An example project of integrating zap into existing automation tests that are developed with Webdriver.io framework. Zap is a great tool and can be used to spider your webapp and report security vulnerabilities it found. By integrating it into the automation test, you gain better coverage of your webapp, as every page that is covered with your tests will be also scanned with Zap. I presented this project at a Webinar, you can find the slidedeck here. In this example I used OWASP Juice Shope for demonstration purpose - the test simply try to open one of the pages so we can see Zap alerts. I am also using OWASP Glue to process the alerts found by Zap. I used docker and docker-compose to make this setup easy by using the following services:

Selenium hub and chrome official images - to run the tests.
Zap stable
OWASP Juice Shop
Test - A service that actually run your automation tests

To build the tests I've used this guide. Check it out for a complete walk-through on how to proxy you existing tests through Zap, and adding security tests easily.

Running

Clone this repo and browse to the checkout folder
Run ./scripts/run_tests.sh. This step is running the e2e tests and is passing. Zap will proxy the test and persist the session.
Run ./scripts/run_security_tests.sh. This step will query Zap's passive scan results and will output them using Glue.
Modify ./glue/juice-shop to ignore specific findings. Take a look on the guide for more details on different ways to ignore findings. Behind the scene ========================= The magic is done by requesting the proxy capability in webdriver.io config (see the whole file under app/wdio.conf.js, I used the basic file from the documentation and changed it a bit):

var proxy = "http://zap:8090";
...
capabilities: [{
        browserName: 'chrome',
        proxy: {
                httpProxy: proxy,
                sslProxy: proxy,
                ftpProxy: proxy,
                proxyType: "MANUAL",
                autodetect: false
            },
        'chrome.switches': [
          '--ignore-certificate-errors'
        ]
    }],

where http://zap:8090 is the Zap container address (see networking documentation).

The test script (app/test.sh) is what actually run Zap. It is installed on the docker image (see the docker file at app/Dockerfile). Currently it contains the following commands:

./wait-for-it.sh zap:8090 -t 40000 wait until zap complete loading
npm test to run the test
ruby /usr/bin/glue/bin/glue -t zap --zap-host http://zap --zap-port 8090 --zap-passive-mode -f text --exit-on-warn 0 http://juice-shop --finding-file-path /usr/src/wrk/glue.json to process Zap's alert using Glue.

Please notice that you can exclude certain urls from zap alerts by editing glue.json.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Soluto / webdriverio-zap-proxy

Programming Languages

Labels

Projects that are alternatives of or similar to webdriverio-zap-proxy

Description

Running