Test automation with a drop of security scanning · 2018/04/04
![Page 1: Test automation with a drop of security scanning...2018/04/04 · OWASP ZAP open-source web application security scanner. It is also fully internationalized and translated into over](https://reader036.fdocuments.us/reader036/viewer/2022081615/5fe33220fc612340f2715ad3/html5/thumbnails/1.jpg)
TEST AUTOMATION WITH A
DROP OF SECURITY
SCANNING
An easy guide to how to benefit from WebDriver
automation with proxy security scanners, e.g.
OWASP ZAP.
MICHAŁ BUCZKO
QUALITY COACH AND SECURITY TESTER
buczkomichal
@docatisto
My past ...
MICHAŁ BUCZKO
TESTING CONSULTANT AND SECURITY
COMMUNITY LEADER
buczkomichal
@docatisto
My future ...
8 years in Software Testing
4 years in PCI DSS environment
Functional testing
Security Testing
Test procedures
Consulting
Technical Support Sales
My testing context …
AGENDA:
Why is security important?
Test automation
Security scanners
Efficient combination
WHY SECURITY
IS
IMPORTANT?
Don't get yourself
hacked.
HOW MUCH IS STORED ONLINE?
FIRST
CONCLUSIONS
1) Too MUCH code…
2) Too FEW experts…
3) WE ARE HACKED!!
THE THREAT IS
REAL..
#INFOSEC LANDSCAPE REPORT Q1, Q2, Q3 and Q4 (one slide per quarterly report)
https://haveibeenpwned.com/PwnedWebsites
5 BIGGEST
ATTACKS,
SO FAR…
TEST
AUTOMATION
Just brief
introduction to
WebDriver
SELENIUM: a portable software-testing
framework for web applications.
Provides a record/playback tool (Selenium IDE) for authoring tests without writing code.
Provides a test domain-specific language (Selenese) and WebDriver client bindings for a number of popular programming languages, including C#, Groovy, Java, Perl, PHP, Python, Ruby and Scala.
The tests can then run against most modern web browsers.
Deploys on Windows, Linux and macOS.
It is open-source software, released under the Apache 2.0 license.
SELENIUM AUTOMATION CODE SAMPLE
SECURITY
SCANNERS
First steps in
vulnerability
identification
OWASP ZAP
▪ Open-source web application security scanner.
▪ It is also fully internationalized and translated into over 25 languages.
▪ Used as a proxy server it allows the user to inspect and manipulate all of the traffic that passes through it, including HTTPS traffic: ZAP generates its own root CA and issues a certificate for each site on the fly, so the browser has to trust that CA (or be told to accept any certificate) before HTTPS sites load without warnings.
▪ This cross-platform tool is written in Java and is available on all of the popular operating systems.
▪ Some of the built-in features include:
➢ Intercepting proxy server,
➢ Traditional and AJAX web crawlers (spiders),
➢ Automated (active) scanner,
➢ Passive scanner,
➢ Forced browsing.
▪ It has a plugin-based architecture and an online 'marketplace' of add-ons.
ZAP SSL
CERTIFICATE
IN FIREFOX
Open up OWASP ZAP
Go to Tools -> Options
In the Dynamic SSL Certificates section, click on Generate
Save the certificate in some location
Navigate to the Preferences of your browser
Click on the Advanced tab (Privacy & Security in current Firefox builds), navigate to the Certificates tab and click on View Certificates
Select the Authorities tab, click on Import and choose the OWASP ZAP Root Certificate
Check the trust boxes (at minimum "Trust this CA to identify websites")
Browse sites with HTTPS enabled. You're no longer prompted with the SSL Security Exception Error message.
Do this only in a dedicated test profile: whoever holds the private key of that ZAP root CA can transparently intercept every HTTPS connection the profile makes.
UI EXAMPLE
REPORT EXAMPLE
EFFICIENT
COMBINATION
Easy connection
between
WebDriver and
OWASP ZAP
DRIVER
WITH PROXY
SELENIUM 2.0
The simple way to:
Set a manual proxy (ZAP's listen address, localhost:8080 by default)
Accept all SSL certificates (the Selenium 2 capability acceptSslCerts; ZAP presents its own generated certificate for every HTTPS site)
Run the browser with the proxy applied to all pop-ups
DRIVER
WITH PROXY
SELENIUM 3.0
The simple way to:
Set a manual proxy (same Proxy object, now passed through W3C capabilities to geckodriver)
Accept all SSL certificates (the W3C capability is acceptInsecureCerts)
Run the browser with the proxy applied to all pop-ups
ANY
QUESTIONS?
Thank You…