This article will cover the steps for adding security testing capabilities to an automated testing framework (designed for Backend & Frontend testing) built with JUnit5, Selenide and REST Assured.
The OWASP Zed Attack Proxy (ZAP) is a widely used, free and open-source web application scanner. It is distributed in several packagings; for this tutorial we use the Docker image, running ZAP in headless (daemon) mode inside a Docker container.
Depending on the machine's OS, Docker is installed in different ways. In this case the operating system was macOS, so Docker Desktop was installed first.
Setting up ZAP Docker
1. Get the ZAP Docker image by running in a terminal:
docker pull owasp/zap2docker-stable
2. Run the image:
docker run -u root -p 8090:8090 -i owasp/zap2docker-stable zap-x.sh -daemon -host 0.0.0.0 -port 8090 -config api.addrs.addr.name=.\* -config api.addrs.addr.regex=true -config api.disablekey=true -config scanner.attackOnStart=true -config view.mode=attack
3. Confirm that the ZAP daemon is up by opening http://localhost:8090/.
Refactoring the test automation framework so that the ZAP proxy will intercept the traffic
The test automation framework showcased in this article can be checked here. It has 3 main test classes:
- UiTest.java, built with Selenide for Frontend testing;
- RestAPITest.java, built with REST Assured for Backend testing (REST service);
- GraphQLTest.java, built with REST Assured and an additional GraphQL helper library for Backend testing (GraphQL service).
1. For the Backend tests, which are built with REST Assured, the refactoring amounts to pointing REST Assured's proxy setting at the ZAP location with one line of code:
RestAssured.proxy("0.0.0.0", 8090, "http");
2. For the Frontend tests the change is similar: add the ZAP proxy to the browser options when instantiating the WebDriver (the options object is created here so the snippet is complete):
import org.openqa.selenium.Proxy;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;
ChromeOptions options = new ChromeOptions();
Proxy proxy = new Proxy();
proxy.setHttpProxy("0.0.0.0:8090"); // route browser HTTP traffic through the ZAP daemon
options.setCapability("proxy", proxy);
ChromeDriver chromeDriver = new ChromeDriver(options);
3. Run the tests: ZAP now intercepts the traffic on every test execution and flags security vulnerabilities.
Checking the results
Open http://localhost:8090/OTHER/core/other/htmlreport to review the discovered vulnerabilities. Each finding comes with a short description and links to further information.
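Reading the HTML report by hand does not stop a build. The following JUnit 5 test is an added example, not code from the original article or its framework: it pulls the alerts ZAP collected during the run from ZAP's core API (the JSON/core/view/alerts/ view), keeps those at or above a chosen risk level, and fails with a readable summary. It assumes the daemon was started as in the docker run command above (API key disabled, port 8090); the class name, the ZAP_URL constant and the "Medium" threshold are choices made for this example. Parsing uses REST Assured's JsonPath, which the framework already has on its classpath.

```java
import io.restassured.path.json.JsonPath;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertTrue;

/** Gate test: reads the alerts ZAP gathered while proxying the suite and fails on risky ones. */
public class ZapAlertGateTest {

    // Assumption for this example: ZAP daemon reachable here with api.disablekey=true.
    private static final String ZAP_URL = "http://localhost:8090";

    // ZAP's risk levels in ascending order; alerts at or above the threshold fail the gate.
    private static final List<String> RISK_ORDER = List.of("Informational", "Low", "Medium", "High");

    /** Fetches every recorded alert as a list of field maps (alert, risk, url, ...). */
    static List<Map<String, Object>> fetchAlerts() throws IOException, InterruptedException {
        // Talk to the ZAP API directly; this request must not itself go through the ZAP proxy.
        HttpRequest request = HttpRequest.newBuilder(
                URI.create(ZAP_URL + "/JSON/core/view/alerts/?start=0&count=10000")).GET().build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IOException("ZAP API returned HTTP " + response.statusCode());
        }
        return JsonPath.from(response.body()).getList("alerts");
    }

    /** Keeps only alerts whose risk is at or above minRisk, e.g. "Medium" keeps Medium and High. */
    static List<Map<String, Object>> alertsAtOrAbove(List<Map<String, Object>> alerts, String minRisk) {
        int threshold = RISK_ORDER.indexOf(minRisk);
        if (threshold < 0) {
            throw new IllegalArgumentException("unknown ZAP risk level: " + minRisk);
        }
        return alerts.stream()
                .filter(a -> RISK_ORDER.indexOf(String.valueOf(a.get("risk"))) >= threshold)
                .collect(Collectors.toList());
    }

    @Test
    void noMediumOrHighRiskAlerts() throws Exception {
        List<Map<String, Object>> blocking = alertsAtOrAbove(fetchAlerts(), "Medium");
        StringBuilder report = new StringBuilder();
        for (Map<String, Object> a : blocking) {
            // One line per finding so the failure message is actionable without opening the HTML report.
            report.append(String.format("[%s] %s at %s%n", a.get("risk"), a.get("alert"), a.get("url")));
        }
        assertTrue(blocking.isEmpty(), "ZAP reported blocking alerts:\n" + report);
    }
}
```

Run this class after the functional tests, for example in a separate Maven Failsafe or Gradle task, since JUnit 5 does not guarantee class ordering and the alerts only exist once traffic has passed through ZAP. Two points to keep in mind when wiring the gate in: the Selenium Proxy in the Frontend snippet above only covers plain HTTP, so for an HTTPS application you also call setSslProxy on it and trust ZAP's root CA in the browser profile, and ZAP's passive findings tend to include a long tail of Low and Informational items, which is why the threshold here starts at Medium.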
As this article shows, with minimal effort you can give your test automation basic security testing capabilities, so that security vulnerabilities are discovered early in the development process, when they are much faster and cheaper to fix.
Building secure products is a shared responsibility.