• Type: Bug
• Resolution: Not A Defect
• Priority: Minor
• Component: zaproxy-plugin

      Hello Ludovic,

      I'm trying to set up ZAP under Jenkins using Selenium, but I cannot get the same results as with the ZAP GUI on my desktop.

      General information:

      • My webapp for testing is DVWA
      • Capture a user sequence using the Selenium plugin for Firefox
      • Launch a ZAP scan (Default Profile using HIGH and INSANE) via the GUI (Firefox is wired to the ZAP proxy) using the same sequence, export the results
      • Do the same thing using Jenkins: start the ZAP proxy, configure Firefox to go through the ZAP proxy, launch the Selenium tests, launch the scans using the ZAP plugin.

      But it won't show me any High alerts (at least, it should show me an SQLi alert)
      (cf: Jenkins build logs attached)

      Am I doing something wrong?

      EDIT: CI and Desktop reports added + job configuration

      Cheers,
      Farid.

        1. SeleniumConfigLudovic.PNG (17 kB)
        2. sel_test.html (2 kB)
        3. set_suite.html (0.5 kB)
        4. report_zap.html (88 kB)
        5. jenkins_2.png (35 kB)
        6. jenkins_1.png (36 kB)
        7. report_zap_jenkins.html (1.18 MB)
        8. testresult.html (5 kB)
        9. rapport_desktop.html (91 kB)
        10. stdout.txt (33 kB)

          [JENKINS-29265] Active scan not working with selenium

          Farid Boukerche created issue -

          Hi Farid,

          I think this problem is not due to the ZAProxy Jenkins Plugin but to ZAP itself.
          Have you tried relaunching the scan via the GUI and Jenkins several times? Are the results still the same for both?

          Can you send me your Selenium sequence and your reports from the ZAP GUI and from ZAProxy Jenkins?
          Finally, can you send me a screenshot of your Jenkins job (most particularly your Selenium config)?

          Regards,
          Ludovic.

          Farid Boukerche made changes -
          Attachment New: report_zap_jenkins.html [ 30144 ]
          Attachment New: testresult.html [ 30145 ]
          Attachment New: rapport_desktop.html [ 30146 ]
          Description edited: appended "EDIT : reports CI and Desktop added"
          Farid Boukerche made changes -
          Attachment New: jenkins_1.png [ 30147 ]
          Attachment New: jenkins_2.png [ 30148 ]
          Description edited: "EDIT : reports CI and Desktop added" changed to "EDIT : reports CI and Desktop added + job configuration"

          Hi Ludovic,

          I added the files for the Jenkins and Desktop analysis.

          And many launches always give me the same results.

          Thank you =)
          Farid.


          Hi Farid,

          Thanks for the files. Have you tried launching the Jenkins job without checking the "Spider URL" checkbox?
          Normally, you should receive only alerts for the pages visited by Selenium.

          Tell me your results with this config.

          Regards,
          Ludovic.


          Farid Boukerche added a comment - edited

          Done, but still only Medium and Low alerts show up (see report_zap.html).

          Maybe I can try to change the version of ZAP on the CI server?

          Thanks,
          Farid.

          Farid Boukerche made changes -
          Attachment New: report_zap.html [ 30150 ]

          You can try to change the ZAP version, but I think you will have the same results.
          In particular, in the ZAP 2.3.1 core version a library is missing and no passive alerts are raised (maybe it has been fixed since).

          Can you send me your set_suite.html so I can test?

          Regards,
          Ludovic.


          Test and test suite added: sel_test.html, set_suite.html

          You just have to change the location of DVWA inside the Selenium test.

          Thanks,
          Farid.

          Farid Boukerche made changes -
          Attachment New: sel_test.html [ 30156 ]
          Attachment New: set_suite.html [ 30157 ]

            Assignee: Ludovic Roucoux (ludovicroucoux)
            Reporter: Farid Boukerche (pythondz)
            Votes: 0
            Watchers: 2