Automated Testing with ZAP


Christofer Huber

Jul 12, 2012, 5:34:07 AM
to zaprox...@googlegroups.com
Hi guys! First of all, ZAP is a great tool to scan a web application for vulnerabilities :)

I'm searching for a way to make automated tests. My first approach was to combine ZAP with Selenium. Therefore I recorded different test cases, so that ZAP is aware of all subsites and requests of the application (because I noticed that the spider is not able to find every page/action).

Now I ask myself how it is possible to do some automated testing of an application. Selenium is also available as a server version, so that it can be run on a Linux machine.

Is there a possibility to install ZAP on a Linux machine with e.g. Ubuntu and run automated tests in combination with Selenium every night or at a certain interval?

It would be great if you can give me some hints.

Best regards!

Christofer Huber

Jul 12, 2012, 5:50:44 AM
to zaprox...@googlegroups.com
... it seems that it is not possible to edit posts :/ ... one addition:

For a first approach it would be enough to configure it in a way that makes it possible to run Selenium and ZAP combined on a Windows desktop environment, for example with a batch script.

Simon Bennetts

Jul 12, 2012, 6:19:44 AM
to zaprox...@googlegroups.com
Hi Christofer,

Thanks for the feedback, and for getting in touch :)

This is a topic close to my heart .. and probably the reason Mozilla hired me!
Have you had a look at http://code.google.com/p/zaproxy/wiki/SecRegTests ?
The Demo Setup page linked off there shows how to set up this sort of test using Selenium running against the BodgeIt Store.
You can install ZAP on Windows, Linux and Mac OS, and yes, you can run this sort of automated test as part of your continuous integration - that's what I set up at my last job, and one of the things I'm now working on at Mozilla.
So in the demo you run standard (functional) Selenium tests (controlled by Ant) against BodgeIt, which all pass.
You then use a slightly changed Ant task which first starts ZAP, then proxies the functional Selenium tests through ZAP, then runs the Spider and active Scanner before checking for any alerts.
And it fails (of course) because BodgeIt is vulnerable ;)

Scripting this stuff is definitely the way to go, and I'd suggest something cross platform.
The demo uses Ant, but at Mozilla we're probably going to be using Python.
There's a ZAP Python Client API available, and I've just written a pytest for controlling ZAP tests.

So, this is a bit bleeding edge right now, but it's something I'm going to be putting a significant amount of effort into.

Is that enough to get started?
Please ask any questions, either on this forum or you can contact me directly.

Many thanks,

Simon

Christofer Huber

Jul 12, 2012, 12:03:47 PM
to zaprox...@googlegroups.com
Hello Simon!

Thanks for the quick response ;)

Now I have set up the following configuration (running on Win 7):

+ ZAP 1.4.0.1
+ Firefox 13 with Selenium Plugin
+ Netbeans 7.1 with Ant Plugin
+ Selenium Test-Case specified
+ ZAP is tracking the traffic on localhost

My next task would be writing a little build.ant script to start ZAP and all the other processes as mentioned in your post. Do you already have a basic script, or maybe a resource where I can find the commands and parameters I need to use in the Ant script to start ZAP, Selenium and the other tools, for example? :)

What I don't understand right now is how to set up ZAP on a web server. You wrote that there is a Python client; I'm not familiar with Python, so I am not sure how the client or the Python script can be executed. But would it be possible to run ZAP "headless" on a Linux machine and log the results into a log file or something?

Thank you and best regards,
Christofer

psiinon

Jul 12, 2012, 12:48:52 PM
to zaprox...@googlegroups.com
Hi Christofer,

Got those already :)
There's a bit about them on the wiki: http://code.google.com/p/zaproxy/wiki/ApiAnt
So the Ant tasks are part of the Java API.
The scripts linked off there explain in comments how to import the tasks into Eclipse.
I'm afraid I don't know how to do that for Netbeans - if you work it out please let me know and I'll add that to the wiki :)

The ZAP API is a simple REST one, so you can drive it directly, using the Java API, Ant tasks or Python API.
They all have the same functionality.
And if you fancy writing an API in any other language I'll be pleased to 'officialize' that ;)

And yes, you can run ZAP in headless mode - use the "-daemon" switch from the command line.
To stop a ZAP daemon you need to use the API ;)

You can save the session to a set of files via the API, or access all of the alerts.

Cheers,

Simon

--
You received this message because you are subscribed to the Google Groups "zaproxy-users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/zaproxy-users/-/PuBVyNCg4ewJ.

To post to this group, send email to zaprox...@googlegroups.com.
To unsubscribe from this group, send email to zaproxy-user...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/zaproxy-users?hl=en.



--
OWASP ZAP: Toolsmith Tool of the Year 2011
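The flow Simon describes above (start ZAP headless, run the proxied Selenium tests, spider, active scan, then check the alerts), driven over the REST API he mentions, as an added example that is not code from this thread or from the ZAP project. API requests are sent through the ZAP proxy because ZAP serves http://zap/ itself, matching the thread's own log lines; the endpoint paths follow ZAP's /JSON/<component>/<action|view>/<name>/ layout, while the JSON field names, the risk strings, the BodgeIt target URL and the offline stand-in responses are assumptions.

```python
"""Security regression test against a headless ZAP daemon via its REST API.
Added example, not code from this thread or from ZAP itself. API calls go through
the proxy because ZAP answers http://zap/... itself (see the thread's log lines);
the JSON field names, target URL and absence of an apikey parameter are assumptions."""
import json
import time
import urllib.parse
import urllib.request

ZAP_PROXY = "http://127.0.0.1:8080"  # ZAP's local proxy address and port
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def http_fetch(url):
    """GET a ZAP API URL through the ZAP proxy and decode the JSON reply."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": ZAP_PROXY}))
    with opener.open(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))

def api(component, kind, name, fetch=http_fetch, **params):
    """Call http://zap/JSON/<component>/<kind>/<name>/?key=value..."""
    url = f"http://zap/JSON/{component}/{kind}/{name}/"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return fetch(url)

def wait_for(component, fetch=http_fetch, poll=2.0):
    """Poll <component>/view/status until the spider or scanner reports 100."""
    while int(api(component, "view", "status", fetch)["status"]) < 100:
        time.sleep(poll)

def alerts_at_or_above(alerts, threshold):
    """Keep only alerts whose risk level is at least `threshold`."""
    floor = RISK_ORDER[threshold]
    return [a for a in alerts if RISK_ORDER.get(a.get("risk"), 0) >= floor]

def security_regression_test(target, threshold="Medium", fetch=http_fetch, poll=2.0):
    """Spider and actively scan `target` (already exercised by the proxied
    Selenium run, so ZAP knows its pages), then return (passed, bad_alerts)."""
    api("spider", "action", "scan", fetch, url=target)
    wait_for("spider", fetch, poll)
    api("ascan", "action", "scan", fetch, url=target)
    wait_for("ascan", fetch, poll)
    alerts = api("core", "view", "alerts", fetch, baseurl=target)["alerts"]
    bad = alerts_at_or_above(alerts, threshold)
    return len(bad) == 0, bad

# Constructed stand-in for a running ZAP daemon so the flow runs offline.
FAKE_RESPONSES = {
    "/JSON/spider/action/scan/": {"Result": "OK"},
    "/JSON/spider/view/status/": {"status": "100"},
    "/JSON/ascan/action/scan/": {"Result": "OK"},
    "/JSON/ascan/view/status/": {"status": "100"},
    "/JSON/core/view/alerts/": {"alerts": [
        {"alert": "X-Frame-Options Header Not Set", "risk": "Low"},
        {"alert": "Cross Site Scripting (Reflected)", "risk": "High"},
    ]},
}

def fake_fetch(url):
    return FAKE_RESPONSES[urllib.parse.urlparse(url).path]

if __name__ == "__main__":  # drop fetch=/poll= to talk to a real ZAP daemon
    ok, bad = security_regression_test("http://localhost:8081/bodgeit/",
                                       fetch=fake_fetch, poll=0)
    print("PASS" if ok else "FAIL: " + ", ".join(a["alert"] for a in bad))
```

Run inside the CI job after the Selenium step that was proxied through ZAP; a non-empty `bad` list is what turns the build red.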

Christofer Huber

Jul 13, 2012, 7:14:38 AM
to zaprox...@googlegroups.com
Hello again ;)

Yesterday I accomplished some additional tasks. I added the Ant plugin to Netbeans and also installed the native Ant application on my local machine, so that I can run an Ant script from the Netbeans console. I can also access ZAP from a DOS prompt, but at the moment I am only able to output the application version ;)

As mentioned in your build.api.xml file, I added the files of the ZAP_Client_API archive to the local Ant lib folder (but I suppose that Netbeans doesn't notice that ;)).

Running a simple "Hello World" script from the Netbeans console was then not the biggest task. But then I tried to modify my Ant file according to your comments and your structure. I only wanted to execute the "tasks" startZap and stopZap to ensure that I can interact with ZAP at all. But at this point the first problems occurred and I got the following output in the console:

D:\Program Files (x86)\Zend\Apache2\htdocs\project_beta\build.ant:8: taskdef class org.zaproxy.clientapi.ant.AccessUrlTask cannot be found
 using the classloader AntClassLoader[]

Then I searched the web to find out whether Netbeans has its own syntax for Ant files. Instead of the element <taskdef> it seems that <macrodef> should be used. But I have no idea here which commands I have to use or which can be used. Here I upload my build.ant script (http://pastebin.com/QcTFjnLB).

In addition to this I asked myself if it would be possible to start the build process also from the DOS prompt, where I can also interact with the Ant application and where it's maybe possible to communicate with ZAP, because the jar files of the ZAP client are also located there.

Is it already possible to initiate the process from a DOS prompt? But I suppose I then also need a well-configured build.xml or build.ant?

Best regards,
Christofer


psiinon

Jul 16, 2012, 5:19:42 AM
to zaprox...@googlegroups.com
Hey Christofer :)

Does your Ant script work in Netbeans?
It'd be really nice to support that as well, but I suspect I won't be able to find the time to install and learn about Netbeans :(
You could always ask about it on the dev group - someone might have experience with it (at least more than I do ;).

What do you see when you try starting ZAP from the DOS prompt?
I've updated the FAQ with a couple of answers related to this, which might help.
Make sure you're in the install directory before you run the zap.bat script.

It should be possible to build ZAP from a DOS prompt, but you will need to use Ant.
I used to do this on Linux, but I must admit I always use Eclipse these days :(
Another one for the dev group?

Cheers,

Simon


Christofer Huber

Aug 8, 2012, 5:18:54 PM
to zaprox...@googlegroups.com
Hello Simon ... I was off for a while ;)

In the meantime I managed to configure my build file in a way that makes it possible to launch ZAP from Eclipse (I changed to Eclipse, because I have to get in touch with Ant and its syntax first, before I continue with Netbeans).

But I got the following error message in the console:

[spiderUrlTask] ["100"]
[spiderUrlTask] ["OK"]
[spiderUrlTask] Open URL: http://zap/json/spider/view/status
[spiderUrlTask] ["100"]
[saveSessionTask] Open URL: http://zap/json/core/action/savesession/?name=test 08-08-2012 23-10-20
[saveSessionTask] ["OK"]
[alertCheckTask] Open URL: http://zap/json/core/view/alerts

BUILD FAILED
D:\eclipse\workspace\myproject_beta\build-api.xml:94: java.net.ConnectException: Connection refused: connect

Here is my build-api.xml: http://pastebin.com/G4AD2tiK

Do you have any idea why I can't save the session?

Christofer Huber

Aug 18, 2012, 5:34:38 AM
to zaprox...@googlegroups.com
Hello :)

I did some further research and managed to also start Selenium Server (RC) from Eclipse, or rather from the build file. To do that I only configured Eclipse to execute cmd prompt commands and added this to my build-api.xml (so that runSelenium is executed after startZap or startZapDaemon):

<target name="runSelenium">
    <echo>Starting Selenium testing</echo>
    <!-- launch Selenium RC in a new console window and run the HTML suite -->
    <exec dir="${seleniumDir}" executable="cmd">
        <arg line="/K start java -jar selenium-server.jar -multiwindow -htmlSuite '*firefox D:\Program Files (x86)\Mozilla Firefox\firefox.exe' 'http://gr3at/' 'test_suite_project.html' 'test_results_project.html'" />
    </exec>
    <!-- give the suite time to finish before the following targets run -->
    <sleep seconds="60" />
</target>

It works: Selenium Server and Firefox were started and the tests were performed. But the existing ZAP instance didn't notice that the local site was clicked, and so the site accesses weren't analysed and stored in ZAP.

I suppose there is a problem with the proxy server, so that ZAP didn't notice the actions performed. Can you give me advice on how to configure the build file so that Selenium and ZAP interact?

Best regards!
Christofer

thc202

Aug 18, 2012, 8:53:17 AM
to zaprox...@googlegroups.com
Hi.

It seems that you have to set the proxy configuration for the Selenium server to point to ZAP.

If you are running ZAP and Selenium on the same machine and ZAP is listening on the default port, you have to add the following to the command that starts the Selenium server:
 -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=8080

Best regards.

Simon Bennetts

Aug 21, 2012, 6:28:45 AM
to zaprox...@googlegroups.com
Strangely enough, the tests are intended to run without using a separate Selenium server, although obviously they could still use one.
Did you try following the setup steps here: http://code.google.com/p/zaproxy/wiki/RegTestsDemo (with relevant changes for Netbeans)?
The FunctionalZAP test should handle wrapping the FunctionalTest with the required selenium functionality.

Cheers,

Simon

Christofer Huber

Aug 23, 2012, 10:12:27 AM
to zaprox...@googlegroups.com
Thx for your advice with the proxy configuration ... but it still doesn't work. When I start ZAP and Selenium from my Ant file within Eclipse, Selenium gets the following problem:

If I enter the command on the Windows prompt, Selenium is started correctly ... I don't have any idea what the problem is. Maybe ZAP is blocking the proxy or something like this? Any further advice?

@Simon

I took a closer look at your proposal, but I'm not sure where to put the several classes (which folder of my project) and how to start the tests from the Ant file :-/ ... so the solution with the Selenium Server seems to be easier for me :)

thc202

Aug 23, 2012, 12:00:46 PM
to zaprox...@googlegroups.com
Hi.

Can you translate the error message that is shown inside the frames?
Could you post your most recent build-api.xml file?

Do you mind trying the following?
 - Change the port in the values of the parameters resultsUrl and test from 8080 to 4444 on the "Selenium Functional Test Runner" page that is giving the error, and access it to see if it works.

Best regards.

Christofer Huber

Aug 23, 2012, 1:31:29 PM
to zaprox...@googlegroups.com
Hello again :)


 - Change the port in the values of the parameters resultsUrl and test from 8080 to 4444 on the "Selenium Functional Test Runner" page that is giving the error, and access it to see if it works.

It makes no difference: if I set the parameters manually in the browser and try to reload the site, I get the mentioned error again ... but when I close ZAP and then load the page, the functional test runner works like a charm with port 4444 or 8080 ... ZAP definitely breaks the proxy settings or something else.

thc202

Aug 24, 2012, 11:04:50 AM
to zaprox...@googlegroups.com
Hi.

The -port argument for the Selenium server sets it to run on the given port.
From looking at the targets startZap/startZapDaemon, you're setting the Selenium server to run on the same port as ZAP (8080).

Do you mind changing the command that starts the Selenium server to:

/K start java -jar selenium-server.jar -Dhttp.proxyHost=${zapaddr} -Dhttp.proxyPort=${zapport} -port ${seleniumPort} -multiwindow -htmlSuite [...]


where [...] stands for the other arguments, and seeing if it works?

You can also run the server using the java task instead of the exec task:

<java jar="${seleniumDir}/selenium-server.jar" fork="true" spawn="true">
    <jvmarg value="-Dhttp.proxyHost=${zapaddr}" />
    <jvmarg value="-Dhttp.proxyPort=${zapport}" />
    <arg line="-port ${seleniumPort} -multiwindow -htmlSuite [...]" />
</java>


What version of Selenium server are you using?

Best regards.

Christofer Huber

Aug 25, 2012, 6:44:52 AM
to zaprox...@googlegroups.com
Hello thc202!

Ok, I see. I changed the settings and now ZAP is started and the Selenium tests also run without connection/proxy errors. But there is still one problem left: ZAP doesn't track the traffic at the moment ... the ZAP proxy configuration is set to localhost with port 8080 within the build file, as you see, and also within the tool when it is started.

I am using Selenium Server 2.25.0.

Best regards

thc202

Aug 26, 2012, 1:47:30 PM
to zaprox...@googlegroups.com
Hi.

As setting the proxy settings on the Selenium server is not working with that version, I would suggest using a Firefox profile template with the proxy settings instead, which Selenium will then use to create the Firefox profiles.

To define the proxy settings for the template profile you would have to create a folder with a file in it named "prefs.js" with the following contents:
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "localhost");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.type", 1);

and pass the following argument to the Selenium server:
-firefoxProfileTemplate 'X:\path\to\dir\with\firefox\profile\'


If you want, you may also create an Ant task to do that dynamically:

<property name="firefoxProfileDir" value="X:\path\to\dir\with\firefox\profile\" />

<!-- write the proxy prefs into the template profile before Selenium starts -->
<echo file="${firefoxProfileDir}/prefs.js">
    user_pref("network.proxy.http", "${zapaddr}");
    user_pref("network.proxy.http_port", ${zapport});
    user_pref("network.proxy.ssl", "${zapaddr}");
    user_pref("network.proxy.ssl_port", ${zapport});
    user_pref("network.proxy.type", 1);
</echo>

<java jar="${seleniumDir}/selenium-server.jar" fork="true" spawn="true">
    <arg line="-port ${seleniumPort} -multiwindow -firefoxProfileTemplate '${firefoxProfileDir}' -htmlSuite [...]" />
</java>

The previous arguments for setting the proxy on the Selenium server wouldn't be needed.

Note that the firefoxProfileTemplate argument is only available for backward compatibility with Selenium RC.
If you were using WebDriver you would be able to set the proxy settings directly when creating the FirefoxDriver.

Best regards.

Christofer Huber

Aug 27, 2012, 4:46:57 AM
to zaprox...@googlegroups.com
Hello :)

With the Firefox template it is working now! Thank you very much for your help!

ΓΙΑΝΝΗΣ ΠΑΠΑΔΑΚΗΣ

Jul 14, 2013, 6:38:32 AM
to zaprox...@googlegroups.com
Hi all,

I have a problem scanning the targetURL with zap-maven-plugin.

Selenium proxy conf (capabilities): localhost:8090

The application and ZAP are listening on the default port 8090, but after starting ZAP with Maven the process phase returns a timeout after reading elements in the page (socket timeout exception) and the scan is not starting at all. ZAP and the Selenium server run in my local environment.

Do you know how to bypass this?

Thanks,
Giannis Papadakis

Simon Bennetts

Sep 3, 2013, 5:19:27 AM
to zaprox...@googlegroups.com
Hiya,

You can't have both your application and ZAP listening on the same port.
You can change the ZAP port via the Options/Local proxy screen or using the -port command line switch.

Cheers,

Simon

Puneet Sharma

Nov 23, 2013, 8:21:05 AM
to zaprox...@googlegroups.com
Hi Christofer Huber,
I am really new to automation testing. Can you help me with how to start the ZAP and Selenium integration?

tabassum nasrat

Aug 23, 2017, 6:21:05 AM
to OWASP ZAP User Group
Hello Simon,

I have recently started using ZAP; the version is 2.6.0. I am new to the tool, I am facing a lot of issues, and I am unable to relate to the video tutorials well. Here are a few of my queries:

1. I am working on an application which has been automated using Robot Framework and is run on Chrome. How do I do the security testing with ZAP on this automated script?
2. I am not able to log in to the application when I am doing an Active Scan or AJAX Spider attack. How does that work, if it is possible at all?
3. If I click on the link to any internal page of the application and then "AJAX Spider", I am not able to run it and instead I get an error page, which quickly disappears as well.
4. Even with my proxy settings changed on Chrome, it is not working for ZAP. What do I do?


Regards.

Simon Bennetts

Aug 23, 2017, 6:36:42 AM
to OWASP ZAP User Group
Hiya,

Authentication is a pain ;)
How does authentication work in your app?
Is it form based, or does it use something else (e.g. SSO)?
For form based authentication see https://github.com/zaproxy/zaproxy/wiki/FAQformauth

Cheers,

Simon

kingthorin+owaspzap

Aug 23, 2017, 7:54:02 AM
to OWASP ZAP User Group