Accelerating App Security Testing by integrating OWASP ZAP with Selenium

Quality and Security are quintessential gates for any product release. It is imperative to have a Go To Market strategy that embraces both these aspects gracefully. However, both Quality and security come at a cost, and a product company like Halodoc needs to strike a balance between the two, to ensure timely shipment of products/features to our customers.

In this article, we've outlined how we achieved faster GTM by leveraging OWASP ZAP security automation tests in place with existing Selenium scripts.

Problem statement

As with every fast-growing development environment like us, application security is an integral part of our SDLC process. We using In-Sprint Automation for functional testing, but the security testing was done manually with the necessary scanning tools such as BurpSuite, OWASP Zap, etc. Manual security routine tests take time to test and fix the issues, which in turn impacts the deadline.

How did we overcome this

We have a large amount of sanity and regression Selenium and Cucumber tests in place that are run using Jenkins. We are using this setup for evaluating our application in the early development process and take appropriate actions for the same. In a fast-paced development environment like us, test automation is the solution to accelerate to our application testing while ensuring that all the required security checks are in place within the product.  We leveraged OWASP ZAP security automation tests and integrated them with existing Selenium scripts. This helped us to automate our application security testing while ensuring we maintain the quality bar for our product(s).

What is OWASP ZAP?

OWASP (Open Source Web Application Security Project) ZAP(Zed Attack Proxy)  is one of the world’s most popular open-source security tools. It's an integrated penetration testing tool for finding vulnerabilities in web applications. It's also a great tool for pen-testers to use for manual security testing.

Importance of OWASP ZAP

1. OWASP Zed Attack Proxy provides the ability to detect all kinds of threats ex: sensitive data exposure, cross-site scripting, under-protected APIs, broken authentication, and session management.
2. Cross-platform — works across all OS (Linux, Mac, Windows).
3. Provides comprehensive report.

Why selenium - ZAP integration?

1. Selenium is used for web automation testing, but it's certainly not limited to just that. We can make use of the existing selenium scripts to drive ZAP.
2. ZAP is a free open-source tool, that is easy to set up and use.
3. Features that require authentication may not be properly scanned, with default ZAP scans. Selenium knows how to log in and crawl through all features, whereas ZAP knows how to find security issues in crawled pages. Combining both will give better results.
4. Maintenance of scripts and adding new pages for scanning is minimal.
5. Easy integration with Jenkins.

ZAP Spider, Passive & Active scan

Spider is used to discover new resources (URLs) on a web app automatically. Spider visits these URLs to identify all the hyperlinks on the page and adds them to the list of URLs to visit and the process continues recursively until new resources are found.

Passive scan checks the requests and responses sent to a web app and creates alerts for detected vulnerabilities. Passive scan only examines the HTTP requests and responses, making it good at finding vulnerabilities such as missing security headers or missing anti-CSRF tokens.

Active scan actively modifies the recorded requests and responses to determine further vulnerabilities. This helps us in finding vulnerabilities such as SQL Injection and XSS (cross-site scripting).

How to achieve security testing with OWASP ZAP?

1. Download and install ZAP.
2. Add dependency in pom.xml.

3. Add a method to validate proxy and to add ZAP proxy details to the browser. if the proxy is set to true, automation scripts will run with security scan else automation scripts will run without security scan.

4. Add a method to do an active scan or spider scan in the util class. Sample code snippet added below.

5.  Add a method to generate ZAP reports in the util class. The report will be generated in the security reports folder once the security scan is completed.

6. Use the security scan step as below in the feature file to scan the page.

As shown above, the security scan step will call scan methods defined in util class to scan URLs on that page.

7. Integration With Jenkins

 a. Launch the EC2 instance and install docker.

 b. Start running ZAP as a docker container with the help of the below commands.

    1. docker pull owasp/zap2docker-stable

      2. docker run -u -d  zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -configapi.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

  c. Use ZAP port and EC2 instance Ip in selenium script for interaction.

  d. Once the scanning is completed we will get the report in HTML format.

Sample Report

The above sample HTML report shows the summary of security alerts based on risk level and their details. Alert Detail section shows, security issues with parameters, evidence & other details. It also shows an appropriate solution with references to fix the identified issues.

Conclusion

In this post, we discussed, how we are ensuring, identifying, and rectification of vulnerability areas early in the application development process by Driving Security Testing with OWASP ZAP using existing selenium scripts.

Come join us

Scalability, reliability, and maintainability are the three pillars that govern what we build at Halodoc Tech. We are actively looking for engineers/architects/testers and if solving hard problems with challenging requirements is your forte, please reach out to us with your resumé at careers.india@halodoc.com.

About Halodoc

Halodoc is the number 1 all-around Healthcare application in Indonesia. Our mission is to simplify and bring quality healthcare across Indonesia, from Sabang to Merauke.
We connect 20,000+ doctors with patients in need through our Tele-consultation service. We partner with 2500+ pharmacies in 100+ cities to bring medicine to your doorstep. We've also partnered with Indonesia's largest lab provider to provide lab home services, and to top it off we have recently launched a premium appointment service that partners with 500+ hospitals that allows patients to book a doctor appointment inside our application.
We are extremely fortunate to be trusted by our investors, such as the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, Gojek, Astra, Temasek, and many more. We recently closed our Series C round and In total have raised USD 180 million for our mission.
Our team works tirelessly to make sure that we create the best healthcare solution personalized for all of our patient's needs and are continuously on a path to simplify healthcare for Indonesia.