Security testing automation


Vikas Sanap

Mar 25, 2015, 7:36:55 AM
to zaprox...@googlegroups.com
Hi All,

I am trying to automate security testing using OWASP ZAP.
I have automated functional test cases using Cucumber (100+ test cases).
Each test case performs a login and logout operation.
My test users are limited.
Now I want to integrate functional testing + security testing.
I am able to do passive security scanning by just pointing the browser proxy to ZAP.
But I want to perform an active scan automatically after the functional test case execution completes, so that I can get more information about possible attacks.

Actually, I can't figure out how to do it.

Thanks,
Vikas

kingthorin+owaspzap

Mar 25, 2015, 9:20:28 AM
to zaprox...@googlegroups.com

Vikas Sanap

Mar 25, 2015, 10:17:42 AM
to zaprox...@googlegroups.com
Thanks.

But I want to perform an active scan once the functional test case automation ends. For that I need the user session.
Do I need to call the active scan API from the automation code?
or
Is there any way by which I can trigger the active scan once the automation execution is completed?

Thanks,
Vikas

Simon Bennetts

Mar 25, 2015, 10:24:10 AM
to zaprox...@googlegroups.com
You will need to use the API to invoke an active scan - ZAP has no way of knowing how many functional tests you have and therefore when they will have completed.

If you need a user session then you'll probably need to configure a context with details of the application's session handling, authentication and user details.
You can do that via the UI and then export it.
You can then import that context via the API (in the weekly releases) and then scan as any of the configured users.

Cheers,

Simon
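
The sequence Simon describes (import the exported context, then start an active scan as one of its users and collect the alerts once it finishes), as an added example that is not part of the original thread. It talks to ZAP's JSON API over plain HTTP; the API address, key, context file path, context name and user name are assumptions to replace with your own, and the context file path must be one ZAP itself can read.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"  # assumed ZAP address (proxy and API port)
API_KEY = "changeme"               # assumed; use the key from ZAP's API options


def zap_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/ascan/action/scanAsUser/?...&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def http_get(url):
    """Issue the request and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def active_scan_as_user(target, context_file, context_name, user_name,
                        get=http_get, sleep=time.sleep, poll_seconds=5):
    """Run after the functional suite: import the context exported from the UI,
    resolve the context and user ids, scan as that user, wait for completion
    and return the alerts ZAP raised for the target."""
    get(zap_url("context", "action", "importContext", contextFile=context_file))
    context_id = get(zap_url("context", "view", "context", contextName=context_name))["context"]["id"]
    users = get(zap_url("users", "view", "usersList", contextId=context_id))["usersList"]
    user_id = next(u["id"] for u in users if u["name"] == user_name)
    scan_id = get(zap_url("ascan", "action", "scanAsUser", url=target,
                          contextId=context_id, userId=user_id, recurse="true"))["scan"]
    # status is a percentage string; ZAP has no completion callback, so poll it
    while int(get(zap_url("ascan", "view", "status", scanId=scan_id))["status"]) < 100:
        sleep(poll_seconds)
    return get(zap_url("core", "view", "alerts", baseurl=target))["alerts"]


if __name__ == "__main__":
    # assumed target, context file, context name and user name
    for alert in active_scan_as_user("http://app.example/", "/tmp/myapp.context", "myapp", "tester1"):
        print(alert["risk"], alert["alert"], alert["url"])
```

Because the login, session handling and users live in the imported context, the scan reuses that configuration rather than the browser session the Cucumber tests opened, which is why authentication should be verified in ZAP on its own first.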

Vikas Sanap

Mar 25, 2015, 12:26:19 PM
to zaprox...@googlegroups.com
Thanks Simon.

I have another question related to same topic:

Should I write/automate test cases for security testing separately, so that I can collect alerts or perform an active scan after each user action if required?
I am asking this question because
when I try to perform an active scan after the functional test case execution, I am not getting the vulnerability list that I get when I perform some action and then trigger an active scan.

Thanks,
Vikas

Simon Bennetts

Mar 25, 2015, 1:12:50 PM
to zaprox...@googlegroups.com
ZAP can only attack what it knows about, so the effectiveness of an automated scan is directly proportional to how well you explore the application :)
You can use the ZAP spiders, but they typically won't be as effective as manual exploration or thorough regression tests.

So if you have good regression tests then run those first before performing the ZAP scan.
If you need to authenticate then test this in isolation so that you know the authentication is working correctly, otherwise you'll probably just get redirected to the login page ;)

Having application specific security tests is also good, but these could take a lot of time to implement. Exactly what you need to do is completely dependent on your application.

In the past I've implemented custom access control tests for an application I created.
ZAP now has an access control testing add-on which will make this much easier :)

Cheers,

Simon