Security Testing using BDD Security
Raghwendra Sonu
Posted on October 14, 2019
BDD-Security is a security testing framework that uses Behaviour Driven Development concepts to create self-verifying security specifications.
The framework is essentially a set of Cucumber-JVM features that are pre-wired with Selenium/WebDriver, OWASP ZAP, SSLyze and Tenable's Nessus scanner.
It tests web applications and APIs from an external point of view and does not require access to the target source code.
OWASP ZAP: OWASP ZAP is an open-source web application security scanner. It is intended to be used both by those new to application security and by professional penetration testers.
SSLyze: SSLyze is a Python tool that analyzes the SSL/TLS configuration of a server by connecting to it.
Nessus Scanner: Nessus is a proprietary vulnerability scanner developed by Tenable.
Steps to use this:
Clone this project from here: https://github.com/continuumsecurity/bdd-security/
Clone RopeyTasks, a vulnerable web application that we can run locally. RopeyTasks is a simple web application that is deliberately built with a number of security vulnerabilities, including: blind HQL injection, XSS, CSRF, case-insensitive passwords, no SSL, and missing HttpOnly and Secure flags on session cookies.
https://github.com/continuumsecurity/RopeyTasks
From the command prompt, run: java -jar ropeytasks.jar
After executing the above command, open your browser at http://localhost:8080 and you should see the login form of the RopeyTasks application.
Log in to the application with any of the credentials below:
admin/password
bob/password
alice/password
- Update the Config.xml file with the Chrome driver path and the application URL. The placeholders to fill in look like this:
@insert url here@
@package name for application specific steps here@
@insert path to zap folder and point it at the batch file when running locally e.g. C:\Automation\SecurityTesting\bdd-security\zap@
- Feature files can be found here: \bdd-security\src\test\resources\features
- Execute the program:
cd bdd-security
gradlew -Dcucumber.options="--tags @authentication --tags ~@skip" test
Sample result from the ZAP scan (screenshot).
After the scan is done, aside from the usual Cucumber report, a comprehensive HTML report is generated. The report states the alert description, the Common Weakness Enumeration (CWE) ID, the Web Application Security Consortium (WASC) ID, recommended solutions, etc.
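As an added example that is not part of this post or of BDD-Security, here is a stand-alone Python check for two of the RopeyTasks weaknesses listed above (no SSL, and missing HttpOnly and Secure flags on the session cookie), the kind of externally observable property the framework's session-management scenarios verify. The responses and cookie values are constructed, and the session cookie name JSESSIONID is an assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed samples of what a scanner sees after logging in.
# WEAK_RESPONSE is the case the post describes (plain HTTP, session cookie
# without HttpOnly/Secure); HARDENED_RESPONSE is what a fixed deployment
# should send. Cookie values are made up for the example.
WEAK_RESPONSE = {
    "url": "http://localhost:8080/login",
    "set_cookie": ["JSESSIONID=1A2B3C4D5E6F; Path=/"],
}
HARDENED_RESPONSE = {
    "url": "https://localhost:8443/login",
    "set_cookie": ["JSESSIONID=1A2B3C4D5E6F; Path=/; HttpOnly; Secure"],
}

# Assumption: the application uses the servlet-container default session cookie name.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def cookie_findings(set_cookie_header):
    """Return (cookie_name, missing_flag) pairs for session cookies in one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = []
    for name, morsel in jar.items():
        if name not in SESSION_COOKIE_NAMES:
            continue  # only session cookies are in scope for these flags
        if not morsel["httponly"]:
            findings.append((name, "HttpOnly"))
        if not morsel["secure"]:
            findings.append((name, "Secure"))
    return findings


def session_findings(response):
    """Evaluate one login response as a session-management scenario would:
    the page must be served over TLS and every session cookie needs both flags."""
    findings = []
    if urlparse(response["url"]).scheme != "https":
        findings.append(("transport", "TLS"))
    for header in response["set_cookie"]:
        findings.extend(cookie_findings(header))
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, session_findings(resp) or "PASS")
```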