Security Testing With ZAP and Iridium

By integrating security testing into the same scripts that validate your web applications, Iridium and ZAP provide an easy way for developers to ensure that security vulnerabilities don’t creep into new releases.

· Web Dev Zone
If you are just getting started with Iridium, please read the article An Introduction to Iridium, an Open Source Selenium and Cucumber Testing Tool.

The Zed Attack Proxy (ZAP) is an OWASP project that has been designed to automatically find security vulnerabilities in your web applications while you are developing and testing. ZAP works by exposing a proxy that your browser can be configured to send requests through, with passive scanners inspecting the requests and responses to find common security issues, while a more invasive active scanner probes the application looking for weaknesses.

We’ve already seen how a proxy has been integrated into Iridium to provide a way to modify requests as an automated test is run. ZAP has been integrated in much the same way, with Iridium optionally creating an instance of the Zed Attack Proxy at startup and routing requests to the web app being tested through both BrowserMob and ZAP. At the end of the test, ZAP will save the results of the passive scan, or initiate an active scan.

To run this example, right click, download and run this Web Start file. If you have not already done so, ensure that you have trusted the location where the Iridium JAR file is downloaded from using the instructions in the installation chapter of the getting started guide.

The ability to integrate a security scan into your Cucumber tests is a very convenient way to ensure that you haven’t introduced a security vulnerability as you roll out new features. And Iridium makes this very easy.

Before you can use any features of ZAP, you need to enable it by setting the startInternalProxy system property to zap.

<property name="javaws.startInternalProxy" value="zap"/>

Once enabled, you need to start the ZAP scanner. The easiest way to start the scanner is to enable all the ZAP policies. This enables all the passive and active policies. Be aware that just because you have enabled the active scan policies, ZAP will not actually initiate an active scan until you instruct it to do so.

Scenario: Launch App
    Given a scanner with all policies enabled

You’ll find this step “Given a scanner with all policies enabled” at the start of your feature. Once enabled, requests made to your web app will be run through ZAP and through all the passive policies that have been bundled with ZAP.

From this point, the test is run as normal.

Once the test has completed, we’ll have a scenario that initiates the ZAP spider (which is used to find the URLs that make up your web app), saves the ZAP XML report file, and then fails the test if any security vulnerabilities were found.

Scenario: Save the results
    And the application is spidered timing out after "15" seconds
    And the ZAP XML report is written to the file "zapreport.xml"
    Then no "Low" or higher risk vulnerabilities should be present for the base url "^https://dzone.com"

You can also initiate the active scan at this point, but be aware that an active scan is actually an active attack on a web site, so don’t do this unless you have the authority to attack the site you are testing.

Scenario: Save the results
    And the application is spidered timing out after "15" seconds
    And the attack strength is set to "HIGH"
    And the active scanner is run
    And the ZAP XML report is written to the file "zapreport.xml"
    Then no "Low" or higher risk vulnerabilities should be present for the base url "^https://bodgeit.herokuapp.com"

I have found most web sites have a lot of security vulnerabilities considered low risk by ZAP. It is not uncommon to have hundreds or thousands of these low risk vulnerabilities, but these are just the same few issues reported over and over again.


To exclude these low risk vulnerabilities, set the reporting threshold to “Medium” or “High”.

Then no "Medium" or higher risk vulnerabilities should be present for the base url "^https://bodgeit.herokuapp.com"
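To show what the "Then no ... or higher risk vulnerabilities" step is actually checking, and why raising the threshold collapses the long list of repeated low-risk findings, here is an added example that reads a ZAP XML report and applies the same base-URL regex and risk threshold. This is not Iridium's own step implementation; the sample report, host names and plugin ids are constructed, and the element layout is assumed to follow ZAP's traditional XML report (OWASPZAPReport/site/alerts/alertitem with a numeric riskcode of 0 to 3).

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Risk levels as ZAP encodes them in <riskcode>: 0 Informational .. 3 High.
RISK_LEVELS = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample report (assumption: mirrors ZAP's traditional XML layout).
# Two sites: the app under test and a third-party host the spider also touched.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.5.0" generated="Sun, 17 Jul 2016 17:17:32">
  <site name="https://bodgeit.example.test" host="bodgeit.example.test" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <riskdesc>Low (Medium)</riskdesc>
        <instances>
          <instance><uri>https://bodgeit.example.test/</uri></instance>
          <instance><uri>https://bodgeit.example.test/login.jsp</uri></instance>
          <instance><uri>https://bodgeit.example.test/search.jsp</uri></instance>
        </instances>
        <count>3</count>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <riskdesc>High (Medium)</riskdesc>
        <instances>
          <instance><uri>https://bodgeit.example.test/search.jsp?q=x</uri></instance>
        </instances>
        <count>1</count>
      </alertitem>
    </alerts>
  </site>
  <site name="https://cdn.example.test" host="cdn.example.test" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>10015</pluginid>
        <alert>Incomplete or No Cache-control and Pragma HTTP Header Set</alert>
        <riskcode>1</riskcode>
        <riskdesc>Low (Medium)</riskdesc>
        <instances><instance><uri>https://cdn.example.test/app.js</uri></instance></instances>
        <count>1</count>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def alerts_at_or_above(report_xml, threshold, base_url_pattern):
    """Return (alert name, riskcode, instance count) for every alert whose
    risk is >= threshold, on sites whose name matches base_url_pattern."""
    min_code = RISK_LEVELS[threshold]
    site_re = re.compile(base_url_pattern)
    root = ET.fromstring(report_xml)
    found = []
    for site in root.iter("site"):
        if not site_re.search(site.get("name", "")):
            continue  # hosts outside the base url are out of scope for the check
        for item in site.iter("alertitem"):
            code = int(item.findtext("riskcode", "0"))
            if code >= min_code:
                found.append((item.findtext("alert"), code, len(list(item.iter("instance")))))
    return found


def assert_no_vulnerabilities(report_xml, threshold, base_url_pattern):
    """Mirror of the Cucumber 'Then' step: True when the report is clean at this threshold."""
    return not alerts_at_or_above(report_xml, threshold, base_url_pattern)


def summarise(report_xml, base_url_pattern):
    """Collapse per-URL noise into one line per distinct alert, highest risk first,
    so the 'same few issues reported over and over' become visible as a few rows."""
    counter = Counter()
    for name, code, instances in alerts_at_or_above(report_xml, "Informational", base_url_pattern):
        counter[(name, code)] += instances
    return sorted(counter.items(), key=lambda kv: (-kv[0][1], kv[0][0]))


if __name__ == "__main__":
    for (name, code), n in summarise(SAMPLE_REPORT, r"^https://bodgeit"):
        print(f"riskcode={code} instances={n} {name}")
    print("clean at Low:", assert_no_vulnerabilities(SAMPLE_REPORT, "Low", r"^https://bodgeit"))
    print("clean at Medium:", assert_no_vulnerabilities(SAMPLE_REPORT, "Medium", r"^https://bodgeit"))
```

Run against the constructed report, the check fails at the "Low" threshold on both the header finding and the reflected XSS, while at "Medium" only the XSS remains; the third-party site's finding never counts because its name does not match the base url regex. Before raising the threshold on a real report, look at the summarised rows first: a Low finding repeated across every page is usually one missing response header, which is cheap to fix once.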

By integrating security testing into the same scripts that validate your web applications, Iridium and ZAP provide an easy way for developers to ensure that security vulnerabilities don’t creep into new releases. With just a few extra steps in a test script, you get the benefit of one of the most popular open source security scanners running as part of your regular integration tests.


Published at DZone with permission of Matthew Casperson, DZone MVB. See the original article here.
