); capabilities.setCapability("proxy", proxy); [Selenium Tests here] [Optionally, Security Tests here] Proxying Selenium requests through ZAP ZAP is run on localhost:8081
- 14. curl "http://localhost:8081/JSON/ascan/action/scan/?apikey=<ZAP_API_KEY>&url=<TARGET_URL>&r ecurse=true&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=" Start ZAP ActiveScan from command line ZAP is run on localhost:8081
- 15. curl "http://localhost:8081/JSON/ascan/view/status/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>" Start ZAP ActiveScan from command line ZAP is run on localhost:8081
- 16. curl "http://localhost:8081/OTHER/core/other/htmlreport/" -ozap.html curl "http://localhost:8081/OTHER/core/other/jsonreport/" -o zap.json curl "http://localhost:8081/OTHER/core/other/xmlreport/" -o zap.xml Get HTML/XML report from command line ZAP is run on localhost:8081 XML/JSON formats can be useful if you want to import the findings into a Vulnerability Management tool
- 17. Commit Trigger Build Build Test Server Run Tests Security Tests StagingProduction CICD PIPELINE 1 DEMO
- 18. Commit Trigger Build Build Test Server Run Tests + Security Tests StagingProduction CICD PIPELINE 2 DEMO
- 19. • You canpossibly take advantage of any functional testing framework to perform security scans. • If you have existing Selenium test cases written for your web apps, use them to drive security scans. • If you already spent time and efforts on writing Selenium scripts, you already explored the website for your scanner. Proxy the Selenium traffic through ZAP. • OWASP ZAP comes with the best and easy to use REST APIs, use them for DAST. • ZAP is an OWASP project, you can trust its abilities to discover common vulnerabilities. Key takeaways
- 20.