Soluto / webdriverio-zap-proxy

Demo - how to easily build security testing for Web App, using Zap and Glue
MIT License

Description

An example project showing how to integrate ZAP into existing automation tests built with the Webdriver.io framework. ZAP is a great tool that can spider your web app and report the security vulnerabilities it finds. By integrating it into the automation tests you get better coverage of your web app, because every page that your tests exercise is also scanned by ZAP. I presented this project at a webinar; you can find the slide deck here. In this example I used OWASP Juice Shop for demonstration purposes: the test simply opens one of the pages so we can see ZAP alerts. I am also using OWASP Glue to process the alerts found by ZAP. I used Docker and docker-compose to make this setup easy, with the following services:

To build the tests I've used this guide. Check it out for a complete walk-through on how to proxy your existing tests through ZAP and add security tests easily.

Running

The test script (app/test.sh) is what actually runs ZAP. It is installed in the Docker image (see the Dockerfile at app/Dockerfile). Currently it contains the following commands:

Note that you can exclude certain URLs from ZAP alerts by editing glue.json.
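As an added example (not code from this repository), the two pieces the setup above relies on: the WebDriver proxy capability that sends the browser's traffic through ZAP, and a gate that fails the run on ZAP alerts above a chosen risk level while honouring a glue.json-style URL exclusion list. The ZAP host name `zap:8080`, the alert sample and the exclusion pattern are constructed for illustration.

```javascript
// Added example: route WebdriverIO's browser through ZAP and gate the run on
// the alerts ZAP collected. Host name "zap" and port 8080 are assumptions.
const ZAP_PROXY = 'zap:8080';

// W3C WebDriver "proxy" capability: every HTTP/HTTPS request the browser
// makes during the tests passes through ZAP, so ZAP sees exactly the pages
// the tests cover (put this in the wdio.conf.js capabilities array).
function zapCapabilities(browserName = 'chrome') {
  return {
    browserName,
    proxy: { proxyType: 'manual', httpProxy: ZAP_PROXY, sslProxy: ZAP_PROXY },
  };
}

// Risk levels as ZAP reports them in /JSON/core/view/alerts/ responses.
const RISK_ORDER = { Informational: 0, Low: 1, Medium: 2, High: 3 };

// Keep only alerts at or above `minRisk` whose URL matches none of the
// `excludeUrls` regex strings (same idea as the exclusion list in glue.json).
function failingAlerts(alerts, { minRisk = 'Medium', excludeUrls = [] } = {}) {
  const patterns = excludeUrls.map((p) => new RegExp(p));
  return alerts.filter(
    (a) =>
      RISK_ORDER[a.risk] >= RISK_ORDER[minRisk] &&
      !patterns.some((re) => re.test(a.url)),
  );
}

// Constructed sample in the shape ZAP returns from /JSON/core/view/alerts/
// (not a real scan result of this project).
const SAMPLE_ALERTS = [
  { alert: 'X-Frame-Options Header Not Set', risk: 'Medium', url: 'http://juice-shop:3000/' },
  { alert: 'Cookie No HttpOnly Flag', risk: 'Low', url: 'http://juice-shop:3000/rest/user/login' },
  { alert: 'Cross-Domain Misconfiguration', risk: 'Medium', url: 'http://juice-shop:3000/socket.io/' },
];

// Body for an after-suite hook: throw so the CI job fails when alerts remain.
function assertClean(alerts, options) {
  const bad = failingAlerts(alerts, options);
  if (bad.length) {
    throw new Error(`ZAP reported ${bad.length} alert(s) at risk >= ${options.minRisk}`);
  }
  return true;
}
```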