In this Practical DevSecOps - DevSecOps Live online meetup, you will learn how to automate security tests using Selenium and OWASP ZAP.
Join Srinivas, a red team member in the banking industry who holds the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications, as he covers automating security tests using Selenium and OWASP ZAP.
In this meetup, you will learn:
1. Introduction to automated vulnerability scans and their limitations.
2. A short introduction to how functional tests can be useful in performing robust security tests.
3. Introduction to Selenium and OWASP ZAP.
4. Proxying selenium tests through OWASP ZAP
5. Invoking authenticated active scans using OWASP ZAP
6. Obtaining scan reports
… and more useful takeaways!
1. Automating security tests using Selenium and OWASP ZAP - Practical DevSecOps
2. whoami
• I am Srinivasarao Kotipalli
• Based in Singapore
• 8 years of experience in cyber security
• Authored Hacking Android (Packt Publishing)
• OSCP & OSCE
3. Agenda
• Introduction to automated vulnerability scans and their limitations.
• How functional tests can be useful in performing powerful security tests.
• Introduction to Selenium and OWASP ZAP.
• Proxying Selenium tests through OWASP ZAP.
• Invoking authenticated active scans using OWASP ZAP.
• Obtaining scan reports.
4. Introduction to OWASP ZAP
OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It can also run in a daemon mode which is then controlled via a REST API.
Source: https://en.wikipedia.org/wiki/OWASP_ZAP
5. Automated vulnerability scans
• Many commercial tools are available.
• Maximum crawl coverage and an active (authenticated) session are crucial for good scan coverage.
• They come with two features that matter most here:
  1. An option to record the login sequence
  2. A way to manually explore the web application so that the scanner sees every page
• Why are these features important?
• DEMO
6. Introduction to Selenium
• Selenium automates browsers.
• Selenium comes in different flavors; here we are specifically talking about Selenium WebDriver.
• Commonly used for test automation.
• After the product is fully integrated, these tests are run to make sure that the application is working as expected.
8. So, what problem are we solving?
• Login pages in web applications may stop automated scanners.
• Features that require authentication may not be properly scanned with default scans.
• QA teams are already writing scripts that properly crawl through the web apps.
• Security teams may not be leveraging these QA automation scripts in security testing.
9. So, what problem are we solving?
• Login pages in web applications may stop automated scanners.
• Features that require authentication may not be properly scanned with default scans.
• Selenium knows how to log in and crawl through the important features.
• ZAP knows how to find security issues in the crawled pages.
Use them together to achieve better DAST
12. Integrating Selenium and ZAP in a CI/CD pipeline
• Launch ZAP in daemon mode; it listens on a port.
• Proxy the Selenium traffic through ZAP.
• Run the functional tests (ZAP passively scans every proxied response automatically).
• Invoke a ZAP active scan:
  • As a bash command from the CI server
  • As a Python script on the CI server
  • As a test from Selenium
• Get the results:
  • As a bash command from the CI server
  • As a Python script on the CI server
  • As a test from Selenium
https://www.zaproxy.org/docs/api/#introduction
13. Proxying Selenium requests through ZAP
ZAP is run on localhost:8081. Note that Chrome bypasses the proxy for loopback addresses, so an application that itself runs on localhost needs Chrome started with --proxy-bypass-list=<-loopback> for its traffic to reach ZAP.
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;
// Route both plain HTTP and TLS traffic through the ZAP listener
Proxy proxy = new Proxy();
proxy.setHttpProxy("localhost:8081");
proxy.setSslProxy("localhost:8081");
// ChromeOptions replaces the deprecated DesiredCapabilities.chrome()
ChromeOptions options = new ChromeOptions();
options.setProxy(proxy);
// ZAP re-signs HTTPS responses with its own root CA: either import that CA into the browser profile or accept insecure certificates for the test run
options.setAcceptInsecureCerts(true);
WebDriver driver = new ChromeDriver(options);
[Selenium Tests here]
[Optionally, Security Tests here]
16. Get HTML/XML/JSON report from the command line
ZAP is run on localhost:8081. With the API key enabled (the default in daemon mode) every API call must carry it, here via the X-ZAP-API-Key header; pull the report only after the active scan has finished and the passive scan queue has drained, otherwise findings are missing.
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8081/OTHER/core/other/htmlreport/" -o zap.html
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8081/OTHER/core/other/jsonreport/" -o zap.json
curl -H "X-ZAP-API-Key: $ZAP_API_KEY" "http://localhost:8081/OTHER/core/other/xmlreport/" -o zap.xml
The XML/JSON formats are useful if you want to import the findings into a vulnerability management tool.
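The pipeline steps of slide 12 (wait for the passive scan, invoke the active scan, fetch the results) and the report retrieval of slide 16, carried through as one CI script. This is an added example, not code from the talk or from the ZAP project. It assumes ZAP was started with something like `zap.sh -daemon -port 8081 -config api.key=changeme` (the port follows the slides; the key value is an assumption) and that the Selenium suite has already logged in through the proxy. The endpoint paths, the `X-ZAP-API-Key` header and the JSON report layout are ZAP's; `ZapClient`, `FakeZap` and `FAKE_REPORT` are names and data constructed here so the flow also runs offline.

```python
"""CI driver for the Selenium + ZAP flow: wait for ZAP's passive scan queue to drain,
actively scan the site Selenium already logged in to, poll the scan to completion,
pull the JSON report and fail the build on High-risk alerts (ZAP REST API only)."""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://localhost:8081"  # ZAP started with -daemon -port 8081
API_KEY = "changeme"                # assumed value of -config api.key=...
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def zap_url(base, component, kind, name, params=None):
    """<base>/JSON/<component>/<view|action>/<name>/?k=v, or /OTHER/.../other/<name>/ for raw reports."""
    fmt = "OTHER" if kind == "other" else "JSON"
    url = f"{base}/{fmt}/{component}/{kind}/{name}/"
    return url + "?" + urllib.parse.urlencode(params) if params else url


class ZapClient:
    """Thin API client; `fetch` is injectable so the flow can run without a daemon."""

    def __init__(self, base=ZAP_BASE, api_key=API_KEY, fetch=None):
        self.base, self.api_key = base, api_key
        self.fetch = fetch or self._http_get

    def _http_get(self, url):  # real transport; the key travels in X-ZAP-API-Key
        req = urllib.request.Request(url, headers={"X-ZAP-API-Key": self.api_key})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.read()

    def call(self, component, kind, name, **params):
        body = self.fetch(zap_url(self.base, component, kind, name, params))
        return body if kind == "other" else json.loads(body)

    def wait_passive_idle(self, poll=0.0):
        # Passive findings from the Selenium run are only complete once the queue hits 0.
        while int(self.call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
            time.sleep(poll)

    def active_scan(self, target, poll=0.0):
        # Replays the recorded (authenticated) requests under `target` with attack payloads.
        scan_id = self.call("ascan", "action", "scan", url=target, recurse="true")["scan"]
        while int(self.call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll)
        return scan_id

    def json_report(self):
        return json.loads(self.call("core", "other", "jsonreport"))


def risk_counts(report):
    """Alerts per risk level from the JSON report (`site` is a list, or one object in old ZAPs)."""
    sites = report.get("site", [])
    counts = {name: 0 for name in RISK_NAMES.values()}
    for site in ([sites] if isinstance(sites, dict) else sites):
        for alert in site.get("alerts", []):
            counts[RISK_NAMES[str(alert["riskcode"])]] += 1
    return counts


def gate(counts, fail_on=("High",)):
    """True when no alert at a gated level exists, i.e. the pipeline stage may pass."""
    return all(counts[level] == 0 for level in fail_on)


def run_pipeline(client, target):
    client.wait_passive_idle()
    scan_id = client.active_scan(target)
    counts = risk_counts(client.json_report())
    return {"scan_id": scan_id, "counts": counts, "passed": gate(counts)}


# Constructed sample in the shape of /OTHER/core/other/jsonreport/ (not real scan output).
FAKE_REPORT = {"@programName": "OWASP ZAP", "site": [{"@name": "http://app.example.test", "alerts": [
    {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)", "riskcode": "3", "count": "1"},
    {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1", "count": "4"}]}]}


class FakeZap:
    """Constructed stand-in for a ZAP daemon answering the calls above, for offline runs."""

    def __init__(self):
        self.pscan_polls = self.status_polls = 0

    def __call__(self, url):
        path = urllib.parse.urlparse(url).path
        if path.endswith("/pscan/view/recordsToScan/"):
            self.pscan_polls += 1  # queue drains on the second poll
            return json.dumps({"recordsToScan": "3" if self.pscan_polls < 2 else "0"}).encode()
        if path.endswith("/ascan/action/scan/"):
            return b'{"scan":"0"}'
        if path.endswith("/ascan/view/status/"):
            self.status_polls += 1  # reports 40 %, 80 %, then 100 %
            return json.dumps({"status": str(min(100, 40 * self.status_polls))}).encode()
        if path.endswith("/core/other/jsonreport/"):
            return json.dumps(FAKE_REPORT).encode()
        raise ValueError("unexpected ZAP API call: " + url)


if __name__ == "__main__":  # offline demo; pass no `fetch` to ZapClient() for a real daemon
    print(run_pipeline(ZapClient(fetch=FakeZap()), "http://app.example.test"))
```

Two checks worth keeping in a real job: the active scan is "authenticated" only because ZAP replays the requests it recorded with the session the Selenium run established, so run the scan before any test that logs out or lets the session expire; and before scanning, compare the URLs ZAP actually recorded (`/JSON/core/view/urls/`) against the pages the functional tests were supposed to reach, which catches a misconfigured proxy or a login step that silently failed.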
19. Key takeaways
• You can take advantage of almost any functional testing framework to drive security scans.
• If you have existing Selenium test cases written for your web apps, use them to drive security scans.
• If you have already spent time and effort writing Selenium scripts, you have already explored the website for your scanner. Proxy the Selenium traffic through ZAP.
• OWASP ZAP exposes a complete, easy-to-use REST API; use it for DAST.
• ZAP is a mature OWASP project and is reliable at discovering common classes of web vulnerabilities.