Is there any way to integrate ZAP proxy with selenium or playwright GUI tests ?
126 views
Skip to first unread message
Kunal Thergaonkar
Dec 7, 2023, 4:46:59 AM12/7/23
to ZAP User Group
Is there any way to integrate ZAP proxy with selenium or playwright GUI tests , so that when our automated GUI tests are running ZAP can scan and identify vulnerabilities and create report for the same?
Simon Bennetts
Dec 7, 2023, 4:54:41 AM12/7/23
to ZAP User Group
Almost certainly, yes :)
Proxying existing integration tests through ZAP is an ideal way to explore your app as mentioned on https://www.zaproxy.org/docs/getting-further/automation/exploring-your-app/#proxying-integration-tests
You will need to start ZAP, proxy your tests through ZAP and then (optionally) run the ZAP active scanner.
If you dont run the active scanner then you could do this as part of your standard testing - ZAP will just perform passive scanning but that will report some useful things.
However it wont find the more significant vulnerabilities like XSS, SQLi etc.
If you run the active scanner then you will want to do this in a separate test run - it will almost certainly break your tests :)
Once your tests have run you will want to get some sort of report from ZAP and then stop it.
The Automation Framework is a good option for controlling ZAP: https://www.zaproxy.org/docs/automate/automation-framework/
This has a "delay" job that should be ideal for pausing ZAP while you proxy your tests through it: https://www.zaproxy.org/docs/desktop/addons/automation-framework/job-delay/
Does that help?
Feel free to ask more questions here :)
Cheers,
Simon
Lakshmi Narayana Inguva
Dec 8, 2023, 6:43:15 AM12/8/23
to ZAP User Group
Hi Simon,
Is there any wiki page or video to demo this use case.
I am running zap in azure devops, also want to use selenium tests for improved coverage.
Thanks,
LN
Simon Bennetts
Dec 8, 2023, 6:55:12 AM12/8/23
to ZAP User Group
There are some videos on the Automation Framework (AF) linked off https://www.zaproxy.org/docs/automate/automation-framework/ but they dont (yet) cover this specific use case.
You will need to create an AF plan which:
- Configures the passive scan rules (if required)
- Uses the delay job to wait for an indication that your tests have finished
- Runs the spiders (if required)
- Runs the active scanner
- Reports the result
You'll then need to:
- Run ZAP with the plan - it will wait on the delay job
- Run your integration tests proxied through ZAP
- Trigger whichever option you have chosen to indicate the delay job should exit
- Do something with the report
Does that help?
Cheers,
Simon
Lakshmi Narayana Inguva
Dec 8, 2023, 12:00:39 PM12/8/23
to ZAP User Group
Hi Simon,
Thanks for the update.
I would like to understand the below step in Azure devops pipeline using docker command. Would it be possible run the below step in between scan and report commands ?
- Run your integration tests proxied through ZAP
Please help if there any examples or videos.
Thanks,
LN
Simon Bennetts
Dec 8, 2023, 12:03:58 PM12/8/23
to ZAP User Group
The only videos we have are linked above :)
The full set of ZAP videos can be found on https://www.zaproxy.org/videos-list/
I cant see why you would want to run your integration tests _after_ the ZAP scan runs.
I think the whole idea of useing integration tests is to help ZAP understand your app.
You have to do that before the scan or theres no point..
Cheers,
Simon
Reply all
Reply to author
Forward
0 new messages