BDD Automated Security Tests for Web Applications
Repository contents (branch master):

  • gradle/wrapper
  • lib
  • src/test
  • zap
  • .dockerignore (Initial Dockerfile, Apr 21, 2017)
  • .gitignore
  • .travis.yml (Create .travis.yml, Jun 5, 2018)
  • Dockerfile
  • README.md
  • build.gradle (add htmlunit dependence, May 23, 2018)
  • config.xml (Update the ssl feature, Jun 4, 2018)
  • gradlew
  • gradlew.bat
  • license.txt
  • log4j.properties

README.md

BDD-Security is a security testing framework that uses Behaviour Driven Development concepts to create self-verifying security specifications.

The framework is essentially a set of Cucumber-JVM features that are pre-wired with Selenium/WebDriver, OWASP ZAP, SSLyze and Tenable's Nessus scanner.

It tests web applications and APIs from an external (black-box) point of view and does not require access to the target's source code.

Documentation on the Wiki

Version 2.2 Changelog

  • Upgraded to OWASP ZAP 2.6.0
  • Upgraded ZAP Client API to 1.2.0 from maven central
  • Corrected bugs with ambiguous step definitions

Version 2.1 Changelog

  • Upgraded to OWASP ZAP 2.5.0
  • Upgraded ZAP Client API to 1.0.0 from maven central

Version 2.0 Changelog

  • Cucumber-JVM replaced JBehave
  • Gradle replaced Ant
  • Rearranged files to fit Gradle/Maven conventions
  • Removed command line runners. Tests run from Gradle.

The legacy JBehave version is available on the jbehave branch.

v0.9.2 Changelog

  • Integrated with OWASP ZAP 2.4.3.
  • Support setting an API KEY for ZAP

v0.9.1 Changelog

  • HtmlUnitDriver support; it is also the default driver if no other driver is specified in config.xml. Big speed improvements.
  • Support for testing non-browser-based web services and APIs. See the getting started guide for more details.
  • Removed all TestNG tests.

v0.9 Changelog

  • Moved tables that are auto-generated during startup into the stories/auto-generated folder. Tables that are user-editable stay in the stories/tables folder.
  • Hosts and expected open ports are defined in config.xml. The Nessus and port-scanning stories now read the target data from this file.
  • Moved the Nessus false positives to tables/nessus.false_positives.table
  • Moved the OWASP ZAP false positives to tables/zap.false_positives.table
  • Fixed a bug in the portscan story
  • Enabled port scanning of multiple hosts