Security Testing using Selenium & ZAP

The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing.

API Details: https://github.com/zaproxy/zaproxy/wiki/ApiDetails

GitHub Repo: https://github.com/vinay-qa/zap-webdriver

Setup:

Overview

Steps:

1. Download ZAP and install it.
2. It generally runs on port 8080. Change your browser's proxy settings to localhost and port 8080.
3. You can also use tools like FoxyProxy to do the same.
4. Test a web app and check whether ZAP is able to see your navigation on the History tab.
5. Create a new Firefox profile and make sure the proxy settings are working on that profile.
6. Launch the browser with the profile:

    import java.util.concurrent.TimeUnit;
    import org.openqa.selenium.JavascriptExecutor;
    import org.openqa.selenium.WebDriver;
    import org.openqa.selenium.firefox.FirefoxDriver;
    import org.openqa.selenium.firefox.FirefoxProfile;
    import org.openqa.selenium.firefox.internal.ProfilesIni;

    // Load the Firefox profile whose proxy points at ZAP (localhost:8080)
    ProfilesIni pf = new ProfilesIni();
    FirefoxProfile profile = pf.getProfile("default");
    WebDriver driver = new FirefoxDriver(profile);
    driver.manage().timeouts().implicitlyWait(60, TimeUnit.SECONDS);
    driver.navigate().to(testData); // testData holds the URL of the app under test
    driver.manage().window().maximize();
    ((JavascriptExecutor) driver).executeScript("window.focus()");

7. Run your tests with ZAP working in the background.
8. Finally, here is your security report in JSON format: access all of the alerts via the ZAP API in JSON or XML format. If you enable the API (via the options) you can then access a URL like:
   To get all of the alerts reported on http://www.example.com
9. Use a JSON viewer such as http://codebeautify.org/jsonviewer to view all the alerts that you need.
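As an added example (not code from the post or from the zap-webdriver repo), here is a Python script that does step 8 programmatically instead of through a JSON viewer: it reads the alerts returned by ZAP's JSON API (the /JSON/core/view/alerts/ view of the core API), tallies them by risk level and fails a test run when anything at or above a chosen risk level was reported. The fetch_alerts helper, the localhost:8080 address and the optional apikey parameter are assumptions matching the setup above, and the embedded alerts JSON is a constructed sample so the script runs offline.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter

# Constructed sample of the shape ZAP's alerts view returns
# (real responses carry more fields per alert).
SAMPLE_ALERTS_JSON = """{"alerts": [
  {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
   "url": "http://www.example.com/", "param": "", "pluginId": "10020"},
  {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium",
   "url": "http://www.example.com/search?q=test", "param": "q", "pluginId": "40012"},
  {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "confidence": "Medium",
   "url": "http://www.example.com/login", "param": "session", "pluginId": "10010"}
]}"""

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def fetch_alerts(base_url, zap="http://localhost:8080", api_key=None, count=1000):
    """Pull alerts for base_url from a running ZAP over its JSON API (assumed helper)."""
    params = {"baseurl": base_url, "start": 0, "count": count}
    if api_key:
        params["apikey"] = api_key
    url = f"{zap}/JSON/core/view/alerts/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["alerts"]

def parse_alerts(raw_json):
    """Parse a saved alerts response (e.g. the JSON from step 8) into a list."""
    return json.loads(raw_json)["alerts"]

def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 1, 'Low': 1}."""
    return dict(Counter(a["risk"] for a in alerts))

def build_gate(alerts, threshold="High"):
    """Return (passed, offending): passed is False if any alert is at/above threshold."""
    level = RISK_ORDER[threshold]
    offending = [a for a in alerts if RISK_ORDER.get(a["risk"], 0) >= level]
    return (len(offending) == 0, offending)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS_JSON)
    print(summarize(alerts))
    passed, bad = build_gate(alerts, "High")
    for a in bad:
        print(f"[{a['risk']}] {a['alert']} at {a['url']} (param={a['param'] or '-'})")
    print("PASS" if passed else "FAIL")
```

Against a live ZAP, replace parse_alerts(SAMPLE_ALERTS_JSON) with fetch_alerts("http://www.example.com") once your Selenium run has finished.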
