I already developed Selenium code to perform the web application testing. But I need to perform security testing for the same application. So please suggest how to perform the security testing with the Selenium code.
Please help to integrate the selenium with ZAP.
Proxy your Selenium tests through ZAP and then use ZAP to test your app.
Exploring apps effectively is always a challenge for automated scanners, but a good set of Selenium tests is a great way to teach a scanner like ZAP how your app works. You can either not bother using the ZAP Spiders or just use them to catch areas of your app that don't have enough tests. By proxying your tests via ZAP you will automatically get passive scanning, and once they have finished you can use active scanning to run the more aggressive attacks.
ZAP has a very powerful API, so it can be completely automated for this sort of testing.
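What "proxy your Selenium tests through ZAP" looks like in code, as an added example that is not part of the original answer: Chrome is started with ZAP (assumed at 127.0.0.1:8080) as its proxy, the existing test steps run, and ZAP's JSON API (API key assumed in the ZAP_API_KEY environment variable) returns the alerts passive scanning collected, which a CI gate can then act on. The sample alert list at the bottom is constructed so the helpers can be exercised without a running ZAP.

```python
import json
import os
import urllib.parse
import urllib.request

ZAP_HOST, ZAP_PORT = "127.0.0.1", 8080          # assumed ZAP proxy/API address
ZAP_API = f"http://{ZAP_HOST}:{ZAP_PORT}"

def chrome_args_for_zap(host: str = ZAP_HOST, port: int = ZAP_PORT) -> list[str]:
    """Chrome flags that route all browser traffic through ZAP's proxy.
    ZAP re-signs TLS with its own CA, so the test browser must trust that CA
    or ignore certificate errors; do the latter only in a throwaway test profile."""
    return [f"--proxy-server=http://{host}:{port}", "--ignore-certificate-errors"]

def zap_get(view: str, **params) -> dict:
    """Call a ZAP JSON API view, e.g. zap_get("core/view/alerts", baseurl=url)."""
    params["apikey"] = os.environ.get("ZAP_API_KEY", "")   # assumed env var
    url = f"{ZAP_API}/JSON/{view}/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def run_selenium_through_zap(target_url: str) -> list[dict]:
    """Drive the app with Selenium while ZAP passively scans, then fetch the alerts."""
    from selenium import webdriver   # local import: the helpers above need no Selenium
    opts = webdriver.ChromeOptions()
    for arg in chrome_args_for_zap():
        opts.add_argument(arg)
    driver = webdriver.Chrome(options=opts)
    try:
        driver.get(target_url)       # your existing Selenium test steps go here
    finally:
        driver.quit()
    return zap_get("core/view/alerts", baseurl=target_url)["alerts"]

def alerts_by_risk(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per ZAP risk level (High, Medium, Low, Informational)."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    return counts

def gate(alerts: list[dict], fail_on=("High", "Medium")) -> bool:
    """CI pass/fail: True only when no alert at a blocking risk level was raised."""
    return not any(a["risk"] in fail_on for a in alerts)

# Constructed sample of the "alerts" list ZAP returns (not real scan output).
SAMPLE_ALERTS = [
    {"pluginId": "10021", "risk": "Low", "alert": "X-Content-Type-Options Header Missing"},
    {"pluginId": "40012", "risk": "High", "alert": "Cross Site Scripting (Reflected)"},
]
```

Active scanning is a separate step (the ascan API) that you start only after the Selenium run has populated ZAP's site tree.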
Related
I am trying to find a better automation tool to perform website testing automatically to identify bugs using various mobile devices and browsers.
Tried various no-code automation tools, and BrowserStack and LambdaTest as well, but was not able to achieve it running automatically.
Selenium seems to be the most popular option. However, I suggest Playwright. It has unique features to be able to open new pages, new tabs, new browsers and new windows with its Browser, BrowserContext and Page concept.
Lighthouse, a part of the Chrome Developer Tools, provides great reports and analytics for the app frontend code.
I'm curious to know, is it possible to apply Lighthouse to code running on Node.js? In other words, is it possible to use the power of Lighthouse for analyzing a backend?
Lighthouse wouldn't work for NodeJS. There are a lot of things in Lighthouse that wouldn't be applicable to backend code, such as SEO improvements etc.
I have a Java application that only communicates via websocket on port 1234. I'd like to use ZAP for some fuzz testing. The thing is I can't make OWASP ZAP see my application. If I want to add it as a site, it won't let me because I can add only http sites. I can't scan "ws://127.0.0.1:1234". How can I do that? I checked the ZAP Wiki and blogs about adding "websocket sites", but they all added it via http, and I can't do that. I tried a few other tools as well; none seems to work.
Any help is appreciated.
We've got some changes in the pipeline that might make this easier. I'll aim to get back to you asap.
We are looking to replace our Selenium approach to automated web data collection and have been recommended Puppeteer or Chromeless.
One of the things I like is the ability to go headless with Chrome running on AWS Lambda. That was sold as the main reason for going with Chromeless or Puppeteer. However, I see posts online indicating that the same can be done with Selenium. If that is true, what other advantages do Chromeless and Puppeteer offer over Selenium?
We are going to be using NodeJS
Having used both Selenium and Puppeteer, these would be my observations as to why it's currently being recommended so highly:
Puppeteer is really easy to configure and execute. No setting specific drivers required. Just write your test scripts, point node towards your scripts and watch it go. Everything even runs in parallel!
It's a zero setup framework in that it comes bundled with the version of Chromium which it runs best with.
Another benefit is speed. Puppeteer is really fast since it uses headless Chrome.
It integrates very nicely with other popular test frameworks such as jest and mocha.
Using Puppeteer's API is really straightforward. Everything is simple to write, easy to understand and basically allows for simple user interactions to be automated using a single line of code.
It's really easy to debug your automation scripts. Simply set headless to false and turn slowMo up from 0 to, say, 250 and you can easily see what's going on and fix any problems you may have.
It's easy to pick up and use no matter what your previous experience levels: on the team I'm working on, everyone (even those with no real automation test script writing experience) has found working with Puppeteer a really nice and relaxed experience. Everyone is getting the grasp of it within a few minutes of basic research and getting scripts running quickly and with no hassle or stress.
It should be noted that Selenium does do everything that Puppeteer does (and vice versa) but that's not the point of Puppeteer. Puppeteer allows for a team to build a large library of automation scripts very quickly using an easy to use API and get tests running now rather than having to deal with building ultra-robust test frameworks which work cross browser and / or cross device.
If you really must have cross browser testing then Selenium or perhaps InternJS (a personal favourite of mine) are still the choices to make.
Puppeteer only supports executing tests on Chrome but, at the end of the day, it's much better to have a lot of tests running (even if it's just on Chrome) as opposed to having none.
I used OWASP ZAP to scan an application I developed. The scan report lists out vulnerabilities, if any. If not, nothing gets printed. Does ZAP provide a list of tests that passed? How to obtain such a report?
You can use the API to get all the scan rules (<zap_host>/JSON/pscan/view/scanners/?zapapiformat=JSON&formMethod=GET or <zap_host>/JSON/ascan/view/scanners/?zapapiformat=JSON&formMethod=GET&scanPolicyName=&policyId=), which is similar to all the tests. Another option is to get all URLs scanned by ZAP (<zap_host>/JSON/core/view/urls/?zapapiformat=JSON&formMethod=GET&baseurl=). Hope that helps...
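Added example, not from the answer above: given the "scanners" array returned by the pscan/ascan views mentioned and the "alerts" array from /JSON/core/view/alerts/, derive the list of enabled rules that raised no alert, which is the closest thing ZAP offers to a "tests passed" report. The sample data is constructed and the "true"/"false" string form of the enabled flag is an assumption about ZAP's JSON output.

```python
def passed_and_failed(scanners: list[dict], alerts: list[dict]) -> tuple[list[str], list[str]]:
    """Split ZAP's enabled scan rules into those that raised an alert and those that did not.
    A rule with no alert only "passed" for the URLs ZAP actually saw, so check
    /JSON/core/view/urls/ as well to confirm the scan covered the whole app."""
    raised = {a["pluginId"] for a in alerts}
    passed, failed = [], []
    for rule in scanners:
        if str(rule.get("enabled")).lower() != "true":   # assumed: ZAP returns "true"/"false" strings
            continue                                      # disabled rules never ran
        (failed if rule["id"] in raised else passed).append(rule["name"])
    return sorted(passed), sorted(failed)

def report(scanners: list[dict], alerts: list[dict]) -> str:
    """Plain-text PASS/FAIL listing of the enabled rules."""
    passed, failed = passed_and_failed(scanners, alerts)
    return "\n".join([f"PASS  {n}" for n in passed] + [f"FAIL  {n}" for n in failed])

# Constructed samples in the shape of the "scanners" and "alerts" arrays ZAP returns.
SAMPLE_SCANNERS = [
    {"id": "10021", "name": "X-Content-Type-Options Header Missing", "enabled": "true"},
    {"id": "10038", "name": "Content Security Policy (CSP) Header Not Set", "enabled": "true"},
    {"id": "10015", "name": "Re-examine Cache-control Directives", "enabled": "false"},
]
SAMPLE_ALERTS = [
    {"pluginId": "10021", "risk": "Low", "alert": "X-Content-Type-Options Header Missing"},
]
```

Run the two scanner views separately and concatenate their arrays if you want passive and active rules in one report.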