Dynamic Security Testing

Owned by Joseph Hamdan
Last updated: Aug 08, 2023
2 min read

Security testing is performed using Owasp Zap which should be installed on your machine to execute the test cases. Note that a license is required in order to show the main commands that perform security testing. The commands are:

  1. Active_web_security_check: Attempts to find potential vulnerabilities by using known attacks against the selected targets.
  2. Passive_web_security_check: Passively scans all HTTP messages (requests and responses) sent to the web application


Installation

  1. Download and install Owasp Zap using standard settings
  2. Start Owasp Zap manually
  3. Click Tools menu and select Options
  4. Click API on the left side of the window and disable the checkbox Web UI Enabled
  5. Click NetworkLocal Servers/Proxies on the left side of the window and set the port. By default, Subject7 uses port 8081
  6. Click OK and close Owasp Zap.
  7. If this menu appears at anytime, select this option and enable the checkbox so that it will not interrupt execution and click Start.


Execution

  1. Before performing an execution, you will need to modify your local player file. Locate the installation path of your local player and open conf folder
  2. Using Notepad, open the file player.properties
  3. Add "zap.proxy=http://localhost:8081" to the end of the file (excluding double quotes)
  4. Save the file
  5. On the platform, click User Execution Preferences icon under your username
  6. Click Advanced tab

  7. Next to OWASP ZAP Options, click the Restore zap settings to default icon in order to make sure you have the right configuration added. The port should match what you set on your Owasp Zap settings, otherwise it will not work. By default, you should see these configurations:

    "C:\Program Files\OWASP\Zed Attack Proxy\ZAP.exe" -config api.disablekey=true -config proxy.port=8081 -config hud.showWelcomeScreen=false
  8. Save your settings and start your local player
  9. On your test case, the first step should always use Wait command for 10 seconds to allow Owasp Zap application to start properly
  10. The second step should navigate to the URL where you will be performing your testing.
  11. The third and fourth steps can include the security commands Active_web_security_test or Passive_web_security_test
  12. Run your test case and wait for the analysis to complete. Once finished, click More on the platform and you will see a link with the analysis results displayed in a PDF file

The following video demonstrates execution: