Integrating Zed Attack Proxy (ZAP) with WebDriver
The long-awaited integration of Zed Attack Proxy with Selenium/WebDriver is now a reality. Integrating ZAP with WebDriver lets us automate the application security testing process. The Java-based application can be integrated successfully with our C#-based WebDriver platform.
To get started, you need the following components:
- Java Runtime Environment (JRE) Version 7 Update 6
- Apache ANT application server version 1.8.4
- ZAP Application 1.4.0.1
- ZAP Client side APIs
The architecture of the solution is as follows:
The framework uses the REST API calls provided by the ZAP security tool and uses the Apache ANT application server to make these API calls. It launches ZAP in application mode and also in headless mode (the ZAP application runs in the background), where the tool performs the passive scan. It saves the sessions via a simple REST API call. According to the ZAP API development team, the report generation API call has not been developed yet, so reports have to be generated manually in the tool itself after loading the saved session files (hope to see this in future REST API releases).
This solution can also be extended to run active scans and the spider on the captured web pages via REST API calls. The calls from the Selenium functions can be made via simple batch calls, or they can be integrated into the code, which will make command-line calls from the C# code.
Currently there are functions to launch ZAP and save sessions. I will implement the functions for active scan and spider when time permits.
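
The flow described above, as an added example that is not the author's framework code: a C# WebDriver run proxied through a headless ZAP instance, followed by a wait for the passive scan and a session save. It assumes a current ZAP release with the JSON API (`pscan/view/recordsToScan`, `core/action/saveSession`) rather than version 1.4.0.1, calls the API directly with `HttpClient` instead of going through ANT, and uses an assumed listen address, a placeholder API key and a hypothetical test URL.

```csharp
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using OpenQA.Selenium;
using OpenQA.Selenium.Chrome;

// Added example. Assumes ZAP is already running headless, e.g. started with:
//   zap.bat -daemon -port 8080 -config api.key=<your-zap-api-key>
public static class ZapPassiveScanRun
{
    const string ZapAddress = "localhost:8080";     // assumed ZAP listen address
    const string ApiKey = "<your-zap-api-key>";     // placeholder, not a real key
    static readonly HttpClient Http = new HttpClient();

    // Call a ZAP JSON API endpoint and return the parsed response.
    static JsonElement Zap(string path, string query = "")
    {
        var url = $"http://{ZapAddress}/JSON/{path}/?apikey={Uri.EscapeDataString(ApiKey)}{query}";
        var body = Http.GetStringAsync(url).GetAwaiter().GetResult();
        return JsonDocument.Parse(body).RootElement;
    }

    public static void Main()
    {
        // Route all browser traffic through ZAP so it can passively scan it.
        var options = new ChromeOptions
        {
            Proxy = new Proxy { HttpProxy = ZapAddress, SslProxy = ZapAddress },
            AcceptInsecureCertificates = true   // ZAP re-signs TLS with its own CA
        };
        IWebDriver driver = new ChromeDriver(options);
        try
        {
            driver.Navigate().GoToUrl("http://testapp.example/login"); // hypothetical app under test
            // ... existing WebDriver test steps go here ...
        }
        finally { driver.Quit(); }

        // Wait until the passive scanner has processed every captured message.
        while (Zap("pscan/view/recordsToScan").GetProperty("recordsToScan").GetString() != "0")
            Thread.Sleep(1000);

        // Save the session so the findings can be reviewed in the ZAP UI later.
        Zap("core/action/saveSession", "&name=webdriver-run&overwrite=true");
    }
}
```

Run this only against an application you are authorized to test, and keep the ZAP API bound to localhost with an API key set so other hosts cannot drive the proxy.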