How can we test possible security vulnerabilities of a website while running automated functional tests? Is my software functional if it has a security issue? In this article, we detail how to integrate Selenium and OWASP ZAP to achieve efficient and quality security testing with Selenium.
Before we dive into the integration to perform security testing with Selenium, we would like to stop for a moment to talk about OWASP. And specifically about OWASP ZAP (Zed Attack Proxy).
What is OWASP ZAP and How Does it Help to Achieve Security Testing?
OWASP is a leading organization and community in web security, and now also mobile security. It proposes an open-source and collaborative methodology for security audits. This ensures the regular review of a project to minimize errors and risks.
OWASP’s work is critical in an era when it is becoming increasingly urgent to get IT security right. According to the World Economic Forum’s Global Risks Report 2023, technology will “exacerbate inequalities” while “cybersecurity risks will remain a constant concern” over the next 10 years.
Security testing with Selenium, thanks to the integration with OWASP ZAP, is a great step that will allow us to save time since we will be able to take advantage of the automated functional tests to detect possible vulnerabilities.
OWASP ZAP is an open-source web application security testing tool used to identify vulnerabilities and provide a comprehensive security assessment.
Selenium Security Testing – OWASP ZAP features include:
✅Automated Vulnerability Scanning
This type of automated testing process can help you detect issues such as SQL injection, XSS, session vulnerabilities, authentication vulnerabilities, and more.
✅Multi-Protocol Support
Supports HTTP, HTTPS, and TCP.
✅Proxy Interceptor
Acts as a proxy between the browser and the web application. This allows for intercepting and modifying requests and responses.
✅Manual Browse Mode
Allows you to manually browse web applications. This mode is particularly useful when performing functional testing on specific and custom functionality.
✅Detailed Reports
Provides detailed reports on detected vulnerabilities. This includes information on the severity of the vulnerability and suggestions on how to fix it.
✅Integration with Other Systems
Can integrate with other security testing and test automation systems, such as Jenkins, Selenium, etc.
✅Multiplatform Support
It is compatible with Windows, Linux, and Mac OS X.
✅Customization and Extensibility
It is highly customizable and extensible. This allows users to add their own test scripts and adjust the tool to meet their specific needs.
OWASP ZAP – Selenium Integration
This project aims to achieve security testing with Selenium. To combine ZAP with Selenium, you must first have a Selenium project. You need to configure the ZAP proxy in the Selenium project scripts so that all HTTP requests that our site under test makes are sent through ZAP.
Below, we share a step-by-step guide on how to achieve this integration, to achieve security testing with Selenium:
1. Install OWASP ZAP (version 2.10.0 or higher)
The easiest way is to install the ZAP GUI but it can be done by raising the proxy with Docker.
2. Get OWASP ZAP Started
Configure the port and IP address for Selenium to connect to. By default, the IP will be localhost and the port will be 8080. To get the API KEY, open the GUI, and go to Tools > Options > API, and copy the string found in the API Key input.
3. Configure Selenium to Use the ZAP Proxy
Stop a Selenium project created with its dependencies configured correctly and add the proxy with the following code:
@BeforeMethod
public void setup(){
String proxyServerUrl = ZAP_PROXY_ADDRESS + ":" + ZAP_PROXY_PORT;
Proxy proxy = new Proxy();
proxy.setHttpProxy(proxyServerUrl);
proxy.setSslProxy(proxyServerUrl);
ChromeOptions co = new ChromeOptions();
co.setAcceptInsecureCerts(true);
co.setProxy(proxy);
WebDriverManager.chromedriver().setup();
driver = new ChromeDriver(co);
api = new ClientApi(ZAP_PROXY_ADDRESS, ZAP_PROXY_PORT, ZAP_API_KEY);
}4. Generate a Report
After running the tests, you can generate a detailed report of the vulnerabilities detected by ZAP in the tearDown method (or whatever it is called in each case.)
@AfterMethod
public void tearDown() throws Exception{
if (api != null) {
String title = "POC ZAP Selenium - Abstracta";
String template = "traditional-html";
String description = "This is a ZAP test report";
String reportfilename = "abstracta-web-security-report.html";
String targetFolder = System.getProperty("user.dir");
try {
ApiResponse res = api.reports.generate(title, template, null,
description, null, null, null,null, null, reportfilename,null,
targetFolder,null);
System.out.println("ZAP report generated here: " + res.toString());
} catch (ClientApiException ex) {
throw new Exception(ex);
}
}
}
To have a quick demo of its operation and test the integration of ZAP with Selenium (Selenium test), we share a proof of concept in our GitHub. Don’t hesitate to try it and contact us if you have any questions!
How to Take The Security of Your Mobile Apps to the Next Level of OWASP? Don’t miss this article!
In need of help with security testing?
We are quality partners! Learn more about our solutions here! Contact us to discuss how we can help you grow your business.
Security Testing in Continuous Integration with VAddy
Integrate VAddy with your CI tools for robust security checks, automatically If you have Continuous Integration in place, it’s a great idea to add in some security checks to the pipeline. We all know about the threat that hacks and data breaches pose for every…
7 Security Testing Tools to Try Now
It’s never too soon to assess the security of your application with these great penetration testing tools Remember the Equifax breach in 2017 which affected nearly one in three Americans? Or the 2018 Marriott breach that compromised 500 million accounts in its database? It’s very…
Read the Ultimate Guide to Continuous Testing
Abstracta
