Currently, we use python selenium to launch firefox, and also configure the firefox proxy setting to go through ZAP proxy.
capabilities = webdriver.DesiredCapabilities.FIREFOX
capabilities['proxy'] = {
'proxyType': "manual",
'httpProxy': "127.0.0.1:8080",
'ftpProxy': "127.0.0.1:8080",
'sslProxy': "127.0.0.1:8080"
}
self.driver = webdriver.Firefox(desired_capabilities=capabilities)
But I also see ZAP contains its own browser, JxBrowser
How to use JxBrowser in ZAP seleium...? is there any document about that ?
Let's say, if we login the site with seleium, how could I trigger the spider to scan all the post login pages...? Could ZAP helps me to do that..?
Thanks !
You can use JxBrowser as one of the options with the ZAP ajax spider.
We havnt added an option to launch JxBrowser outside of ZAP as this might break the licensing agreement we have with them - see https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsJxbrowserJxbrowser#licensing for more details. However I'd have no problem launching JxBrowser from ZAP for the user to control via selenium, we'd just need to work out a way to do it that allows the user to take control.
Logging in with selenium and then launching the ZAP spider is a good option. ZAP has a powerful API that allows you to control nearly all of the ZAP features. In this case you'll probably need to find and flag the session the selenium tests started as 'active' - see https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions for more details.
Related
Is there any way to run OWASP zap in CMD mode?
I have selenium scripts it opens the browser and runs.
When running it auto record all the requests to Zap (already completed).
Now I need to run the OWASP zap zed using Jenkins or using selenium.
Is there any way to do this?
Change the standard mode to attack mode and execute the attack, then email the HTML report.
Yes there is! You can use the zap CLI for that. The CLI let you start an active scan and get the report. There is also the base line scan that is bundled in the docker image, and you can always use the API directly. Each one of these approaches can let you achieve what you want - besides sending an email. This can be done (I hope) with Jenkins.
I have a problem on Zap plugin of Jenkins. Assume I have my selenium UI testing code, it will launch a browser and set a proxy automatically. What I need is to launch the test from Jenkins, and use the zap plugin to open the zap proxy and generate report.
The process in Jenkins should be :
1. Open ZAP proxy, add alert filter to ZAP.
2. Execute UI test (which will go through the ZAP proxy automatically)
3. ZAP generate report and send back to Jenkins.
4. Shut down ZAP proxy.
My confusion is when I use the zap plugin in Jenkins, there is a starting point which is necessary to put. But I don't want an active scanning, I only need a passive scanning from what go through the zap proxy by UI test. Is there a way to walk around it?
I found another way by using ZAP API to do the job https://medium.com/#PrakhashS/security-testing-for-apis-using-zap-5df8ec07a131. But I don't manage to make a alert filter by API. Can someone help?
I am newbie of Jenkins, I would like to know which way is proposed to meet my need. By executing zap from zap plugin, or by executing shell from zap API?
Thank you!
If you just want passive scanning then why not try the ZAP Baseline scan: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
Theres now an option to add a delay for other tests to proxy through ZAP. I need to update the wiki ;)
I did something similar - I had an existing UI automation tests, and I was able to proxy them through Zap. You can find an example here, using webdriver.io (which is basically selenium). If this is what you're looking for, I can help you set this up.
I want to use Sikuli with PhantomJS.Because web application which we are testing have so many http authenticate pop Ups. We are automating those pop ups by using Sikuli when we were using Selenium. But now we want to use PhantomJS because user is not able to do any other work while selenium web driver is performing testing on web application. Basically we don't want to block User for doing any other activity. So we are trying to use PhantomJS.
But as we know that PhantomJS is headless browser and Sikuli is image based testing tool . So can we use Sikuli With PhantomJS? If yes, then how can We use it? I know how to use Sikuli with PhantomJS Webdriver?
Thanks In Advance
No, you can't. As you stated PhantomJS is headless browser and Sikuli is image based testing tool, so there's no GUI to interact with.
Get some Virtual Machines and run tests on them, so no user is blocked.
I'm using selenium to test a production site. The test activity screws with the analytics.
Can I disable the analytics using JavaScript after the page has loaded, via Selenium? I know I can execute JS via Selenium. The question is, how to disable the GA code?
Here are few options you might try. Some were taken from this blog post -
Exclude Selenium WebDriver traffic from Google Analytics.
Option 0: Avoid testing live production sites
Ideally automated Selenium UI testing is preferred to test against some kind of testing environment, instead of mess around live production databases. As live production sites only need some manual exploratory/smoke testing. In this case, when setting up the testing environment, use a different Google Analytics tracker or even avoid using Google Analytics.
Option1: Disable JavaScript
Since Google Analytics tracking is done by executing a snippet of JavaScript code, disable JavaScript in browsers would do. But this isn't practical, because surely this will impact the functionality of the site.
Option2: Set user agent and exclude user agent
Set a special testing user agent when start WebDriver, then in your source, use JavaScript to exclude that user agent.
For example, your GA should be:
if (user agent != your special testing user agent) {
your GA code
}
Option3: Exclude IP/ISP
Set it in your GA's admin settings
Option4: Opt-out plugins
Start your WebDriver a GA opt-out plugin (only possible with ChromeDriver and FirefoxDriver). Google Analytics Opt out Add ons
Option5: Custom variables (cookies) with JavaScript
See "Set a Cookie with JavaScript" section in Best Ways to Exclude Internal Traffic in Google Analytics
Option6: Use a proxy like BrowserMob Proxy
BrowserMob Proxy allows manipulating HTTP requests and responses, capturing HTTP content, and exporting performance data as a HAR file. It supports blacklisting which can be used as a way of blocking data sent to Google Analytics.
require 'browsermob/proxy'
require 'selenium-webdriver'
server = BrowserMob::Proxy::Server.new("./browsermob-proxy-2.1.4/bin/browsermob-proxy", :log => true)
server.start
proxy = server.create_proxy
proxy.blacklist("https?:\/\/www\.google-analytics\.com\/.*", 404)
profile = Selenium::WebDriver::Firefox::Profile.new
profile.proxy = proxy.selenium_proxy
driver = Selenium::WebDriver.for :firefox, :profile => profile
proxy.new_har "browsermob"
driver.get 'http://yizeng.me/'
har = proxy.har
har.entries.first.request.url
har.save_to "./browsermob.har"
proxy.close
driver.quit
Option7: Remove GA code using Selenium JavaScriptexecutor
Your idea, but not sure if this is possible, once GA code is loaded, it's been executed, using Selenium to remove to code has to be somehow after that?
By the power of --host-resolver-rules
let chrome = require("selenium-webdriver/chrome");
const chromeOptions = new chrome.Options();//.headless();
chromeOptions.addArguments('--host-resolver-rules=MAP www.google-analytics.com 127.0.0.1');
var $browser = new $driver.Builder()
.forBrowser("chrome")
.setChromeOptions(chromeOptions)
I learned it from Can I automate Chrome request blocking using Selenium-webdriver for Ruby? and it is working great.
Somewhat late, but a low tech option if you're using a view engine, e.g. Razor, is to have a property on the view model such as IsTestEnvironment. Set this at run-time based on a configuration or Environment value and then test for it in the JavaScript, e.g.
#if (!Model.IsTestEnvironment){
// Google Analytics tracking code.
}
Then the tracking script will only be included on your chosen environments.
I want to test the code that must run when the browser does not have / does not allow me to use the local storage feature. Is there any way to mock this behavior on Selenium side?
Take a look at this question and the answers:
How can I browse with localstorage disabled?
It's not specifically about selenium, but it tells you how to configure the browsers to disable local storage; using that, you should be able to run selenium with a browser using that configuration.