Running Selenium Tests Through ZAP

By routing Selenium runs through OWASP ZAP in daemon mode, teams can add passive security scanning to CI with minimal pipeline overhead. This post shows a practical Jenkins script workflow for starting ZAP, executing tests through the proxy, exporting reports, and cleaning up.

Coveros Staff

February 17, 2017

Many organizations we work with have some understanding of front-end testing using tools like Selenium. However, they struggle to prioritize, understand, or properly implement security scanning in their Agile/DevOps development process. One of the easiest ways to implement security testing with little to no additional effort is to use OWASP Zed Attack Proxy in conjunction with Selenium to do passive security testing while running your front-end tests.

OWASP Zed Attack Proxy is a free security tool that actively or passively scans web applications for security vulnerabilities. ZAP pairs very well with Selenium tests, allowing you to perform a passive security scan on your organization’s web application for very little extra time cost. More information about all ZAP’s capabilities can be found here. I will focus on running Selenium tests written with our .

The way it works is fairly simple. We start ZAP in daemon mode (no UI) on a port, then run the Selenium tests normally while also providing the host and port of the ZAP process. ZAP reads every request and response, passively scanning them for obvious vulnerabilities. STF uses the proxyHost and proxyPort command line arguments to run the tests through ZAP. In practice, a Jenkins shell script might look like this:

# Start ZAP, specifying a new session in the current workspace, as a background process
/opt/zap/zap.sh -daemon -config api.disablekey=true -newsession ${WORKSPACE}/webui -port 9092 &

# Save ZAP's PID to use later
ZAP_PID=$!

# While ZAP is still starting up, sleep one second at a time; give up (and stop ZAP) after 300 seconds
counter=0
while ! netstat -anp | grep 9092 | grep -q LISTEN;
do
	if [ $counter = 300 ];
	then
		kill $ZAP_PID;
		exit 1;
	fi;
	echo "sleeping $counter";
	counter=$((counter+1));
	sleep 1s;
done
echo "done sleeping";

# Compile the test sources
javac -cp "lib/*:src/test/java/seleniumTest/workflows/*" -d bin src/test/java/seleniumTest/workflows/*.java src/test/java/seleniumTest/*.java

# Run your selenium tests, providing the host and port of ZAP
java -cp "bin:lib/*" -Dworkspace=${WORKSPACE} -DappURL=http://${PRIVATE_IP}/ -DproxyHost=localhost -DproxyPort=9092 -Dbrowser=Firefox org.testng.TestNG selenium.xml

# While ZAP is still running, download the html report using the ZAP API
wget -O zapresult.html http://localhost:9092/OTHER/core/other/htmlreport/?

# Finally, kill the ZAP process
kill $ZAP_PID
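The same start, test, report and clean-up sequence as a small Python orchestrator, added here as an example (it is not Coveros' script and not part of STF): it replaces the netstat polling with a socket check, always stops ZAP in a finally block, and adds an assumed build policy that fails the job when ZAP's alerts API (JSON/core/view/alerts/) reports a Medium or High risk alert. The zap.sh path, port 9092 and the Java command mirror the script above; the sample alert JSON is constructed.

```python
import collections, json, socket, subprocess, sys, time, urllib.parse, urllib.request

ZAP_PORT = 9092                                      # same port as the Jenkins script
ZAP_API = f"http://localhost:{ZAP_PORT}"
RISK_ORDER = ["Informational", "Low", "Medium", "High"]
# Constructed sample of a JSON/core/view/alerts/ response, so the tally can be tried offline
SAMPLE_ALERTS = ('{"alerts":[{"alert":"X-Frame-Options Header Not Set","risk":"Medium"},'
                 '{"alert":"Cookie Without Secure Flag","risk":"Low"}]}')

def wait_for_port(port, timeout=300):
    """Poll localhost:port once a second; True once ZAP accepts connections, False on timeout."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with socket.socket() as s:
            s.settimeout(1)
            if s.connect_ex(("127.0.0.1", port)) == 0:
                return True
        time.sleep(1)
    return False

def count_by_risk(alerts_json):
    """Tally alerts by their 'risk' field into a fixed Informational/Low/Medium/High dict."""
    found = collections.Counter(a.get("risk") for a in json.loads(alerts_json).get("alerts", []))
    return {risk: found.get(risk, 0) for risk in RISK_ORDER}

def gate_failed(counts, min_risk="Medium"):
    """True when any alert at or above min_risk was raised (an assumed build policy)."""
    return any(counts.get(r, 0) > 0 for r in RISK_ORDER[RISK_ORDER.index(min_risk):])

def main(workspace, app_url):
    zap = subprocess.Popen(["/opt/zap/zap.sh", "-daemon", "-config", "api.disablekey=true",
                            "-newsession", f"{workspace}/webui", "-port", str(ZAP_PORT)])
    try:
        if not wait_for_port(ZAP_PORT):
            sys.exit(f"ZAP never started listening on port {ZAP_PORT}")
        subprocess.run(["java", "-cp", "bin:lib/*", f"-Dworkspace={workspace}", f"-DappURL={app_url}",
                        "-DproxyHost=localhost", f"-DproxyPort={ZAP_PORT}", "-Dbrowser=Firefox",
                        "org.testng.TestNG", "selenium.xml"])   # Selenium suite, proxied through ZAP
        with urllib.request.urlopen(f"{ZAP_API}/OTHER/core/other/htmlreport/") as r, \
                open(f"{workspace}/zapresult.html", "wb") as f:
            f.write(r.read())                        # HTML report for the Publish HTML reports plugin
        query = urllib.parse.quote(app_url, safe="")
        with urllib.request.urlopen(f"{ZAP_API}/JSON/core/view/alerts/?baseurl={query}") as r:
            counts = count_by_risk(r.read().decode())
        if gate_failed(counts):
            sys.exit(f"ZAP alerts by risk {counts}: failing the build")
    finally:
        zap.terminate()                              # cleanup runs even when tests or the gate fail
        zap.wait()
```

Call main with the Jenkins workspace and application URL (for example main("$WORKSPACE", "http://$PRIVATE_IP/")) from a Jenkins step; a non-zero exit from sys.exit fails the build.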

After the report has been generated, you can use the ‘Publish HTML reports’ plugin in Jenkins to display the results. Conveniently, there is also a SonarQube plugin for publishing ZAP results, which can be found here. Jenkins has an official OWASP Zed Attack Proxy Jenkins Plugin, but in practice, I found the ZAP Jenkins plugin to be too cumbersome for this task. Maybe if you were using ZAP to perform different active scans as well, then you would find it more useful. Within a couple of hours you can easily implement a good baseline security scan of your application (assuming you already have sufficient front-end tests) with no extra time cost added to your pipeline.

Coveros Staff

This post represents the collective insights of the Coveros team. Our staff consists of software experts who bring deep experience in secure agile development, DevOps, testing, and software quality. Over the past 20 years, Coveros has trained more than 30,000 professionals and worked with half of the Fortune 100 companies on mission-critical software development challenges. We draw on this extensive experience to share practical insights, proven strategies, and real-world solutions that help organizations build better software faster and more securely.