Using ZAP with Selenium


Varun Borar

Mar 15, 2023, 1:17:11 PM
to OWASP ZAP User Group
Hi,
I am quite new to security testing, and currently working on a project to integrate automated ZAP full scans to report vulnerabilities through a Jenkins pipeline. I did some research and manual testing through the ZAP Desktop app and finally came to the conclusion that I need to use Selenium for logging in and crawling the application.

So my questions are as follows:
1. What would be the better practice: to use a Graal.js script to perform the crawling and include an active scan afterwards using the automation framework, or to use the ZAP API to set up a proxy and perform Selenium tests using a Python script?
2. I have the login credentials saved as a Jenkins variable; how can I access and use them within the script to perform authentication?
3. What would be the right frequency to do the scan, given that I am performing this on a non-production environment which receives continuous changes from the dev team?

Thanks in advance!

Simon Bennetts

Mar 16, 2023, 5:31:31 AM
to OWASP ZAP User Group
Hi Varun,

I recommend controlling ZAP using the Automation Framework (AF): https://www.zaproxy.org/docs/automate/automation-framework/
You can test it using the ZAP desktop and then export your AF plan as a YAML file which you can use to control ZAP from the commandline.

Re authenticating see:
This area is being very actively worked on so I'm afraid the docs are trailing a bit behind what is possible.

Re the frequency - if you can run ZAP daily (eg overnight) then that's probably the best option. It's much better to find out about a potential issue the next day rather than a week later. If your devs are really busy then they may well have moved on to something else and will need time to go back and revisit the code they committed a week ago.

Cheers,

Simon
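An added example (not from the thread or the ZAP project) of the Automation Framework route with the Jenkins credentials question handled: the plan references the login user and password as `${VAR}` placeholders, which ZAP expands from the environment at run time, so Jenkins' `withCredentials()` binding can inject them without the password ever being written into the plan file. Target URL, variable names, context/user names and output paths are constructed; the plan layout and the browser-based authentication parameters are assumed from the AF docs and should be checked against the current version.

```python
import json
import os
from typing import Dict, Iterable, List, Optional

def missing_env(names: Iterable[str], env: Optional[Dict[str, str]] = None) -> List[str]:
    """Names that Jenkins' credentials binding did not inject (an empty value counts as missing)."""
    env = os.environ if env is None else env
    return [n for n in names if not env.get(n)]

def build_plan(target: str, login_url: str,
               user_var: str = "ZAP_AUTH_USER", pass_var: str = "ZAP_AUTH_PASS") -> dict:
    """Plan carries only ${VAR} references, which ZAP expands from the environment at run time."""
    ctx, user = "ci-target", "ci-user"
    return {
        "env": {"contexts": [{
            "name": ctx, "urls": [target],
            # Assumed browser-based authentication parameters; verify against the current AF docs.
            "authentication": {"method": "browser", "parameters": {
                "loginPageUrl": login_url, "loginPageWait": 5, "browserId": "firefox-headless"}},
            "sessionManagement": {"method": "autodetect"},
            "users": [{"name": user, "credentials": {
                "username": f"${{{user_var}}}", "password": f"${{{pass_var}}}"}}],
        }], "parameters": {"failOnError": True}},
        "jobs": [
            {"type": "spider", "parameters": {"context": ctx, "user": user}},
            {"type": "activeScan", "parameters": {"context": ctx, "user": user}},
            {"type": "report", "parameters": {"template": "traditional-html",
                                               "reportDir": "zap-out", "reportFile": "zap-report"}},
        ],
    }

def plan_to_yaml(plan: dict) -> str:
    """JSON is valid YAML flow style, so the plan can be written without a PyYAML dependency."""
    return json.dumps(plan, indent=2) + "\n"

def leaked_secrets(plan_text: str, secrets: Iterable[str]) -> List[str]:
    """Secret values found verbatim in the plan text; must be empty before the file is written."""
    return [s for s in secrets if s and s in plan_text]

if __name__ == "__main__":  # in the Jenkins job, after withCredentials() has injected the variables
    missing = missing_env(["ZAP_AUTH_USER", "ZAP_AUTH_PASS", "ZAP_TARGET"])
    if missing:
        raise SystemExit(f"missing environment variables: {missing}")
    text = plan_to_yaml(build_plan(os.environ["ZAP_TARGET"], os.environ["ZAP_TARGET"] + "/login"))
    if leaked_secrets(text, [os.environ["ZAP_AUTH_PASS"]]):
        raise SystemExit("refusing to write a plan that contains the password")
    with open("zap-plan.yaml", "w") as fh:
        fh.write(text)  # then run: zap.sh -cmd -autorun zap-plan.yaml
```

The written file is safe to archive as a build artefact because it holds only the variable names; the same check keeps a misconfigured job from committing real credentials.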