Monday 16 February 2015

Generating HTML Alerts Report through ZAP API

In our previous post we have seen how to use ZAP API for automated security testing. This post deals with generating the alert report.

 When the user automates the security testing, he/she looks for below kind of reporting.

  • alerts based on id 
  • alerts for the baseurl
  • html consolidated report 
    
        With the help of getAlerts() method of zaproxy class, we can generate the alerts based on id and url. For generating the consolidated report, API doesn't support HTML report generation as it does by ZAP tool. But it generates xml report. As a work around we can generate this xml report and convert that into HTML with the help of XSLT file.

 Users can get the XSLT file from the below path:
https://code.google.com/p/zaproxy/source/browse/trunk/src/xml/report.html.xsl

 The below code snippet will be handy in converting xml report into HTML report
        public void generateHTMLReport() throws ClientApiException, TransformerException, IOException{
TransformerFactory tFactory=TransformerFactory.newInstance();
InputStream is = ZAProxyScanner.class.getResourceAsStream("<XSLT REPORT PATH>");
Source xslDoc=new StreamSource(is);
Source xmlDoc=new StreamSource(new ByteArrayInputStream(clientApi.core.xmlreport("")));
OutputStream htmlFile=new FileOutputStream("<PATH TO GENERATE HTML>");
Transformer trasform=tFactory.newTransformer(xslDoc);
trasform.transform(xmlDoc, new StreamResult(htmlFile));
htmlFile.close();
         }
Happy Testing :)
Posted by at No comments:

Automated Security Testing with ZAP API

      The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

      It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

 Zed Attack Proxy Features:
The latest version of ZAP 2.x is a client that runs on Windows, Linux and MacOS and requires Java 7. Here is a list of the main features:
  • Intercepting Proxy
  • Automated Scanner
  • Passive Scanner
  • Brute Force Scanner
  • Fuzzer
  • Port Scanner
  • Spider
  • Web Sockets
  • REST API
To know more about ZAProxy Tool, please visit: https://code.google.com/p/zaproxy/

 Legal disclaimer: Only run ZAP against your own environments, i.e. Test, Staging environments. It is illegal to attack websites from competitors or other people.

 In this post we will discuss about Automating Security Testing with the help of Selenium and ZAP API.
      ZAP provides a REST Application Programming Interface (API) which allows you to interact with ZAP programmatically.The REST API can be accessed directly or via one of the client implementations detailed below.In order to be able to use the API when using the ZAP UI you have to first enable it.

 You can do this via the Options API screen:
Tools / Options... / API
     If you run ZAP in 'headless' or 'daemon' mode (by starting ZAP via the command line and using the -daemon flag) then the API will be automatically enabled.

Download ZAProxy tool and install it. 

 Download Sample automated project from the below path:
https://github.com/continuumsecurity/zap-java-api/
Install POM.xml in local system and keep the project ready to run.

 Now to start ZAP in headless mode, go to C:\Program Files\OWASP\Zed Attack Proxy where your ZAP got installed. From the directory open zap.bat and paste the below code and save it.

 java -Xmx512m -XX:PermSize=256M -jar zap.jar -daemon

 Now in the code use the below command to invoke the ZAP with headless mode:
Process p =  Runtime.getRuntime().exec("cmd /c zap.bat", null, new File("C:/Program Files/OWASP/Zed Attack Proxy/"));

 From the dowaloaded github code, 'ZAProxyScanner.java' is the most important class which holds all the methods related to ZAP.

       Use spider method before scanning of the Application. This spidering can uncover the URL which we are not visting as part of the test execution.

 This project structure can be used to write our own test cases with TestNG integration framework.

 For the information related to Test results please check the other post. :)
Posted by at 4 comments:

Image reading with Tesseract OCR API

       Tesseract is an open-source OCR engine that was developed at HP between 1984 and 1994.It is an optical character recognition engine for various operating systems(Includes windows, linux and Mac).It is free software, released under the Apache License, Version 2.0, and development has been sponsored by Google since 2006.Tesseract is considered one of the most accurate open source OCR engines currently available.

        This can be used effectively with Selenium for reading text from images, where sikuli may not be effective. Along with English, it also supports native languages such as Turkish, Spanish, Hindi, Swedish etc. This has typical architecture where we can feed the train data for the image recognitions.

The Process of integrating Tesseract OCR with java project is as below
Step1:
We need a JNA wrapper to use tesseract in our java project. We can use tess4j for this. It can be downloaded from here http://tess4j.sourceforge.net/

Step2:
Now extract the contents of the tess4j archive to workspace location.

 Step3:
From eclipse, Open the Tess4j project.

Step4:
Now open a new project in eclipse and type below code:

import java.io.*;
import net.sourceforge.tess4j.*;
public class MySample {
public static void main(String[] args) {
File imageFile = new File(“<path of your image>”);
Tesseract instance = Tesseract.getInstance(); 
try {
String result = instance.doOCR(imageFile);
System.out.println(result);
} catch (TesseractException e) {
System.err.println(e.getMessage());
}
}
}
}

Step5:
Now expand the Tess4j project and expand source packages; inside you will find 3 packages. Copy all of them into your project’s source packages. It should now look like as shown below.


















Here "OCR" is the project I created.

Step 6:
Right click on the project. Go to Build Path--> Configure Build Path--> Add external JARs.


















Navigate to the location where you extracted the tess4j archive. Open the folder (Tess4j) and navigate to lib. There you will see 4 jar files. Choose all of them and click open. Your project space should look like as shown below now. 


 Step 7:
Now you will find 2 dll files in the Tess4j folder (The folder which you extracted) namely liblept168.dll and libtesseract302.dll. Copy these two files into the src package and it should now look like as shown below.
















 Thats it…!!! You are done. When you run this code, it should display the text content in console window of Eclipse.
Posted by at 2 comments:
Subscribe to: Posts (Atom)