SlideShare a Scribd company logo

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps

Mohammed A. Imran
Mohammed A. Imran

In Practical DevSecOps - DevSecOps Live online meetup, you’ll learn Automating security tests using Selenium and OWASP ZAP. Join Srinivas, Red Team Member at Banking Industry, also Offensive Security Certified Professional(OSCP) and Offensive Security Certified Expert(OSCE. He will cover Automating security tests using Selenium and OWASP ZAP. In this intriguing meetup, you will learn: 1. Introduction to automated vulnerability scans and their limitations. 2. A short introduction to how functional tests can be useful in performing robust security tests. 3. Introduction to selenium and OWASP ZAP 4. Proxying selenium tests through OWASP ZAP 5. Invoking authenticated active scans using OWASP ZAP 6. Obtaining scan reports … and more useful takeaways!

1 of 20
• I am Srinivasarao Kotipalli • Lives in Singapore • 8 years of experience in Cyber Security • Authored Hacking Android – Packt Pub • OSCP & OSCE whoami
• Introduction to automated vulnerability scans and their limitations. • How functional tests can be useful in performing powerful security tests. • Introduction to selenium and OWASP ZAP. • Proxying selenium tests through OWASP ZAP. • Invoking authenticated active scans using OWASP ZAP. • Obtaining scan reports. Agenda
OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It can also run in a daemon mode which is then controlled via a REST API. Source: https://en.wikipedia.org/wiki/OWASP_ZAP Introduction to OWASP ZAP
• Many commercial tools are available • Maximum crawling and an active session are crucial for better coverage • They come with two most important features : 1. An option to record the login sequence 2. Manually explore the Web Application • Why are these features important? • DEMO Automated vulnerability scans
• Selenium automates browsers. • Selenium comes in different flavors and we are specifically talking about Selenium Web Driver. • Commonly used for automation testing. • After the product is fully integrated, these tests are run to make sure that the application is working as expected. Introduction to Selenium
Commit Trigger Build Build Test Server Run Tests Security Tests Staging Production CICD PIPELINE
So, what problem are we solving? • Login Pages in web Applications may stop Automated scanners. • Features that require authentication may not be properly scanned, with default scans. • QA teams are already writing scripts to properly crawl through the web apps. • Security teams may not leverage these QA automation scripts in security testing.
So, what problem are we solving? • knows how to login and crawl through important features. • knows how to find security issues in crawled pages. • Login Pages in web Applications may stop Automated scanners. • Features that require authentication may not be properly scanned, with default scans. Use them together to achieve better DAST
Commit Trigger Build Build Test Server Run Tests Security Tests Staging Production CICD PIPELINE 1
Commit Trigger Build Build Test Server Run Tests + Security Tests Staging Production CICD PIPELINE 2
Integrating Selenium and ZAP in CICD pipeline • Launch ZAP – listens on a port • Proxy Selenium traffic through ZAP • Run functional tests (Passive scan is automatically done) • Invoke ZAP Active scan: • As a bash command from CI Server • As a python script on CI Server • As a test from Selenium • Get the results: • As a bash command from CI Server • As a python script on CI Server • As a test from Selenium https://www.zaproxy.org/docs/api/#introduction
Proxy proxy = new Proxy(); proxy.setHttpProxy("localhost:8081"); proxy.setSslProxy("localhost:8081"); DesiredCapabilities capabilities = DesiredCapabilities.chrome(); capabilities.setCapability("proxy", proxy); [Selenium Tests here] [Optionally, Security Tests here] Proxying Selenium requests through ZAP ZAP is run on localhost:8081
curl "http://localhost:8081/JSON/ascan/action/scan/?apikey=<ZAP_API_KEY>&url=<TARGET_URL>&r ecurse=true&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=" Start ZAP Active Scan from command line ZAP is run on localhost:8081
curl "http://localhost:8081/JSON/ascan/view/status/?apikey=<ZAP_API_KEY>&scanId=<SCAN_ID>" Start ZAP Active Scan from command line ZAP is run on localhost:8081
curl "http://localhost:8081/OTHER/core/other/htmlreport/" -o zap.html curl "http://localhost:8081/OTHER/core/other/jsonreport/" -o zap.json curl "http://localhost:8081/OTHER/core/other/xmlreport/" -o zap.xml Get HTML/XML report from command line ZAP is run on localhost:8081 XML/JSON formats can be useful if you want to import the findings into a Vulnerability Management tool
Commit Trigger Build Build Test Server Run Tests Security Tests Staging Production CICD PIPELINE 1 DEMO
Commit Trigger Build Build Test Server Run Tests + Security Tests Staging Production CICD PIPELINE 2 DEMO
• You can possibly take advantage of any functional testing framework to perform security scans. • If you have existing Selenium test cases written for your web apps, use them to drive security scans. • If you already spent time and efforts on writing Selenium scripts, you already explored the website for your scanner. Proxy the Selenium traffic through ZAP. • OWASP ZAP comes with the best and easy to use REST APIs, use them for DAST. • ZAP is an OWASP project, you can trust its abilities to discover common vulnerabilities. Key takeaways
THANK YOU Q&A www.offensivekubernetes.com

Recommended

Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAP
srini0x00
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
Aditya Gupta
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
penetration Tester
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Codemotion
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
Paul Ionescu
 

Recommended

Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAPDAST in CI/CD pipelines using Selenium & OWASP ZAP
DAST in CI/CD pipelines using Selenium & OWASP ZAP
srini0x00
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
Aditya Gupta
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
penetration Tester
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Codemotion
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
e2e testing with cypress
e2e testing with cypresse2e testing with cypress
e2e testing with cypress
Tomasz Bak
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
Puma Security, LLC
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
Synergetics Learning and Cloud Consulting
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
Simon Bennetts
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
Introduction to selenium
Introduction to seleniumIntroduction to selenium
Introduction to selenium
Archana Krushnan
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
Onapsis Inc.
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
Automated Web Testing Using Selenium
Automated Web Testing Using SeleniumAutomated Web Testing Using Selenium
Automated Web Testing Using Selenium
Weifeng Zhang
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
Cygnet Infotech
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
VMware Tanzu
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
New relic
New relicNew relic
New relic
Shubhani Jain
 
Selenium
SeleniumSelenium
Selenium
Ruturaj Doshi
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 

More Related Content

What's hot

e2e testing with cypress
e2e testing with cypresse2e testing with cypress
e2e testing with cypress
Tomasz Bak
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
Puma Security, LLC
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
Synergetics Learning and Cloud Consulting
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
Simon Bennetts
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
Introduction to selenium
Introduction to seleniumIntroduction to selenium
Introduction to selenium
Archana Krushnan
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
Onapsis Inc.
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
Automated Web Testing Using Selenium
Automated Web Testing Using SeleniumAutomated Web Testing Using Selenium
Automated Web Testing Using Selenium
Weifeng Zhang
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
Cygnet Infotech
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
VMware Tanzu
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
New relic
New relicNew relic
New relic
Shubhani Jain
 
Selenium
SeleniumSelenium
Selenium
Ruturaj Doshi
 

What's hot (20)

e2e testing with cypress
e2e testing with cypresse2e testing with cypress
e2e testing with cypress
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
OWASP Zed Attack Proxy
OWASP Zed Attack ProxyOWASP Zed Attack Proxy
OWASP Zed Attack Proxy
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
Introduction to selenium
Introduction to seleniumIntroduction to selenium
Introduction to selenium
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
Automated Web Testing Using Selenium
Automated Web Testing Using SeleniumAutomated Web Testing Using Selenium
Automated Web Testing Using Selenium
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
New relic
New relicNew relic
New relic
 
Selenium
SeleniumSelenium
Selenium
 

Similar to Automating security test using Selenium and OWASP ZAP - Practical DevSecOps

we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Christian Schneider
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
Hacker Proof web app using Functional tests
Hacker Proof web app using Functional testsHacker Proof web app using Functional tests
Hacker Proof web app using Functional tests
Ankita Gupta
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDC
Thinqloud
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
Linkesh Kanna Velu
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP
DevSecCon
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
Mateusz Olejarka
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CD
rkadayam
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testingseleniumconf
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon
 

Similar to Automating security test using Selenium and OWASP ZAP - Practical DevSecOps (20)

we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
 
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
 
Hacker Proof web app using Functional tests
Hacker Proof web app using Functional testsHacker Proof web app using Functional tests
Hacker Proof web app using Functional tests
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDC
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP Simon Bennetts - Automating ZAP
Simon Bennetts - Automating ZAP
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP Intro
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CD
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testing
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
 

More from Mohammed A. Imran

[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
Mohammed A. Imran
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
Mohammed A. Imran
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishments
Mohammed A. Imran
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction
Mohammed A. Imran
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
Mohammed A. Imran
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Assembly language part I
Assembly language part IAssembly language part I
Assembly language part I
Mohammed A. Imran
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
Mohammed A. Imran
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security community
Mohammed A. Imran
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
Mohammed A. Imran
 

More from Mohammed A. Imran (15)

[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishments
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Assembly language part I
Assembly language part IAssembly language part I
Assembly language part I
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security community
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps

  • 1.
  • 2. • I am Srinivasarao Kotipalli • Lives in Singapore • 8 years of experience in Cyber Security • Authored Hacking Android – Packt Pub • OSCP & OSCE whoami
  • 3. • Introduction to automated vulnerability scans and their limitations. • How functional tests can be useful in performing powerful security tests. • Introduction to selenium and OWASP ZAP. • Proxying selenium tests through OWASP ZAP. • Invoking authenticated active scans using OWASP ZAP. • Obtaining scan reports. Agenda
  • 4. OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It can also run in a daemon mode which is then controlled via a REST API. Source: https://en.wikipedia.org/wiki/OWASP_ZAP Introduction to OWASP ZAP
  • 5. • Many commercial tools are available • Maximum crawling and an active session are crucial for better coverage • They come with two most important features : 1. An option to record the login sequence 2. Manually explore the Web Application • Why are these features important? • DEMO Automated vulnerability scans
  • 6. • Selenium automates browsers. • Selenium comes in different flavors and we are specifically talking about Selenium Web Driver. • Commonly used for automation testing. • After the product is fully integrated, these tests are run to make sure that the application is working as expected. Introduction to Selenium
  • 8. So, what problem are we solving? • Login Pages in web Applications may stop Automated scanners. • Features that require authentication may not be properly scanned, with default scans. • QA teams are already writing scripts to properly crawl through the web apps. • Security teams may not leverage these QA automation scripts in security testing.
  • 9. So, what problem are we solving? • knows how to login and crawl through important features. • knows how to find security issues in crawled pages. • Login Pages in web Applications may stop Automated scanners. • Features that require authentication may not be properly scanned, with default scans. Use them together to achieve better DAST
  • 12. Integrating Selenium and ZAP in CICD pipeline • Launch ZAP – listens on a port • Proxy Selenium traffic through ZAP • Run functional tests (Passive scan is automatically done) • Invoke ZAP Active scan: • As a bash command from CI Server • As a python script on CI Server • As a test from Selenium • Get the results: • As a bash command from CI Server • As a python script on CI Server • As a test from Selenium https://www.zaproxy.org/docs/api/#introduction
  • 13. Proxy proxy = new Proxy(); proxy.setHttpProxy("localhost:8081"); proxy.setSslProxy("localhost:8081"); DesiredCapabilities capabilities = DesiredCapabilities.chrome(); capabilities.setCapability("proxy", proxy); [Selenium Tests here] [Optionally, Security Tests here] Proxying Selenium requests through ZAP ZAP is run on localhost:8081
  • 16. curl "http://localhost:8081/OTHER/core/other/htmlreport/" -o zap.html curl "http://localhost:8081/OTHER/core/other/jsonreport/" -o zap.json curl "http://localhost:8081/OTHER/core/other/xmlreport/" -o zap.xml Get HTML/XML report from command line ZAP is run on localhost:8081 XML/JSON formats can be useful if you want to import the findings into a Vulnerability Management tool
  • 19. • You can possibly take advantage of any functional testing framework to perform security scans. • If you have existing Selenium test cases written for your web apps, use them to drive security scans. • If you already spent time and efforts on writing Selenium scripts, you already explored the website for your scanner. Proxy the Selenium traffic through ZAP. • OWASP ZAP comes with the best and easy to use REST APIs, use them for DAST. • ZAP is an OWASP project, you can trust its abilities to discover common vulnerabilities. Key takeaways

Editor's Notes

  1. Image by MasterTux from Pixabay 
  2. Demo includes the vulnerable app’s pre and post auth features and an active scan using ZAP.
  3. Show ZAP API documentation