OWASP ZAP run in command prompt - automation

Is there any way to run OWASP ZAP in CMD mode?
I have Selenium scripts; they open the browser and run.
When running, they auto-record all the requests to ZAP (already completed).
Now I need to run OWASP ZAP (Zed Attack Proxy) using Jenkins or using Selenium.
Is there any way to do this?
Change the standard mode to attack mode and execute the attack, then email the HTML report.

Yes, there is! You can use the ZAP CLI for that. The CLI lets you start an active scan and get the report. There is also the baseline scan that is bundled in the Docker image, and you can always use the API directly. Each one of these approaches can let you achieve what you want - besides sending an email. This can be done (I hope) with Jenkins.

Related

How to use ZAP's JxBrowser with Selenium?

Currently, we use Python Selenium to launch Firefox, and also configure the Firefox proxy setting to go through the ZAP proxy.
from selenium import webdriver

# Copy the shared FIREFOX capability dict so the proxy settings do not leak into other sessions
capabilities = webdriver.DesiredCapabilities.FIREFOX.copy()
# Route all browser traffic (HTTP, FTP and TLS) through the ZAP listener
capabilities['proxy'] = {
    'proxyType': "manual",
    'httpProxy': "127.0.0.1:8080",
    'ftpProxy': "127.0.0.1:8080",
    'sslProxy': "127.0.0.1:8080"
}
self.driver = webdriver.Firefox(desired_capabilities=capabilities)
But I also see that ZAP contains its own browser, JxBrowser.
How to use JxBrowser in ZAP with Selenium? Is there any documentation about that?
Let's say, if we log in to the site with Selenium, how could I trigger the spider to scan all the post-login pages? Could ZAP help me do that?
Thanks!
You can use JxBrowser as one of the options with the ZAP ajax spider.
We haven't added an option to launch JxBrowser outside of ZAP as this might break the licensing agreement we have with them - see https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsJxbrowserJxbrowser#licensing for more details. However, I'd have no problem launching JxBrowser from ZAP for the user to control via Selenium; we'd just need to work out a way to do it that allows the user to take control.
Logging in with selenium and then launching the ZAP spider is a good option. ZAP has a powerful API that allows you to control nearly all of the ZAP features. In this case you'll probably need to find and flag the session the selenium tests started as 'active' - see https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions for more details.

How to set up ZAP plugin in Jenkins

I have a problem with the ZAP plugin for Jenkins. Assume I have my Selenium UI testing code; it will launch a browser and set a proxy automatically. What I need is to launch the test from Jenkins, and use the ZAP plugin to open the ZAP proxy and generate a report.
The process in Jenkins should be:
1. Open ZAP proxy, add an alert filter to ZAP.
2. Execute the UI test (which will go through the ZAP proxy automatically).
3. ZAP generates a report and sends it back to Jenkins.
4. Shut down the ZAP proxy.
My confusion is that when I use the ZAP plugin in Jenkins, there is a starting point that must be set. But I don't want active scanning; I only need passive scanning of what goes through the ZAP proxy during the UI test. Is there a way to work around it?
I found another way, by using the ZAP API to do the job: https://medium.com/#PrakhashS/security-testing-for-apis-using-zap-5df8ec07a131. But I can't manage to make an alert filter via the API. Can someone help?
I am a Jenkins newbie, and I would like to know which way is proposed to meet my need: executing ZAP from the ZAP plugin, or executing a shell step that uses the ZAP API?
Thank you!
If you just want passive scanning, then why not try the ZAP Baseline scan: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
There's now an option to add a delay for other tests to proxy through ZAP. I need to update the wiki ;)
I did something similar - I had existing UI automation tests, and I was able to proxy them through ZAP. You can find an example here, using webdriver.io (which is basically Selenium). If this is what you're looking for, I can help you set this up.
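For the two ZAP threads above (run ZAP from Jenkins, then escalate to an active scan and fetch the HTML report; and the passive-only variant where the UI tests proxy through ZAP and only the report is wanted), here is an added example of driving a running ZAP daemon over its REST API from a CI shell step. It is not code from either thread or from the ZAP project; the listener address, API key and target URL are constructed placeholders.

```python
"""Drive a ZAP daemon from a CI job via its JSON/OTHER REST API (stdlib only)."""
import json
import time
import urllib.parse
import urllib.request

# Assumed for this example: ZAP was started with
#   zap.sh -daemon -port 8080 -config api.key=changeme
ZAP_BASE = "http://127.0.0.1:8080"
API_KEY = "changeme"


def api_url(path, params=None, base=ZAP_BASE, apikey=API_KEY):
    """Build a ZAP API URL, e.g. .../JSON/ascan/view/status/?scanId=0&apikey=..."""
    query = dict(params or {})
    query["apikey"] = apikey  # every non-view call needs the key; views accept it too
    return f"{base}/{path}?{urllib.parse.urlencode(query)}"


def api_call(path, params=None):
    with urllib.request.urlopen(api_url(path, params), timeout=30) as resp:
        return json.load(resp)


def is_complete(status_response):
    """ascan/view/status returns {"status": "<percent>"}; 100 means finished."""
    return int(status_response.get("status", 0)) >= 100


def wait_for_passive_scan(poll=2):
    """Passive scanning is asynchronous: block until ZAP has no proxied records queued."""
    while int(api_call("JSON/pscan/view/recordsToScan/")["recordsToScan"]) > 0:
        time.sleep(poll)


def active_scan(target, poll=5):
    """Start an active scan of the app under test and wait for it to reach 100%."""
    scan_id = api_call("JSON/ascan/action/scan/", {"url": target, "recurse": "true"})["scan"]
    while not is_complete(api_call("JSON/ascan/view/status/", {"scanId": scan_id})):
        time.sleep(poll)
    return scan_id


def save_html_report(path):
    """Write the HTML report ZAP renders from its current session to a file."""
    with urllib.request.urlopen(api_url("OTHER/core/other/htmlreport/"), timeout=60) as resp:
        with open(path, "wb") as out:
            out.write(resp.read())


if __name__ == "__main__":
    wait_for_passive_scan()                  # passive-only pipeline: stop here and report
    active_scan("http://localhost:3000")     # placeholder target: your own app under test
    save_html_report("zap-report.html")      # archive this from Jenkins, or attach to an email
```

Run the UI tests (proxied through 127.0.0.1:8080) before this script so the passive scanner has traffic to process; ZAP must already be running as a daemon.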

How to disable local storage feature in Selenium?

I want to test the code that must run when the browser does not have / does not allow me to use the local storage feature. Is there any way to mock this behavior on Selenium side?
Take a look at this question and the answers:
How can I browse with localstorage disabled?
It's not specifically about selenium, but it tells you how to configure the browsers to disable local storage; using that, you should be able to run selenium with a browser using that configuration.

Converting loadrunner script to Neoload (using Fiddler maybe?)

Pretty much exactly what it says on the tin: I have a Loadrunner script and I would like to convert it to a Neoload one. There's no way to do this automatically, obviously, but my idea was to capture traffic created by a loadrunner playthrough and then somehow reroute it (or export it?) to Neoload, and then do the manual extraction/whatever later.
The answer given here gives some tantalizing hints on how to do it, but the problem is that I can't figure out how to get Neoload to accept anything other than manual recording (the answer is given for Webtest because Fiddler can export a Webtest file, but there's no such option for Neoload). Is there a viable way to make this approach work, or is there a different option I could explore?
NeoLoad records the HTTP traffic through a Proxy (default recording method). All you need to do is:
Tell LoadRunner to play the script through a Proxy: NeoLoad machine, port 8090 (default NeoLoad recording port)
Launch a NeoLoad recording (you can uncheck "Launch Browser")
Launch the LoadRunner playback of 1 VU
Stop NeoLoad recording
I hope this helps,
Christophe
Neotys
There is no good conversion between the scripts.
Creating a script in that way would generate only the HTTP requests.
It would NOT generate:
1. Script changes (conditions, loops, etc)
2. Library attachments
3. Parameterizations
4. Validations
and extra stuff
Since NeoLoad 6.5.0 there is a new tool called LoadRunner Converter.
The LoadRunner converter provides the capability to convert LoadRunner HTTP scripts to their NeoLoad equivalent for those organizations that currently use LoadRunner and want to move on to NeoLoad.
See:
https://www.neotys.com/neoload/whats-new

selenium grid 2 ready, how do I send a "test" job to the remote server?

On my Linux box somewhere in the United States, it's running Selenium Grid 2.
Currently 3 people will be regularly running parallel tests, but there's potential for more people to join and run more parallel tests.
Now, they are in other parts of the world; they need to submit an XML file which contains the test data, and the server needs to parse this and figure out the rules.
How can the client invoke a test to run on the remote server? Via HTTP POSTing the XML file to the URL the grid is running on?
Is it cheaper to just rent a fast Linux server and then buy more as the number of parallel tests increases?
Or should I, right off the bat, hook it up to Amazon EC2? If there are parallel tests on AJAX-heavy web applications running 24/7, would it be cheaper to go with the single dedicated box or Amazon? Google App Engine (no plugins for grid?)?
I am not sure I understood the XML submitting part in your question. However, I can give you an example which will help you understand how to submit the tests to the grid.
Three people, PersonA, PersonB and PersonC, are creating Selenium tests on their local machines. They currently run the tests using an ANT build (or something similar) against the Selenium server jar which is on their local machine. In their code they would have a line which tells which Selenium instance should be used to run this test. This will be mostly like
new DefaultSelenium("localhost",port,browsername,URL)
Now these people want to move to Selenium Grid (1 or 2). Here is what they will have to do to use the grid:
All they have to do is change the command
new DefaultSelenium("localhost",port,browsername,URL)
to
new DefaultSelenium("hubIPAddress",portInWhichHubWasStarted,browsername,URL)
Note: browserName - make sure there is a remote node registered in the Hub for the same browserName.
Now all the commands will be sent to the Selenium Hub, and the Hub will execute the commands using the remote nodes.
Hope this helps. Please post if you have any questions.