Tutorial: How to Do Security Test Automation using Selenium?

Attackers actively probe applications for weaknesses, so it is important to find and fix vulnerabilities before they do. Security testing is the part of testing that looks for such weaknesses in the application. It is often neglected in the SDLC, and many organizations have no security team looking at the application at all, which is one reason their systems get compromised.

Selenium Test Automation

So how do you find security vulnerabilities? There are tools that help with security testing. Selenium itself does not test security, but it can drive the application through a security scanner such as OWASP ZAP, which inspects every request and response for common issues, including many of the OWASP Top 10 categories. No tool finds every vulnerability; what this setup gives you is a repeatable scan of every page and request that your functional tests already exercise.

Let’s see how you can do security testing with Selenium 

For security testing you use OWASP ZAP (Zed Attack Proxy). It is an open source intercepting proxy and scanner that looks for security vulnerabilities in the traffic passing through it. Before doing this, the following setup must be in place on your machine:

  • Install Java in your machine. 
  • Install ZAP. 
  • Start Zap.
  • Install Jenkins. 
  • Start Jenkins on a localhost server
  • Install Eclipse.
  • Run Eclipse. 

The third step says to start ZAP. How do you do it? Start ZAP in daemon (headless) mode on a chosen port. Then pass ZAP's host and port as the proxy in the Desired Capabilities of your Selenium tests. ZAP then acts as a proxy that records every request and response and checks them for security issues. In this setup ZAP scans passively, that is, it only inspects the traffic the tests generate; an active scan has to be started separately through the ZAP API. Once Jenkins runs the Selenium tests through ZAP, you can monitor the results on the Jenkins dashboard. The official project page is at:

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project 


The following Jenkins shell script starts ZAP, runs the Selenium tests through it so that ZAP can inspect every request, and then collects the report:

# Start ZAP as a daemon with a fresh session in the Jenkins workspace, as a background process.
# api.disablekey=true is acceptable only because ZAP listens on localhost here; anywhere else set an API key.
/opt/zap/zap.sh -daemon -config api.disablekey=true -newsession "${WORKSPACE}/webui" -port 9092 &

# Save ZAP's PID so the process can be killed at the end
ZAP_PID=$!

# ZAP takes a while to start: wait until it is listening on its port (the same port as above), at most 300 seconds
counter=0
while ! netstat -an | grep ':9092 ' | grep -q LISTEN;
do
    if [ $counter -ge 300 ];
    then
        echo "ZAP did not start in time";
        kill $ZAP_PID;
        exit 1;
    fi;
    echo "sleeping $counter";
    counter=$((counter+1));
    sleep 1s;
done
echo "sleeping done";

# Compile the tests
javac -cp "lib/*:src/test/java/seleniumTest/workflows/*" -d bin src/test/java/seleniumTest/workflows/*.java src/test/java/seleniumTest/*.java

# Run the Selenium tests, passing ZAP's host and port as the browser proxy
java -cp "bin:lib/*" -Dworkspace=${WORKSPACE} -DappURL=http://${PRIVATE_IP}/ -DproxyHost=localhost -DproxyPort=9092 -Dbrowser=Firefox org.testng.TestNG selenium.xml

# ZAP has now seen every request; download the HTML report through the ZAP API
wget -O zapresult.html http://localhost:9092/OTHER/core/other/htmlreport/

# Finally, don't forget to kill the ZAP process
kill $ZAP_PID


If you are not running Jenkins on a server (for example on AWS) but locally, you can start a Selenium Grid node and ZAP with the following commands. The first registers a node with a Grid hub, so a hub must already be listening on port 4445; the second starts the ZAP daemon with an API key (replace <apikey> with your own):

$ java -jar selenium-server-standalone-3.15.0.jar -role node -hub http://localhost:4445/grid/register -browser browserName=chrome,version=99

$ ./ZAP.sh -daemon -host 0.0.0.0 -config api.key=<apikey>

Note that -host 0.0.0.0 binds ZAP to every network interface, so any machine that can reach yours can use it as a proxy and, without the key, drive its API. The API key is the only protection in that case, so never combine -host 0.0.0.0 with api.disablekey=true; when the browser runs on the same machine, keep the default localhost binding.

 

Now, this is the turn to start writing selenium tests. Let’s see the steps that will be involved in writing the tests.

  • First, configure a proxy. Every request the browser makes while executing WebDriver commands is routed through it, so ZAP sees all of the application traffic the tests generate. ZAP can be started on any port; that same host and port must then be set in the Selenium tests (the examples below use 9090, the Jenkins script above uses 9092, so use whichever port ZAP was actually started on). Don't forget these proxy settings.

 

import org.openqa.selenium.Proxy;
import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;

// Route HTTP, HTTPS and FTP traffic through ZAP (here on localhost:9090)
Proxy pr = new Proxy();
pr.setHttpProxy("localhost:9090");
pr.setFtpProxy("localhost:9090");
pr.setSslProxy("localhost:9090");

// Hand the proxy to the browser through the capabilities
DesiredCapabilities cap = new DesiredCapabilities();
cap.setCapability(CapabilityType.PROXY, pr);

 

  • You don't even have to hard-code the port. Put it in a configuration file and read it with the Properties class. The value holds host and port together:

port = localhost:9090

You can then read the value from the configuration file with the Properties class (the file name config.properties is an assumption):

import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;

Properties properties = new Properties();
try (FileInputStream fistream = new FileInputStream("config.properties")) {
    properties.load(fistream);   // throws IOException if the file is missing or unreadable
}
String port = properties.getProperty("port");   // e.g. "localhost:9090"
pr.setHttpProxy(port);   // pr is the Proxy object created above
pr.setSslProxy(port);

 

  • Now comes the turn to initialize the browser. Pass the capabilities as a parameter so that the session is created with the proxy you require.

import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxOptions;
import java.util.concurrent.TimeUnit;

// FirefoxDriver(Capabilities) is deprecated in Selenium 3; merge the proxy capability into FirefoxOptions instead
FirefoxOptions options = new FirefoxOptions().merge(cap);
WebDriver driver = new FirefoxDriver(options);
driver.manage().timeouts().implicitlyWait(20, TimeUnit.SECONDS);

 

  • Now the requests which will be coming from browser going towards the web application will be passed through ZAP proxy. Let’s see the flow which is being followed.

 

Selenium -> Browser -> ZAP -> Web Application

 

  • ZAP also raises low-severity alerts (missing security headers, cookie flags, autocomplete on password fields) that would otherwise fail the build before anyone has triaged them. In the framework linked at the end of this article, such alerts are listed in pom.xml so that they are ignored. Keep this list short and reviewed, since every entry hides a finding.

<VulnerabilityAssessment zapAddress="${zapaddr}" zapPort="${zapport}" debug="true">
    <ignoreAlert alert="Cookie set without HttpOnly flag" />
    <ignoreAlert alert="X-Content-Type-Options header missing" />
    <ignoreAlert alert="X-Frame-Options header not set" />
    <ignoreAlert alert="Application Error disclosure" />
    <ignoreAlert alert="Password Autocomplete in browser" />
</VulnerabilityAssessment>

 

  • Because every request passes through ZAP, you can also see how a session or anti-CSRF token is issued for each request. A token is valid for a limited time and then expires; by following the recorded requests you can see how the token changes over time and after what period it expires.

 

  • With the ZAP daemon running in the background, the alerts it has raised are available in JSON format through its API. The hostname http://zap/ only resolves when the request is itself sent through the ZAP proxy; from a build script address the host and port ZAP was started on instead (for example http://localhost:9092/JSON/core/view/alerts/?...), and add apikey=<key> if an API key is configured. The following URL returns all of the alerts reported for www.example.com:

http://zap/JSON/core/view/alerts/?baseurl=http%3A%2F%2Fwww.example.com%2F&start=&count=
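As an added example (not code from this tutorial or from the linked project), the following Python script does, offline, what a build step would do after the tests have run: it builds the alerts URL for a daemon reached directly on its host and port, applies an ignore list like the <ignoreAlert> entries above, and fails the build only when an alert at or above a chosen risk level remains. The response it parses is a hand-constructed sample in the shape of ZAP's core/view/alerts view; the host, port, file names and alert names are assumptions.

```python
"""Gate a build on OWASP ZAP alerts (added example, not from the tutorial or the linked project)."""
import json
from urllib.parse import urlencode

# ZAP's risk levels, lowest to highest
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape of ZAP's core/view/alerts response (not real scan output).
# Real responses carry more fields (pluginId, cweid, evidence, ...); only these four are used here.
SAMPLE_RESPONSE = json.dumps({"alerts": [
    {"alert": "X-Content-Type-Options header missing", "risk": "Low",
     "url": "http://www.example.com/", "param": "X-Content-Type-Options"},
    {"alert": "Cookie set without HttpOnly flag", "risk": "Low",
     "url": "http://www.example.com/login", "param": "JSESSIONID"},
    {"alert": "Application Error disclosure", "risk": "Medium",
     "url": "http://www.example.com/search?q=%27", "param": ""},
    {"alert": "Cross-Domain Misconfiguration", "risk": "Medium",
     "url": "http://www.example.com/api/items", "param": "Access-Control-Allow-Origin"},
    {"alert": "SQL Injection", "risk": "High",
     "url": "http://www.example.com/search?q=1", "param": "q"},
]})

# Same idea as the <ignoreAlert> list: entries are matched against the "alert" field
IGNORE_ALERTS = (
    "X-Content-Type-Options header missing",
    "X-Frame-Options header not set",
    "Application Error disclosure",
)


def alerts_url(target, zap_host="localhost", zap_port=9092, apikey=None, start=None, count=None):
    """Build the core/view/alerts URL for a ZAP daemon reached directly (not via the proxy).

    Unless ZAP was started with api.disablekey=true, the key must be sent in the apikey parameter.
    """
    params = {"baseurl": target}
    if start is not None:
        params["start"] = start
    if count is not None:
        params["count"] = count
    if apikey:
        params["apikey"] = apikey
    return f"http://{zap_host}:{zap_port}/JSON/core/view/alerts/?{urlencode(params)}"


def triage(response_text, ignore=(), fail_on="Medium"):
    """Parse the alerts view, drop ignored alert names, and decide which alerts block the build."""
    if fail_on not in RISK_ORDER:
        raise ValueError(f"unknown risk level {fail_on!r}")
    alerts = json.loads(response_text)["alerts"]
    ignored = set(ignore)
    kept = [a for a in alerts if a["alert"] not in ignored]
    by_risk = {}
    for a in kept:
        by_risk.setdefault(a["risk"], []).append(a)
    threshold = RISK_ORDER[fail_on]
    # An unknown risk string is treated as Informational rather than silently blocking the build
    blocking = [a for a in kept if RISK_ORDER.get(a["risk"], 0) >= threshold]
    return {"kept": kept, "ignored": len(alerts) - len(kept),
            "by_risk": by_risk, "blocking": blocking}


def build_passes(summary):
    """True when nothing at or above the chosen risk level survived the ignore list."""
    return not summary["blocking"]


def report(summary):
    """Human-readable lines for the Jenkins console: one per risk level, then each blocking alert."""
    lines = [f"ignored alerts: {summary['ignored']}"]
    for risk in sorted(summary["by_risk"], key=lambda r: -RISK_ORDER.get(r, 0)):
        names = sorted({a["alert"] for a in summary["by_risk"][risk]})
        lines.append(f"{risk}: {len(summary['by_risk'][risk])} alert(s): {', '.join(names)}")
    for a in summary["blocking"]:
        lines.append(f"BLOCKING [{a['risk']}] {a['alert']} at {a['url']} (param: {a['param'] or '-'})")
    return lines


if __name__ == "__main__":
    # Against a live daemon, replace SAMPLE_RESPONSE with
    # urllib.request.urlopen(alerts_url("http://www.example.com/")).read()
    summary = triage(SAMPLE_RESPONSE, ignore=IGNORE_ALERTS, fail_on="Medium")
    print("\n".join(report(summary)))
    raise SystemExit(0 if build_passes(summary) else 1)
```

The threshold is deliberately separate from the ignore list: the ignore list names specific findings the team has accepted, while the threshold decides how severe an unaccepted finding must be to break the build, so a new High alert can never be hidden by a generous ignore list.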


  • Below is the link of github where actually a project is located with proper framework which actually looks for all security breaches.

 

The link is: https://github.com/linkeshkanna/SecurityTestAutomation

 

Conclusion

Security testing with Selenium comes down to starting ZAP on a port and pointing the tests' browser proxy at it; the functional tests themselves need no other changes. ZAP records every request the WebDriver-driven browser makes, and afterwards you read its report to see which security issues it found in the application. Low-priority alerts can be ignored in the configuration, and all alerts and reports are available through the ZAP API. Because the scan rides on tests you already maintain, it adds security coverage at little extra cost and improves the ROI of the test suite. Keep in mind that a passive proxy scan only finds what the recorded traffic shows, so treat it as a baseline rather than as proof that no vulnerabilities remain. Selenium test automation services can also help you set up and maintain such tests. So, integrate ZAP with your tests and fix what it reports. All the best!!

A Tutorial Video on "Automated Security Testing" by Selenium Conference


But before starting any tests, go through these 8 test plan tips by Selenium test automation services providers.