Security Test Automation using Selenium and ZAP

Recently I got a chance to participate in a contest conducted inside our organization. We as a team have to come up with some innovative ideas and to work on that for a week to showcase some live working samples.

In the recent visit to Selenium Conference 2014 – http://seleniumconf.org/, we came up across an interesting topic called, Hacker Proof your app using Functional Tests – http://confengine.com/selenium-conf-2014/schedule#session-218-info

It covers how to reuse the Functional Test Automation Scripts to do Vulnerability Assessment/Security Testing for your web applications. In this conference, they have used IronWasp, an OWASP leading vulnerability scanner along with their selenium test scripts.

First of all OWASP – https://www.owasp.org/index.php/Main_Page The Open Web Application Security Project is an online community dedicated to web application security. All the software materials here are available under a free and open software license.

As I said earlier, IronWasp – https://ironwasp.org/ is a Free and Open source GUI based, easy to use scanning engine.

But one of the major constraints is, the report generation after performing a vulnerability scanning has been done manually when going for IronWasp. So We actually searched for some other alternative vulnerability scanners that goes well with webdriver.

So we came across another interesting solution using Zed Attack Proxy/ZAP-Proxy

The OWASP Zed Attack Proxy (ZAP) – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. But our requirement is to do a automated scanning for our functional test flows. So we have searched for some API’s and we found out that also.

Yes ZAP provides very good API which allows you to interact with ZAP Programatically.
Please refer the https://code.google.com/p/zaproxy/wiki/ApiJava for more details.

Also the ANT Tasks, https://code.google.com/p/zaproxy/wiki/ApiAnt will let you to do the automated scanning for your functional flows without even changing any Code of your functional/regression tests.

So we have decided to go with this tool and below are the following set of tools/libraries that you need to perform a vulnerability assessment.

1. ZAP
2. Eclipse
3. The Bodge It Store
4. Tomcat (the web server hosting the Bodge It Store)
5. Firefox
6. Java and ANT

The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

You can download – https://code.google.com/p/bodgeit/downloads/list this as a WAR file and can deploy this in Apache Tomcat web server.

Note that you should be able to use ZAP in this way using any IDE, web app, web server and browser – the above are just the ones used in this demo.

1. Download and install Java
2. Download and install ZAP
3. Run ZAP
OK the license agreement
Its up to you whether you create a Root CA certificate, its not required for this demo
Select Tools / Options… / Local proxy
Change the Port to 8090
4. Download and install Tomcat
The latest one is best, but older ones will probably still work
5. Start Tomcat
Connect to Tomcat to make sure its working properly: http://localhost:8080
6. Download BodgeIT WAR file.
Deploy this BodgeIT war file in Tomcat.
7. Download and install Eclipse
8. Start Eclipse
Checkout/Clone this Project from Github – https://github.com/linkeshkanna/SecurityTestAutomation
Import this project into your Eclipse Workspace.
Add the libraries – junit-4.0.jar, selenium-java-2.43.0.jar, selenium-server-standalone-2.43.0.jar and zap-api-v2-8.jar
9. Run the “ZAPDemo” Task in “build.xml” as an ANT Task.

This will popup the firefox browser and will navigate through the BodgeIT application and first it will do the functional validation. Next it will do a scan for all the web pages you navigated in your functional test flows and will produce you the results.

How this actually works?
So if you don’t want to use the BodgeIT store application and if you want to do a assessment on a different AUT, What changes you actually have to do?

It’s Simple. You need to bypass all your webdriver actions through a proxy at which the ZAP listens to.
In the above steps, we actually started ZAP Proxy at 8090. So it is actually listening on this particular port. So in your selenium tests, before initializing webdriver, make sure that you have done with your Proxy settings.

public void setUp() throws Exception {
		  Proxy proxy = new Proxy();
		  proxy.setHttpProxy("localhost:8090");
		  proxy.setFtpProxy("localhost:8090");
		  proxy.setSslProxy("localhost:8090");
		  DesiredCapabilities capabilities = new DesiredCapabilities();
		  capabilities.setCapability(CapabilityType.PROXY, proxy);
		  driver = new FirefoxDriver(capabilities);
		  this.setDriver(driver);
		  driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
	}

This is how the web requests from browser will pass through

ZAP-Integration
ZAP-Integration

That’s it. No need to do any other code changes. All the remaining activities can be taken care through the ANT tasks.

Advantages:
Additional ROI:
We are not going to add any efforts to do security assessment for your web applications.
We are simply reusing the existing Test Automation Scripts with minimal tweaks to do vulnerability Assessment.
So it is definitely an value addition in ROI.

Can be Integrated with our Continuous Integration Builds:
As it is just an Ant build, we can able to achieve vulnerability assessment reports through CI nightly builds also.

Ignoring Low Priority Alerts:
This is an another interesting option and it is definitely a Big Boon for the developers.
If you want to avoid build failure just because of some vulnerability alerts in your application,
simply ignore those alerts in your “build.xml” ant tasks.

<VulnerabilityAssessment zapAddress="${zapaddr}" zapPort="${zapport}" debug="true">
	<ignoreAlert alert="Cookie set without HttpOnly flag" />
	<ignoreAlert alert="X-Content-Type-Options header missing" />
	<ignoreAlert alert="X-Frame-Options header not set" />
	<ignoreAlert alert="Application Error disclosure" />
	<ignoreAlert alert="Cookie set without HttpOnly flag" />
	<ignoreAlert alert="Password Autocomplete in browser" />
</VulnerabilityAssessment>

We have shared our Presentation slides

We have Checked-in our Project Source Code – https://github.com/linkeshkanna/SecurityTestAutomation

Advertisements