
Automate Pentesting With ZAP and Selenium

Hi everyone! Welcome to pentestguy. In this article we are going to learn how to automate pentesting with ZAP and Selenium. There are multiple ways to perform pentesting automatically using tools, but automating pentesting with OWASP ZAP and Selenium is more effective.

Many testers talk about security testing using Selenium and OWASP ZAP. Now the question is, is it beneficial? The answer is yes: in some way it will increase the chances of finding more bugs. We are talking about automated testing, where a tester usually gives a URL to ZAP or any other tool, performs spidering and then scanning. But we don't know whether the tool covers everything, and some web applications may block automated requests generated by the scanner. And as we know, web applications require authorization to access certain endpoints/functionality.

At the individual level it may not be so useful, because most testers explore the website while the proxy is on, so ZAP/Burp will capture all requests and this method only adds to the work. But at the organizational level there are separate functional testers who build scripts using Selenium, so the scripts are already there and pentesters can use them.

Install Selenium

Here I used Python and Selenium to write a simple login script, but the same approach can be used to explore other functionality. First, install Python 3 and then install Selenium using pip.

pip install selenium

Drivers can be downloaded from the Selenium website itself, under the section “platform supported by selenium”. For Chrome, the driver is at https://chromedriver.chromium.org/downloads. Make sure to download the driver version that matches your browser version.

I used chromedriver in the sample code given below, and also set the proxy to port 8082 so that the traffic is captured by OWASP ZAP.

from selenium import webdriver
from selenium.webdriver.chrome.service import Service
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC

# Address where OWASP ZAP is listening as a local proxy
proxy_ip_port = "localhost:8082"

# Route all browser traffic through ZAP. A single --proxy-server value
# covers both HTTP and HTTPS requests. For HTTPS targets the browser
# must also trust ZAP's root CA certificate.
options = webdriver.ChromeOptions()
options.add_argument(f"--proxy-server={proxy_ip_port}")

ser_obj = Service(r"D:\drivers\chromedriver.exe")  # download driver and replace the path

driver = webdriver.Chrome(service=ser_obj, options=options)

driver.get("http://demo.testfire.net/login.jsp")

# Wait for the login form, then submit the credentials
uid_element = WebDriverWait(driver, 10).until(EC.visibility_of_element_located((By.ID, "uid")))
uid_element.send_keys("admin")

driver.find_element(By.ID, "passw").send_keys("admin")
driver.find_element(By.NAME, "btnSubmit").click()

# Compare the page title after login with the expected one
act_title = driver.title
exp_title = "Altoro Mutual"

if act_title == exp_title:
    print("Login Test passed")
else:
    print("Login Test Failed")

# quit() closes the browser and also stops the chromedriver process
driver.quit()

Save the code under any name, such as SimpleTest.py, then open cmd and run the command given below.

python SimpleTest.py

Check the responses captured by OWASP ZAP. We can then use the scanner to perform a regular scan, and with the help of this we will get some good results.

I hope this post helps you in some way. You can also use any alternative tool instead of OWASP ZAP. Please leave your valuable comments and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!
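The check-then-scan step can also be scripted against ZAP's JSON API. The sketch below is an added example, not code from the original post: it confirms that the pages the Selenium run was supposed to visit were actually recorded by ZAP before starting the active scan. The API key placeholder, the paths in EXPECTED other than /login.jsp, and the sample URL list are assumptions; it also assumes ZAP's API is enabled on the same port 8082 used above.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP = "http://localhost:8082"   # ZAP proxy/API address used on this page
API_KEY = "REPLACE_ME"          # placeholder for your ZAP API key
TARGET = "http://demo.testfire.net"
# Assumed paths the Selenium login flow should produce (adjust to your script)
EXPECTED = ["/login.jsp", "/doLogin", "/bank/main.jsp"]
# Constructed sample of a core/view/urls result, for an offline check
SAMPLE_URLS = ["http://demo.testfire.net/login.jsp",
               "http://demo.testfire.net/doLogin?x=1",
               "http://cdn.example/bank/main.jsp"]

def zap_api(path, **params):
    """Call ZAP's JSON API (e.g. path='core/view/urls') and decode the reply."""
    url = f"{ZAP}/JSON/{path}/?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def missing_paths(captured_urls, expected_paths, target):
    """Return the expected paths ZAP did not record for the target's host."""
    host = urllib.parse.urlsplit(target).hostname
    seen = {urllib.parse.urlsplit(u).path or "/"
            for u in captured_urls
            if urllib.parse.urlsplit(u).hostname == host}
    return [p for p in expected_paths if p not in seen]

def scan_if_covered():
    """Start an active scan only when every expected path was proxied."""
    captured = zap_api("core/view/urls", baseurl=TARGET)["urls"]
    gaps = missing_paths(captured, EXPECTED, TARGET)
    if gaps:
        return f"not scanning, ZAP never saw: {gaps}"
    scan_id = zap_api("ascan/action/scan", url=TARGET, recurse="true")["scan"]
    while int(zap_api("ascan/view/status", scanId=scan_id)["status"]) < 100:
        time.sleep(5)
    return f"active scan {scan_id} finished"

if __name__ == "__main__":
    print("offline sample gaps:", missing_paths(SAMPLE_URLS, EXPECTED, TARGET))
    try:
        print(scan_if_covered())
    except OSError as err:      # ZAP not running or API not reachable
        print("ZAP not reachable:", err)
```

A non-empty gap list usually means the browser was not actually going through the proxy or the login step failed, so a scan at that point would only cover the unauthenticated pages.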
