Dynamic Security Testing

Security testing is performed using Owasp Zap which should be installed on your machine to execute the test cases. Note that a license is required in order to show the main commands that perform security testing. The commands are:

  1. Active_web_security_check: Attempts to find potential vulnerabilities by using known attacks against the selected targets.

  2. Passive_web_security_check: Passively scans all HTTP messages (requests and responses) sent to the web application

 

Installation

  1. Download and install Owasp Zap using standard settings

  2. Start Owasp Zap manually

  3. Click Tools menu and select Options

  4. ZAP may perform some updates, some time is expected.

  5. Click API on the left side of the window and disable the checkbox Web UI Enabled

  6. Click Network > Local Servers/Proxies on the left side of the window and set the port. By default, Subject7 uses port 8081

  7. Click OK and close Owasp Zap.

  8. If this menu appears at anytime, select this option and enable the checkbox so that it will not interrupt execution and click Start.

    image-20240902-175104.png

 

Execution

  1. Before performing an execution, you will need to modify your local player file. Locate the installation path of your local player and open conf folder

  2. Using Notepad, open the file player.properties

  3. Add "zap.proxy=http://localhost:8081" to the end of the file (excluding double quotes)

  4. Save the file

  5. On the platform, click User Execution Preferences icon under your username

  6. Click Advanced tab

  7. Next to OWASP ZAP Options, click the Restore zap settings to default icon in order to make sure you have the right configuration added. The port should match what you set on your Owasp Zap settings, otherwise it will not work. By default, you should see these configurations:

    "C:\Program Files\ZAP\Zed Attack Proxy\ZAP.exe" -config api.disablekey=true -config proxy.port=8081 -config hud.showWelcomeScreen=false
  8. Save your settings and start your local player

  9. On your test case, the first step should always use Wait command for 10 seconds to allow Owasp Zap application to start properly

  10. The second step should navigate to the URL where you will be performing your testing.

  11. The third and fourth steps can include the security commands Active_web_security_test or Passive_web_security_test

  12. Run your test case and wait for the analysis to complete. Once finished, click More on the platform and you will see a link with the analysis results displayed in a PDF file

The following video demonstrates execution: