ZAP Automation With Selenium


coollax...@gmail.com

Jun 7, 2018, 6:55:32 AM
to OWASP ZAP User Group
Hi,

I recently got a new project where I need to Automate Security Testing with Selenium.

I need step-by-step help automating Selenium with ZAP: how to configure it and how to run the spider and active scan with Selenium.

Thanks,
Laxman 

Simon Bennetts

Jun 11, 2018, 1:04:07 PM
to OWASP ZAP User Group
Hi Laxman,

Do you have existing selenium tests for your application?
If so you can:
  1. Launch ZAP (eg in daemon mode)
  2. Run your selenium tests, proxying through ZAP
  3. Start the ZAP active scan via the API
  4. Wait for the active scan to complete
  5. Read the alerts raised
  6. Stop ZAP
If you don't have any existing selenium tests then you can use the ZAP Ajax Spider which uses selenium.
You can call the ZAP API directly or you can use one of the ZAP API client libraries.
This script performs a full active scan of a target, using the traditional spider to explore as well as (optionally) the ajax spider: https://github.com/zaproxy/zaproxy/blob/develop/docker/zap-full-scan.py

Does that help?

Cheers,

Simon
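Simon's six steps as a Python example, added here and not code from the original post or from the ZAP project. It talks to the ZAP JSON API directly over urllib (the same endpoints the client libraries wrap), and assumes ZAP was already started as a daemon on 127.0.0.1:8080 with the API key `changeme`, and that selenium plus chromedriver are installed for the browser step; the proxy flags also cover HTTPS, which only reaches ZAP if the browser accepts ZAP's MITM certificate.

```python
import json
import time
import urllib.parse, urllib.request
from collections import Counter
# Assumed: ZAP already started as a daemon, e.g. zap.sh -daemon -port 8080 -config api.key=changeme
ZAP_API = "http://127.0.0.1:8080"
API_KEY = "changeme"

def zap_call(component, kind, name, **params):
    """Call one ZAP JSON API endpoint, e.g. /JSON/ascan/action/scan/?url=..."""
    params["apikey"] = API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def chrome_proxy_args(proxy_host="127.0.0.1", proxy_port=8080):
    """Chrome flags routing all browser traffic through ZAP; the second lets HTTPS load via ZAP's MITM cert."""
    return [f"--proxy-server={proxy_host}:{proxy_port}", "--ignore-certificate-errors"]

def run_selenium_tests(target):
    """Step 2: drive the site through ZAP so its requests land in the Sites tree."""
    from selenium import webdriver  # imported lazily; needs selenium + chromedriver
    opts = webdriver.ChromeOptions()
    for arg in chrome_proxy_args():
        opts.add_argument(arg)
    driver = webdriver.Chrome(options=opts)
    driver.get(target)  # replace with your real Selenium test steps
    driver.quit()

def wait_for_scan(scan_id, status_fn, poll_seconds=5, max_polls=720):
    """Step 4: poll ascan/view/status (percent complete) until it reaches 100."""
    for _ in range(max_polls):
        if int(status_fn(scan_id)) >= 100:
            return True
        time.sleep(poll_seconds)
    return False

def summarise_alerts(alerts):
    """Step 5: count alerts per risk level from the core/view/alerts response."""
    return dict(Counter(alert["risk"] for alert in alerts))

def full_run(target):
    """Steps 2 to 6 end to end; returns counts such as {'High': 1, 'Low': 7}."""
    run_selenium_tests(target)
    scan_id = zap_call("ascan", "action", "scan", url=target)["scan"]  # step 3
    wait_for_scan(scan_id, lambda sid: zap_call("ascan", "view", "status", scanId=sid)["status"])
    alerts = zap_call("core", "view", "alerts", baseurl=target)["alerts"]
    zap_call("core", "action", "shutdown")  # step 6
    return summarise_alerts(alerts)
```

Because ZAP runs as a daemon, the test script keeps the terminal and shuts ZAP down through the API at the end instead of Ctrl+C.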

Laxman Gaddam

Jun 11, 2018, 1:14:26 PM
to zaprox...@googlegroups.com
Hi Simon,

Thanks for your prompt response.

I am new to automated security testing, and I am not even sure how to start. I tried doing it in Python in Kali with no success. On Windows I also installed Python but was unable to get any further.

So I thought to do it in Selenium. As of now I have my application, but I am not sure how to proceed further. I have all the GitHub ZAP files but am not sure how to configure and test them.

If you can help me get started step by step, it would help me succeed in my project.

My application is an ecommerce site and we test only OTP and static passwords.

I need your help to automate this project.


Thanks and Regards,
Laxman Gaddam


Simon Bennetts

Jun 11, 2018, 1:22:44 PM
to OWASP ZAP User Group
Try using the Baseline scan with docker first: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan

docker pull owasp/zap2docker-stable 
docker run -t owasp/zap2docker-stable zap-baseline.py -t https://www.example.com

That's not too bad, is it?
Once you've got that working then try the same with the full scan.

Cheers,

Simon

Laxman Gaddam

Jun 18, 2018, 2:45:16 AM
to zaprox...@googlegroups.com
Hi Simon,

Still I am not able to execute the baseline scan using command line.

I am getting the following error message.

Please find below a screenshot of the same.



Kindly please help me.

Thanks & Regards,
Laxman Gaddam


thc...@gmail.com

Jun 18, 2018, 4:12:46 AM
to zaprox...@googlegroups.com
Hi.

Did you try with http://demo.testfire.net/ ?

Best regards.


Lokesh Singhal

Aug 23, 2018, 5:15:03 AM
to OWASP ZAP User Group
Hi, 

I tried with http://demo.testfire.net/
When I do a Quick Start and pass the URL in "URL to Attack", I get the vulnerabilities.
However, when I use Selenium tests, open Chrome with ZAP as the proxy, open the URL and do some actions,
I do not get the vulnerabilities which I got the above way.
What is wrong here?

I am following the full process:
1. start zap
2. run selenium scripts proxied through zap
3. set context and authentication and pass context to ascan
4. generate report

kingthorin+owaspzap

Aug 23, 2018, 10:40:05 AM
to OWASP ZAP User Group
Please stick to a single thread for a single issue.

naresh C

Mar 13, 2019, 12:16:01 PM
to OWASP ZAP User Group
Hi Simon,

I have some trouble with step 2.
I am able to capture only the HTTP requests but unable to capture HTTPS traffic, even after adding the following settings:
    profile.setAssumeUntrustedCertificateIssuer(true);
    profile.setAcceptUntrustedCertificates(true);
Can you suggest how to overcome this issue?

Thanks in advance.

Bhawna Gupta

Mar 14, 2019, 12:19:01 AM
to zaprox...@googlegroups.com
I need ZAP API integration code in Java. Do we have the same? If so, please share a link.


hauschu...@gmail.com

Mar 14, 2019, 3:36:44 AM
to OWASP ZAP User Group
That looks like it is unable to reach the URL at all, which points to it being a network problem. 

What is your network setup? Is there a downstream corporate proxy you need to go through? 

Riya jindal

Aug 7, 2020, 7:32:20 AM
to OWASP ZAP User Group
Hi,

How do I run Python tests without killing ZAP with Ctrl+C? If ZAP is running, it will block the command line. What are the commands for the steps mentioned above?
  1. Launch ZAP (eg in daemon mode) (how do I stop it blocking the command line?)
  2. Run your selenium tests, proxying through ZAP (isn't it that if ZAP is the proxy, every request through the browser will pass through ZAP?)
  3. Start the ZAP active scan via the API
  4. Wait for the active scan to complete
  5. Read the alerts raised
  6. Stop ZAP
I find other ways; can you please give the command for each?

Thanks,
Riya
