Case 3 – automated security testing for the user registration flow with Selenium

In the previous demo, we used ZAP to run a spider scan and an active scan. The purpose of the spider scan is to discover all reachable URLs and web resources. However, some web resources require manual guidance to reach, such as authenticated resources, the user registration flow, or the shopping business flows.

Therefore, we need a web UI automation framework, such as Selenium, to guide ZAP through those pages. For a testing team that has already finished its functional automation testing, it is suggested to run the web security scanner, OWASP ZAP, in proxy mode so that the existing automation tests are reused as the traffic source for the security scan.

In this case study, we use the user registration flow as an example to demonstrate how to apply a Selenium automation framework and ZAP for web security automation testing.

We inspect security issues in the new user registration flow of the vulnerable shopping site at http://hackazon.webscantest.com/. The sign-up flow starts from the Sign Up | New User link, and the Selenium automation framework will perform the following steps:

  1. Visit the home page
  2. Click Sign Up | New User
  3. Input the First Name, Last Name, Username, Email Address, Password, and Confirm Password values, and then click Register

During the automated user registration execution by Selenium, we will launch ZAP as a proxy to monitor the security issues:

Sign Up in NodeGoat

To complete the automated security testing scenario, we will use SeleniumBase to launch the browser and simulate user behavior to guide ZAP through the registration flow, as shown in the following diagram:

Selenium and ZAP security testing
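The following Python script is an added example, not code from the book or from the Hackazon or ZAP projects. It drives the three registration steps through ZAP's proxy with plain Selenium (assumed here instead of SeleniumBase so the script is self-contained), then reads the alerts ZAP recorded for the target with ZAP's core/view/alerts API. Assumptions not stated in the text: ZAP listens on 127.0.0.1:8080, its API key is supplied in the ZAP_API_KEY environment variable, and the form field names and button locator are guesses that must be adjusted to the real Hackazon page.

```python
"""Guide ZAP through the Hackazon registration flow and summarise the alerts it raised.

Added example (not from the book). Assumptions: ZAP runs locally in proxy mode on
127.0.0.1:8080, ZAP_API_KEY holds its API key, and the Hackazon locators below are
placeholders to be checked against the live page.
"""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

ZAP_HOST = "127.0.0.1"   # assumption: ZAP proxy on the local machine
ZAP_PORT = 8080          # assumption: ZAP default proxy port
TARGET = "http://hackazon.webscantest.com/"
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def proxy_arguments(host=ZAP_HOST, port=ZAP_PORT):
    """Chrome flags that send every browser request through ZAP.

    ZAP re-signs TLS traffic with its own CA, so certificate errors are ignored
    for this lab run only; the flag must not leak into any other configuration.
    """
    return [f"--proxy-server={host}:{port}", "--ignore-certificate-errors", "--headless=new"]


def build_driver(host=ZAP_HOST, port=ZAP_PORT):
    """Start Chrome with the proxy flags (Selenium is imported lazily so the
    helper functions above and below can be used without a browser)."""
    from selenium import webdriver
    from selenium.webdriver.chrome.options import Options
    opts = Options()
    for arg in proxy_arguments(host, port):
        opts.add_argument(arg)
    return webdriver.Chrome(options=opts)


def register_user(driver, user):
    """Steps 1-3 of the flow: home page, Sign Up | New User, fill the form, Register.
    The field names and XPath are assumptions, not verified Hackazon markup."""
    from selenium.webdriver.common.by import By
    driver.get(TARGET)                                                  # step 1
    driver.find_element(By.LINK_TEXT, "Sign Up | New User").click()     # step 2
    fields = {                                                          # step 3
        "first_name": user["first_name"],
        "last_name": user["last_name"],
        "username": user["username"],
        "email": user["email"],
        "password": user["password"],
        "password_confirmation": user["password"],
    }
    for name, value in fields.items():
        driver.find_element(By.NAME, name).send_keys(value)
    driver.find_element(By.XPATH, "//button[normalize-space()='Register']").click()


def fetch_alerts(base_url=TARGET, host=ZAP_HOST, port=ZAP_PORT):
    """Ask ZAP's API for the alerts it recorded under base_url."""
    params = urllib.parse.urlencode({
        "baseurl": base_url, "start": 0, "count": 500,
        "apikey": os.environ.get("ZAP_API_KEY", ""),
    })
    url = f"http://{host}:{port}/JSON/core/view/alerts/?{params}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def summarize_alerts(payload):
    """Collapse ZAP's alert list into a {risk: count} dict and rows sorted by severity."""
    alerts = payload.get("alerts", [])
    by_risk = Counter(a["risk"] for a in alerts)
    rows = sorted(((a["risk"], a["alert"], a["url"]) for a in alerts),
                  key=lambda r: (RISK_ORDER.get(r[0], 9), r[1]))
    return dict(by_risk), rows


def has_blocking_findings(by_risk, threshold="Medium"):
    """True when any alert is at or above the given risk level (used to fail the pipeline)."""
    limit = RISK_ORDER[threshold]
    return any(RISK_ORDER.get(risk, 9) <= limit and count > 0 for risk, count in by_risk.items())


if __name__ == "__main__":
    # Constructed test account for the vulnerable demo site.
    account = {"first_name": "Test", "last_name": "User", "username": "seltest01",
               "email": "seltest01@example.invalid", "password": "Lab-Pass-123"}
    driver = build_driver()
    try:
        register_user(driver, account)
    finally:
        driver.quit()
    counts, rows = summarize_alerts(fetch_alerts())
    print("alerts by risk:", counts)
    for risk, name, url in rows:
        print(f"[{risk:<13}] {name} -> {url}")
    raise SystemExit(1 if has_blocking_findings(counts) else 0)
```

The browser work and the ZAP query are kept in separate functions so that the alert summary can be reused against a saved ZAP report, and the exit code lets a CI job fail on Medium or High findings from the passive scan that ZAP performs while the registration traffic passes through the proxy.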