BDD-Security is a security testing framework that uses Behaviour Driven Development concepts to create self-verifying security specifications.
The framework is essentially a set of Cucumber-JVM features that are pre-wired with Selenium/WebDriver, OWASP ZAP, SSLyze and Tenable's Nessus scanner.
It tests web applications and APIs from an external point of view and does not require access to the target's source code.
- OWASP ZAP: an open-source web application security scanner, intended both for people new to application security and for professional penetration testers.
- SSLyze: a Python tool that analyzes a server's SSL/TLS configuration by connecting to it.
- Nessus: a proprietary vulnerability scanner developed by Tenable.
Steps to use this:
Clone this project from here: https://github.com/continuumsecurity/bdd-security/
Clone RopeyTasks, a vulnerable web application that can be run locally. RopeyTasks is a simple web application deliberately built with a number of security vulnerabilities, including blind HQL injection, XSS, CSRF, case-insensitive passwords, no SSL, and session cookies that lack the HttpOnly and Secure flags.
From a command prompt, run: java -jar ropeytasks.jar
After executing the above command, open your browser at http://localhost:8080; you should see the login form of the RopeyTasks application.
Log in to the application with any of the credentials below:
- Update the Config.xml file with the Chrome driver path and the application URL. @insert url here@
@package name for application specific steps here@
@insert path to zap folder and direct it the batch file when running locally e.g. C:\Automation\SecurityTesting\bdd-security\zap@
Feature files can be found under \bdd-security\src\test\resources\features
Run the test suite. The command below runs only the scenarios tagged @authentication and skips any scenario tagged @skip:
gradlew -Dcucumber.options="--tags @authentication --tags ~@skip" test
Sample result from the ZAP scan.
After the scan is done, in addition to the usual Cucumber report, a comprehensive HTML report is generated. For each alert it states the description, the Common Weakness Enumeration (CWE) ID, the Web Application Security Consortium (WASC) ID, the recommended solution, and so on.
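The session-cookie and no-SSL weaknesses listed above for RopeyTasks are the kind of self-verifying check that the framework's session-management features encode: the specification either passes or fails against the live response. The following is an added example, written here in Python rather than taken from bdd-security's own Java/Cucumber steps, showing how such a check decides. The list of session-cookie names and the Set-Cookie headers are constructed for the example, and it goes beyond the page's list by also checking the SameSite attribute, which is relevant to the CSRF weakness RopeyTasks also has.

```python
"""Self-verifying session-cookie check (added example, not bdd-security code)."""
from dataclasses import dataclass, field

# Constructed list of cookie names treated as session identifiers; extend for your app.
SESSION_COOKIE_NAMES = {"jsessionid", "sessionid", "session", "phpsessid", "auth", "token"}

# Constructed sample: a RopeyTasks-style login response served over plain HTTP.
VULNERABLE_HEADERS = [
    "JSESSIONID=7F3A2B9C1D; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",  # not a session cookie, ignored by the check
]

# Constructed sample: the same response after hardening, served over HTTPS.
HARDENED_HEADERS = [
    "JSESSIONID=7F3A2B9C1D; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value ("" for bare flags such as HttpOnly)
    attrs: dict = field(default_factory=dict)

    def has_flag(self, flag):
        return flag.lower() in self.attrs


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into a Cookie.

    Attribute names are matched case-insensitively, as browsers do (RFC 6265,
    section 5.2), so "httponly" and "HttpOnly" are the same flag.
    """
    parts = [p.strip() for p in header_value.split(";")]
    if "=" not in parts[0]:
        raise ValueError("malformed Set-Cookie: %r" % header_value)
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def audit_session_cookies(set_cookie_headers, served_over_tls):
    """Return a list of findings; an empty list means the specification passes.

    served_over_tls says whether the response arrived over HTTPS. Browsers never
    send a Secure cookie over plain HTTP, so on a no-SSL site like RopeyTasks the
    Secure flag cannot even be deployed without breaking login: the transport
    finding has to be fixed before the cookie finding can be.
    """
    findings = []
    if not served_over_tls:
        findings.append("transport: application served over plain HTTP (no SSL)")
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() not in SESSION_COOKIE_NAMES:
            continue
        if not cookie.has_flag("httponly"):
            findings.append(f"{cookie.name}: missing HttpOnly flag")
        if not cookie.has_flag("secure"):
            findings.append(f"{cookie.name}: missing Secure flag")
        samesite = cookie.attrs.get("samesite", "").lower()
        if samesite not in ("lax", "strict"):
            findings.append(f"{cookie.name}: SameSite not Lax/Strict ({samesite or 'unset'})")
    return findings


if __name__ == "__main__":
    for label, headers, tls in (("vulnerable", VULNERABLE_HEADERS, False),
                                ("hardened", HARDENED_HEADERS, True)):
        result = audit_session_cookies(headers, served_over_tls=tls)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Against the constructed vulnerable response the check fails with four findings (transport, HttpOnly, Secure, SameSite) and against the hardened one it passes, which is the same pass/fail verdict the framework's scenario would report. To run it against the local RopeyTasks instance, feed it the Set-Cookie headers from the login response and served_over_tls=False.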