The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.
Zed Attack Proxy Features:
The latest version of ZAP 2.x is a client that runs on Windows, Linux and MacOS and requires Java 7. Here is a list of the main features:
- Intercepting Proxy
- Automated Scanner
- Passive Scanner
- Brute Force Scanner
- Fuzzer
- Port Scanner
- Spider
- Web Sockets
- REST API
Legal disclaimer: Only run ZAP against your own environments, i.e. test and staging environments. It is illegal to attack websites belonging to competitors or other people.
In this post we will discuss automating security testing with the help of Selenium and the ZAP API.
ZAP provides a REST Application Programming Interface (API) which allows you to interact with ZAP programmatically. The REST API can be accessed directly or via one of the client implementations detailed below. In order to be able to use the API when using the ZAP UI you have to first enable it.
You can do this via the Options API screen:
Tools / Options... / API
If you run ZAP in 'headless' or 'daemon' mode (by starting ZAP via the command line and using the -daemon flag) then the API will be automatically enabled.
Download the ZAP tool and install it. Download the sample automated project from the path below:
https://github.com/continuumsecurity/zap-java-api/
Install the project from its pom.xml on your local system and keep the project ready to run.
Now, to start ZAP in headless mode, go to C:\Program Files\OWASP\Zed Attack Proxy (or wherever ZAP is installed). In that directory open zap.bat, replace its contents with the line below, and save it.
java -Xmx512m -XX:PermSize=256M -jar zap.jar -daemon
Now in the test code use the command below to launch ZAP in headless mode (the working directory must be the ZAP install directory so that zap.bat finds zap.jar; exec() throws IOException, so call it from a method that declares or handles it):
import java.io.File;
Process p = Runtime.getRuntime().exec("cmd /c zap.bat", null, new File("C:/Program Files/OWASP/Zed Attack Proxy/"));
In the downloaded GitHub code, 'ZAProxyScanner.java' is the most important class; it holds all the methods related to ZAP.
Call the spider method before scanning the application. Spidering can uncover URLs that we do not visit as part of the test execution.
This project structure can be used to write our own test cases with the TestNG integration framework.
For information about the test results, please check the other post. :)
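The workflow just described (daemon with the API enabled, spider first, then the active scan, then collect alerts) as an added example that is not part of the original post or of the zap-java-api project: it calls ZAP's REST API directly from Python, which is what the Java ZAProxyScanner class wraps. The ZAP listen address, the target URL and the API key are assumptions (the key is the one set under Tools / Options... / API), and the HTTP transport is injectable so the flow can be exercised without a running ZAP.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_ADDR = "http://127.0.0.1:8080"  # assumed: ZAP daemon's default listen address


def zap_url(component, kind, name, apikey, **params):
    """Build a ZAP REST URL, e.g. /JSON/spider/action/scan/?url=...&apikey=..."""
    query = urllib.parse.urlencode({**params, "apikey": apikey})
    return f"{ZAP_ADDR}/JSON/{component}/{kind}/{name}/?{query}"


def http_get(url):
    """Real transport: GET the URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode())


def wait_for(component, scan_id, apikey, get, poll=2.0):
    """Poll /view/status/ of the spider or active scanner until it reports 100%."""
    while True:
        status = get(zap_url(component, "view", "status", apikey, scanId=scan_id))
        if int(status["status"]) >= 100:
            return
        time.sleep(poll)


def spider_then_scan(target, apikey, get=http_get, poll=2.0):
    """Spider first (finds URLs the Selenium flow never visits), then active-scan,
    then return the alerts ZAP raised for the target."""
    spider_id = get(zap_url("spider", "action", "scan", apikey, url=target))["scan"]
    wait_for("spider", spider_id, apikey, get, poll)
    ascan_id = get(zap_url("ascan", "action", "scan", apikey,
                           url=target, recurse="true"))["scan"]
    wait_for("ascan", ascan_id, apikey, get, poll)
    return get(zap_url("core", "view", "alerts", apikey, baseurl=target))["alerts"]


def gate(alerts, max_risk="Low"):
    """Return the alerts whose risk exceeds max_risk; a non-empty list fails the build."""
    order = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
    return [a for a in alerts if order.get(a["risk"], 0) > order[max_risk]]


if __name__ == "__main__":
    # assumed target and API key; run against your own test environment only
    found = spider_then_scan("http://localhost:8000/", "changeme")
    print(json.dumps(gate(found, "Low"), indent=2))
```

In a TestNG or pytest suite, the list returned by gate() is what the assertion runs on, so the build fails when ZAP reports anything above the chosen risk level.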
I'm very interested in this topic. Will you share more on how to use the ZAP API for security automation testing?
hey, I am new to API testing... Can you please share a few examples of how to test a REST API through ZAP.
keep sharing...