• Type: Bug
• Resolution: Not A Defect
• Priority: Minor
• Component: zaproxy-plugin

      Hello Ludovic,

      I'm trying to set up ZAP under Jenkins using Selenium, but I cannot get the same results as ZAP GUI on my desktop.

      General information:

      • My web app for testing is DVWA
      • Capture a user sequence using the Selenium plugin for Firefox
      • Launch a ZAP scan (Default Profile using HIGH and INSANE) via the GUI (Firefox is wired to the ZAP proxy) using the same sequence, export the results
      • Do the same thing using Jenkins: start the ZAP proxy, configure Firefox to go through the ZAP proxy, launch the Selenium tests, launch the scans using the ZAP plugin.

      But it won't show me any High alerts (at least it should show me an SQLi alert)
      (cf. Jenkins build logs attached)

      Am I doing something wrong?

      EDIT: CI and desktop reports added + job configuration

      Cheers,
      Farid.

        1. jenkins_1.png (36 kB)
        2. jenkins_2.png (35 kB)
        3. rapport_desktop.html (91 kB)
        4. report_zap_jenkins.html (1.18 MB)
        5. report_zap.html (88 kB)
        6. sel_test.html (2 kB)
        7. SeleniumConfigLudovic.PNG (17 kB)
        8. set_suite.html (0.5 kB)
        9. stdout.txt (33 kB)
        10. testresult.html (5 kB)

          [JENKINS-29265] Active scan not working with selenium

          Hi Farid,

          I think this problem is not due to the ZAProxy Jenkins Plugin but to ZAP itself.
          Have you tried relaunching the scan via the GUI and Jenkins many times? Are the results still the same for both?

          Can you send me your Selenium sequence and your reports from the ZAP GUI and from ZAProxy Jenkins?
          Finally, can you send me a screenshot of your Jenkins job (most particularly your Selenium config)?

          Regards,
          Ludovic.


          Hi Ludovic,

          I added the files for the Jenkins and desktop analyses.

          And many launches always give me the same results.

          Thank you =)
          Farid.


          Hi Farid,

          Thanks for the files. Have you tried launching the Jenkins job without checking the "Spider URL" checkbox?
          Normally, you should receive only alerts for pages visited by Selenium.

          Tell me your results with this config.

          Regards,
          Ludovic.


          Farid Boukerche added a comment (edited)

          Done, but still only Medium and Low alerts show up (report_zap.html).

          Maybe I could try changing the version of ZAP on the CI server?

          Thanks,
          Farid.


          You can try to change the ZAP version, but I think you will get the same results.
          In particular, in the ZAP 2.3.1 core version a library is missing and no passive alerts are raised (maybe it has been fixed since).

          Can you send me your set_suite.html so I can test?

          Regards,
          Ludovic.


          Test and test suite added (sel_test.html, set_suite.html).

          You just have to change the location of DVWA inside the Selenium test.

          Thanks,
          Farid.


          Ludovic Roucoux added a comment (edited)

          Hi Farid,

          I finally succeeded in using the Hudson Seleniumhq plugin with ZAProxy. I needed to specify a custom Firefox profile in the other options of the Seleniumhq plugin (see the picture in the attachment).

          This custom profile is already configured with the correct proxy host and port. -Dhttp.proxyHost and -Dhttp.proxyPort don't work for me.

          So, when I launch a build with this config, I get High alerts containing SQL Injection. However, I launched the build several times and the number of alerts is not the same every time. I obtained the same result with the ZAP GUI (not always the same number of alerts). So I think this is ZAProxy's behaviour (see https://groups.google.com/forum/#!topic/zaproxy-users/lYfhbrTb5Uo)

          Regards,
          Ludovic.


          Farid Boukerche added a comment (edited)

          Hi Ludovic,

          Thank you for your work, I now have the same configuration (using a Firefox profile). Using Java worked, but we can't convert all the HTML test cases in our project...

          EDIT: by modifying the policy, I now get High alerts =) thanks!

          Can you post your build logs from Jenkins?

          Can we see the requests captured in the log of the ZAP proxy? Mine shows nothing; here is an extract:

          12:16:04.597 INFO - Launching a standalone Selenium Server
          12:16:04.627 INFO - Java: Oracle Corporation 25.45-b02
          12:16:04.628 INFO - OS: Linux 4.0.5-boot2docker amd64
          12:16:04.638 INFO - v2.46.0, with Core v2.46.0. Built from revision 87c69e2
          12:16:04.700 INFO - Driver provider org.openqa.selenium.ie.InternetExplorerDriver registration is skipped:
          registration capabilities Capabilities [{ensureCleanSession=true, browserName=internet explorer, version=, platform=WINDOWS}] does not match the current platform LINUX
          12:16:04.701 INFO - Driver class not found: com.opera.core.systems.OperaDriver
          12:16:04.701 INFO - Driver provider com.opera.core.systems.OperaDriver is not registered
          12:16:04.847 WARN - Caution: '/usr/bin/firefox': file is a script file, not a real executable. The browser environment is no longer fully under RC control
          jar:file:/usr/lib/selenium/selenium-server-standalone-2.46.0.jar!/customProfileDirCUSTFFCHROME
          12:16:04.954 INFO - Preparing Firefox profile...

          12:16:06.063 INFO - Launching Firefox...

          8084 [ZAP-ProxyThread-8] INFO org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions - Added new session token for site '192.168.59.103:35001': PHPSESSID
          8085 [ZAP-ProxyThread-8] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 0, active=false, tokenValues='']

          12:16:08.600 INFO - Received posted results
          sel_test.html
          <a href="sel_test.html">sel_test</a></td></tr>
          </tbody></table>

          12:16:09.066 INFO - Killing Firefox...
          12:16:09.130 INFO - Shutting down...
          Perform ZAProxy
          Skip loadSession
          Skip spidering the site http://192.168.59.103:35001
          Scan the site http://192.168.59.103:35001
          Scan url http://192.168.59.103:35001 with the following policy [Important]
          9521 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Path Traversal
          9521 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Remote File Inclusion
          9521 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Server Side Include
          9521 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Reflected)
          9522 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent)
          9522 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin SQL Injection
          9522 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Server Side Code Injection
          9522 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Remote OS Command Injection
          9522 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Directory Browsing
          9522 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin External Redirect
          9523 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin CRLF Injection
          9523 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Parameter Tampering
          9523 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Prime
          9523 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Spider
          9523 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Script active scan rules
          9526 [ZAP-ProxyThread-27] INFO org.parosproxy.paros.core.scanner.Scanner - scanner started
          9529 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Path Traversal
          9530 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Remote File Inclusion
          9530 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Server Side Include
          9530 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Reflected)
          9530 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent)
          9530 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin SQL Injection
          9531 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Server Side Code Injection
          9531 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Remote OS Command Injection
          9531 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Directory Browsing
          9531 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin External Redirect
          9532 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin CRLF Injection
          9533 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Parameter Tampering
          9533 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Prime
          9534 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Cross Site Scripting (Persistent) - Spider
          9534 [Thread-67] INFO org.parosproxy.paros.core.scanner.PluginFactory - loaded plugin Script active scan rules
          Status scan = 0%

          Thanks,
          Farid.

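Two things made the Jenkins run match the desktop one in this thread: a Firefox profile that really sends its traffic through ZAP (the -Dhttp.proxyHost route never reached the browser), and a scan policy in which the SQL Injection rule is enabled. The added example below, which is not code from the ZAProxy Jenkins plugin or from either commenter, renders such a profile's user.js and runs a preflight check over ZAP API answers before the active scan is started; the ZAP listen address, the two response shapes and the sample values are assumptions constructed for the example.

```python
# Added example: Firefox-through-ZAP prefs plus a preflight check on ZAP API answers.
# ZAP address, API response shapes and sample values below are assumptions.
import json
from urllib.parse import urlsplit

ZAP_HOST, ZAP_PORT = "127.0.0.1", 8090   # assumed address ZAP is listening on

def firefox_proxy_prefs(host: str, port: int) -> dict:
    """Prefs for a Firefox profile that sends HTTP and HTTPS through ZAP; this is
    the 'custom profile' route, since -Dhttp.proxyHost never reaches the browser."""
    return {
        "network.proxy.type": 1,                          # manual proxy configuration
        "network.proxy.http": host,
        "network.proxy.http_port": port,
        "network.proxy.ssl": host,
        "network.proxy.ssl_port": port,
        "network.proxy.no_proxies_on": "",                # bypass nothing, not even localhost
        "network.proxy.allow_hijacking_localhost": True,  # newer Firefox still bypasses otherwise
    }

def render_user_js(prefs: dict) -> str:
    """Serialise the prefs as a user.js file to drop into the profile directory."""
    return "".join(f'user_pref("{k}", {json.dumps(v)});\n' for k, v in prefs.items())

def origin(url: str) -> str:
    """Reduce a URL to scheme://host:port, the granularity of ZAP's site tree."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.hostname}:{u.port or (443 if u.scheme == 'https' else 80)}"

def target_seen_by_zap(sites_json: str, target: str) -> bool:
    """True if GET /JSON/core/view/sites/ lists the target, i.e. Selenium traffic reached ZAP."""
    return origin(target) in {origin(s) for s in json.loads(sites_json).get("sites", [])}

def disabled_rules(scanners_json: str, wanted: set) -> set:
    """Names from `wanted` that GET /JSON/ascan/view/scanners/ reports as not enabled."""
    enabled = {s["name"] for s in json.loads(scanners_json)["scanners"]
               if str(s.get("enabled", "")).lower() == "true"}
    return wanted - enabled

def preflight(sites_json: str, scanners_json: str, target: str, wanted: set) -> list:
    """Reasons a build would end with an empty or weak report; [] means go ahead."""
    problems = []
    if not target_seen_by_zap(sites_json, target):
        problems.append("no request for the target reached ZAP: check the Firefox proxy profile")
    missing = disabled_rules(scanners_json, wanted)
    if missing:
        problems.append("scan policy has these rules disabled: " + ", ".join(sorted(missing)))
    return problems

# Constructed API answers (shaped like ZAP's JSON views; ids and values are made up).
SITES_EMPTY = '{"sites": []}'
SITES_OK = '{"sites": ["http://192.168.59.103:35001"]}'
SCANNERS = json.dumps({"scanners": [
    {"id": "CONSTRUCTED-1", "name": "SQL Injection", "enabled": "false"},
    {"id": "CONSTRUCTED-2", "name": "Cross Site Scripting (Reflected)", "enabled": "true"}]})

if __name__ == "__main__":
    print(render_user_js(firefox_proxy_prefs(ZAP_HOST, ZAP_PORT)))
    print(preflight(SITES_EMPTY, SCANNERS, "http://192.168.59.103:35001", {"SQL Injection"}))
```

In a real job the two JSON strings would be fetched from the running ZAP's core/view/sites and ascan/view/scanners views after the Selenium step and before the active scan, so an empty site tree fails the build instead of producing a report with no High alerts.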

          This issue can be abandoned, everything works fine.

          Cheers,
          Farid.


            ludovicroucoux Ludovic Roucoux
            pythondz Farid Boukerche