Many organizations we work with have some understanding of front-end testing using tools like Selenium. However, they struggle to prioritize, understand or properly implement security scanning in their Agile/DevOps Development process. One of the easiest ways to implement security testing with little to no additional effort is to use OWASP Zed Attack Proxy in conjunction with Selenium to do passive security testing while running our front-end tests.

OWASP Zed Attack Proxy is a free security tool that actively or passively scans web applications for security vulnerabilities. ZAP pairs very well with Selenium tests, allowing you to perform a passive security scan on your organization’s web application for very little extra time cost. More information about all ZAP’s capabilities can be found here. I will focus on running Selenium tests written with our SecureCI Test Framework.

The way it works is fairly simple. We start ZAP in daemon mode (no UI) on a port, then run your Selenium tests normally while also providing the host and port of your ZAP process. ZAP will read all requests and responses, passively scanning them for obvious vulnerabilities. STF uses the proxyHost and proxyPort command line arguments to run the tests through ZAP. In practice, a Jenkins shell script might look like this:

# Start ZAP, specifying a new session in the current workspace, as a background process
/opt/zap/ -daemon -config api.disablekey=true -newsession ${WORKSPACE}/webui -port 9092 &

# Save ZAP's PID to use later

# While ZAP is still starting up, sleep one second
while [ ! netstat -anp | grep 9092 | grep LISTEN ];
	if [ $counter = 300 ];
		exit 1;
	echo "sleeping $counter";
	sleep 1s;
echo "done sleeping";

javac  -cp "lib/*:src/test/java/seleniumTest/workflows/*" -d bin src/test/java/seleniumTest/workflows/*.java src/test/java/seleniumTest/*.java

# Run your selenium tests, providing the host and port of ZAP 
java -cp "bin:lib/*" -Dworkspace=${WORKSPACE} -DappURL=http://${PRIVATE_IP}/ -DproxyHost=localhost -DproxyPort=9092 -Dbrowser=Firefox org.testng.TestNG selenium.xml

# While ZAP is still running, download the html report using the ZAP API
wget -O zapresult.html http://localhost:9092/OTHER/core/other/htmlreport/?

# Finally, kill the ZAP process
kill $ZAP_PID

After the report has been generated, you can use the ‘Publish HTML reports’ plugin in Jenkins to display the results.  Conveniently, there is also a Sonarqube plugin for publishing ZAP results, which can be found here. Jenkins has an official OWASP Zed Attack Proxy Jenkins Plugin, but in practice, I found the ZAP Jenkins plugin to be too cumbersome for this task. Maybe if you were using ZAP to perform different active scans as well, then you would find it more useful. Within a couple hours you can easily implement a good baseline security scan of your application (assuming you already have sufficient front-end tests) with no extra time cost added to your pipeline.

Leave a comment

Your email address will not be published. Required fields are marked *