
This repository is dedicated to the Indonesia Software Quality Assurance members for online learning material.


WebSecurityScanningSample

ZAP Security Scanning Life cycle

Workflow-1

Spider --> Spider with AJAX --> Active Scan --> Alerts --> HTML Report

Workflow-2

Spider --> Spider with AJAX --> Passive Scan --> Alerts --> HTML Report

Precondition (prepare test environment)

  1. Application Under Test: Damn Vulnerable Web Application (DVWA) in Docker
     $ docker run --rm -it -p 3000:80 vulnerables/web-dvwa
  2. Open OWASP ZAP Proxy Desktop (Ubuntu)
     $ zap.sh

Run Automated Security Scanning

Workflow-1 (Active Scan with or without Authentication)

$ mvn clean test -Dtest=SecurityTest#activeScanWithoutAuthentication
$ mvn clean test -Dtest=SecurityTest#activeScanWithAuthentication

Workflow-2 (Passive Scan with or without Authentication)

$ mvn clean test -Dtest=SecurityTest#passiveScanWithoutAuthentication
$ mvn clean test -Dtest=SecurityTest#passiveScanWithAuthentication
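The two life cycles above, driven end to end through the ZAP Java client API (the zap-clientapi library), as an added example that is not the repository's own SecurityTest class. It assumes ZAP Desktop is listening on its default port 8080 with an API key (placeholder below), DVWA is reachable at http://localhost:3000 as started in the preconditions, the scan runs without authentication, and the method signatures are those of the zap-clientapi 1.x generated API.

```java
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

import java.nio.file.Files;
import java.nio.file.Paths;

public class ZapLifecycle {
    // Assumptions: ZAP listens on its default port 8080; the API key is a placeholder to be
    // replaced with the value from ZAP's Options > API; DVWA is the Docker instance on port 3000.
    private static final String TARGET = "http://localhost:3000";
    private static final ClientApi api = new ClientApi("localhost", 8080, "<ZAP_API_KEY_PLACEHOLDER>");

    // Every ZAP view/action used here returns a single-value element; unwrap it as a String.
    private static String value(ApiResponse r) { return ((ApiResponseElement) r).getValue(); }

    // Spider --> Spider with AJAX: the crawl phase shared by both workflows.
    static void crawl() throws ClientApiException, InterruptedException {
        String scanId = value(api.spider.scan(TARGET, null, null, null, null));
        while (Integer.parseInt(value(api.spider.status(scanId))) < 100) Thread.sleep(1000);
        api.ajaxSpider.scan(TARGET, null, null, null);
        while ("running".equals(value(api.ajaxSpider.status()))) Thread.sleep(1000);
    }

    // Workflow-1: Active Scan, polled until the scanner reports 100%.
    static void activeScan() throws ClientApiException, InterruptedException {
        String scanId = value(api.ascan.scan(TARGET, "true", "false", null, null, null));
        while (Integer.parseInt(value(api.ascan.status(scanId))) < 100) Thread.sleep(2000);
    }

    // Workflow-2: Passive Scan only inspects crawl traffic; wait until the passive queue drains.
    static void passiveScan() throws ClientApiException, InterruptedException {
        while (Integer.parseInt(value(api.pscan.recordsToScan())) > 0) Thread.sleep(1000);
    }

    // Alerts --> HTML Report: count the alerts for the target and write ZAP's HTML report.
    static void report(String path) throws Exception {
        System.out.println("Alerts for " + TARGET + ": " + value(api.core.numberOfAlerts(TARGET)));
        Files.write(Paths.get(path), api.core.htmlreport());
    }

    public static void main(String[] args) throws Exception {
        boolean active = args.length > 0 && args[0].equals("active");
        crawl();
        if (active) activeScan(); else passiveScan();
        report(active ? "active-report.html" : "passive-report.html");
    }
}
```

Run with the argument `active` for Workflow-1 and with no argument for Workflow-2; the report lands in the working directory.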

Demo on YouTube - Ubuntu