Test automation with a drop of security scanning...2018/04/04 · OWASP ZAP open-source web...
TEST AUTOMATION WITH A DROP OF SECURITY SCANNING
Easy guide on how to benefit from WebDriver automation with proxy security scanners, e.g. OWASP ZAP.
MICHAŁ BUCZKO, QUALITY COACH AND SECURITY TESTER
buczkomichal
@docatisto
My past ...
MICHAŁ BUCZKO, TESTING CONSULTANT AND SECURITY COMMUNITY LEADER
buczkomichal
@docatisto
My future ...
8 years in Software Testing
4 years in PCI DSS environment
Functional testing
Security Testing
Test procedures
Consulting
Technical Support Sales
My testing context …
AGENDA:
Why is security important?
Test automation
Security scanners
Efficient combination
WHY IS SECURITY IMPORTANT?
Don't get yourself hacked..
HOW MUCH IS STORED ONLINE?
FIRST CONCLUSIONS
1.) Too MUCH code…
2.) Too FEW experts…
3.) WE ARE HACKED !!
THE THREAT IS REAL.. #INFOSEC LANDSCAPE REPORT Q1
THE THREAT IS REAL.. #INFOSEC LANDSCAPE REPORT Q2
THE THREAT IS REAL.. #INFOSEC LANDSCAPE REPORT Q3
THE THREAT IS REAL.. #INFOSEC LANDSCAPE REPORT Q4
HTTPS://HAVEIBEENPWNED.COM/PWNEDWEBSITES
5 BIGGEST ATTACKS, SO FAR…
TEST AUTOMATION
Just a brief introduction to WebDriver
SELENIUM
Portable software-testing framework for web applications.
Provides a record/playback tool for authoring tests without learning a scripting language.
Provides a test domain-specific language (Selenese) to write tests in a number of popular programming languages, including C#, Groovy, Java, Perl, PHP, Python, Ruby and Scala.
The tests can then run against most modern web browsers.
Deploys on Windows, Linux, and OS X platforms.
It is open-source software, released under the Apache 2.0 license.
SELENIUM AUTOMATION CODE SAMPLE
SECURITY SCANNERS
First steps in vulnerability identification
OWASP ZAP
▪ Open-source web application security scanner.
▪ It is also fully internationalized and translated into over 25 languages.
▪ Used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.
▪ This cross-platform tool is written in Java and is available for all of the popular operating systems.
▪ Some of the built in features include:
➢ Intercepting proxy server,
➢ Traditional and AJAX Web crawlers,
➢ Automated scanner,
➢ Passive scanner,
➢ Forced browsing,
▪ It has a plugin-based architecture and an online ‘marketplace’.
ZAP SSL CERTIFICATE IN FIREFOX
Open up OWASP ZAP
go to Tools -> Options
In the Certificates section, click on Generate
Save the certificate in some location
Navigate to the Preferences of your browser
Click on the Advanced tab, navigate to the Certificates tab and click on View Certificates
Select the Authorities tab and click on Import and choose the OWASP ZAP Root Certificate
Check all the trust boxes
Browse sites with HTTPS enabled. You're no longer prompted with the SSL Security Exception error message, because Firefox now trusts the certificates ZAP generates for each site.
UI EXAMPLE
REPORT EXAMPLE
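The report slide shows what ZAP writes after a scan; what a test automation pipeline needs is a way to turn that report into a pass/fail decision. The following Python is an added example, not code from the talk. It parses a constructed sample whose tag names follow ZAP's XML report layout (OWASPZAPReport / site / alerts / alertitem with riskcode and confidence); verify the tag names against the report your own ZAP version produces before relying on it. The plugin ids and URIs in the sample are constructed test data.

```python
"""Gate a test run on the findings in a ZAP XML report (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report: one High and one Low finding on a local test site.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.7.0" generated="Wed, 4 Apr 2018 10:00:00">
  <site name="http://localhost:8000" host="localhost" port="8000" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <instances>
          <instance>
            <uri>http://localhost:8000/search?q=test</uri>
            <method>GET</method>
            <param>q</param>
          </instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <instances>
          <instance>
            <uri>http://localhost:8000/</uri>
            <method>GET</method>
          </instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

# ZAP's numeric risk scale as used in <riskcode>.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


@dataclass(frozen=True)
class Finding:
    plugin_id: str
    name: str
    risk: int          # 0..3, see RISK_NAMES
    confidence: int    # 0 = false positive .. 3 = high
    uris: tuple        # every affected URI listed under <instances>


def parse_report(xml_text: str) -> list:
    """Flatten every <alertitem> in the report into a Finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.iter("alertitem"):
        uris = tuple(u.text for u in item.iter("uri") if u.text)
        findings.append(Finding(
            plugin_id=item.findtext("pluginid", ""),
            name=item.findtext("alert", ""),
            risk=int(item.findtext("riskcode", "0")),
            confidence=int(item.findtext("confidence", "0")),
            uris=uris,
        ))
    return findings


def failing_findings(findings, min_risk=3, min_confidence=2) -> list:
    """Findings that should fail the build: at least min_risk AND min_confidence.

    Filtering on confidence as well keeps low-confidence passive-scan noise
    from blocking every run; tune both thresholds per project.
    """
    return [f for f in findings
            if f.risk >= min_risk and f.confidence >= min_confidence]


def gate(xml_text: str, min_risk=3, min_confidence=2) -> bool:
    """True when the build may pass, False when blocking findings exist."""
    return not failing_findings(parse_report(xml_text), min_risk, min_confidence)


def summary(findings) -> str:
    """One line per finding, worst risk first, for the CI log."""
    lines = []
    for f in sorted(findings, key=lambda f: f.risk, reverse=True):
        lines.append(f"{RISK_NAMES[f.risk]:<13} {f.name} ({len(f.uris)} URI(s))")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summary(found))
    raise SystemExit(0 if gate(SAMPLE_REPORT) else 1)
```

In a pipeline, replace SAMPLE_REPORT with the file ZAP wrote (Report -> Generate XML Report, or the ZAP API) and let the non-zero exit status fail the job; the thresholds are the knobs that decide how strict the "drop of security scanning" is.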
EFFICIENT COMBINATION
Easy connection between WebDriver and OWASP ZAP
DRIVER WITH PROXY, SELENIUM 2.0
The simple way to:
Set a manual proxy
Accept all SSL certs
Run the browser with the proxy on all popups
DRIVER WITH PROXY, SELENIUM 3.0
The simple way to:
Set a manual proxy
Accept all SSL certs
Run the browser with the proxy on all popups
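The three steps above (manual proxy, accept all SSL certs, proxy applied to popups too) are the whole "efficient combination". The Python below is an added example written for this page, not the talk's own code sample, and covers the Selenium 3.x FirefoxProfile route. It assumes ZAP is listening on its default 127.0.0.1:8080 and that Selenium 3.x plus geckodriver are installed only when launch_browser() is actually called; the preference-building and checking helpers run without a browser. The check_prefs() helper catches the classic failure mode: a non-empty proxy bypass list for localhost means the application under test never passes through ZAP, so the scan silently finds nothing. Accepting untrusted certificates switches off the browser's certificate validation, so use this profile only for the test run, never as a daily browsing profile.

```python
"""Point a Selenium-driven Firefox at OWASP ZAP's intercepting proxy (added example)."""

ZAP_HOST = "127.0.0.1"   # assumption: ZAP's default listen address
ZAP_PORT = 8080          # assumption: ZAP's default listen port


def zap_proxy_prefs(host=ZAP_HOST, port=ZAP_PORT) -> dict:
    """Firefox about:config preferences that send every request through ZAP.

    network.proxy.type 1 = manual proxy. Setting both http and ssl to ZAP
    and leaving no_proxies_on empty means HTTPS and localhost traffic are
    proxied too; popups inherit the profile, so they use the same proxy.
    """
    return {
        "network.proxy.type": 1,
        "network.proxy.http": host,
        "network.proxy.http_port": int(port),
        "network.proxy.ssl": host,
        "network.proxy.ssl_port": int(port),
        "network.proxy.no_proxies_on": "",
        "network.proxy.share_proxy_settings": True,
        # Newer Firefox builds refuse to proxy localhost unless this is set.
        "network.proxy.allow_hijacking_localhost": True,
    }


def check_prefs(prefs: dict) -> list:
    """Return a list of problems; an empty list means traffic will reach ZAP."""
    problems = []
    if prefs.get("network.proxy.type") != 1:
        problems.append("proxy type is not manual (network.proxy.type != 1)")
    for scheme in ("http", "ssl"):
        if not prefs.get(f"network.proxy.{scheme}"):
            problems.append(f"no {scheme} proxy host")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if not isinstance(port, int) or not 0 < port < 65536:
            problems.append(f"invalid {scheme} proxy port: {port!r}")
    if prefs.get("network.proxy.no_proxies_on"):
        problems.append("proxy bypass list is non-empty; bypassed hosts are never scanned")
    return problems


def launch_browser(host=ZAP_HOST, port=ZAP_PORT):
    """Start Firefox through ZAP with Selenium 3.x and accept ZAP's generated certs."""
    # Imported here so the helpers above work without Selenium installed.
    from selenium import webdriver

    prefs = zap_proxy_prefs(host, port)
    problems = check_prefs(prefs)
    if problems:
        raise ValueError("; ".join(problems))

    profile = webdriver.FirefoxProfile()
    for key, value in prefs.items():
        profile.set_preference(key, value)
    # "Accept all SSL certs": ZAP re-signs every HTTPS site with its own CA.
    profile.accept_untrusted_certs = True
    profile.assume_untrusted_cert_issuer = True
    return webdriver.Firefox(firefox_profile=profile)


if __name__ == "__main__":
    driver = launch_browser()
    try:
        # Assumed local application under test; every request now shows up in ZAP.
        driver.get("http://localhost:8000/")
        print(driver.title)
    finally:
        driver.quit()
```

Once the functional suite has driven the application through this browser, ZAP's history and passive scanner already hold every request; the active scan can then be started from the ZAP UI or its API against the sites the tests touched.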
ANY QUESTIONS?
Thank You…