Test automation with a drop of security scanning...2018/04/04  · OWASP ZAP open-source web...

Post on 01-Sep-2020


TEST AUTOMATION WITH A DROP OF SECURITY SCANNING

Easy guide on how to benefit from WebDriver automation with proxy security scanners, i.e. OWASP ZAP.

MICHAŁ BUCZKO, QUALITY COACH AND SECURITY TESTER

buczko.michal@gmail.com

buczkomichal

@docatisto

My past ...

MICHAŁ BUCZKO, TESTING CONSULTANT AND SECURITY COMMUNITY LEADER

buczko.michal@gmail.com

buczkomichal

@docatisto

My future ...

8 years in Software Testing

4 years in PCI DSS environment

Functional testing

Security Testing

Test procedures

Consulting

Technical Support Sales

My testing context …

AGENDA:

Why is security important?

Test automation

Security scanners

Efficient combination

WHY IS SECURITY IMPORTANT?

Don't get yourself hacked..

HOW MUCH IS STORED ONLINE?

FIRST CONCLUSIONS

1.) Too MUCH code…

2.) Too FEW experts…

3.) WE ARE HACKED !!

THE THREAT IS REAL.. #INFOSEC LANDSCAPE REPORT Q1

THE THREAT IS REAL.. #INFOSEC LANDSCAPE REPORT Q2

THE THREAT IS REAL.. #INFOSEC LANDSCAPE REPORT Q3

THE THREAT IS REAL.. #INFOSEC LANDSCAPE REPORT Q4

HTTPS://HAVEIBEENPWNED.COM/PWNEDWEBSITES

5 BIGGEST ATTACKS, SO FAR…

TEST AUTOMATION

Just a brief introduction to WebDriver

SELENIUM: portable software-testing framework for web applications.

▪ provides a record/playback tool for authoring tests

▪ provides a test domain-specific language (Selenese) to write tests in a number of popular programming languages, including C#, Groovy, Java, Perl, PHP, Python, Ruby and Scala.

▪ The tests can then run against most modern web browsers.

▪ deploys on Windows, Linux, and OS X platforms.

▪ It is open-source software, released under the Apache 2.0 license.

SELENIUM AUTOMATION CODE SAMPLE

SECURITY SCANNERS

First steps in vulnerability identification

OWASP ZAP

▪ open-source web application security scanner.

▪ It is also fully internationalized and translated into over 25 languages.

▪ Used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.

▪ This cross-platform tool is written in Java and is available on all of the popular operating systems.

▪ Some of the built in features include:

➢ Intercepting proxy server,

➢ Traditional and AJAX Web crawlers,

➢ Automated scanner,

➢ Passive scanner,

➢ Forced browsing,

▪ It has a plugin-based architecture and an online ‘marketplace’.

ZAP SSL CERTIFICATE IN FIREFOX

1.) Open up OWASP ZAP

2.) Go to Tools -> Options

3.) In the Certificates section, click on Generate

4.) Save the certificate in some location

5.) Navigate to the Preferences of your browser

6.) Click on the Advanced tab, navigate to the Certificates tab and click on View Certificates

7.) Select the Authorities tab, click on Import and choose the OWASP ZAP Root Certificate

8.) Check all the boxes

9.) Browse sites with HTTPS enabled. You're no longer prompted with the SSL Security Exception Error message.

UI EXAMPLE

REPORT EXAMPLE

EFFICIENT COMBINATION

Easy connection between WebDriver and OWASP ZAP

DRIVER WITH PROXY, SELENIUM 2.0

The simple way to:

Set a manual proxy

Accept all SSL Certs

Run browser with proxy on all popups

DRIVER WITH PROXY, SELENIUM 3.0

The simple way to:

Set a manual proxy

Accept all SSL Certs

Run browser with proxy on all popups
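The three steps on the Selenium 2.0 and 3.0 slides (manual proxy, accept all SSL certs, run the browser with the proxy) written out as an added Java example; this is not code from the slides. It assumes ZAP is listening on its default address localhost:8080, that you have generated the ZAP root certificate as described above, that the application URL and the `apikey` value are placeholders you replace, and that the Selenium 3 path targets the 3.14+ API (`FirefoxOptions.setProxy` / `setAcceptInsecureCerts`). After the WebDriver session ends, the example reads back the alerts ZAP collected through the ZAP JSON API, so the functional test run doubles as a passive security scan of exactly the pages the test visited.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;
import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;

public class ZapProxyDriver {

    // Assumption: ZAP runs locally on its default port 8080.
    static final String ZAP_ADDRESS = "localhost:8080";
    // Placeholder: ZAP API key as configured in Tools -> Options -> API.
    static final String ZAP_API_KEY = "<zap-api-key>";

    /** Manual proxy shared by both Selenium API styles: HTTP and HTTPS go through ZAP. */
    static Proxy zapProxy() {
        Proxy proxy = new Proxy();
        proxy.setProxyType(Proxy.ProxyType.MANUAL);
        proxy.setHttpProxy(ZAP_ADDRESS);
        proxy.setSslProxy(ZAP_ADDRESS);
        // Empty bypass list so that even localhost traffic is recorded by ZAP.
        proxy.setNoProxy("");
        return proxy;
    }

    /** Selenium 2.x style: DesiredCapabilities plus "accept all SSL certs". */
    static WebDriver selenium2Driver() {
        DesiredCapabilities caps = DesiredCapabilities.firefox();
        caps.setCapability(CapabilityType.PROXY, zapProxy());
        caps.setCapability(CapabilityType.ACCEPT_SSL_CERTS, true);
        return new FirefoxDriver(caps);
    }

    /** Selenium 3.x style: FirefoxOptions (W3C capabilities, geckodriver). */
    static WebDriver selenium3Driver() {
        FirefoxOptions options = new FirefoxOptions();
        options.setProxy(zapProxy());
        // Tolerate ZAP's man-in-the-middle certificate even if the profile
        // does not trust the ZAP root CA yet.
        options.setAcceptInsecureCerts(true);
        return new FirefoxDriver(options);
    }

    /**
     * Pull the alerts ZAP raised for the given site via its JSON API
     * (endpoint /JSON/core/view/alerts/). Returns the raw JSON body.
     */
    static String fetchZapAlerts(String baseUrl) throws Exception {
        String query = "baseurl=" + URLEncoder.encode(baseUrl, StandardCharsets.UTF_8.name())
                + "&apikey=" + URLEncoder.encode(ZAP_API_KEY, StandardCharsets.UTF_8.name());
        URL url = new URL("http://" + ZAP_ADDRESS + "/JSON/core/view/alerts/?" + query);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder target: point this at the application under test.
        String target = "https://app.example/";
        WebDriver driver = selenium3Driver();
        try {
            // Every request made here passes through ZAP's passive scanner.
            driver.get(target + "login");
            System.out.println("Title seen through ZAP: " + driver.getTitle());
        } finally {
            driver.quit();
        }
        // The security result of the functional run: ZAP's alerts for the site.
        System.out.println(fetchZapAlerts(target));
    }
}
```

`selenium2Driver()` and `selenium3Driver()` are interchangeable; keep whichever matches the Selenium version on your classpath. Accepting insecure certificates is only appropriate in the test environment where ZAP intercepts traffic; a production-like run should instead trust the imported ZAP root certificate and leave certificate validation enabled.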

ANY QUESTIONS?

Thank You…