An example project of integrating Zap into existing automation tests that are developed with the WebDriver.io framework.
Zap is a great tool that can spider your web app and report the security vulnerabilities it finds.
By integrating it into the automation tests, you gain better coverage of your web app, since every page your tests visit will also be scanned by Zap.
I presented this project at a webinar; you can find the slide deck here.
In this example I used OWASP Juice Shop for demonstration purposes: the test simply tries to open one of the pages so we can see Zap's alerts.
I am also using OWASP Glue to process the alerts found by Zap.
I used docker and docker-compose to make this setup easy, using the following services:

- Selenium hub and chrome official images, to run the tests.
- Zap stable
- OWASP Juice Shop
- Test, a service that actually runs your automation tests
To build the tests I've used this guide. Check it out for a complete walk-through on how to proxy your existing tests through Zap and add security tests easily.
- Clone this repo and browse to the checkout folder.
- Run `./scripts/run_tests.sh`. This step runs the e2e tests, which pass. Zap proxies the tests and persists the session.
- Run `./scripts/run_security_tests.sh`. This step queries Zap's passive scan results and outputs them using Glue.
- Modify `./glue/juice-shop` to ignore specific findings. Take a look at the guide for more details on the different ways to ignore findings.

Behind the scene
=========================

The magic is done by requesting the proxy capability in the webdriver.io config (see the whole file under `app/wdio.conf.js`; I used the basic file from the documentation and changed it a bit):
```js
var proxy = "http://zap:8090";
...
capabilities: [{
    browserName: 'chrome',
    proxy: {
        httpProxy: proxy,
        sslProxy: proxy,
        ftpProxy: proxy,
        proxyType: "MANUAL",
        autodetect: false
    },
    'chrome.switches': [
        '--ignore-certificate-errors'
    ]
}],
```
where `http://zap:8090` is the Zap container address (see the networking documentation).
The test script (`app/test.sh`) is what actually runs Zap.
It is installed on the docker image (see the Dockerfile at `app/Dockerfile`).
Currently it contains the following commands:
- `./wait-for-it.sh zap:8090 -t 40000` waits until Zap completes loading.
- `npm test` runs the tests.
- `ruby /usr/bin/glue/bin/glue -t zap --zap-host http://zap --zap-port 8090 --zap-passive-mode -f text --exit-on-warn 0 http://juice-shop --finding-file-path /usr/src/wrk/glue.json` processes Zap's alerts using Glue.

Please notice that you can exclude certain URLs from Zap's alerts by editing `glue.json`.
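The security step above hands Zap's passive scan results to Glue and applies an ignore list. As an added example that is not part of this project (and not Glue's own code), the script below does the same job directly in Node: it reads alerts from Zap's JSON API, drops the ones an ignore list accepts, deduplicates by alert name and URL, and exits non-zero if anything at or above a chosen risk level remains. It assumes Zap listens on `http://zap:8090` without an API key, as in the docker-compose setup here, and that alerts carry the `alert`, `risk`, `url` and `pluginId` fields of the `/JSON/core/view/alerts/` view; the ignore-rule format (`alert` plus optional `urlPrefix`) is this example's own, not the `glue.json` format. The sample alerts are constructed so the triage logic can be exercised offline.

```javascript
// Added example, not the project's code: gate a build on Zap's passive scan alerts.
// Assumptions: Zap at http://zap:8090 with no API key; alert objects use the field
// names of Zap's /JSON/core/view/alerts/ view (alert, risk, url, pluginId).

// Ordering used to compare Zap's textual risk levels.
const RISK_ORDER = { Informational: 0, Low: 1, Medium: 2, High: 3 };

// Ignore rules are this example's own format (not glue.json): each rule names a
// Zap alert and, optionally, a URL prefix it is accepted for.
function isIgnored(alert, ignoreRules) {
  return ignoreRules.some(rule =>
    rule.alert === alert.alert &&
    (rule.urlPrefix === undefined || alert.url.startsWith(rule.urlPrefix)));
}

// Keep alerts at or above minRisk that no rule ignores, reported once per
// (alert, url) pair so one missing header on one page is not listed many times.
function triage(alerts, { minRisk = 'Low', ignoreRules = [] } = {}) {
  const seen = new Set();
  return alerts.filter(a => {
    const level = RISK_ORDER[a.risk];
    if (level === undefined || level < RISK_ORDER[minRisk]) return false;
    if (isIgnored(a, ignoreRules)) return false;
    const key = `${a.alert}|${a.url}`;
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// Fetch the alerts Zap recorded for a base URL (network call; not used offline).
function fetchAlerts(baseUrl, zapHost = 'zap', zapPort = 8090) {
  const http = require('http');
  const path = `/JSON/core/view/alerts/?baseurl=${encodeURIComponent(baseUrl)}&start=0&count=1000`;
  return new Promise((resolve, reject) => {
    http.get({ host: zapHost, port: zapPort, path }, res => {
      let body = '';
      res.on('data', chunk => { body += chunk; });
      res.on('end', () => {
        try { resolve(JSON.parse(body).alerts); } catch (e) { reject(e); }
      });
    }).on('error', reject);
  });
}

// Constructed sample of an API response, trimmed to the fields used here.
const SAMPLE_ALERTS = [
  { alert: 'X-Content-Type-Options Header Missing', risk: 'Low', url: 'http://juice-shop/', pluginId: '10021' },
  { alert: 'X-Content-Type-Options Header Missing', risk: 'Low', url: 'http://juice-shop/', pluginId: '10021' },
  { alert: 'Cross-Domain JavaScript Source File Inclusion', risk: 'Low', url: 'http://juice-shop/', pluginId: '10017' },
  { alert: 'Cookie No HttpOnly Flag', risk: 'Low', url: 'http://juice-shop/rest/user/login', pluginId: '10010' },
  { alert: 'Timestamp Disclosure - Unix', risk: 'Informational', url: 'http://juice-shop/main.js', pluginId: '10096' },
];

// Constructed ignore list: one finding accepted everywhere, one only under /rest/.
const SAMPLE_IGNORES = [
  { alert: 'Cross-Domain JavaScript Source File Inclusion' },
  { alert: 'Cookie No HttpOnly Flag', urlPrefix: 'http://juice-shop/rest/' },
];

// Live run against the Zap container, enabled with RUN_ZAP_GATE=1 node gate.js
if (process.env.RUN_ZAP_GATE === '1') {
  fetchAlerts('http://juice-shop')
    .then(alerts => {
      const findings = triage(alerts, { minRisk: 'Low', ignoreRules: SAMPLE_IGNORES });
      findings.forEach(f => console.log(`[${f.risk}] ${f.alert} (plugin ${f.pluginId}) at ${f.url}`));
      process.exit(findings.length ? 1 : 0);
    })
    .catch(err => { console.error(`could not read Zap alerts: ${err.message}`); process.exit(2); });
}
```

Run it after `npm test` in place of (or alongside) the Glue command; with the sample ignore list, the only finding left from the constructed alerts is the missing `X-Content-Type-Options` header, so the process exits 1. Scoping an ignore rule with `urlPrefix` is the point to notice: accepting a cookie finding for the REST API does not silence the same finding on the rest of the site.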