OWASP ZAP Using Automated Selenium Tests


Using automated end-2-end tests to automatically analyze web applications with OWASP ZAP

In one of my last stories, Automated Security Testing in Agile Software Projects, I had a look at automated security tests using OWASP ZAP. This tool can be used to perform automated penetration tests against various kinds of web applications and can easily be integrated into existing CI/CD pipelines, giving developers valuable and fast feedback. However, to get the most out of it, you need to tweak it to your specific setup. Crucial here is the exploration stage, in which ZAP analyses the application and tries to find all the endpoints it provides.

The simplest way to do this is to use a web spider that follows all links and references, or to provide an OpenAPI specification of your endpoints. While this already provides valuable feedback, it also has some limitations (see the details in my last story):

  • If complex user interaction is needed to access parts of your application (e.g. filling out a form), a web spider is not able to detect these parts.
  • When provided with an OpenAPI specification, ZAP cannot guess valid values for path variables and will therefore often perform invalid requests.

As an alternative approach, you can use the ZAP interception proxy together with automated system tests. When provided with an exhaustive set of such tests, ZAP should be able to detect all provided application endpoints, without additional tweaking.
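The glue between the two pieces described above is small: the browser driven by the end-to-end tests is pointed at ZAP as its HTTP proxy, and once the suite has finished the ZAP API is asked for the alerts it recorded for the application. The following is an added example and not code from the original article or its GitHub repositories. It assumes a ZAP daemon on localhost:8080 with the API enabled and a Chrome-based Selenium suite; the alert payload at the bottom is constructed to mirror the shape of ZAP's `/JSON/core/view/alerts/` response (the field names `pluginId`, `alert`, `risk`, `url`, `param` are assumed to match that API), so the summary and build gate can be exercised offline.

```python
"""Route Selenium traffic through ZAP and gate the build on ZAP's alerts.

Added example, not from the original article. Assumes a ZAP instance on
localhost:8080 with the API enabled and a Chrome-based Selenium suite.
"""
import json
import urllib.request
from collections import Counter
from urllib.parse import urlencode

ZAP_HOST = "localhost"   # assumption: ZAP runs locally in daemon mode
ZAP_PORT = 8080          # assumption: ZAP's default proxy/API port
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def chrome_proxy_args(host: str = ZAP_HOST, port: int = ZAP_PORT) -> list[str]:
    """Chrome flags that send every request of the browser through ZAP.

    Pass these to selenium's ChromeOptions.add_argument(); ZAP then records
    every endpoint the end-to-end tests touch. TLS is intercepted with ZAP's
    generated root CA, so either trust that CA in the test browser profile
    or, for disposable CI browsers only, accept its certificate as done here.
    """
    return [
        f"--proxy-server=http://{host}:{port}",
        "--ignore-certificate-errors",
    ]


def alerts_url(target_base_url: str, api_key: str,
               host: str = ZAP_HOST, port: int = ZAP_PORT) -> str:
    """Build the ZAP API call that lists alerts recorded for the target."""
    query = urlencode({"baseurl": target_base_url, "apikey": api_key})
    return f"http://{host}:{port}/JSON/core/view/alerts/?{query}"


def fetch_alerts(target_base_url: str, api_key: str) -> list[dict]:
    """Query a live ZAP instance (network call; not exercised offline)."""
    with urllib.request.urlopen(alerts_url(target_base_url, api_key), timeout=30) as resp:
        return json.load(resp)["alerts"]


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Count distinct findings per risk level.

    ZAP emits one alert per URL/parameter, so a weakness present on ten
    endpoints would otherwise show up ten times. Collapsing on
    (pluginId, risk) gives a reviewable count of distinct findings.
    """
    distinct = {(a["pluginId"], a["risk"]) for a in alerts}
    return dict(Counter(risk for _, risk in distinct))


def gate(alerts: list[dict], fail_at: str = "High") -> tuple[bool, list[str]]:
    """Decide whether the pipeline should fail.

    Returns (passed, reasons). Anything at or above `fail_at` blocks the
    build; lower risks are reported but do not block.
    """
    threshold = RISK_ORDER[fail_at]
    blocking = sorted(
        {f'{a["alert"]} at {a["url"]} (param: {a.get("param") or "-"})'
         for a in alerts if RISK_ORDER.get(a["risk"], 0) >= threshold}
    )
    return (not blocking, blocking)


# Constructed sample in the shape of ZAP's alerts response (not real scan output).
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://app.local/search?q=x", "param": "q"},
    {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "url": "http://app.local/", "param": ""},
    {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "url": "http://app.local/profile", "param": ""},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://app.local/api/items", "param": ""},
]

if __name__ == "__main__":
    # Offline dry run on the constructed sample; swap in fetch_alerts(...) after
    # the Selenium suite has finished driving the browser through ZAP.
    print("distinct findings per risk:", summarize(SAMPLE_ALERTS))
    ok, reasons = gate(SAMPLE_ALERTS)
    print("build passes:", ok)
    for r in reasons:
        print("  blocking:", r)
```

In a pipeline the order is: start ZAP, run the Selenium suite with `chrome_proxy_args()` applied to the driver options, optionally trigger ZAP's active scan against the recorded site tree, then call `gate(fetch_alerts(...))` and exit non-zero when it returns `False`. The gate fails only on the configured risk level so that the large number of Low and Informational header findings ZAP typically reports does not turn into noise that developers learn to ignore.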

To test this, I created a simple test application featuring a single-page frontend built with Angular, a REST backend built with Spring Boot, and OpenID Connect for authentication. You can find the source code as well as a Readme on GitHub. Additionally, you can find the source code of the performed test in another GitHub repository.
