Blog

Selenium Security Testing: OWASP ZAP Integration

How can we test possible security vulnerabilities of a website while running automated functional tests?  Is my software functional if it has a security issue? In this article, we detail how to integrate Selenium and OWASP ZAP to achieve efficient and quality security testing with Selenium.

Selenium Security Testing

Before we dive into the integration to perform security testing with Selenium, we would like to stop for a moment to talk about OWASP. And specifically about OWASP ZAP (Zed Attack Proxy).

What is OWASP ZAP and How Does it Help to Achieve Security Testing?

OWASP is a leading organization and community in web security, and now also mobile securityIt proposes an open-source and collaborative methodology for security audits. This ensures the regular review of a project to minimize errors and risks.

OWASP’s work is critical in an era when it is becoming increasingly urgent to get IT security right. According to the World Economic Forum’s Global Risks Report 2023, technology will “exacerbate inequalities” while “cybersecurity risks will remain a constant concern” over the next 10 years.

Global risks ranked by severity over the short and long term. Image: World Economic Forum

Security testing with Selenium, thanks to the integration with OWASP ZAP, is a great step that will allow us to save time since we will be able to take advantage of the automated functional tests to detect possible vulnerabilities.

OWASP ZAP is an open-source web application security testing tool used to identify vulnerabilities and provide a comprehensive security assessment.

Selenium Security Testing – OWASP ZAP features include:

✅Automated Vulnerability Scanning

This type of automated testing process can help you detect issues such as SQL injection, XSS, session vulnerabilities, authentication vulnerabilities, and more.

Multi-Protocol Support

Supports HTTP, HTTPS, and TCP.

✅Proxy Interceptor

Acts as a proxy between the browser and the web application. This allows for intercepting and modifying requests and responses.

✅Manual Browse Mode  

Allows you to manually browse web applications. This mode is particularly useful when performing functional testing on specific and custom functionality.

✅Detailed Reports

Provides detailed reports on detected vulnerabilities. This includes information on the severity of the vulnerability and suggestions on how to fix it.

✅Integration with Other Systems

Can integrate with other security testing and test automation systems, such as Jenkins, Selenium, etc.

✅Multiplatform Support

It is compatible with Windows, Linux, and Mac OS X.

✅Customization and Extensibility

It is highly customizable and extensible. This allows users to add their own test scripts and adjust the tool to meet their specific needs.

OWASP ZAP – Selenium Integration

This project aims to achieve security testing with Selenium. To combine ZAP with Selenium, you must first have a Selenium project. You need to configure the ZAP proxy in the Selenium project scripts so that all HTTP requests that our site under test makes are sent through ZAP.

Below, we share a step-by-step guide on how to achieve this integration, to achieve security testing with Selenium:

1. Install OWASP ZAP (version 2.10.0 or higher)  

The easiest way is to install the ZAP GUI but it can be done by raising the proxy with Docker.

2. Get OWASP ZAP Started

Configure the port and IP address for Selenium to connect to. By default, the IP will be localhost and the port will be 8080. To get the API KEY, open the GUI, and go to Tools > Options > API, and copy the string found in the API Key input.

3. Configure Selenium to Use the ZAP Proxy

Stop a Selenium project created with its dependencies configured correctly and add the proxy with the following code:

@BeforeMethod
public void setup(){ 
   String proxyServerUrl = ZAP_PROXY_ADDRESS + ":" + ZAP_PROXY_PORT; 
   Proxy proxy = new Proxy();
   proxy.setHttpProxy(proxyServerUrl); 
   proxy.setSslProxy(proxyServerUrl); 

   ChromeOptions co = new ChromeOptions(); 
   co.setAcceptInsecureCerts(true); 
   co.setProxy(proxy); 
   WebDriverManager.chromedriver().setup(); 
   driver = new ChromeDriver(co); 

   api = new ClientApi(ZAP_PROXY_ADDRESS, ZAP_PROXY_PORT, ZAP_API_KEY);
}

4. Generate a Report

After running the tests, you can generate a detailed report of the vulnerabilities detected by ZAP in the tearDown method (or whatever it is called in each case.)

@AfterMethod
public void tearDown() throws Exception{ 
   if (api != null) { 
      String title = "POC ZAP Selenium - Abstracta"; 
      String template = "traditional-html"; 
      String description = "This is a ZAP test report"; 
      String reportfilename = "abstracta-web-security-report.html"; 
      String targetFolder = System.getProperty("user.dir"); 
      try { 
         ApiResponse res = api.reports.generate(title, template, null, 
         description, null, null, null,null, null, reportfilename,null, 
         targetFolder,null); 
         System.out.println("ZAP report generated here: " + res.toString());
      } catch (ClientApiException ex) { 
         throw new Exception(ex);
      } 
   }
}

To have a quick demo of its operation and test the integration of ZAP with Selenium (Selenium test), we share a proof of concept in our GitHub. Don’t hesitate to try it and contact us if you have any questions!

How to Take The Security of Your Mobile Apps to the Next Level of OWASP? Don’t miss this article!

In need of help with security testing?

We are quality partners! Learn more about our solutions here! Contact us to discuss how we can help you grow your business.

Contact us

Follow us on Linkedin & X to be part of our community!

391 / 463

Leave a Reply

Required fields are marked