The ZAP Security Tests plugin for Grails allows you to run completely automated security tests using OWASP's Zed Attack Proxy (aka ZAP) to scan your web application for security vulnerabilities. This plugin supports ZAP version 2.4.3, which you can download from the ZAP Downloads page.

OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool that allows you to identify vulnerabilities in web apps and websites. It is easy to use and ideal for developers and functional testers: it provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. You can find more details about the ZAP features at the project website.

The ZAP Security Tests plugin extends the Grails default functional tests behaviour, adding a new -zap option that you can pass to convert your functional test suite into security tests.

If you specify the -zap option, the plugin controls ZAP programmatically through its REST based API so that your browser-based functional tests run normally but use ZAP as an intermediary HTTP proxy. This way ZAP learns the application URLs visited by the functional tests. If the functional tests pass, the plugin requests ZAP to actively scan the application, using known attack vectors against the application URLs. If any vulnerability is detected, the test execution fails and reports the corresponding security warnings.

In more detail, the plugin:

- Starts ZAP (in GUI or daemon mode, according to the plugin's configuration).
- Waits for ZAP to be started and listening at the configured port.
- Sets system properties with the proxy's host and port values so your functional tests can be configured to use the specified proxy.
- Instructs ZAP to spider through the site to discover more application resources.
- Requests ZAP to launch an active scan on all the collected URLs.
- Stores the resulting ZAP session under the test reports directory, so you can inspect the security results later.

If any vulnerability has been detected, the execution fails and outputs the corresponding security alerts. As you may be thinking, this plugin is useful to integrate security testing into your continuous integration process.

The idea for this plugin was inspired by the Security Testing in Development and QA presentation by Simon Bennetts of the Mozilla Security Team.

Installation

Add the following dependency to the plugins block of your oovy:

compile ":zap-security-tests:0.1.2"

Note that the plugin does not include ZAP itself; the proxy should already be installed on your box. You can download ZAP from the downloads page.

Usage

Run security tests and generate reports:

grails test-app -zap

Examples:

grails test-app -zap

Or you can run only certain functional test types as security tests:

If you want to run the proxy in daemon mode (e.g. on a headless server) you can specify the -daemon option:

grails test-app functional: -zap -daemon

Start or stop the ZAP proxy:

grails start-zap

If you want to see the plugin in action, take a look at the sample application using the plugin with Geb-based functional tests.

Configuration

You can configure the plugin through the file oovy in the grails-app/conf directory. Once installed, the plugin creates the following sample configuration file, which you should edit to adapt to your environment:

import Alert

System properties the plugin will set with the proxy host and port values, to allow you to configure the functional tests to use the ZAP proxy:

ProxyHostSystemProperty = 'ZAP_PROXY_HOST'
ProxyPortSystemProperty = 'ZAP_PROXY_PORT'

Subdirectory of the test reports dir where ZAP sessions will be stored.

ignoredAlerts specifies a collection of alerts (instances of Alert) that will be ignored if reported. Missing elements match everything, so the following collection of ignoredAlerts will ignore all alerts of risk Low or Informational:

Another example, to ignore three specific security alerts:

new Alert('X-Content-Type-Options header missing', null),
new Alert('X-Frame-Options header not set', null),
new Alert('Content-type header missing', null)

requiredAlerts specifies a collection of alerts (instances of Alert) that will make the run fail if they are not present.

Timeout in milliseconds the plugin will wait for ZAP to start.

Enable debug output for the REST based API interactions with ZAP.

It's important to note that you should configure your functional tests to use the ZAP proxy when the system properties specified by the plugin are present. Geb-based functional tests can do this through oovy in the following way:

If (System.getProperty('ZAP_PROXY_HOST') & System.
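As an added example (not the plugin's or the sample application's own code), a Geb driver configuration that routes the browser through ZAP only when both system properties exported by the plugin are present, so the same suite runs unchanged without -zap. The file name GebConfig.groovy, the Selenium 2 DesiredCapabilities API and the use of Firefox are assumptions.

```groovy
// GebConfig.groovy (assumed file name): send browser traffic through ZAP only
// when the plugin has exported ZAP_PROXY_HOST and ZAP_PROXY_PORT.
import org.openqa.selenium.Proxy
import org.openqa.selenium.firefox.FirefoxDriver
import org.openqa.selenium.remote.CapabilityType
import org.openqa.selenium.remote.DesiredCapabilities

driver = {
    DesiredCapabilities caps = DesiredCapabilities.firefox()

    String zapHost = System.getProperty('ZAP_PROXY_HOST')
    String zapPort = System.getProperty('ZAP_PROXY_PORT')

    // Both properties must be set; a half-configured proxy would silently
    // send the tests nowhere, so fall back to a direct connection instead.
    if (zapHost && zapPort) {
        String zapAddress = "${zapHost}:${zapPort}".toString()
        Proxy proxy = new Proxy()
        // Route plain HTTP and TLS traffic through ZAP so it records every
        // URL the functional tests visit (the spider and active scan start
        // from these URLs).
        proxy.httpProxy = zapAddress
        proxy.sslProxy = zapAddress
        // The application under test normally runs on localhost; an empty
        // no-proxy list keeps that traffic from bypassing ZAP.
        proxy.noProxy = ''
        caps.setCapability(CapabilityType.PROXY, proxy)
    }

    new FirefoxDriver(caps)
}
```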