Summary

In this chapter, we have demonstrated three technical approaches to NodeGoat security automation testing. The first approach is to use ZAP-CLI to run a quick scan of the target website. This kind of testing can serve as a smoke test for every release, since it identifies potentially serious security issues with little setup. We also used Selenium and JMeter to guide ZAP through authenticated pages and other web UI flows, which a spider-driven quick scan cannot reach on its own. Selenium launches the browser to simulate a user's web operations; JMeter sends the HTTP requests and asserts on the HTTP responses for the API-level user sign-in flow.

For the Selenium approach, it is suggested to use the Selenium IDE to record the sign-in operations and export them as a Python unit test script. Once the script is generated, we execute it with the browser configured to use OWASP ZAP as its proxy, so that ZAP sees the authenticated traffic and can raise alerts on it.

For the JMeter approach, CSV Data Set Config reads the test values (such as usernames and passwords) from a CSV file, HTTP Cookie Manager maintains the authenticated session across requests, and HTTP Request samplers send the HTTP POST/GET requests to the website. The JMeter script is then executed in CLI (non-GUI) mode with the proxy set to OWASP ZAP.
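The two proxy-driven approaches above leave one step implicit: after the Selenium or JMeter flow has run through ZAP, something has to read ZAP's alerts and turn them into a pass/fail result for the pipeline. The script below is an added example, not code from the book or from the NodeGoat project. It configures a Selenium Chrome session to route through ZAP, replays a sign-in, then pulls ZAP's alerts over its REST API and fails the run if any alert at or above a chosen risk level was raised. The ZAP address, API key, NodeGoat address, form field names and seed credentials are assumptions; the alert JSON embedded at the bottom is a constructed sample in the shape ZAP's `core/view/alerts` endpoint returns, so the gating logic can be exercised without a live ZAP.

```python
"""Added example (not from the book): drive a recorded Selenium sign-in
through the OWASP ZAP proxy, then read ZAP's alerts over its REST API and
fail the run if any alert at or above the chosen risk level was raised.
Addresses, field names, credentials and the API key are assumptions."""
import json
import sys
import urllib.parse
import urllib.request

ZAP_PROXY = "127.0.0.1:8090"            # assumed ZAP listen address
ZAP_API = "http://" + ZAP_PROXY         # ZAP serves its API on the proxy port
ZAP_API_KEY = "changeme"                # assumed; use the key from ZAP's options
TARGET = "http://localhost:4000"        # assumed NodeGoat address
RISK_ORDER = ("Informational", "Low", "Medium", "High")


def chrome_options_via_zap(proxy=ZAP_PROXY):
    """Chrome options that send every request through ZAP and accept the
    TLS certificates ZAP generates. Assumes selenium is installed."""
    from selenium import webdriver
    opts = webdriver.ChromeOptions()
    opts.add_argument("--proxy-server=http://" + proxy)
    opts.add_argument("--ignore-certificate-errors")
    opts.add_argument("--headless=new")
    return opts


def sign_in(driver, base_url, username, password):
    """Replay the recorded NodeGoat sign-in (field names are assumptions)."""
    from selenium.webdriver.common.by import By
    driver.get(base_url + "/login")
    driver.find_element(By.NAME, "userName").send_keys(username)
    driver.find_element(By.NAME, "password").send_keys(password)
    driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()


def zap_alerts_url(base_url, api=ZAP_API, api_key=ZAP_API_KEY):
    """URL of ZAP's core/view/alerts endpoint, filtered to the target site."""
    query = urllib.parse.urlencode({"baseurl": base_url, "apikey": api_key})
    return api + "/JSON/core/view/alerts/?" + query


def fetch_alerts(base_url):
    """Return the list under "alerts" in ZAP's JSON response."""
    with urllib.request.urlopen(zap_alerts_url(base_url), timeout=30) as resp:
        return json.load(resp)["alerts"]


def count_by_risk(alerts):
    """Number of alerts per ZAP risk level, for the run summary."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def failing_alerts(alerts, threshold="High"):
    """Alerts at or above `threshold`, de-duplicated by (name, url, param)
    so a scanner that fires twice on one input counts once."""
    floor = RISK_ORDER.index(threshold)
    seen, failing = set(), []
    for alert in alerts:
        if RISK_ORDER.index(alert["risk"]) < floor:
            continue
        key = (alert["alert"], alert["url"], alert.get("param", ""))
        if key not in seen:
            seen.add(key)
            failing.append(alert)
    return failing


# Constructed sample in the shape ZAP's API returns; used by the tests only.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": TARGET + "/login", "param": ""},
    {"alert": "SQL Injection", "risk": "High",
     "url": TARGET + "/login", "param": "userName"},
    {"alert": "SQL Injection", "risk": "High",
     "url": TARGET + "/login", "param": "userName"},   # duplicate finding
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low",
     "url": TARGET + "/login", "param": "connect.sid"},
]


def main():
    """Run the browser flow against a live ZAP and NodeGoat, then gate."""
    from selenium import webdriver
    driver = webdriver.Chrome(options=chrome_options_via_zap())
    try:
        sign_in(driver, TARGET, "user1", "User1_123")  # assumed seed account
    finally:
        driver.quit()
    alerts = fetch_alerts(TARGET)
    print(count_by_risk(alerts))
    bad = failing_alerts(alerts, "High")
    for a in bad:
        print("FAIL", a["risk"], a["alert"], a["url"], a["param"])
    sys.exit(1 if bad else 0)


if __name__ == "__main__":
    main()
```

The same gate applies unchanged to the JMeter variant: run the plan in CLI mode with the proxy pointed at ZAP (`jmeter -n -t login.jmx -H 127.0.0.1 -P 8090 -l results.jtl`), then call `fetch_alerts` and `failing_alerts` exactly as `main` does. Passive alerts such as missing headers appear as soon as the proxied traffic flows; active findings such as SQL injection only appear after an active scan has been started on the URLs ZAP has seen, so a pipeline that expects them must trigger the active scan and wait for it before reading the alerts.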

In Chapter 12, Automated Fuzz API Security Testing, we will focus on fuzz API automation testing.
