What is OWASP ZAP?
OWASP (Open Web Application Security Project) ZAP (Zed Attack Proxy) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.
- Download and install ZAP
- Add the ZAP Maven dependencies to pom.xml
- Add the ZAP proxy details to the browser options as follows
- Here is a sample script to test ZAProxy locally
<!-- ZAP core and its Java client API. Keep the client version compatible with the ZAP
     release you actually launch (the sample test starts zap-2.8.0.jar).
     NOTE(review): the sample test only imports org.zaproxy.clientapi classes; confirm the
     full "zap" artifact is really needed on the test classpath. -->
<dependency>
  <groupId>org.zaproxy</groupId>
  <artifactId>zap</artifactId>
  <version>2.8.0</version>
</dependency>
<dependency>
  <groupId>org.zaproxy</groupId>
  <artifactId>zap-clientapi</artifactId>
  <version>1.7.0</version>
</dependency>
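/**
 * Builds a supplier of Chrome drivers that send all HTTP and HTTPS traffic through the ZAP
 * proxy at {@code localhost:5555}, the port the sample test starts ZAP on.
 *
 * @param isHeadless run Chrome without a visible window
 * @return a supplier that creates a fresh, proxied {@link ChromeDriver} on each call
 */
private static Supplier<WebDriver> getChromeDriver(boolean isHeadless) {
    return getChromeDriver(isHeadless, "localhost:5555");
}

/**
 * Same as {@link #getChromeDriver(boolean)} but with an explicit intercepting-proxy address,
 * so the ZAP port is not baked into the driver setup.
 *
 * @param isHeadless   run Chrome without a visible window
 * @param proxyAddress {@code host:port} of the intercepting proxy used for HTTP and HTTPS
 * @return a supplier that creates a fresh, proxied {@link ChromeDriver} on each call
 */
private static Supplier<WebDriver> getChromeDriver(boolean isHeadless, String proxyAddress) {
    HashMap<String, Object> chromePrefs = new HashMap<>();
    chromePrefs.put("profile.default_content_settings.popups", 0);

    ChromeOptions chOptions = new ChromeOptions();
    // ZAP answers HTTPS with certificates issued by its own CA. These two switches make Chrome
    // accept them, but they turn off TLS validation for the whole session, so this options set
    // belongs to proxied test runs only. Importing the ZAP root CA into the test profile would
    // let the test keep validation on.
    chOptions.addArguments("--ignore-certificate-errors");
    chOptions.addArguments("--allow-running-insecure-content");
    chOptions.addArguments("--disable-extensions");
    chOptions.addArguments("--start-maximized");
    chOptions.setExperimentalOption("prefs", chromePrefs);
    if (isHeadless) {
        // One switch per argument: a single space-separated string reaches Chrome as one
        // unrecognized switch, so headless mode was never actually enabled.
        chOptions.addArguments("--headless", "--hide-scrollbars", "--disable-gpu");
    }

    // Route both plain HTTP and TLS traffic through the proxy so ZAP sees every request.
    Proxy proxy = new Proxy();
    proxy.setHttpProxy(proxyAddress).setSslProxy(proxyAddress);
    chOptions.setProxy(proxy);
    return () -> new ChromeDriver(chOptions);
}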
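package com.selcukes.tests;

import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.TimeUnit;

import org.openqa.selenium.WebDriver;
import org.testng.annotations.AfterTest;
import org.testng.annotations.BeforeTest;
import org.testng.annotations.Test;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;
import org.zaproxy.clientapi.gen.Core;

import com.selcukes.util.WebDriverFactory;

/**
 * Sample TestNG test that starts a local ZAP daemon, drives a browser through it and writes
 * ZAP's HTML report when the test finishes.
 *
 * <p>The ZAP install directory and API key are read from the system properties
 * {@code zap.home} and {@code zap.apiKey}; the values of the original sample are the defaults.
 */
public class ZapMockTest {

    private static final String ZAP_ADDRESS = "localhost";
    private static final int ZAP_PORT = 5555;
    // Must be the key ZAP enforces; startZap() passes it to the daemon so both sides agree.
    // Supply a real key with -Dzap.apiKey=... rather than committing it to source control.
    private static final String ZAP_API_KEY =
        System.getProperty("zap.apiKey", "55ecgpirj864a69sc3mphepf9n");
    private static final String ZAP_HOME =
        System.getProperty("zap.home", "C:/Program Files/OWASP/Zed Attack Proxy");
    private static final String ZAP_JAR = "zap-2.8.0.jar";
    private static final Path REPORT_FILE = Paths.get("ZAPReport.html");
    private static final Duration ZAP_START_TIMEOUT = Duration.ofSeconds(120);
    private static final Duration ZAP_POLL_INTERVAL = Duration.ofSeconds(1);
    private static final long ZAP_STOP_TIMEOUT_SECONDS = 30;

    private WebDriver driver;
    // Kept so afterTest() can still stop the daemon if the API-driven shutdown fails.
    private Process zapProcess;

    /**
     * Launches ZAP as a daemon on {@link #ZAP_PORT} and blocks until its API answers.
     *
     * @throws IOException           if the ZAP process cannot be started
     * @throws IllegalStateException if ZAP exits early or is not reachable before the timeout
     * @throws InterruptedException  if interrupted while waiting for ZAP
     */
    private void startZap() throws IOException, InterruptedException {
        System.out.println("Starting ZAP...");
        Path zapHome = Paths.get(ZAP_HOME);
        ProcessBuilder pb = new ProcessBuilder(
            "java", "-jar", zapHome.resolve(ZAP_JAR).toString(),
            "-daemon",
            "-port", Integer.toString(ZAP_PORT),
            // Without this ZAP keeps whatever key is in its saved config and rejects the calls
            // this test makes with ZAP_API_KEY.
            "-config", "api.key=" + ZAP_API_KEY);
        pb.directory(zapHome.toFile());
        // Forward ZAP's output instead of leaving it in a pipe nobody reads; a full pipe buffer
        // can stall the daemon.
        pb.inheritIO();
        zapProcess = pb.start();

        System.out.println("Waiting for ZAP...");
        waitForZap();
    }

    /**
     * Polls the ZAP API until it responds. The original sample printed "Waiting for ZAP..."
     * but started the browser immediately, racing ZAP's startup.
     *
     * @throws IllegalStateException if ZAP exits or does not answer within the timeout
     * @throws InterruptedException  if interrupted while polling
     */
    private void waitForZap() throws InterruptedException {
        Core core = new Core(newClientApi());
        Instant deadline = Instant.now().plus(ZAP_START_TIMEOUT);
        ClientApiException lastFailure = null;
        while (Instant.now().isBefore(deadline)) {
            if (!zapProcess.isAlive()) {
                throw new IllegalStateException(
                    "ZAP exited with code " + zapProcess.exitValue() + " before its API came up");
            }
            try {
                core.version();
                return;
            } catch (ClientApiException e) {
                lastFailure = e; // not listening yet; retry until the deadline
            }
            Thread.sleep(ZAP_POLL_INTERVAL.toMillis());
        }
        throw new IllegalStateException(
            "ZAP did not answer on " + ZAP_ADDRESS + ":" + ZAP_PORT + " within " + ZAP_START_TIMEOUT,
            lastFailure);
    }

    /** Creates a client bound to the local daemon with the configured API key. */
    private static ClientApi newClientApi() {
        return new ClientApi(ZAP_ADDRESS, ZAP_PORT, ZAP_API_KEY);
    }

    /**
     * Writes ZAP's HTML report to {@code ZAPReport.html} and then shuts the daemon down.
     *
     * @throws ClientApiException if fetching the report or stopping ZAP fails
     * @throws IOException        if the report file cannot be written
     */
    public void generateZapReport() throws ClientApiException, IOException {
        Core core = new Core(newClientApi());
        try (OutputStream out = Files.newOutputStream(REPORT_FILE)) {
            out.write(core.htmlreport());
        } finally {
            // Stop ZAP even when the report failed, so no daemon is left listening on the port.
            core.shutdown();
        }
    }

    @BeforeTest
    public void beforeTest() throws Exception {
        startZap();
    }

    @Test
    public void zapTest() throws InterruptedException {
        System.setProperty("browser", "chrome");
        driver = WebDriverFactory.createWebDriver();
        driver.get("https://techyworks.blogspot.com");
    }

    @AfterTest
    public void afterTest() throws Exception {
        try {
            // driver stays null when zapTest failed before creating it.
            if (driver != null) {
                driver.quit();
            }
        } finally {
            try {
                generateZapReport();
            } finally {
                // core.shutdown() is the normal path; destroy() is the fallback when the API
                // call failed or ZAP did not exit in time.
                if (zapProcess != null
                        && !zapProcess.waitFor(ZAP_STOP_TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                    zapProcess.destroy();
                }
            }
        }
    }
}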