This is a project that integrates Selenium 4 with OWASP ZAP for performing security tests on web applications.
To use this project, it is necessary to have the following installed:
- Java 11 or higher
- OWASP ZAP 2.10.0 or higher
- Clone the repository:

```shell
git clone git@gitlab.abstracta.us:Automation/poc-selenium-zap.git
```

- In the config.properties file, set ZAP_API_KEY to your OWASP ZAP API key, and ZAP_PROXY_ADDRESS and ZAP_PROXY_PORT to the address and port the ZAP proxy listens on.
Info: by default, the address is localhost and the port is 8080. To get the API key, open the ZAP GUI, go to Tools > Options > API and copy the string shown in the API Key field.
- Run the following command to download the project's dependencies:

```shell
mvn clean install
```
To run the project and do tests on a web application, follow these steps:
- Start the OWASP ZAP GUI. You can download it from here. You can also install it from a package manager such as APT, Chocolatey, or Homebrew and start the proxy in daemon mode with the following command:

```shell
zap.sh -daemon -port 8090
```
- Run the following command to execute the Selenium test:

```shell
mvn test
```
- Verify that the test has passed correctly.
- The site under test appears in the ZAP GUI, where you can review the alerts ZAP raised for it.
- Open the abstracta-web-security-report.html file in a web browser to view the report generated by OWASP ZAP.
OWASP ZAP (Zed Attack Proxy) is an open-source web application security testing tool. It is used to detect vulnerabilities in web applications and provide a comprehensive security assessment.
OWASP ZAP's features include:
- Automated vulnerability scanning: OWASP ZAP can perform automated vulnerability tests to detect issues such as SQL injection, XSS, session vulnerabilities, authentication vulnerabilities, etc.
- Support for multiple protocols: OWASP ZAP supports HTTP, HTTPS, and TCP.
- Intercepting proxy: OWASP ZAP acts as a proxy between the browser and the web application, allowing it to intercept and modify requests and responses.
- Manual exploration mode: OWASP ZAP also allows manually exploring web applications, which is useful for testing specific and customized functionalities.
- Detailed reports: OWASP ZAP provides detailed reports on detected vulnerabilities, including information about the severity of each vulnerability and suggestions on how to fix it.
- Integration with other systems: OWASP ZAP can be integrated with other security testing and test automation systems, such as Jenkins, Selenium, etc.
- Cross-platform support: OWASP ZAP is compatible with Windows, Linux, and Mac OS X.
- Customization and extensibility: OWASP ZAP is highly customizable and extensible, allowing users to add their own test scripts and adjust the tool to meet their specific needs.
The integration of OWASP ZAP and Selenium can be achieved by configuring a proxy in Selenium so that all HTTP requests are sent through ZAP. This allows ZAP to intercept all requests and responses made to the web application and perform real-time security analysis.
Below are the steps to integrate OWASP ZAP with Selenium testing:
- Download and install OWASP ZAP on your machine.
- Start OWASP ZAP and note the IP address and port its proxy listens on; Selenium will connect to them.
- Configure Selenium to use the OWASP ZAP proxy. In a Java and Selenium project, you can do it as follows:

```java
@BeforeMethod
public void setup() {
    // Route both HTTP and HTTPS traffic through the ZAP listener
    String proxyServerUrl = ZAP_PROXY_ADDRESS + ":" + ZAP_PROXY_PORT;
    Proxy proxy = new Proxy();
    proxy.setHttpProxy(proxyServerUrl);
    proxy.setSslProxy(proxyServerUrl);

    ChromeOptions co = new ChromeOptions();
    // ZAP re-signs TLS certificates with its own CA, so the browser must accept them
    co.setAcceptInsecureCerts(true);
    co.setProxy(proxy);

    WebDriverManager.chromedriver().setup();
    driver = new ChromeDriver(co);

    // Client for the ZAP REST API, used afterwards to pull alerts and reports
    api = new ClientApi(ZAP_PROXY_ADDRESS, ZAP_PROXY_PORT, ZAP_API_KEY);
}
```
- You can generate the report in the test teardown as follows:

```java
@AfterMethod
public void tearDown() throws Exception {
    if (api != null) {
        String title = "POC ZAP Selenium - Abstracta";
        String template = "traditional-html";
        String description = "Este es un reporte de pruebas de ZAP";
        String reportfilename = "abstracta-web-security-report.html";
        String targetFolder = System.getProperty("user.dir");
        try {
            // reports/action/generate: optional parameters that are not used are passed as null
            ApiResponse res = api.reports.generate(title, template, null, description,
                    null, null, null, null, null, reportfilename, null, targetFolder, null);
            System.out.println("Reporte de ZAP generado aqui: " + res.toString());
        } catch (ClientApiException ex) {
            throw new Exception(ex);
        }
    }
}
```
- Develop the Selenium tests as usual. Each request and response will be automatically intercepted by OWASP ZAP and analyzed in real-time.
- After the test is finished, you can view the results of the security analysis in OWASP ZAP. The tool provides detailed reports on the detected vulnerabilities, classifying them by severity and providing information on how to fix them.
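As an added example (not code from the project), the following test method sits between the setup and tearDown shown above: it browses the site through the ZAP proxy, waits until ZAP's passive scanner has processed every proxied message, and fails the test when any Medium or High risk alert was raised, so the security result gates the build instead of only landing in a report. The target URL, the `driver`/`api` fields being initialised in setup(), the `BLOCKING_RISKS` policy and the 60-second timeout are assumptions; the ZAP calls used are the Java client's `getAlerts` and `pscan.recordsToScan`.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.stream.Collectors;
import org.openqa.selenium.WebDriver;
import org.testng.Assert;
import org.testng.annotations.Test;
import org.zaproxy.clientapi.core.Alert;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

public class SecurityGateTest {
    // Assumed to be initialised by the @BeforeMethod setup() shown above
    private WebDriver driver;
    private ClientApi api;
    // Assumed placeholder: the application under test
    private static final String TARGET_URL = "https://app-under-test.example/";
    // Risk levels that fail the test (assumption: tune to your own policy)
    private static final EnumSet<Alert.Risk> BLOCKING_RISKS = EnumSet.of(Alert.Risk.Medium, Alert.Risk.High);

    @Test
    public void noMediumOrHighRiskAlerts() throws ClientApiException, InterruptedException {
        // Every request goes through ZAP because of the proxy configured in setup()
        driver.get(TARGET_URL);
        waitForPassiveScan(60);

        // start=0, count=0 asks the ZAP API for every alert recorded under this base URL
        List<Alert> alerts = api.getAlerts(TARGET_URL, 0, 0);
        List<String> blocking = alerts.stream()
                .filter(a -> BLOCKING_RISKS.contains(a.getRisk()))
                .map(a -> a.getRisk() + " | " + a.getName() + " | " + a.getUrl())
                .collect(Collectors.toList());
        Assert.assertTrue(blocking.isEmpty(),
                "ZAP raised " + blocking.size() + " blocking alert(s):\n" + String.join("\n", blocking));
    }

    // Poll pscan/view/recordsToScan until ZAP has analysed every proxied message,
    // otherwise alerts may be read before the passive scanner has finished.
    private void waitForPassiveScan(int maxSeconds) throws ClientApiException, InterruptedException {
        for (int i = 0; i < maxSeconds * 2; i++) {
            String pending = ((ApiResponseElement) api.pscan.recordsToScan()).getValue();
            if (Integer.parseInt(pending) == 0) return;
            Thread.sleep(500);
        }
        throw new IllegalStateException("Passive scan did not finish within " + maxSeconds + "s");
    }
}
```

Keep the report generation in tearDown: when this assertion fails, the HTML report lists the same alerts with their evidence and remediation advice.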