TEST AUTOMATION WITH A DROP OF SECURITY SCANNING

An easy guide to benefiting from WebDriver automation together with a proxy-based security scanner, e.g. OWASP ZAP.
MICHAŁ BUCZKO, QUALITY COACH AND SECURITY TESTER

michal.buczko@newvoicemedia.com

buczkomichal

@docatisto

AGENDA:

Why is security important?

Test automation

Security scanners

Efficient combination

WHY IS SECURITY IMPORTANT?

Don't get yourself hacked.

HOW MUCH IS STORED ONLINE?

FIRST CONCLUSIONS

1.) Too MUCH code…

2.) Too FEW experts…

3.) WE ARE HACKED!!

THE THREAT IS REAL…

#INFOSEC

HTTPS://HAVEIBEENPWNED.COM/PWNEDWEBSITES

5 BIGGEST ATTACKS, SO FAR…

TEST AUTOMATION

Just a brief introduction to WebDriver.

SELENIUM is a portable software-testing framework for web applications. It:

▪ provides a record/playback tool (Selenium IDE) for authoring tests,

▪ provides a test domain-specific language (Selenese) and client bindings for writing tests in a number of popular programming languages, including C#, Groovy, Java, Perl, PHP, Python, Ruby and Scala,

▪ runs those tests against most modern web browsers,

▪ deploys on Windows, Linux and OS X,

▪ is open-source software, released under the Apache 2.0 license.

SELENIUM AUTOMATION CODE SAMPLE

SECURITY SCANNERS

First steps in vulnerability identification.

OWASP ZAP

▪ An open-source web application security scanner.

▪ It is also fully internationalized and translated into over 25 languages.

▪ Used as a proxy server it lets the user inspect and manipulate all of the traffic that passes through it, including traffic using HTTPS (once the browser trusts ZAP's root certificate, see the Firefox steps below).

▪ This cross-platform tool is written in Java and is available for all popular operating systems.

▪ Some of the built-in features include:

➢ intercepting proxy server,

➢ traditional and AJAX web crawlers,

➢ automated (active) scanner, which sends attack payloads to the target and therefore belongs in a dedicated test environment,

➢ passive scanner, which only inspects traffic the proxy already carries and so can run alongside functional tests at no extra cost,

➢ forced browsing.

▪ It has a plugin-based architecture and an online 'marketplace' for add-ons.

ZAP SSL CERTIFICATE IN FIREFOX

1.) Open up OWASP ZAP.

2.) Go to Tools -> Options.

3.) In the Certificates section, click on Generate.

4.) Save the certificate in some location.

5.) Navigate to the Preferences of your browser.

6.) Click on the Advanced tab, navigate to the Certificates tab and click on View Certificates.

7.) Select the Authorities tab, click on Import and choose the OWASP ZAP Root Certificate.

8.) Check the boxes. Only "Trust this CA to identify websites" is actually needed; ZAP's CA has no business vouching for e-mail or software. Do this in a dedicated test profile rather than the browser you use every day: ZAP's CA key sits in ZAP's configuration file, and whoever can read it can mint a certificate for any site that profile will then accept.

9.) Browse sites with HTTPS enabled. You are no longer prompted with the SSL Security Exception error message.
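The steps above need a human at the keyboard. For a CI box the same root CA can be pulled through ZAP's API and imported into a test profile's certificate database with the NSS command-line tools. This is an added example, not the presenter's code; it assumes ZAP's API on 127.0.0.1:8080 (its default port), the API key in the ZAP_API_KEY environment variable and `certutil` on PATH (package libnss3-tools on Debian/Ubuntu). The profile directory and certificate nickname are illustrative.

```python
"""Trust ZAP's root CA in a Firefox profile without clicking through the GUI.
Added example, not the presenter's code. Assumes ZAP's API on 127.0.0.1:8080,
the API key in $ZAP_API_KEY and NSS `certutil` on PATH (package libnss3-tools
on Debian/Ubuntu); the profile directory and certificate nickname are
illustrative."""
import os
import subprocess
import urllib.request

ZAP_API = "http://127.0.0.1:8080"      # assumption: local ZAP on its default port
CERT_NICKNAME = "OWASP ZAP Root CA"    # label inside the profile's cert DB (any string)


def fetch_zap_root_cert(api_key, out_path, zap_api=ZAP_API):
    """Download the CA that ZAP signs its per-site certificates with.
    The API endpoint core/other/rootcert returns the same certificate the
    Generate/Save buttons in the Options dialog write out."""
    req = urllib.request.Request(f"{zap_api}/OTHER/core/other/rootcert/",
                                 headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        data = resp.read()
    with open(out_path, "wb") as fh:
        fh.write(data)
    return out_path


def is_pem(cert_bytes):
    """True for a PEM-armoured certificate, False for raw DER."""
    return cert_bytes.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")


def certutil_import_cmd(profile_dir, cert_path, pem=True, nickname=CERT_NICKNAME):
    """argv for certutil that trusts the CA for TLS server identity ONLY.
    Trust flags "C,,": C in the SSL slot = trusted CA for websites; the empty
    e-mail and object-signing slots mean ZAP's CA can vouch for neither mail
    nor code. 'Check all the boxes' in the GUI grants all three, which is more
    than an interception proxy needs."""
    cmd = ["certutil", "-A", "-d", f"sql:{profile_dir}",   # sql: selects the cert9.db format
           "-n", nickname, "-t", "C,,", "-i", cert_path]
    if pem:
        cmd.append("-a")   # -a: input is ASCII/PEM rather than DER
    return cmd


def install_into_profile(profile_dir, cert_path, nickname=CERT_NICKNAME):
    """Import into a *dedicated test* profile, never the one you browse with:
    whoever holds ZAP's CA key (it sits in ZAP's config file) can mint a
    certificate for any site this profile will then trust."""
    with open(cert_path, "rb") as fh:
        pem = is_pem(fh.read())
    subprocess.run(certutil_import_cmd(profile_dir, cert_path, pem, nickname), check=True)
    # Read the DB back: certutil -L lists "<nickname>  C,," once the import took.
    listing = subprocess.run(["certutil", "-L", "-d", f"sql:{profile_dir}"],
                             check=True, capture_output=True, text=True).stdout
    return nickname in listing


if __name__ == "__main__":
    profile = os.path.expanduser("~/zap-test-profile")   # illustrative; create it beforehand
    cert = fetch_zap_root_cert(os.environ["ZAP_API_KEY"], "owasp_zap_root_ca.cer")
    print("trusted in profile:", install_into_profile(profile, cert))
```

Point the WebDriver run at that profile (the `profile` property on the Firefox options in the Selenium 4 Python bindings) and leave the "accept all SSL certs" capability off: the browser then trusts ZAP's generated certificates but still fails on a genuinely broken one, which the blanket accept-everything setting would hide.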

UI EXAMPLE

REPORT EXAMPLE

EFFICIENT COMBINATION

Easy connection between WebDriver and OWASP ZAP.

DRIVER WITH PROXY, SELENIUM 2.0

The simple way to:

▪ set a manual proxy,

▪ accept all SSL certs,

▪ run the browser with the proxy on all popups.

DRIVER WITH PROXY, SELENIUM 3.0

The simple way to:

▪ set a manual proxy,

▪ accept all SSL certs,

▪ run the browser with the proxy on all popups.
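The Selenium 2.0 and 3.0 slides above, like the earlier Selenium code sample slide, carried their code as images. What follows is an added example, not the presenter's code: it does the same three things with the Selenium 4 Python bindings and then goes one step further, reading the alerts ZAP raised for the site over its JSON API after the functional steps and failing the run on Medium-or-worse findings. It assumes ZAP listening on 127.0.0.1:8080 (its default, proxy and API on one port), an API key in the ZAP_API_KEY environment variable and illustrative target URLs under app.example; the alert list at the bottom is constructed to show the response shape and is not real scan output.

```python
"""WebDriver routed through OWASP ZAP, then a build gate on ZAP's alerts.
Added example, not the presenter's code. Assumes the Selenium 4 Python
bindings, a ZAP instance listening on 127.0.0.1:8080 (proxy and API share
that port by default) and a ZAP API key in $ZAP_API_KEY; target URLs are
illustrative."""
import json
import os
import urllib.parse
import urllib.request

ZAP_HOST, ZAP_PORT = "127.0.0.1", 8080   # assumption: local ZAP on its default port
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def firefox_proxy_prefs(host=ZAP_HOST, port=ZAP_PORT):
    """Firefox prefs for a manual proxy (type 1) carrying ALL traffic to ZAP.
    no_proxies_on="" and allow_hijacking_localhost=True also proxy localhost,
    which Firefox otherwise bypasses silently."""
    return {
        "network.proxy.type": 1,
        "network.proxy.http": host, "network.proxy.http_port": port,
        "network.proxy.ssl": host, "network.proxy.ssl_port": port,
        "network.proxy.no_proxies_on": "",
        "network.proxy.allow_hijacking_localhost": True,
    }


def chrome_proxy_args(host=ZAP_HOST, port=ZAP_PORT):
    """Equivalent command-line switches for Chrome/Chromium."""
    return [f"--proxy-server=http://{host}:{port}",
            "--proxy-bypass-list=<-loopback>",   # proxy localhost as well
            "--ignore-certificate-errors"]       # browser does not trust ZAP's CA


def make_driver(browser="firefox", accept_insecure_certs=True):
    """Start a WebDriver whose every request passes through ZAP.
    accept_insecure_certs is the slide's "accept all SSL certs": the browser
    accepts ZAP's generated certificates, but every other TLS error is hidden
    from the test too; trust ZAP's root CA in the profile to keep those."""
    from selenium import webdriver   # lazy import: the helpers above work without Selenium
    if browser == "firefox":
        from selenium.webdriver.firefox.options import Options
        opts = Options()
        for key, value in firefox_proxy_prefs().items():
            opts.set_preference(key, value)
        opts.set_capability("acceptInsecureCerts", accept_insecure_certs)
        return webdriver.Firefox(options=opts)
    from selenium.webdriver.chrome.options import Options
    opts = Options()
    for arg in chrome_proxy_args():
        opts.add_argument(arg)
    opts.set_capability("acceptInsecureCerts", accept_insecure_certs)
    return webdriver.Chrome(options=opts)


def fetch_alerts(base_url, api_key, zap_host=ZAP_HOST, zap_port=ZAP_PORT):
    """Alerts ZAP raised for base_url, from the JSON API view core/view/alerts."""
    query = urllib.parse.urlencode({"baseurl": base_url})
    req = urllib.request.Request(
        f"http://{zap_host}:{zap_port}/JSON/core/view/alerts/?{query}",
        headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["alerts"]


def gate_alerts(alerts, fail_at="Medium"):
    """Return (passed, counts per risk, offenders); fail on any risk >= fail_at.
    Offenders are de-duplicated on (alert name, URL) so a rule that fires on
    every request to one page is reported once."""
    counts = {level: 0 for level in RISK_RANK}
    offenders, seen = [], set()
    for a in alerts:
        risk = a.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        if RISK_RANK.get(risk, 0) >= RISK_RANK[fail_at]:
            key = (a.get("alert") or a.get("name"), a.get("url"))
            if key not in seen:
                seen.add(key)
                offenders.append({"risk": risk, "alert": key[0],
                                  "url": key[1], "param": a.get("param", "")})
    return not offenders, counts, offenders


# Constructed sample with the shape of a core/view/alerts response (not real scan output).
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "https://app.example/login", "param": ""},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "https://app.example/login", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "https://app.example/login", "param": "session"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "https://app.example/search", "param": "q"},
]

if __name__ == "__main__":
    driver = make_driver("firefox")
    try:
        driver.get("https://app.example/login")   # the functional test steps go here; ZAP
    finally:                                       # passively scans everything they send
        driver.quit()
    passed, counts, offenders = gate_alerts(
        fetch_alerts("https://app.example", os.environ["ZAP_API_KEY"]))
    print(counts)
    for o in offenders:
        print(f"{o['risk']:>6}  {o['alert']}  {o['url']}  param={o['param']}")
    raise SystemExit(0 if passed else 1)
```

Start with `fail_at="High"` on an application that has never been scanned and tighten once the backlog is cleared; passive-scan alerts are heuristics, so triage the offenders list before a finding is allowed to break the build. The alerts come from the passive scanner only, because a functional run sends no attack payloads; ZAP's active scan is a separate API call and needs a target environment that may be corrupted.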

ANY QUESTIONS?

Thank you…
