
Security Testing

Introduction:

As part of the migration of our Java test automation framework into JavaScript using Cypress, we also had to perform security testing. This project covers my work to implement security testing for the eCommerce product.

The following are tools I used to implement security testing:

Dependabot

Dependabot is a security testing tool that can be integrated with GitHub Actions to create pull requests (PRs) that keep dependencies secure and up to date. Dependabot has been acquired by GitHub and is free of charge. It pulls down your project's dependency files and checks them for any outdated or insecure requirements, and it sends PRs whenever those dependencies change. If any dependency is out of date, Dependabot opens an individual pull request to update it; you review the PR, check that your tests have passed, scan the included changelog and release notes, and then merge with confidence.
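As an added example (not configuration from the original post), this is the repository file that switches Dependabot on for a Cypress project of the kind described above; the directory, schedule and labels are assumptions to adjust for your own repository:

```yaml
# .github/dependabot.yml (added example; directory and schedule are assumptions)
version: 2
updates:
  # npm dependencies of the Cypress test framework (package.json at the repo root)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5      # cap the number of open update PRs
    labels:
      - "dependencies"
  # GitHub Actions used by the workflows (e.g. a ZAP scan action) also receive
  # an update PR when a new release of the action is published
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

This file configures version updates only; Dependabot's security updates for dependencies with known vulnerable versions are enabled separately under the repository's security settings.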

Penetration Testing

According to the ZAP (zaproxy) website, security testing is the process of assessing and testing a system to discover security risks and vulnerabilities in the system and its data.

Security Testing can be broken down into 4 categories:

Vulnerability Assessment – the system is scanned and analysed for security issues.

Penetration Testing – the system undergoes attack and analysis from simulated malicious attackers.

Runtime Testing – the end user analyses and performs security testing on the running system.

Code Review – detailed analysis and review of the system code for security vulnerabilities.

In this penetration testing, I play the attacker trying to break into the system, hoping to steal data or carry out some sort of denial-of-service attack against it.

Stages of Pentesting

Explore – As a tester, I attempt to learn what sort of system I am testing: its endpoints, the software in use and any patches installed. I also search the site for hidden content, known vulnerabilities and indications of weaknesses.

Attack – As a tester, I attempt to exploit the known vulnerabilities to prove that they exist.

Report – I report back the results, including the vulnerabilities found, how each was exploited, how difficult it was, and the severity of the exploit.

Ultimately the goal is to search for vulnerabilities so that they can be addressed. Pentesting can also be done to confirm that the system is not vulnerable to a known class of defects or a specific defect, or to verify that a known vulnerability has been fixed.

ZAP is an open-source pentest tool, ideal for beginners but also used by professionals. It is well suited to automating tests, and it works well with other tools.

Active and Passive Scanners

The passive scanner just examines the requests and responses, but it can still detect certain types of problems just on that basis. The passive scanner runs all of the time, and it's completely safe to use on any site as it does not perform any attacks.

The active scanner performs a wide range of attacks and should only be used on apps you have permission to test. It is a real attack and can put targets at risk.

Spider – crawls the app, for example to find pages that you have missed or that have been hidden from you. It can also enter basic default data into forms.

For AJAX applications, use ZAP's AJAX spider.

Report Generation – reports on the issues found, including advice and links to more information about each problem and how to solve it.

To start using ZAP for pen-testing, I downloaded the ZAP pentest tool and followed the instructions to install it.

Scenarios:

1. Traditional spider and AJAX scan

I selected ‘no to persist at the moment’, clicked on the Start button and chose the ‘Automated scan’ button via the Quick Start tab. I entered our test URL as the URL to attack. I left ‘Use traditional spider’ ticked at its default, left the ‘Use ajax spider’ checkbox ticked, and selected Chrome as the browser. I then clicked on the ‘Attack’ button.

This selection carries out a crawl using the spider followed by a passive scan. The traditional spider discovers links by examining the HTML in the responses from the web application. Since our websites make use of AJAX, I also chose ‘Use ajax spider’, as it is likely to be more effective: it explores the web application by following the links that the AJAX code generates. After the scan completed, I generated an HTML report under the Report menu for the stakeholders:


The above report shows the severity of each alert, the URL, a description, and the solution to the problem. This will be useful to the stakeholders. The above report only covers the spider and AJAX spider scan.

2. An active scan

Below is the generated HTML report.



3. Full manual scan

The manual scan provides the user with the Heads Up Display (HUD) interface, in which users can watch the scan executing.


I added instructions on how to reproduce the report to the Jira ticket and to the README.md file of the automation project.

Integrating Zap into GitHub Actions
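As an added example of this integration (not the original post's own workflow), the GitHub Actions workflow below runs the ZAP baseline scan on a schedule: the traditional and AJAX spiders crawl the site and only the passive scanner runs, so no attacks are sent to the target. The target URL, the action version tag and the rules file path are assumptions to replace with your own.

```yaml
# .github/workflows/zap-baseline.yml (added example; target URL, version tag
# and rules file path are placeholders to replace with your own values)
name: ZAP baseline scan

on:
  schedule:
    - cron: "0 6 * * 1"   # every Monday at 06:00 UTC
  workflow_dispatch:      # also allow running it by hand, e.g. before a release

permissions:
  contents: read
  issues: write           # the action files the alerts as a GitHub issue

jobs:
  zap_baseline:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Passive scan only: safe to run against any site you own, as the page
      # explains. For the active scan (scenario 2) use zaproxy/action-full-scan
      # instead, and only against apps you have permission to test.
      - name: Run ZAP baseline scan
        uses: zaproxy/action-baseline@v0.12.0   # pin to the release you verified
        with:
          target: "https://test.example.invalid"   # placeholder test URL
          # -j: use the AJAX spider as well as the traditional spider
          # -a: include the alpha passive-scan rules
          # -m 5: spider for at most 5 minutes
          cmd_options: "-j -a -m 5"
          # Optional per-rule overrides (IGNORE / WARN / FAIL); one TSV line per
          # rule id, e.g.  10096<TAB>IGNORE<TAB>(Timestamp Disclosure - Unix)
          # Create this file in the repo or remove the line.
          rules_file_name: ".zap/rules.tsv"
          fail_action: true          # fail the job when a rule marked FAIL fires
          issue_title: "ZAP baseline scan report"
          token: ${{ secrets.GITHUB_TOKEN }}
```

The HTML report produced by the run, the same kind of report generated from the Report menu in the scenarios above, is uploaded as a workflow artifact, and the alerts are summarised in the issue the action opens.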













