How to set up ZAP plugin in Jenkins - selenium

I have a problem with the ZAP plugin for Jenkins. Assume I have my Selenium UI testing code; it will launch a browser and set a proxy automatically. What I need is to launch the test from Jenkins, and use the ZAP plugin to open the ZAP proxy and generate a report.
The process in Jenkins should be:
1. Open the ZAP proxy, add an alert filter to ZAP.
2. Execute the UI test (which will go through the ZAP proxy automatically).
3. ZAP generates the report and sends it back to Jenkins.
4. Shut down the ZAP proxy.
My confusion is that when I use the ZAP plugin in Jenkins, there is a starting point which must be provided. But I don't want active scanning; I only need passive scanning of what goes through the ZAP proxy during the UI test. Is there a way to work around it?
I found another way, by using the ZAP API to do the job: https://medium.com/#PrakhashS/security-testing-for-apis-using-zap-5df8ec07a131. But I don't manage to make an alert filter via the API. Can someone help?
I am a newbie to Jenkins; I would like to know which way is proposed to meet my need: executing ZAP from the ZAP plugin, or executing a shell script that calls the ZAP API?
Thank you!

If you just want passive scanning then why not try the ZAP Baseline scan: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
There's now an option to add a delay for other tests to proxy through ZAP. I need to update the wiki ;)

I did something similar: I had existing UI automation tests, and I was able to proxy them through ZAP. You can find an example here, using webdriver.io (which is basically Selenium). If this is what you're looking for, I can help you set this up.
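For the passive-scan workflow described above (UI tests proxied through ZAP, then Jenkins judging the report), here is an added example that is not part of this thread or of ZAP itself: a small Python gate that reads the JSON report ZAP writes, applies an alert-filter style suppression list, and returns the exit status a Jenkins step can fail on. It assumes the layout of ZAP's traditional JSON report (site/alerts/instances, riskcode as a string); the sample report, plugin ids and URLs are constructed.

```python
"""Gate a Jenkins build on ZAP passive-scan findings. Added example, not from the thread."""
import json
import re
import sys

def is_suppressed(alert, url, suppressions):
    """An alert filter: drop an alert by ZAP plugin id, optionally only for URLs matching a regex."""
    for rule in suppressions:
        if str(rule["pluginid"]) != str(alert.get("pluginid")):
            continue
        if rule.get("url_regex") is None or re.search(rule["url_regex"], url):
            return True
    return False

def failing_alerts(report, suppressions=(), min_risk=2):
    """Return (pluginid, name, url) for each unsuppressed alert instance at or above min_risk.
    riskcode in ZAP reports is a string: 0 informational, 1 low, 2 medium, 3 high.
    """
    failures = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if int(alert.get("riskcode", 0)) < min_risk:
                continue
            for inst in alert.get("instances") or [{"uri": site.get("@name", "")}]:
                url = inst.get("uri", "")
                if not is_suppressed(alert, url, suppressions):
                    failures.append((alert["pluginid"], alert["alert"], url))
    return failures

def gate(report_path, suppressions=(), min_risk=2):
    """Jenkins entry point: read the JSON report ZAP wrote and return the exit status to use."""
    with open(report_path) as f:
        failures = failing_alerts(json.load(f), suppressions, min_risk)
    for pluginid, name, url in failures:
        print(f"FAIL [{pluginid}] {name} at {url}")
    return 1 if failures else 0

# Constructed sample shaped like ZAP's JSON report; not output of a real scan.
SAMPLE_REPORT = {"site": [{"@name": "http://app.example", "alerts": [
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "http://app.example/"}]},
    {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens", "riskcode": "2",
     "instances": [{"uri": "http://app.example/login"}, {"uri": "http://app.example/account"}]},
]}]}
# Equivalent of a ZAP alert filter: accept the anti-CSRF finding on the login form only.
SUPPRESSIONS = [{"pluginid": 10202, "url_regex": r"/login$"}]

if __name__ == "__main__":
    sys.exit(gate(sys.argv[1], SUPPRESSIONS))
```

Run it as the last shell step after ZAP has written its JSON report; a non-zero return fails the job while low-risk and filtered alerts are still visible in the report.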

Related

How do I rerun a test from the Perforce Swarm API?

Swarm's web UI has a Rerun test button to do this when I pass a review and want to restart other review tests, but I didn't find a way to do so in Swarm's API.
What I'm doing right now is: the PATCH method of the Swarm API was used to change the current state of the test runs to running, and then ${swarm_URL}/ API /v10/${id}/testrun/${uuid}, combined with the testruns data obtained by curl, was used as a parameter to remotely start the Jenkins build.

OWASP ZAP run in command prompt

Is there any way to run OWASP ZAP in CMD mode?
I have Selenium scripts; they open the browser and run.
When running, they auto-record all the requests to ZAP (already completed).
Now I need to run OWASP ZAP (Zed) using Jenkins or using Selenium.
Is there any way to do this?
Change the standard mode to attack mode and execute the attack, then email the HTML report.
Yes there is! You can use the ZAP CLI for that. The CLI lets you start an active scan and get the report. There is also the baseline scan that is bundled in the Docker image, and you can always use the API directly. Each one of these approaches can let you achieve what you want, besides sending an email. This can be done (I hope) with Jenkins.

How to use ZAP JxBrowser in ZAP Selenium?

Currently, we use Python Selenium to launch Firefox, and also configure the Firefox proxy setting to go through the ZAP proxy.
from selenium import webdriver

# Copy the shared DesiredCapabilities.FIREFOX dict instead of mutating it in place.
capabilities = webdriver.DesiredCapabilities.FIREFOX.copy()
capabilities['proxy'] = {
    'proxyType': "manual",
    'httpProxy': "127.0.0.1:8080",   # ZAP's default listen address and port
    'ftpProxy': "127.0.0.1:8080",
    'sslProxy': "127.0.0.1:8080"     # HTTPS also goes through ZAP (its CA must be trusted)
}
# desired_capabilities is the Selenium 3 style argument; newer Selenium uses Options/Proxy objects.
self.driver = webdriver.Firefox(desired_capabilities=capabilities)
But I also see that ZAP contains its own browser, JxBrowser.
How to use JxBrowser in ZAP Selenium? Is there any document about that?
Let's say we log in to the site with Selenium; how could I trigger the spider to scan all the post-login pages? Could ZAP help me to do that?
Thanks!
You can use JxBrowser as one of the options with the ZAP Ajax spider.
We haven't added an option to launch JxBrowser outside of ZAP as this might break the licensing agreement we have with them - see https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsJxbrowserJxbrowser#licensing for more details. However I'd have no problem launching JxBrowser from ZAP for the user to control via Selenium; we'd just need to work out a way to do it that allows the user to take control.
Logging in with Selenium and then launching the ZAP spider is a good option. ZAP has a powerful API that allows you to control nearly all of the ZAP features. In this case you'll probably need to find and flag the session the Selenium tests started as 'active' - see https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions for more details.

JMeter recording in non-GUI mode for Selenium testing

I would like to record the network requests of a Selenium test. Rather than using the JMeter GUI, I would like to automate this process in a script. The idea would be to run a Selenium test and record it simultaneously. Is there a built-in way to do this?
The JMeter GUI is ideally used for the development of scripts, which are then run headless to get true performance figures.
You can develop Selenium WebDriver tests as JUnit tests, which integrate with JMeter very easily.
Running a recorded Selenium IDE test would not be so straightforward; better to export it as Java WebDriver.
Make sure you follow JUnit naming conventions and annotations (depending on which version you use). Write the test class, including JUnit 'test' methods, then create a JMeter test plan with a JUnit sampler, and configure the JUnit sampler to run your test method[s].
Maven and plugins can be used to make it all run seamlessly in headless mode on any host.
Once you have developed one of these, it will be easy to review the jmx test script and automate the process of creating more JMeter tests, if that is what you meant by automating the process.
Start JMeter's Proxy Server.
Configure your Selenium script to use JMeter as a proxy. See the Using a Proxy guide for configuration details for each driver.
Run the Selenium test; all requests should be recorded by JMeter.
Add the following test elements to the JMeter test plan:
HTTP Cookie Manager - to represent browser cookies
HTTP Cache Manager - to represent browser cache
Follow the recommendations from How to make JMeter behave more like a real browser to properly configure embedded resources retrieval, user agent, request defaults, etc.
Configure Thread Group parameters according to your load scenario.
Replay the test.
I expect that you will need to apply some correlation, but it may not be required.

Steps for recording the Selenium events on the JMeter proxy

I am presently working on a project for which Selenium scripts are prepared, and I want my JMeter proxy to record the steps executed by the Selenium browser. I tried running Selenium and the JMeter proxy server on the same port, but when doing that the JMeter proxy server refuses to start on the same port. I read somewhere that this is possible but I am not getting the steps that need to be followed.
You should do the same as you would do for simple test recording through the JMeter proxy:
set up the JMeter HTTP Proxy Server;
start the configured JMeter Proxy;
configure and enable proxy settings in your test browser (used by Selenium) to use the JMeter Proxy.
Then run your Selenium tests as usual, via the configured test browser; the HTTP Proxy Server will record the execution.
To exclude all the steps performed in the "selenium-server" window, try adding the following to 'URL Patterns to Exclude' in the HTTP Proxy Server settings:
^/selenium-server/.*
A useful point here is to separate the recorded execution into different Thread Groups, e.g. a separate Thread Group in JMeter for each recorded Selenium test case.
A step-by-step guideline you may find here.
To tell the truth, such "re-recording" may turn out not to be very useful or effective: JMeter is not a browser, and does not interpret the JavaScript in downloaded pages.
As per the JMeter wiki:
JMeter does not process Javascript or applets embedded in HTML pages. JMeter can download the relevant resources (some embedded resources are downloaded automatically if the correct options are set), but it does not process the HTML and execute any Javascript functions. If the page uses Javascript to build up a URL or submit a form, you can use the Proxy Recording facility to create the necessary sampler. If this is not possible, then manual inspection of the code may be needed to determine what the Javascript is doing.
So if you need JMeter's possibilities to implement load/performance testing based on existing Selenium functional scripts, it is better for you to run the Selenium scripts from JMeter.