TEST AUTOMATION WITH A DROP OF SECURITY SCANNING
An easy guide on how to benefit from WebDriver automation combined with proxy security scanners such as OWASP ZAP.
AGENDA:
Why is security important?
Test automation
Security scanners
Efficient combination
WHY IS SECURITY IMPORTANT?
Don't get yourself hacked..
HOW MUCH IS STORED ONLINE?
FIRST CONCLUSIONS
1.) Too MUCH code…
2.) Too FEW experts…
3.) WE ARE HACKED!!
THE THREAT IS REAL..
#INFOSEC
HTTPS://HAVEIBEENPWNED.COM/PWNEDWEBSITES
5 BIGGEST ATTACKS, SO FAR…
TEST AUTOMATION
Just a brief introduction to WebDriver
SELENIUM
▪ Portable software-testing framework for web applications.
▪ Provides a record/playback tool for authoring tests.
▪ Provides a test domain-specific language (Selenese) to write tests in a number of popular programming languages, including C#, Groovy, Java, Perl, PHP, Python, Ruby and Scala.
▪ The tests can then run against most modern web browsers.
▪ Deploys on Windows, Linux, and OS X platforms.
▪ It is open-source software, released under the Apache 2.0 license.
SELENIUM AUTOMATION CODE SAMPLE
SECURITY SCANNERS
First steps in vulnerability identification
OWASP ZAP
▪ Open-source web application security scanner.
▪ It is also fully internationalized and translated into over 25 languages.
▪ Used as a proxy server, it allows the user to manipulate all of the traffic that passes through it, including traffic using HTTPS.
▪ This cross-platform tool is written in Java and is available on all of the popular operating systems.
▪ Some of the built-in features include:
➢ Intercepting proxy server,
➢ Traditional and AJAX web crawlers,
➢ Automated scanner,
➢ Passive scanner,
➢ Forced browsing.
▪ It has a plugin-based architecture and an online ‘marketplace’.
ZAP SSL CERTIFICATE IN FIREFOX
1.) Open up OWASP ZAP.
2.) Go to Tools -> Options.
3.) In the Certificates section, click on Generate.
4.) Save the certificate in some location.
5.) Navigate to the Preferences of your browser.
6.) Click on the Advanced tab, navigate to the Certificates tab and click on View Certificates.
7.) Select the Authorities tab, click on Import and choose the OWASP ZAP Root Certificate.
8.) Check all the boxes.
9.) Browse sites with HTTPS enabled. You're no longer prompted with the SSL Security Exception error message.
UI EXAMPLE
REPORT EXAMPLE
EFFICIENT COMBINATION
Easy connection between WebDriver and OWASP ZAP
DRIVER WITH PROXY: SELENIUM 2.0
The simple way to:
▪ Set a manual proxy
▪ Accept all SSL certs
▪ Run the browser with the proxy applied to all popups
DRIVER WITH PROXY: SELENIUM 3.0
The simple way to:
▪ Set a manual proxy
▪ Accept all SSL certs
▪ Run the browser with the proxy applied to all popups
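The three steps above (manual proxy, accept all SSL certs, proxy applied to every window the browser opens), worked through for both the Selenium 2.0 and the Selenium 3.0 slides. This is an added example, not code from the original deck; it assumes ZAP is listening on its default 127.0.0.1:8080, and that the Selenium Python bindings (3.14 or later, or 4.x) are installed only for the launch helper.

```python
"""Route a Selenium-driven Firefox through OWASP ZAP so every request, including
HTTPS and popup windows, passes ZAP's intercepting proxy and passive scanner.

Assumed (not from the slides): ZAP listens on 127.0.0.1:8080; the Selenium
Python bindings are needed only by launch_firefox_via_zap().
"""
from typing import Any, Dict

ZAP_HOST = "127.0.0.1"  # assumed default ZAP listen address
ZAP_PORT = 8080         # assumed default ZAP listen port


def zap_proxy_capabilities(selenium_major: int = 3,
                           host: str = ZAP_HOST, port: int = ZAP_PORT) -> Dict[str, Any]:
    """Build the 'manual proxy + accept all SSL certs' settings from the slides.

    Selenium 2.x speaks the legacy JSON Wire Protocol (acceptSslCerts, MANUAL);
    Selenium 3.x/4.x speaks the W3C WebDriver protocol (acceptInsecureCerts, manual).
    Both route HTTP and HTTPS through ZAP; popups share the session and its proxy.
    """
    proxy = f"{host}:{port}"
    if selenium_major < 3:
        return {
            "proxy": {"proxyType": "MANUAL", "httpProxy": proxy, "sslProxy": proxy},
            "acceptSslCerts": True,  # legacy key: trust ZAP's generated certificates
        }
    return {
        "proxy": {"proxyType": "manual", "httpProxy": proxy, "sslProxy": proxy},
        "acceptInsecureCerts": True,  # W3C key: trust ZAP's generated certificates
    }


def launch_firefox_via_zap():
    """Start Firefox with the W3C-style ZAP proxy settings applied.

    Selenium is imported lazily so zap_proxy_capabilities() works without it.
    """
    from selenium import webdriver
    from selenium.webdriver.firefox.options import Options

    options = Options()
    for name, value in zap_proxy_capabilities(selenium_major=3).items():
        options.set_capability(name, value)
    # Trust the ZAP root CA only in this dedicated test profile: any browser that
    # trusts it can be intercepted by whoever holds that CA's private key.
    return webdriver.Firefox(options=options)


if __name__ == "__main__":
    driver = launch_firefox_via_zap()
    try:
        driver.get("https://example.com/")  # this request is now visible in ZAP
    finally:
        driver.quit()
```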
ANY QUESTIONS?
Thank you…