Selenium scripts unable to interact with ZAP.

[Vinayak Yadav]

Hi Simon,

Hope you are doing good!

I have been using ZAP for security testing and intercepting the requests manually. Now I am trying to automate the ZAP using selenium scripts (using eclipse) but not able to get any of the scan links on ZAP "Site tree". However the selenium scripts are getting successfully executed and ZAP report also get generated without any links or Alerts.

I have been trying multiple solution but none of them are working, so thought of posting it here. 

Hope anyone can come up and assist with the issue.   

I am posting my selenium scripts below

***********************************

import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

import com.oracle.tools.packager.Log;

import io.github.bonigarcia.wdm.WebDriverManager;

public class AltresZAP {

    static final String ZAP_PROXY_ADDRESS = "localhost";
    static final int ZAP_PROXY_PORT = 8098;
    static final String ZAP_API_KEY = "a8qif10r207qkqvl89o2dkjloi";

    public WebDriver driver;
    public ClientApi api;

    @BeforeMethod
    public void setup() {
        String proxyServerUrl = ZAP_PROXY_ADDRESS + ":" + ZAP_PROXY_PORT;
        Proxy proxy = new Proxy();
        proxy.setHttpProxy(proxyServerUrl);
        proxy.setSslProxy(proxyServerUrl);
        Log.info("Set proxy to host:{} and port:{}");

        //ChromeOptions fo = new ChromeOptions();
        FirefoxOptions fo = new FirefoxOptions();
        fo.setProxy(proxy);
        WebDriverManager.firefoxdriver().setup();
        driver = new FirefoxDriver();
     fo.addArguments("--ignore-certificate-errors");
        fo.setAcceptInsecureCerts(true);

        //WebDriverManager.chromedriver().setup();
        //driver = new ChromeDriver();

        api = new ClientApi(ZAP_PROXY_ADDRESS, ZAP_PROXY_PORT, ZAP_API_KEY);

    }

    @Test
    public void googleTest() {
        driver.get("https://www.google.com");
    }

    @AfterMethod
    public void tearDown() {
        if (api != null) {

            String title = "Google report test";

            String template = "traditional-html-plus";
            String description = "Google security report";
            String reportfilename = "goggle-report.html";
            String targetfolder = System.getProperty("user.dir");
            try {
                System.out.println(api.reports.templates());
                ApiResponse response = api.reports.generate(title, template, null, description, null, null, null, null,
                        null, reportfilename, null, targetfolder, null);
                System.out.println("Report Generated location" + response.toString());
            } catch (ClientApiException e) {
                e.printStackTrace();
            }
        }
         driver.quit();
    }
}

****************************

pom.xml

package altrestestzap;

<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>test</groupId>
    <artifactId>test</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>secuirtytesting</name>
    <build>

        <plugins>

            <plugin>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.1</version>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                </configuration>
            </plugin>

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>3.0.0-M5</version>
                <configuration>
                    <suiteXmlFiles>
                        <suiteXmlFile>testng.xml</suiteXmlFile>
                    </suiteXmlFiles>
                </configuration>
            </plugin>

        </plugins>
    </build>
    <dependencies>

        <!-- https://mvnrepository.com/artifact/org.seleniumhq.selenium/selenium-java -->
        <dependency>
            <groupId>org.seleniumhq.selenium</groupId>
            <artifactId>selenium-java</artifactId>
            <version>4.3.0</version>
        </dependency>

        <dependency>
            <groupId>org.apache.poi</groupId>
            <artifactId>poi</artifactId>
            <version>3.17</version>
        </dependency>

        <dependency>
            <groupId>com.relevantcodes</groupId>
            <artifactId>extentreports</artifactId>
            <version>2.41.2</version>
        </dependency>

        <dependency>
            <groupId>com.aventstack</groupId>
            <artifactId>extentreports</artifactId>
            <version>5.0.9</version>
        </dependency>

        <!-- https://mvnrepository.com/artifact/org.testng/testng -->
        <dependency>
            <groupId>org.testng</groupId>
            <artifactId>testng</artifactId>
            <version>7.6.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>2.6</version>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
            <version>3.1</version>
        </dependency>
        <dependency>
            <groupId>net.sourceforge.jexcelapi</groupId>
            <artifactId>jxl</artifactId>
            <version>2.6.12</version>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>8.0.23</version>
        </dependency>

        <dependency>
            <groupId>io.github.bonigarcia</groupId>
            <artifactId>webdrivermanager</artifactId>
            <version>3.8.1</version>
        </dependency>

        <dependency>
            <groupId>org.assertj</groupId>
            <artifactId>assertj-core</artifactId>
            <version>3.22.0</version>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>org.zaproxy</groupId>
            <artifactId>zap-clientapi</artifactId>
            <version>1.10.0</version>
        </dependency>


        <dependency>
            <groupId>org.zaproxy</groupId>
            <artifactId>zap</artifactId>
            <version>2.12.0</version>
        </dependency>


        <!-- https://mvnrepository.com/artifact/com.google.api-client/google-api-client -->
        <dependency>
            <groupId>com.google.api-client</groupId>
            <artifactId>google-api-client</artifactId>
            <version>2.0.0</version>
        </dependency>

    </dependencies>

</project>

******************************************************************

Kindly let me know if more details are required. Any help would be appreciated!

Regards,

Vinayak

[Simon Bennetts]

Hi Vinayak,

If your tests are still working but nothing is appearing in ZAP then that implies that selenium is not proxying the requests through ZAP.

We know its possible because its what we do in ZAP :)

The settings we use are here: https://github.com/zaproxy/zap-extensions/blob/main/addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/ExtensionSelenium.java#L932-L1100

The line numbers will change as and when the file is updated (for future reference) so if thats happened search for "preference" and "options".

Have a play and let us know how you get on.

Cheers,

Simon

[Vinayak Yadav]

Hi Simon, 

Thank you for the feedback!

I would refer to the mentioned link and get back to you if any help is needed.

Regards,

Vinayak

[Sanna Saravanan]

My selenium is working fine but unable to capture the request in ZAP tool, I think it's not proxying the requests through ZAP.

 Proxy proxy = new Proxy();
  proxy.setHttpProxy(proxyServerUrl);
  proxy.setSslProxy(proxyServerUrl);

  System.setProperty("webdriver.chrome.driver", "chromedriver.exe");
  ChromeOptions options = new ChromeOptions();
  // options.setExperimentalOption("debuggerAddress", proxyServerUrl);
//   options.addArguments("--disable-dev-shm-usage");
  options.addArguments("--ignore-ssl-errors=yes");
  options.addArguments("--ignore-certificate-errors");
  options.addArguments("--remote-allow-origins=*");
  options.addArguments("--proxy-bypass-list=<-loopback>");
//   options.setCapability(ChromeOptions.CAPABILITY,options);
  DesiredCapabilities capabilities = new DesiredCapabilities();
  capabilities.setCapability(CapabilityType.PROXY, proxy);
  capabilities.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true);
  capabilities.setCapability(CapabilityType.ACCEPT_INSECURE_CERTS, true);
  capabilities.setCapability(ChromeOptions.CAPABILITY, options);
  options.merge(capabilities);
  driver = new ChromeDriver(options);

I tried all the options but not luck :-(

[Simon Bennetts]

If the tests work but are not appearing in ZAP then you have not set the right options.

The options we set are all in https://github.com/zaproxy/zap-extensions/blob/main/addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/ExtensionSelenium.java

Cheers,

Simon