TEST AUTOMATION WITH A DROP OF SECURITY SCANNING
An easy guide to getting more out of WebDriver automation by routing it through a proxy-based security scanner, e.g. OWASP ZAP.
AGENDA:
Why is security important?
Test automation
Security scanners
Efficient combination
WHY IS SECURITY IMPORTANT?
Don't get yourself hacked…
HOW MUCH IS STORED ONLINE?
FIRST CONCLUSIONS
1.) Too MUCH code…
2.) Too FEW experts…
3.) WE ARE HACKED!
THE THREAT IS REAL…
#INFOSEC
https://haveibeenpwned.com/PwnedWebsites
5 BIGGEST ATTACKS, SO FAR…
TEST AUTOMATION
Just a brief introduction to WebDriver
SELENIUM: a portable software-testing framework for web applications.
▪ Provides a record/playback tool for authoring tests.
▪ Provides a test domain-specific language (Selenese) and client bindings for a number of popular programming languages, including C#, Groovy, Java, Perl, PHP, Python, Ruby and Scala.
▪ The tests can then run against most modern web browsers.
▪ Deploys on Windows, Linux and OS X platforms.
▪ It is open-source software, released under the Apache 2.0 license.
SELENIUM AUTOMATION CODE SAMPLE
SECURITY SCANNERS
First steps in vulnerability identification
OWASP ZAP
▪ Open-source web application security scanner.
▪ It is also fully internationalized and translated into over 25 languages.
▪ Used as a proxy server it lets the user inspect and manipulate all of the traffic that passes through it, including HTTPS traffic (ZAP terminates TLS with its own root CA, which the browser must trust).
▪ This cross-platform tool is written in Java and is available for all popular operating systems.
▪ Some of the built-in features include:
➢ Intercepting proxy server,
➢ Traditional and AJAX web crawlers (spiders),
➢ Automated (active) scanner,
➢ Passive scanner, which only inspects traffic that passes through the proxy and sends no extra requests,
➢ Forced browsing.
▪ It has a plugin-based architecture and an online 'marketplace' for add-ons.
ZAP SSL CERTIFICATE IN FIREFOX
1. Open up OWASP ZAP.
2. Go to Tools -> Options.
3. In the Certificates section, click on Generate.
4. Save the certificate in some location.
5. Navigate to the Preferences of your browser.
6. Click on the Advanced tab, navigate to the Certificates tab and click on View Certificates.
7. Select the Authorities tab, click on Import and choose the OWASP ZAP Root Certificate.
8. Check all the boxes.
9. Browse sites with HTTPS enabled. You are no longer prompted with the SSL Security Exception error message.
Import the ZAP root CA only into the browser profile you use for testing: a browser that trusts it will accept any certificate ZAP issues, so keep that profile (and ZAP's private key) away from everyday browsing.
UI EXAMPLE
REPORT EXAMPLE
EFFICIENT COMBINATION
Easy connection between WebDriver and OWASP ZAP
DRIVER WITH PROXY (SELENIUM 2.0 AND SELENIUM 3.0)
The simple way to:
Set a manual proxy (pointing the browser at ZAP for both HTTP and HTTPS)
Accept all SSL certificates (so ZAP's generated certificates do not break the test run)
Run the browser with the proxy applied to all windows and popups (the proxy is part of the browser profile, so child windows inherit it)
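The wiring described above (a WebDriver session whose HTTP and HTTPS traffic goes through ZAP, accepting ZAP's certificates) together with the active scanner and alert reporting listed in the OWASP ZAP section, as an added example that is not code from the original slides. It assumes things the slides do not state: ZAP listening on localhost:8080 with its API key in the ZAP_API_KEY environment variable, an application under test at http://localhost:3000 that you are authorised to scan, a login form with fields named `username` and `password`, Java 11+ (for `java.net.http`) and Selenium 3.x on the classpath. The Selenium 2.x driver method is kept beside the 3.x one to show the API difference the slides split across two pages; only the 3.x one is called.

```java
// Added example, not from the original slides: run a functional test through
// OWASP ZAP, then active-scan what the test touched and gate on high-risk alerts.
// Assumed: ZAP on localhost:8080, API key in $ZAP_API_KEY, target on localhost:3000,
// form field names "username"/"password", Java 11+, Selenium 3.x.
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.openqa.selenium.By;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;
import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;

public class ZapScanningTest {
    static final String ZAP_HOST = "localhost";          // assumed
    static final int ZAP_PORT = 8080;                     // assumed (ZAP default)
    static final String ZAP_API_KEY = System.getenv("ZAP_API_KEY"); // assumed
    static final String TARGET = "http://localhost:3000"; // assumed application under test

    /** Proxy definition shared by both Selenium versions: HTTP and HTTPS both go through ZAP. */
    static Proxy zapProxy() {
        String zap = ZAP_HOST + ":" + ZAP_PORT;
        return new Proxy().setHttpProxy(zap).setSslProxy(zap);
    }

    /** Selenium 2.x style: DesiredCapabilities, with ACCEPT_SSL_CERTS for ZAP's certificates. */
    static WebDriver selenium2Driver() {
        DesiredCapabilities caps = DesiredCapabilities.firefox();
        caps.setCapability(CapabilityType.PROXY, zapProxy());
        caps.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true);
        return new FirefoxDriver(caps);
    }

    /** Selenium 3.x style: FirefoxOptions; acceptInsecureCerts replaces ACCEPT_SSL_CERTS. */
    static WebDriver selenium3Driver() {
        FirefoxOptions options = new FirefoxOptions();
        options.setProxy(zapProxy());
        // Only acceptable in a throwaway test browser: it also hides genuine certificate errors.
        options.setAcceptInsecureCerts(true);
        return new FirefoxDriver(options);
    }

    static final HttpClient http = HttpClient.newHttpClient();

    /** Call one ZAP JSON API endpoint: http://zap/JSON/{component}/{type}/{name}/?apikey=...&query */
    static String zap(String component, String type, String name, String query) throws Exception {
        String url = String.format("http://%s:%d/JSON/%s/%s/%s/?apikey=%s&%s",
                ZAP_HOST, ZAP_PORT, component, type, name,
                URLEncoder.encode(ZAP_API_KEY, StandardCharsets.UTF_8), query);
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).GET().build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("ZAP API error: " + resp.body());
        return resp.body();
    }

    /** Pull one value out of ZAP's flat JSON replies such as {"scan":"1"} or {"status":"100"}. */
    static String field(String json, String key) {
        Matcher m = Pattern.compile("\"" + key + "\"\\s*:\\s*\"?([^\",}]*)").matcher(json);
        if (!m.find()) throw new IllegalStateException("no field " + key + " in " + json);
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        String target = URLEncoder.encode(TARGET, StandardCharsets.UTF_8);
        WebDriver driver = selenium3Driver();
        try {
            // 1. Ordinary functional test; every request is recorded and passively scanned by ZAP.
            driver.get(TARGET + "/login");
            driver.findElement(By.name("username")).sendKeys("tester");           // assumed field
            driver.findElement(By.name("password")).sendKeys("not-a-real-password"); // assumed field
            driver.findElement(By.cssSelector("button[type=submit]")).click();
        } finally {
            driver.quit();
        }
        // 2. Active-scan only the URLs the functional test reached, and wait for completion.
        String scanId = field(zap("ascan", "action", "scan", "url=" + target + "&recurse=true"), "scan");
        while (Integer.parseInt(field(zap("ascan", "view", "status", "scanId=" + scanId), "status")) < 100) {
            Thread.sleep(2000);
        }
        // 3. Gate the build: riskId 3 = High in ZAP's alert model.
        int high = Integer.parseInt(field(
                zap("core", "view", "numberOfAlerts", "baseurl=" + target + "&riskId=3"), "numberOfAlerts"));
        System.out.println("High-risk alerts reported by ZAP: " + high);
        if (high > 0) System.exit(1);
    }
}
```

Start ZAP headless first (`zap.sh -daemon -port 8080` plus your API key setting) and point the driver at it; the active scan is restricted to the URLs the WebDriver test visited, which is what keeps the scan fast and keeps it on the application you own. `setAcceptInsecureCerts(true)` disables certificate validation for the whole test browser, so never reuse that profile for anything else; if you want the browser to keep rejecting other bad certificates, import ZAP's root CA as shown in the certificate section instead and leave this flag off.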
ANY
QUESTIONS?
Thank You…