Security Testing With ZAP and Iridium
By integrating security testing into the same scripts that validate your web applications, Iridium and ZAP provide an easy way for developers to ensure that security vulnerabilities don’t creep into new releases.
If you are just getting started with Iridium, please read the article An Introduction to Iridium, an Open Source Selenium and Cucumber Testing Tool.
The Zed Attack Proxy (ZAP) is an OWASP project that has been designed to automatically find security vulnerabilities in your web applications while you are developing and testing. ZAP works by exposing a proxy that your browser can be configured to send requests through, with passive scanners inspecting the requests and responses to find common security issues, while a more invasive active scanner probes the application looking for weaknesses.
We’ve already seen how a proxy has been integrated into Iridium to provide a way to modify requests as an automated test is run. ZAP has been integrated in much the same way, with Iridium optionally creating an instance of the Zed Attack Proxy at startup and routing requests to the web app being tested through both BrowserMob and ZAP. At the end of the test, ZAP will save the results of the passive scan, or initiate an active scan.
To run this example, right click, download and run this Web Start file. If you have not already done so, ensure that you have trusted the location where the Iridium JAR file is downloaded from using the instructions in the installation chapter of the getting started guide.
The ability to integrate a security scan into your Cucumber tests is a very convenient way to ensure that you haven’t introduced a security vulnerability as you roll out new features. And Iridium makes this very easy.
Before you can use any features of ZAP, you need to enable it by setting the startInternalProxy system property to zap.
<property name="javaws.startInternalProxy" value="zap"/>
Once enabled, you need to start the ZAP scanner. The easiest way to start the scanner is to enable all the ZAP policies. This enables all the passive and active policies. Be aware that just because you have enabled the active scan policies, ZAP will not actually initiate an active scan until you instruct it to do so.
Scenario: Launch App
  Given a scanner with all policies enabled
You’ll find this step “Given a scanner with all policies enabled” at the start of your feature. Once enabled, requests made to your web app will be run through ZAP and through all the passive policies that have been bundled with ZAP.
From this point, the test is run as normal.
Once the test has completed, we’ll have a scenario that initiates the ZAP spider (which is used to find the URLs that make up your web app), saves the ZAP XML report file, and then fails the test if any security vulnerabilities were found.
Scenario: Save the results
  And the application is spidered timing out after "15" seconds
  And the ZAP XML report is written to the file "zapreport.xml"
  Then no "Low" or higher risk vulnerabilities should be present for the base url "^https://dzone.com"
You can also initiate the active scan at this point, but be aware that an active scan is actually an active attack on a web site, so don’t do this unless you have the authority to attack the site you are testing.
Scenario: Save the results
  And the application is spidered timing out after "15" seconds
  And the attack strength is set to "HIGH"
  And the active scanner is run
  And the ZAP XML report is written to the file "zapreport.xml"
  Then no "Low" or higher risk vulnerabilities should be present for the base url "^https://bodgeit.herokuapp.com"
I have found most web sites have a lot of security vulnerabilities considered low risk by ZAP. It is not uncommon to have hundreds or thousands of these low risk vulnerabilities, but these are just the same few issues reported over and over again.
To remove these low risk vulnerabilities, set the reporting threshold to “Medium” or “High”.
Then no "Medium" or higher risk vulnerabilities should be present for the base url "^https://bodgeit.herokuapp.com"
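The threshold and base URL check can also be reproduced against the saved report, which shows how few distinct issues sit behind a long list of low risk alerts. The Python script below is an added example, not part of Iridium or ZAP. It assumes the XML report contains alertitem elements with alert, riskcode (0 to 3) and uri elements; the sample report and host names are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

RISK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
RISK_NAME = {code: name for name, code in RISK.items()}

# Constructed sample, not real scan output. Assumed layout: <alertitem> elements
# carrying <alert>, <riskcode> and one or more <uri> descendants.
SAMPLE_REPORT = """<OWASPZAPReport>
 <site name="https://app.example.test"><alerts>
  <alertitem><alert>X-Content-Type-Options Header Missing</alert><riskcode>1</riskcode>
   <instances>
    <instance><uri>https://app.example.test/</uri></instance>
    <instance><uri>https://app.example.test/login</uri></instance>
    <instance><uri>https://app.example.test/basket</uri></instance>
   </instances></alertitem>
  <alertitem><alert>X-Frame-Options Header Not Set</alert><riskcode>2</riskcode>
   <uri>https://app.example.test/login</uri></alertitem>
 </alerts></site>
 <site name="https://cdn.thirdparty.test"><alerts>
  <alertitem><alert>Vulnerable JS Library</alert><riskcode>3</riskcode>
   <uri>https://cdn.thirdparty.test/widget.js</uri></alertitem>
 </alerts></site>
</OWASPZAPReport>"""


def summarize(report_xml, base_url_regex, threshold="Low"):
    """Count alert instances per (risk, alert name) at or above threshold
    whose URI matches base_url_regex."""
    base = re.compile(base_url_regex)
    counts = Counter()
    for item in ET.fromstring(report_xml).iter("alertitem"):
        code = int(item.findtext("riskcode", default="0"))
        if code < RISK[threshold]:
            continue
        name = item.findtext("alert", default="(unnamed)")
        for uri in item.iter("uri"):  # handles direct and nested <uri>
            if base.search(uri.text or ""):
                counts[(RISK_NAME[code], name)] += 1
    return counts


def gate(report_xml, base_url_regex, threshold="Low"):
    """Return True when no matching alert remains, i.e. the build may pass."""
    return not summarize(report_xml, base_url_regex, threshold)


if __name__ == "__main__":
    for (risk, name), n in sorted(summarize(SAMPLE_REPORT, r"^https://app\.example\.test").items()):
        print(f"{risk:6} x{n:<3} {name}")
```

Alerts on hosts outside the base URL regex are ignored, so a finding on a third-party host does not fail the gate for your own application.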
By integrating security testing into the same scripts that validate your web applications, Iridium and ZAP provide an easy way for developers to ensure that security vulnerabilities don’t creep into new releases. With just a few extra steps in a test script, you get the benefit of one of the most popular open source security scanners running as part of your regular integration tests.
Published at DZone with permission of Matthew Casperson, DZone MVB. See the original article here.