Security Test Automation using Selenium and ZAP

Recently I got a chance to participate in a contest conducted inside our organization. We, as a team, had to come up with some innovative ideas and work on them for a week to showcase some live working samples.

During our recent visit to Selenium Conference 2014 – http://seleniumconf.org/, we came across an interesting topic called “Hacker Proof your app using Functional Tests” – http://confengine.com/selenium-conf-2014/schedule#session-218-info

It covers how to reuse your functional test automation scripts to do vulnerability assessment/security testing of your web applications. In that session, the speakers used IronWasp, a leading OWASP vulnerability scanner, along with their Selenium test scripts.

First of all, OWASP – https://www.owasp.org/index.php/Main_Page – The Open Web Application Security Project is an online community dedicated to web application security. All the software and materials there are available under a free and open software license.

As I said earlier, IronWasp – https://ironwasp.org/ – is a free and open-source, GUI-based, easy-to-use scanning engine.

But one major constraint with IronWasp is that the report generation after a vulnerability scan has to be done manually. So we searched for alternative vulnerability scanners that work well with WebDriver.

That is how we came across another interesting solution: the Zed Attack Proxy (ZAP).

The OWASP Zed Attack Proxy (ZAP) – https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project – is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. But our requirement was automated scanning of our functional test flows. So we searched for an API, and we found one.

Yes, ZAP provides a very good API which allows you to interact with ZAP programmatically.
Please refer to https://code.google.com/p/zaproxy/wiki/ApiJava for more details.

Also, the ANT tasks – https://code.google.com/p/zaproxy/wiki/ApiAnt – let you do automated scanning of your functional flows without changing any code in your functional/regression tests.

So we decided to go with this tool. Below is the set of tools/libraries that you need to perform a vulnerability assessment.

1. ZAP
2. Eclipse
3. The Bodge It Store
4. Tomcat (the web server hosting the Bodge It Store)
5. Firefox
6. Java and ANT

The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

You can download it as a WAR file – https://code.google.com/p/bodgeit/downloads/list – and deploy it in the Apache Tomcat web server.

Note that you should be able to use ZAP in this way using any IDE, web app, web server and browser – the above are just the ones used in this demo.

1. Download and install Java
2. Download and install ZAP
3. Run ZAP
   OK the license agreement
   It's up to you whether you create a Root CA certificate; it's not required for this demo
   Select Tools / Options… / Local proxy
   Change the Port to 8090
4. Download and install Tomcat
   The latest one is best, but older ones will probably still work
5. Start Tomcat
   Connect to Tomcat to make sure it's working properly: http://localhost:8080
6. Download the BodgeIt WAR file
   Deploy the BodgeIt WAR file in Tomcat
7. Download and install Eclipse
8. Start Eclipse
   Check out/clone this project from GitHub – https://github.com/linkeshkanna/SecurityTestAutomation
   Import the project into your Eclipse workspace
   Add the libraries – junit-4.0.jar, selenium-java-2.43.0.jar, selenium-server-standalone-2.43.0.jar and zap-api-v2-8.jar
9. Run the “ZAPDemo” target in “build.xml” as an ANT task.

This will pop up the Firefox browser and navigate through the BodgeIt application; first it performs the functional validation. Next it scans all the web pages you navigated in your functional test flows and produces the results for you.

How does this actually work?
So if you don't want to use the BodgeIt Store application and want to do an assessment on a different AUT (application under test), what changes do you actually have to make?

It's simple. You need to route all your WebDriver traffic through the proxy that ZAP listens on.
In the above steps, we started ZAP with its local proxy on port 8090, so it is listening on that port. So in your Selenium tests, before initializing WebDriver, make sure that you have configured the proxy settings.

import java.util.concurrent.TimeUnit;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;
// "driver" is a field of the test class; setDriver() is the project's own helper in the base test class.
private WebDriver driver;
public void setUp() throws Exception {
    // Point every protocol the browser uses (HTTP, FTP, SSL) at the ZAP local proxy on port 8090
    Proxy proxy = new Proxy();
    proxy.setHttpProxy("localhost:8090");
    proxy.setFtpProxy("localhost:8090");
    proxy.setSslProxy("localhost:8090");
    DesiredCapabilities capabilities = new DesiredCapabilities();
    capabilities.setCapability(CapabilityType.PROXY, proxy);
    driver = new FirefoxDriver(capabilities);
    this.setDriver(driver);
    driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
}

This is how the web requests from the browser pass through ZAP:

[Figure: ZAP-Integration]

That's it. No other code changes are needed. All the remaining activities are taken care of by the ANT tasks.

Advantages:
Additional ROI:
No additional effort is needed to do a security assessment of your web applications.
We are simply reusing the existing test automation scripts, with minimal tweaks, to do the vulnerability assessment.
So it is definitely a value addition in ROI.

Can be integrated with our Continuous Integration builds:
As it is just an Ant build, we can also obtain vulnerability assessment reports from CI nightly builds.

Ignoring low priority alerts:
This is another interesting option, and it is definitely a big boon for developers.
If you want to avoid build failures caused by certain vulnerability alerts in your application,
simply ignore those alerts in your “build.xml” Ant tasks.

<VulnerabilityAssessment zapAddress="${zapaddr}" zapPort="${zapport}" debug="true">
	<ignoreAlert alert="Cookie set without HttpOnly flag" />
	<ignoreAlert alert="X-Content-Type-Options header missing" />
	<ignoreAlert alert="X-Frame-Options header not set" />
	<ignoreAlert alert="Application Error disclosure" />
	<ignoreAlert alert="Cookie set without HttpOnly flag" />
	<ignoreAlert alert="Password Autocomplete in browser" />
</VulnerabilityAssessment>

We have shared our presentation slides.

We have checked in our project source code – https://github.com/linkeshkanna/SecurityTestAutomation


11 thoughts on “Security Test Automation using Selenium and ZAP”

  1. I get this. Anyone know why?

    Buildfile: /Users/joshuadunn/workspace_new/SecurityTestAutomation/ZAP/build.xml

    BUILD FAILED
    /Users/joshuadunn/workspace_new/SecurityTestAutomation/ZAP/build.xml:14: taskdef class org.zaproxy.clientapi.ant.AccessUrlTask cannot be found
    using the classloader AntClassLoader[]

    Total time: 456 milliseconds


  2. For the procedures mentioned in the article to get done, I had to alter the build.xml code (the target run part), so it looks like this:

    In the code above, was changed to add the “${bin}” value. This way, Ant is able to find the test class binary. Change this tag value according to your binaries directory.

    The second change, related to the WebDriver connection problems reported in the comments, was to update the Selenium jar files to the latest version available. My lib directory looks like this:

    $ ls SecurityTestAutomation/ZAP/lib
    junit-4.0.jar selenium-java-2.53.1.jar selenium-server-standalone-2.53.1.jar zap-api-v2-8.jar

    Hope this can help (or just save time for) others.


  3. It's a really nice post!!

    But while trying to run the ant file I'm getting the following error:

    Buildfile: C:\Users\adithyan-m\workspace\ZAP\build.xml
    ZAPDemo:
    build:
    [javac] Compiling 1 source file to C:\Users\adithyan-m\workspace\ZAP\build
    [javac] Compiling 1 source file to C:\Users\adithyan-m\workspace\ZAP\bin
    startZap:
    startZapDaemon:
    [NewZAPSession] Open URL: http://zap/xml/core/action/newSession/?overwrite=true&name=&amp;

    BUILD FAILED
    C:\Users\adithyan-m\workspace\ZAP\build.xml:94: org.zaproxy.clientapi.core.ClientApiException: org.zaproxy.clientapi.core.ClientApiException: java.net.ConnectException: Connection refused: connect

    Please reply to me.. I'm going to use this in my project.


  4. So, it seems like a problem with Selenium or browser versions.
    So try this.
    Don't configure the proxy in your Selenium script. Just skip all the tests related to ZAP.

    Try to run a simple Selenium test using the Firefox driver.
    If it runs without any issues, we got a situation.

    If you are getting the same issue when running your Selenium script without the ZAP configuration,
    try to upgrade the Selenium version to the latest and do the test run again.


  5. Thank you for your response. I have good experience with ZAP but not Selenium. I followed the instructions, using Firefox v41.0, Selenium driver 2.43.0 and Selenium driver 2.47.0, tried to run the build.xml and I get the following error: Unable to connect to host 127.0.0.1 on port 7056 after 45000 ms. Firefox console output:
    [java] not a valid add-on ID:


  6. I think the problem is that you might be using some plugins/additional jar files related to Selenium.
    My example simply uses HTTP requests. So if your requirement is something different, tell me the complete scenario that you are trying.
