{"id":15798,"date":"2023-11-29T17:15:07","date_gmt":"2023-11-29T17:15:07","guid":{"rendered":"http:\/\/abstracta.us\/blog\/?p=15798"},"modified":"2025-05-05T21:19:07","modified_gmt":"2025-05-05T21:19:07","slug":"selenium-security-testing-owasp-zap-integration","status":"publish","type":"post","link":"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/","title":{"rendered":"Selenium Security Testing: OWASP ZAP Integration"},"content":{"rendered":"\n<p>How can we test possible security vulnerabilities of a website while running automated functional tests?&nbsp; Is my software functional if it has a security issue? In this article, we detail how to integrate Selenium and OWASP ZAP to achieve efficient and quality security testing with Selenium.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/abstracta.us\/wp-content\/uploads\/2023\/05\/image-46.png\" alt=\"Selenium Security Testing \"\/><\/figure>\n\n\n\n<p>Before we dive into the integration to perform security testing with Selenium, we would like to stop for a moment to talk about OWASP. And specifically about OWASP ZAP (Zed Attack Proxy).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_OWASP_ZAP_and_How_Does_it_Help_to_Achieve_Security_Testing\"><\/span>What is OWASP ZAP and How Does it Help to Achieve Security Testing?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>OWASP is a leading organization and community in web security, and now also <\/strong><a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/\"><strong>mobile security<\/strong><\/a><strong>.&nbsp;<\/strong>It proposes an open-source and collaborative methodology for security audits. 
This ensures the regular review of a project to minimize errors and risks.<\/p>\n\n\n\n<p>OWASP&#8217;s work is critical in an era when it is becoming increasingly urgent to get IT security right. According to the World Economic Forum&#8217;s&nbsp;<a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www3.weforum.org\/docs\/WEF_Global_Risks_Report_2023.pdf\">Global Risks Report 2023<\/a>, technology will \u201cexacerbate inequalities\u201d while&nbsp;<strong>\u201ccybersecurity risks will remain a constant concern\u201d&nbsp;<\/strong>over the next 10 years.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/abstracta.us\/wp-content\/uploads\/2023\/05\/image-45-1024x655.png\" alt=\"Global risks ranked by severity over the short and long term. Image: World Economic Forum\"\/><\/figure>\n\n\n\n<p><strong>Security testing with Selenium, thanks to the integration with OWASP ZAP, is a great step that will allow us to save time since we will be able to take advantage of the automated functional tests to detect possible vulnerabilities.<\/strong><\/p>\n\n\n\n<p><strong>OWASP ZAP is an open-source web application security testing tool used to identify vulnerabilities and provide a comprehensive security assessment.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Selenium_Security_Testing_%E2%80%93_OWASP_ZAP_features_include\"><\/span><strong>Selenium Security Testing &#8211; OWASP ZAP features include:<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u2705Automated Vulnerability Scanning<\/strong><\/h4>\n\n\n\n<p>This type of automated testing process can help you detect issues such as SQL injection, XSS, session vulnerabilities, authentication vulnerabilities, and more.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u2705<strong>Multi-Protocol Support<\/strong><\/h4>\n\n\n\n<p>Supports HTTP, HTTPS, and TCP.<\/p>\n\n\n\n<h4 
class=\"wp-block-heading\"><strong>\u2705Proxy Interceptor<\/strong><\/h4>\n\n\n\n<p>Acts as a proxy between the browser and the web application. This allows for intercepting and modifying requests and responses.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u2705Manual Browse Mode&nbsp;<\/strong>&nbsp;<\/h4>\n\n\n\n<p>Allows you to manually browse web applications. This mode is particularly useful when performing functional testing on specific and custom functionality.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u2705Detailed Reports<\/strong><\/h4>\n\n\n\n<p>Provides detailed reports on detected vulnerabilities. This includes information on the severity of the vulnerability and suggestions on how to fix it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u2705Integration with Other Systems<\/strong><\/h4>\n\n\n\n<p>Can integrate with other security testing and test automation systems, such as Jenkins, Selenium, etc.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u2705Multiplatform Support<\/strong><\/h4>\n\n\n\n<p>It is compatible with Windows, Linux, and Mac OS X.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u2705Customization and Extensibility<\/strong><\/h4>\n\n\n\n<p>It is highly customizable and extensible. This allows users to add their own test scripts and adjust the tool to meet their specific needs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"OWASP_ZAP_%E2%80%93_Selenium_Integration\"><\/span><strong>OWASP ZAP \u2013 Selenium Integration<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>This project aims to achieve security testing with Selenium. To combine ZAP with Selenium, you must first have a Selenium project. 
You need to configure the ZAP proxy in the Selenium project scripts so that every HTTP request the browser makes to the site under test is routed through ZAP, where it can be inspected and scanned.<\/p>\n\n\n\n<p><strong>Below, we share a step-by-step guide to this integration for security testing with Selenium:<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_Install_OWASP_ZAP_version_2100_or_higher\"><\/span><strong>1. Install OWASP ZAP (version 2.10.0 or higher)&nbsp;<\/strong>&nbsp;<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The easiest way is to install the ZAP GUI, but it can also be done by running the proxy in Docker.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_Get_OWASP_ZAP_Started\"><\/span><strong>2. Get OWASP ZAP Started<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Configure the port and IP address for Selenium to connect to. By default, the IP will be&nbsp;<em>localhost<\/em>&nbsp;and the port will be 8080. To get the API key, open the GUI, go to Tools &gt; Options &gt; API, and copy the string found in the API Key input.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_Configure_Selenium_to_Use_the_ZAP_Proxy\"><\/span><strong>3. 
Configure Selenium to Use the ZAP Proxy<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Start from a Selenium project with its dependencies configured correctly and add the proxy with the following code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>@BeforeMethod\npublic void setup(){ \n   \/\/ Point both HTTP and HTTPS browser traffic at the ZAP proxy\n   String proxyServerUrl = ZAP_PROXY_ADDRESS + \":\" + ZAP_PROXY_PORT; \n   Proxy proxy = new Proxy();\n   proxy.setHttpProxy(proxyServerUrl); \n   proxy.setSslProxy(proxyServerUrl); \n\n   ChromeOptions co = new ChromeOptions(); \n   \/\/ ZAP presents its own generated certificates for HTTPS sites, so the browser must accept them\n   co.setAcceptInsecureCerts(true); \n   co.setProxy(proxy); \n   WebDriverManager.chromedriver().setup(); \n   driver = new ChromeDriver(co); \n\n   \/\/ API client used later to query ZAP and generate the report\n   api = new ClientApi(ZAP_PROXY_ADDRESS, ZAP_PROXY_PORT, ZAP_API_KEY);\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4_Generate_a_Report\"><\/span><strong>4. Generate a Report<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>After running the tests, you can generate a detailed <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/abstracta.us\/blog\/software-testing\/create-effective-test-report\/\">report<\/a> of the vulnerabilities detected by ZAP in the tearDown method (or whatever it is called in each case).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>@AfterMethod\npublic void tearDown() throws Exception{ \n   if (api != null) { \n      String title = \"POC ZAP Selenium - Abstracta\"; \n      String template = \"traditional-html\"; \n      String description = \"This is a ZAP test report\"; \n      String reportfilename = \"abstracta-web-security-report.html\"; \n      String targetFolder = System.getProperty(\"user.dir\"); \n      try { \n         \/\/ Optional parameters (theme, contexts, sites, sections, confidence and risk filters, display) are left as null\n         ApiResponse res = api.reports.generate(title, template, null, \n         description, null, null, null,null, null, reportfilename,null, \n         targetFolder,null); \n         System.out.println(\"ZAP report generated here: \" + res.toString());\n      } 
catch (ClientApiException ex) { \n         throw new Exception(ex);\n      } \n   }\n}\n<\/code><\/pre>\n\n\n\n<p><strong>To have a quick demo of its operation and test the integration of ZAP with Selenium (Selenium test), we share a proof of concept in our&nbsp;<\/strong><a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/abstracta\/poc_zap_selenium\"><strong>GitHub<\/strong><\/a><strong>.<\/strong>&nbsp;Don&#8217;t hesitate to try it and contact us if you have any questions!<\/p>\n\n\n\n<p><strong>How to Take The Security of Your Mobile Apps to the Next Level of OWASP? Don&#8217;t miss <\/strong><a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/abstracta.us\/blog\/mobile-testing\/how-to-take-the-security-of-your-mobile-apps-to-the-next-level-of-owasp\/\"><strong>this article!<\/strong><\/a><\/p>\n\n\n\n<p><strong>In need of help with <\/strong><a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/abstracta.us\/solutions\/security-testing\"><strong>security testing<\/strong><\/a><strong>?<\/strong><\/p>\n\n\n\n<p><strong>We are quality partners! Learn more about our <\/strong><a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/abstracta.us\/\"><strong>solutions here<\/strong><\/a><strong>! 
<\/strong><a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/abstracta.us\/contact-us\"><strong>Contact us<\/strong><\/a><strong> to discuss how we can help you grow your business.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/abstracta.us\/wp-content\/uploads\/2023\/09\/contact-us-blog-1-1024x145.jpg\" alt=\"Contact us\"\/><\/figure>\n\n\n\n<p class=\"has-text-align-center\"><strong>Follow us on<\/strong><a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www.linkedin.com\/company\/abstracta\/\"><strong> <u>Linkedin<\/u><\/strong><\/a><strong> &amp;<\/strong><a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/twitter.com\/AbstractaUS\"><strong> <u>X<\/u><\/strong><\/a><strong> to be part of our community!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How can we test possible security vulnerabilities of a website while running automated functional tests?&nbsp; Is my software functional if it has a security issue? 
In this article, we detail how to integrate Selenium and OWASP ZAP to achieve efficient and quality security testing with&#8230;<\/p>\n","protected":false},"author":75,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[302],"tags":[612,456],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.0.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Selenium Security Testing: OWASP ZAP Integration | Abstracta<\/title>\n<meta name=\"description\" content=\"In this article, we detail how to integrate Selenium and OWASP ZAP to achieve efficient and quality security testing with Selenium.\" \/>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Selenium Security Testing: OWASP ZAP Integration | Abstracta\" \/>\n<meta property=\"og:description\" content=\"In this article, we detail how to integrate Selenium and OWASP ZAP to achieve efficient and quality security testing with Selenium.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog about AI-powered quality engineering for teams building complex software | Abstracta\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/AbstractaQA\/\" \/>\n<meta property=\"article:published_time\" 
content=\"2023-11-29T17:15:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-05T21:19:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/abstracta.us\/wp-content\/uploads\/2023\/05\/Security-Testing-with-Selenium-OWASP-ZAP-Integration.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1250\" \/>\n\t<meta property=\"og:image:height\" content=\"705\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AbstractaUS\" \/>\n<meta name=\"twitter:site\" content=\"@AbstractaUS\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/abstracta.us\/blog\/#website\",\"url\":\"https:\/\/abstracta.us\/blog\/\",\"name\":\"Blog about AI-powered quality engineering for teams building complex software | Abstracta\",\"description\":\"AI-powered quality engineering\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/abstracta.us\/blog\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/abstracta.us\/wp-content\/uploads\/2023\/05\/image-46.png\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/#webpage\",\"url\":\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/\",\"name\":\"Selenium Security Testing: OWASP ZAP Integration | 
Abstracta\",\"isPartOf\":{\"@id\":\"https:\/\/abstracta.us\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/#primaryimage\"},\"datePublished\":\"2023-11-29T17:15:07+00:00\",\"dateModified\":\"2025-05-05T21:19:07+00:00\",\"author\":{\"@id\":\"https:\/\/abstracta.us\/blog\/#\/schema\/person\/79bfee11ad62dc4c6240424d22bf9595\"},\"description\":\"In this article, we detail how to integrate Selenium and OWASP ZAP to achieve efficient and quality security testing with Selenium.\",\"breadcrumb\":{\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/\",\"url\":\"https:\/\/abstracta.us\/blog\/\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/\",\"url\":\"https:\/\/abstracta.us\/blog\/security-testing\/\",\"name\":\"Security Testing\"}},{\"@type\":\"ListItem\",\"position\":3,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/\",\"url\":\"https:\/\/abstracta.us\/blog\/security-testing\/selenium-security-testing-owasp-zap-integration\/\",\"name\":\"Selenium Security Testing: OWASP ZAP Integration\"}}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/abstracta.us\/blog\/#\/schema\/person\/79bfee11ad62dc4c6240424d22bf9595\",\"name\":\"Renzo Parente, Automation Hub 
Lead at Abstracta\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/abstracta.us\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f692233f7d141d15fbc1b6cf65522d50?s=96&d=blank&r=g\",\"caption\":\"Renzo Parente, Automation Hub Lead at Abstracta\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/15798"}],"collection":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/users\/75"}],"replies":[{"embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/comments?post=15798"}],"version-history":[{"count":8,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/15798\/revisions"}],"predecessor-version":[{"id":16188,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/15798\/revisions\/16188"}],"wp:attachment":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/media?parent=15798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/categories?post=15798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/tags?post=15798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}