ZAP Java API +selenium automation


janani muthiyalu

Oct 13, 2016, 6:53:24 AM
to OWASP ZAP User Group
Hello,

Has anyone integrated ZAP Java API to the selenium automation project to perform penetration testing?

If yes, Kindly share the steps.

Regards,
Janani.

Simon Bennetts

Oct 13, 2016, 7:01:38 AM
to OWASP ZAP User Group
I've proxied Selenium tests through ZAP in order to effectively explore an application, and also used the ZAP Ajax Spider which itself uses Selenium.
However I haven't called the ZAP API from Selenium.

Can you explain how you would like this to work?
I'm no Selenium expert but I can offer advice and guidance on the ZAP API side...

Cheers,

Simon

Shawn McCarthy

Oct 13, 2016, 11:32:33 AM
to OWASP ZAP User Group
You wouldn't use "Selenium" to call the ZAP Java APIs. Selenium only interacts with browsers. You can have Selenium calls next to your ZAP Java API calls.

janani muthiyalu

Oct 17, 2016, 5:07:53 PM
to OWASP ZAP User Group
Thanks Simon, I have a Selenium script for all UI actions of my application. I want to set ZAP as the proxy to scan for security issues while the Selenium functional tests are running.

My project is a maven project. (selenium webdriver)


Regards,
Janani

Jones Michael

Oct 18, 2016, 2:09:12 PM
to OWASP ZAP User Group
Create a proxy in the capabilities object, something like this:

 // Selenium proxy settings that point the browser at ZAP. zapConf is assumed to be
 // a small config holder exposing getZapHost() and getZapPort().
 import org.openqa.selenium.Proxy;
 import org.openqa.selenium.Proxy.ProxyType;
 import org.openqa.selenium.remote.CapabilityType;
 import org.openqa.selenium.remote.DesiredCapabilities;

 DesiredCapabilities capability = new DesiredCapabilities();
 capability.setCapability(CapabilityType.PROXY, getZAPSeleniumProxyObject());

 public Proxy getZAPSeleniumProxyObject() {
     Proxy proxy = new Proxy();
     proxy.setAutodetect(false);
     proxy.setProxyType(ProxyType.MANUAL);

     // HTTP, HTTPS and FTP all go to the same ZAP listener (ZAP is a plain HTTP
     // proxy, not a SOCKS proxy, so the SOCKS entry is normally not needed).
     String zapAddress = zapConf.getZapHost() + ":" + zapConf.getZapPort();
     proxy.setHttpProxy(zapAddress);
     proxy.setSslProxy(zapAddress);
     proxy.setFtpProxy(zapAddress);
     proxy.setSocksProxy(zapAddress);

     return proxy;
 }


Simon Bennetts

Oct 19, 2016, 4:32:59 AM
to OWASP ZAP User Group
Thanks for the Selenium proxy settings :)

So proxy your Selenium tests through ZAP with those settings, then use ZAP to scan those pages.
You can either wait until your tests have finished before running ZAP, or you can use the ZAP 'attack mode' to attack them while your tests are running. Note that the latter may cause your tests to fail as they will be interacting with your app at the same time.

We have various examples of using the ZAP API including this one https://github.com/zapbot/zap-mgmt-scripts/blob/master/wavsep/wavsep-1.5-spider-scan.py which runs the standard spider, the ajax spider (optionally) and the active scanner.

Cheers,

Simon
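Putting Jones's proxy settings and Simon's "run the tests, then scan" sequence together, as an added example that is not from anyone in this thread. It assumes a recent zap-clientapi (ClientApi methods without a per-call apikey argument) and Selenium 3 with Firefox; the host, port, API key and target URL are constructed values.

```java
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ApiResponseSet;
import org.zaproxy.clientapi.core.ClientApi;

public class ZapSeleniumRun {
    // Constructed values: ZAP was started as
    //   zap.sh -daemon -port 8080 -config api.key=changeme
    static final String ZAP_HOST = "localhost";
    static final int ZAP_PORT = 8080;
    static final String ZAP_APIKEY = "changeme";
    static final String TARGET = "https://app.example.test/";

    public static void main(String[] args) throws Exception {
        ClientApi zap = new ClientApi(ZAP_HOST, ZAP_PORT, ZAP_APIKEY);
        zap.core.newSession("selenium-run", "true"); // start from an empty session
        // 1. Route the browser through ZAP so every request the UI test makes is recorded.
        String zapAddr = ZAP_HOST + ":" + ZAP_PORT;
        Proxy proxy = new Proxy().setHttpProxy(zapAddr).setSslProxy(zapAddr);
        FirefoxOptions options = new FirefoxOptions().setProxy(proxy);
        // ZAP re-signs HTTPS traffic with its own root CA: import that CA into the test
        // browser profile, or (test browsers only) let the browser accept it.
        options.setAcceptInsecureCerts(true);
        WebDriver driver = new FirefoxDriver(options);
        try {
            driver.get(TARGET); // the functional Selenium steps go here
        } finally {
            driver.quit();
        }
        // 2. With the functional run finished, actively scan the URLs ZAP observed.
        String scanId = ((ApiResponseElement) zap.ascan.scan(TARGET, "true", "false", null, null, null)).getValue();
        int progress = 0;
        while (progress < 100) {
            Thread.sleep(2000);
            progress = Integer.parseInt(((ApiResponseElement) zap.ascan.status(scanId)).getValue());
        }
        // 3. Fail the build on any High risk alert.
        ApiResponseList alerts = (ApiResponseList) zap.core.alerts(TARGET, "0", "0");
        long high = alerts.getItems().stream()
                .filter(a -> "High".equals(((ApiResponseSet) a).getStringValue("risk")))
                .count();
        System.out.println(alerts.getItems().size() + " alerts, " + high + " high");
        if (high > 0) System.exit(1);
    }
}
```

Running the active scan only after driver.quit() avoids the test failures Simon mentions for 'attack mode'; the scan still covers every URL the browser drove through ZAP.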

janani muthiyalu

Oct 19, 2016, 4:42:19 AM
to OWASP ZAP User Group
Thanks Simon and Jones.

For scanning, I need the ZAP API key. How do I get that?

    zapScanner = new ZAProxyScanner(ZAP_PROXYHOST, ZAP_PROXYPORT, ZAP_APIKEY);
    zapScanner.clear(); // Start a new session
    zapSpider = (Spider) zapScanner;

Regards,
Janani.

Simon Bennetts

Oct 19, 2016, 4:48:35 AM
to OWASP ZAP User Group
By default ZAP generates a random one, which is fine for the UI but no good for automation.

However you can set it from the command line when you start ZAP: https://github.com/zaproxy/zaproxy/wiki/FAQapikey

Cheers,

Simon

janani muthiyalu

Oct 21, 2016, 4:46:35 AM
to OWASP ZAP User Group
Thanks all, it is resolved.

I get the below error; I am using an https URL. Could someone help?
org.zaproxy.clientapi.core.ClientApiException: Provided parameter has illegal or unrecognized value

thc...@gmail.com

Oct 21, 2016, 5:02:58 AM
to zaprox...@googlegroups.com
Hi.

When does that happen (which method)? Could you enable the option "API" > "Report error details via API" [1] and tell us the parameter name?


[1]
https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsApi#report-error-details-via-api

Best regards.

Dollar Strike

Mar 25, 2017, 6:48:56 AM
to OWASP ZAP User Group
Hello Janani, could you help me configure the ZAP proxy for active scanning using Selenium?
A year ago I tried the ZAP proxy for passive scanning, but I want to automate active scanning as well. Could you help me by providing a snippet?

Regards
Dollar
https://seleniumbycharan.wordpress.com

aad...@gmail.com

Nov 8, 2017, 3:57:12 AM
to OWASP ZAP User Group
Hi Janani,

I am trying to use ZAP Maven for Selenium automation integration.

In automation I am facing a lot of issues with new session creation, active scan, etc.

If your Selenium automation using ZAP Maven was successful, then can you please share the steps and the versions of the ZAP client, Selenium driver and Firefox you used for automation?

Regards,
Aadi

aad...@gmail.com

Nov 8, 2017, 3:58:15 AM
to OWASP ZAP User Group
If you share the POM.xml file contents it will be helpful.