forked from AutoGeneral/IridiumApplicationTesting
-
Notifications
You must be signed in to change notification settings - Fork 3
Security Testing
Matthew Casperson edited this page Aug 2, 2019
·
1 revision
To enable the Zed Attack Proxy, you need to set the system property startInternalProxy to zap e.g. -DstartInternalProxy=zap.
Once enabled, you can initialise ZAP with the step
@ZAP
Scenario: Initialise ZAP
Given a scanner with all policies enabled
This step needs to be executed before any other steps that interact with the application, as it is this interaction that ZAP uses to passively scan for vulnerabilities and to build up a list of URLs for active attacks.
Once all the steps that that interact with the web application has been completed, you can run an active ZAP scan with the step
@ZAP
Scenario: Save the results
And the application is spidered
And the attack strength is set to "HIGH"
And the active scanner is run
And the ZAP XML report is written to the file "zapreport.xml"
Then no "Medium" or higher risk vulnerabilities should be present for the base url
"^https://([0-9a-zA-Z-]+\.)?(secure\.budgetdirect|ecommerce\.disconline|\.disconline)\
.com\.au"
These steps will instruct ZAP to:
- use its integrated spider to find additional URLs that can be attacked
- set the active attack string to HIGH, which means each URL is subject to more attacks
- run the active scanner, during which ZAP will probe the URLs it knows about (via those passed through it during the passive scan and through the spidering process) for various known vulnerabilities
- save the report file
- fail the Cucumber test if any medium level or higher vulnerabilities were found
Not all browser drivers support the use of a proxy. See the Proxies chatpter for more details.