Automated Security Testing Using OWASP ZAP


Outline

In this article, I will explain the basic steps that will help you add an automated security-testing step using OWASP ZAP to your Continuous Integration/Continuous Delivery Platform (CI/CDP) systems.

For the Turkish version of this article, click the link.

What is OWASP ZAP and What is the Purpose of This Test?

OWASP (Open Web Application Security Project) is an online community which produces and shares free publications, methodologies, documents, tools and technologies in the field of application security. ZAP (Zed Attack Proxy) is one of the most important tools developed by this community. Its main purpose is to run security scans against web applications.

The purpose of the method I describe in this article is not to teach you how to do web security testing and its tricks, nor will I give all the technical details of ZAP. The aim here is to show you the first steps of running security scans automatically and to leave the improvements to you.

Walkthrough and Operations to be Performed

I used Cucumber and Capybara on Ruby for the web automation part of this test, but no matter which tool or framework is used, you can perform this procedure with any web automation method such as Selenium, Watir, etc. You can examine the code that I wrote for this test at https://github.com/swtestacademy/zap-security/tree/swtestacademy . Now, let’s go into the details of how we will carry out this security test.

Step by Step Instructions

Prerequisites

JAVA (preferably 8) must be installed on the computer/build agent/container which will perform all these operations. Download the cross-platform version of ZAP and extract it on the same machine.


Step-1: Zap Configuration

You need to specify which address and port ZAP will listen on. First, open ZAP with “zap.bat” (on Windows) or “zap.sh” (OS X or Linux), then modify the settings. I used localhost:8095 in my project. You can change this setting on the Tools -> Options -> Local Proxy screen. If you connect to the internet through a proxy in your company, you can change the proxy settings on the Tools -> Options -> Connection screen. Also, you must select your operating system and web browser on the Tools -> Options -> Connection screen. These settings are shown in the figures below.


[Optional] Manual Security Test with ZAP and Firefox

You can change Firefox’s proxy settings as shown below. First, go to the Tools ->> Options ->> Advanced tab. Then apply the settings shown below.


After completing these settings, restart ZAP and Firefox; when you then visit any website, you will see the HTTP request lines and Alerts in the ZAP console panel, as shown below. This is the MANUAL way of performing security tests.


Step-2: Browser Configuration in our Automation Code

As I mentioned earlier, I used Capybara for web automation and Selenium WebDriver as the driver. You should also install the RestClient gem.

You can find how to install Ruby, Cucumber, and Capybara configuration in this article.

In this configuration, I chose Firefox as the browser. In order for Firefox to reach the internet through our chosen proxy, we need to add the code below to the env.rb file.

Step-3: Start the ZAP in the Code

Before running the tests, we need to start ZAP. To do this, I executed the line below in my Ruby code.

In OS X or Linux:

In Windows :

In Ruby there are a few different ways to run an external program (Kernel#system, exec, backticks, etc.). However, after launching the external program, none of those methods hands control back to the Ruby code while the program runs. Only the “IO.popen” method starts the program you want and then lets the rest of the code continue to run.
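The launch-and-wait step described above, written out as an added example; this is not code from the article or its GitHub project. It assumes ZAP is extracted under a directory given by ZAP_HOME (the default path is made up), picks zap.bat or zap.sh as the article does, and uses ZAP’s command-line options `-daemon`, `-host` and `-port` to start ZAP headless on the 8095 port chosen in Step 1 rather than editing the Local Proxy screen. It then polls the `core/view/version` API call until ZAP answers instead of sleeping a fixed time; ZAP_API_KEY is an assumed environment variable for builds where the API key is enabled.

```ruby
require 'rbconfig'
require 'net/http'
require 'uri'

# Added example, not the article's or the swtestacademy repository's code.
# Assumptions: ZAP is extracted under ZAP_HOME (the default below is made up),
# it should listen on 127.0.0.1:8095 as in the article, and ZAP_API_KEY is
# set only if your ZAP build requires an API key.
ZAP_HOME = ENV.fetch('ZAP_HOME', '/opt/zaproxy')
ZAP_PORT = 8095
ZAP_API_KEY = ENV['ZAP_API_KEY']

# Build the launcher command for the current platform: zap.bat on Windows,
# zap.sh on OS X/Linux, the two scripts the article names.
def zap_command(zap_home: ZAP_HOME, port: ZAP_PORT, host_os: RbConfig::CONFIG['host_os'])
  launcher = host_os =~ /mswin|mingw|cygwin/ ? 'zap.bat' : 'zap.sh'
  # -daemon runs ZAP without the GUI; -host/-port override the Local Proxy setting.
  [File.join(zap_home, launcher), '-daemon', '-host', '127.0.0.1', '-port', port.to_s]
end

# IO.popen starts the process and returns at once with a pipe to its output,
# so the Ruby code keeps running while ZAP boots (stderr is merged into the pipe).
def start_zap(command = zap_command)
  IO.popen(command, err: [:child, :out])
end

# True once the ZAP API answers; any connection failure means "not up yet".
def zap_api_up?(port = ZAP_PORT, api_key = ZAP_API_KEY)
  uri = URI("http://127.0.0.1:#{port}/JSON/core/view/version/")
  uri.query = URI.encode_www_form(apikey: api_key) if api_key
  Net::HTTP.get_response(uri).is_a?(Net::HTTPSuccess)
rescue StandardError
  false
end

# Poll instead of sleeping a fixed time. The probe is injectable so the wait
# logic can be exercised without a running ZAP.
def wait_for_zap(timeout: 120, interval: 2, probe: -> { zap_api_up? })
  deadline = Time.now + timeout
  until probe.call
    return false if Time.now >= deadline
    sleep interval
  end
  true
end

# Only launch for real when the ZAP script actually exists on this machine.
if __FILE__ == $PROGRAM_NAME && File.executable?(zap_command.first)
  zap_io = start_zap
  puts "ZAP started (pid #{zap_io.pid}); waiting for the API on port #{ZAP_PORT}..."
  puts(wait_for_zap ? 'ZAP API is up' : 'ZAP did not come up in time')
end
```

Keep the IO object returned by `start_zap` around (or read from it in a thread) so ZAP's stdout does not fill the pipe buffer on long runs, and call `zap_io.close` at the end of the test run.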

Step-4: Running Web Automation Codes

There are passive and active ways to do security testing on web applications. In active methods, you can attack the site with AJAX crawlers. In our sample project, we will use a passive method because the site under test doesn’t belong to us. In this method, we automate some basic journey tests and let ZAP detect security vulnerabilities in the site. If you enrich and diversify your test scenarios, you will also increase the probability that ZAP detects vulnerabilities. In our project, our journey test flow is described below:

  1. Navigate to www.akakce.com
  2. Search an item.
  3. Filter the results according to certain price range.
  4. Go to the details of first filtered result.

The code for the scenario above is shown below:

At the end of the code, I waited 20 seconds because it takes some time for ZAP to interpret the detected vulnerabilities and make the results available through the API. Instead of a static wait, you can implement this wait with the status checks that the API provides. I am leaving the details of this work to you.

Step-5: Reading Warnings and Reporting with ZAP

When our tests are finished, we need to interpret the detected warnings, errors and vulnerabilities. We use the ZAP API to reach them. While your ZAP instance is alive, if you open ZAP’s <listened proxy>/UI address in your browser, you can see all the functions that the ZAP API provides. We used the code line below to reach the warnings/errors/vulnerabilities.

When we get the results, we can separate and report them by their risk levels. In our code, if a high priority vulnerability is found, we print it first and then break the build with an assertion. You can also prepare a test plan and design your build pipeline based on your own criteria.
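The reporting and build-breaking step just described, together with the status-check replacement for the static 20-second wait from Step 4, as an added example; it is not the article's or its repository's code and uses Ruby's standard library (net/http and json) instead of the RestClient gem. It assumes ZAP's API is reachable at the article's localhost:8095 (ZAP_BASE), uses ZAP's `core/view/alerts` view for the findings and `pscan/view/recordsToScan` for the passive scanner's remaining queue, and treats ZAP_API_KEY as an assumed environment variable for builds where the API key is enabled. The alert JSON at the bottom is constructed to match the shape of ZAP's response and is not real scan output.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added example, not the article's or the swtestacademy repository's code.
# Assumptions: ZAP's API is reachable at ZAP_BASE (the article's localhost:8095)
# and ZAP_API_KEY is set only if your ZAP build requires an API key.
ZAP_BASE = ENV.fetch('ZAP_BASE', 'http://localhost:8095')
ZAP_API_KEY = ENV['ZAP_API_KEY']
RISK_ORDER = %w[High Medium Low Informational].freeze

# Call a ZAP JSON "view", e.g. zap_view('core', 'alerts', baseurl: 'http://...').
def zap_view(component, view, params = {})
  params = params.merge(apikey: ZAP_API_KEY) if ZAP_API_KEY
  uri = URI("#{ZAP_BASE}/JSON/#{component}/view/#{view}/")
  uri.query = URI.encode_www_form(params) unless params.empty?
  JSON.parse(Net::HTTP.get(uri))
end

# Replacement for the static 20-second sleep: poll the passive scanner's
# queue (pscan/view/recordsToScan) until nothing is left to process.
def wait_for_passive_scan(timeout: 60, interval: 1,
                          probe: -> { zap_view('pscan', 'recordsToScan')['recordsToScan'].to_i })
  deadline = Time.now + timeout
  loop do
    return true if probe.call.zero?
    return false if Time.now >= deadline
    sleep interval
  end
end

# Group alerts by risk, highest first. ZAP reports one alert per request,
# so the same finding on the same URL is collapsed into a single entry.
def summarize_alerts(alerts)
  summary = RISK_ORDER.each_with_object({}) { |risk, h| h[risk] = [] }
  seen = {}
  alerts.each do |alert|
    key = [alert['alert'], alert['url']]
    next if seen[key]
    seen[key] = true
    (summary[alert['risk']] ||= []) << alert
  end
  summary
end

# Human-readable report, one section per risk level that has findings.
def format_report(summary)
  summary.flat_map do |risk, items|
    next [] if items.empty?
    ["#{risk} (#{items.size})"] + items.map { |a| "  - #{a['alert']} @ #{a['url']}" }
  end.join("\n")
end

# Build gate: passes only if no alert at or above `fail_at` was found.
def build_passes?(summary, fail_at: 'High')
  RISK_ORDER.take(RISK_ORDER.index(fail_at) + 1).all? { |risk| summary.fetch(risk, []).empty? }
end

# Raise to break the build (the article does the same with an assertion).
def assert_build_passes!(summary, fail_at: 'High')
  return if build_passes?(summary, fail_at: fail_at)
  raise "ZAP found alerts of risk #{fail_at} or higher; failing the build"
end

# Constructed sample in the shape of ZAP's core/view/alerts response (not real scan output).
SAMPLE_ALERTS_JSON = <<~JSON
  {"alerts":[
    {"alert":"X-Frame-Options Header Not Set","risk":"Medium","confidence":"Medium","url":"http://example.test/","param":"X-Frame-Options"},
    {"alert":"X-Frame-Options Header Not Set","risk":"Medium","confidence":"Medium","url":"http://example.test/","param":"X-Frame-Options"},
    {"alert":"Cookie No HttpOnly Flag","risk":"Low","confidence":"Medium","url":"http://example.test/search","param":"session"},
    {"alert":"Constructed High Risk Finding","risk":"High","confidence":"Medium","url":"http://example.test/item/1","param":"id"}
  ]}
JSON

if __FILE__ == $PROGRAM_NAME
  # Against a live ZAP you would instead do:
  #   wait_for_passive_scan
  #   alerts = zap_view('core', 'alerts', baseurl: 'http://www.akakce.com')['alerts']
  alerts = JSON.parse(SAMPLE_ALERTS_JSON)['alerts']
  summary = summarize_alerts(alerts)
  puts format_report(summary)
  puts(build_passes?(summary) ? 'Build passes' : 'Build would be broken: high risk alerts present')
end
```

In a Cucumber step you would call `wait_for_passive_scan`, fetch the alerts with `zap_view`, print `format_report` and finish with `assert_build_passes!`; lowering `fail_at:` to `'Medium'` tightens the gate once the team has cleared the high-risk findings.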

Test Codes and Test Execution

Folder Structure


GitHub Page of Test Codes

https://github.com/swtestacademy/zap-security/tree/swtestacademy/

Test Files

Feature File (owasp_zap_scanning.feature):

Steps File (my_steps.rb):

Functions File (functions.rb):

Environment File (env.rb):

Test Execution

Go to your test automation project folder and run the command below.


ZAP will then open and you will see the results shown below.


Conclusion

Actually, the method that I tried to explain here is new even to me. There are many improvements that can be made. I hope this article, which aims to show that security tests can be done without human intervention, will be useful to you. Please keep in mind that applying the techniques described here does not mean that you no longer need any security or penetration testing. Security is a very serious issue and it has to be handled by security experts with an engineering point of view. The basic objective of our test here is to give feedback to the development team about the safety of the product from the first iteration and to ensure a basic level of security. It can also help us find and eliminate security vulnerabilities before the extensive and more professional security/penetration testing phases.

About ThoughtWorks and Test Hive

ThoughtWorks is a software consultancy firm which has carried on its operations in 12 countries with 34 offices and more than 3600 consultants since 1993. In the software sector, ThoughtWorks is not only a follower and implementer; it produces and discovers new ways with its game-changing consultants. Thus, it holds a very important place in the market. ThoughtWorks has been operating for more than two years in Turkey and has an ambitious mission to change the understanding of software in our country. In order to achieve this goal, it pioneered the foundation of many communities and is also a sponsor of the Test Hive group, which undertakes the same mission in the software testing domain. Test Hive regularly organizes events to help progress in software testing, shares articles and research papers, organizes trainings and provides environments for test engineers to share information. www.testhive.org

2017-03-09T23:16:01+00:00 | March 22nd, 2016 | Security Testing, Test Automation, Zap | 1 Comment

About the Author:

Alper Mermer
Alper Mermer graduated from the Hacettepe University Computer Engineering Department. He has been in the software sector for more than 10 years and has spent the last 8 years actively working on software testing. He has experience in the Finance, Telecommunications and Online Retail sectors. He is also the founder and organizer of the Test Hive group. Alper is now working at the ThoughtWorks Turkey office as a Quality Enforcer.

One Comment

  1. Ach_test June 8, 2017 at 7:34 am - Reply

    Thanks a lot for the detailed description, it was very much helpful, but I am facing the below issues; can you please guide me?
    My execution was successful and we wanted to view results from pen testing.

    Then I wait for “40” seconds # features/step_definitions/XXX_Steps.rb:92
    Then I should be able to see security warnings # features/step_definitions/my_steps.rb:24
    uninitialized constant RestClient (NameError)
    ./features/step_definitions/my_steps.rb:26:in `/^I should be able to see security warnings$/'
    ./features/support/env.rb:100:in `call'
    ./features/support/env.rb:100:in `block (2 levels) in '
    ./features/support/env.rb:98:in `upto'
    ./features/support/env.rb:98:in `block in '
    features/US0002.feature:24:in `Then I should be able to see security warnings'

    Failing Scenarios:
    cucumber features/US0002.feature:6 # Scenario: TC2762 – Ability to view all proposed investments by fund gateway
