Good morning to you. So before I start with my introduction and with my presentation, let us discuss something about the recent facts and the recent attacks. So as you guys know, thousands of attacks are made every year on web applications or any website like GitHub, the largest online repository, which we use to make our projects centralized. So last year GitHub was attacked by DDoS, a Distributed Denial of Service attack. So you can imagine how it can make an impact on any company's business. Take another example, eBay. eBay was a victim of cross-site scripting, where what the attackers did was inject their script into the home page of eBay. So when you launch the URL of eBay it will show you a fake or false login page, and if you enter your credentials there it will take you to the false home page, or your credentials will directly go to the attackers. So they have all the access to your account. Facebook. Facebook organizes a bug bounty program every year where they select a penetration tester or ethical hacker to find any vulnerability in their application. So last year in such a bug bounty program, a penetration tester named Orange Tsai discovered a backdoor in a Facebook server, and the most interesting thing is that that backdoor had already been placed by another attacker, with code which can exploit the critical information of Facebook staff. So this kind of attack can make a big impact on any website's business. So guys, I am Sarvesh Srivastava. I am from QA InfoTech, Noida. I have been working in the testing domain, especially in automation testing, for the last two years. So you all must have a brief idea about security testing, what the security concerns are and how we perform security testing manually. So I took the next step towards it, and at QA InfoTech in the last ten months I have developed a framework and integrated it with our existing Selenium framework, which we are using for functional test scripts, to automate security testing with it.
Do it in an automated way, actually. So as we already discussed, with increasing cyber threats and online attacks, continuous security testing has become inevitable, and making sure that all vulnerabilities are unearthed regularly is highly significant. So the presentation proposes a solution where automated security testing could be achieved in conjunction with functional testing carried out with the Selenium API. So I think I should start my presentation with a disclaimer that I am not a security expert but a true believer that finding product vulnerabilities is also a responsibility of all associated communities, because security is also part of quality, and I think it is more important to make security testing a daily habit as we do regression testing, regression functional testing. So let me take you through the agenda. First of all we will discuss why we really need automated security testing. Then we will discuss the spectrum of some available tools for automated security scanning and testing, and from those tools which specific tool I am picking as the core component of this framework. Then the detailed architecture of this framework, the framework coverage, what coverage this framework provides versus the OWASP Top 10 list, and then I will take you through a quick demo, then the analysis and reporting of this framework, and at last the overall message that if I am able to take on security testing with this framework, you being more expert, you all can take it too. What is security testing? In very simple words we can say security testing is a process of finding vulnerabilities and loopholes in any web application which can cause unauthenticated and unauthorized access by outside attackers. So as we know how digital things have gone, cyber crimes continue to be on the rise and we keep hearing the stories of how attackers attack web applications.
So what is happening as of today: even to conduct manual security testing we need security experts, because it requires a lot of understanding of each and every security scenario, like what ethical hacking is, what kinds of threats are out there, and it is much more complex to even conduct security tests, manual security tests. So I think most of us work on agile methodology, where we have continuous releases after a specific time period. So it takes lots of effort, cost and time to perform manual security testing, and no readily automated framework is available for security testing. So the question arises here: how can we reduce this effort, cost, time, everything? Is it possible to automate this process? Yes, but how? We will go through the presentation. So here are the tools which are available, here are the famous tools which are available in the market for automated security scanning and security testing. So let me ask you one question. How many of you are familiar with these automated tools? Anyone? Do you work on Burp Suite? I think Burp Suite, yes, not for scanning, yes. Anyone else? That is very famous. Which one? Say again, is it paid? So these are some famous tools: Metasploit, Acunetix, Netsparker, Retina. But the common thing about these tools is that they are paid and the license cost is very high. And also they do not provide any API, so you cannot write a program or implement or integrate these tools in your framework or programs. But there is a tool in the middle, OWASP ZAP, the Open Web Application Security Project Zed Attack Proxy. So do you know what OWASP is? Have you ever heard about OWASP? It is a community which always works for concerns all over the web, security concerns, and OWASP provides a list of the top ten vulnerabilities every three years; the last, I think the last vulnerability list was in 2016 and we are expecting the next list in 2016. So why did we pick this OWASP ZAP, what is the reason? So let's discuss it.
So Zed Attack Proxy, ZAP, is a penetration testing tool for any web application, and it is open source and free of cost. So we can customize it according to our requirements, and also it is cross-platform. So ZAP is available for Linux, Windows and Mac as well, and it is very easy to use and install. The only thing is it requires Java 1.7 or higher, and also ZAP provides a very good API for programming which allows you to interact with ZAP programmatically, and it easily integrates with Selenium. So what did we do? We integrated ZAP with our existing Selenium framework which we are using for functional testing. So the same framework can perform functional testing and security testing as well, with the help of the functional test scripts. This is the detailed architecture of this framework, how ZAP and Selenium work together. So here is Selenium, a browser, ZAP and the web application which is under test. So as we all know, Selenium can perform some actions on the browser, and here we can see ZAP is working as a proxy between the browser and the web application under test. So it means every action which is performed on the browser will definitely go through ZAP before it reaches the server, the web application's server. So what did we do? We execute Selenium functional test scripts on the browser, and ZAP will record and capture all the traffic which travels between the browser and the web application: all the traffic, all the HTTP requests, responses, all the data. So it will store it, and after that is done it will thoroughly scan the web application; it will perform an active scan and a passive scan. Do you know what active scanning and passive scanning are? Actually, in passive scanning it will not modify or change any request; it will just monitor, just capture and then analyze, make an analysis of all these traffic requests and responses. But in active scanning it can change and modify request and response data. So the active scanning is more effective.
So after the scanning is done it will generate a detailed report about each and every vulnerability in different kinds of format like XML, JSON and HTML. I will show you the detailed report later. So here is a piece of code where we can easily understand how Selenium can interact with ZAP. So first of all we need to pass all of your WebDriver actions through a proxy on a port on which ZAP is listening. So at last this is the final WebDriver which is ready to interact with ZAP. So all WebDriver actions first go through ZAP before they reach the application server. By default ZAP works on port 8080, as you can see in the port line, but later we can reconfigure it on any other port as per our requirement. So here is the framework coverage. This framework covers approximately 80% of the OWASP Top 10 list, not all but approximately 80%, and these are not all. This framework can cover other vulnerabilities which are not listed here, but these vulnerabilities are from the OWASP Top 10 list: different kinds of injection, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, missing function level access control and unvalidated redirects and forwards. You can easily go to the website of OWASP and you can find how many vulnerabilities ZAP can cover actually. So for the demo I am using this website, demo.test.net; actually it is a demo website which is available online for penetration testing and security testing. So here is a warning: please do not try to attack or penetrate any website without permission, because it is illegal. You can use any of these; there are lots of websites available online where you can practice penetration testing, and also you can host your own website on a local server and try on it. So it is a demo online banking website. This is the login page, so I am starting my script here.
So scanning is started. A spider, actually a spider will crawl into your application and it will collect all the URLs. The Selenium script will go through the URLs, and those URLs it will collect and store. After the spider is done, the active scanning will take place. So it will take some time, actually. So I have a report which I have already. Yes, yes, as the spider uncovers the URLs, ZAP will scan a network URL, so it is a parallel process. Yes, I will try to do that. It needs URLs, so you can manually explore the website, which is a very complex thing and actually very time consuming. So that is why we integrated it with our functional tests, so the Selenium script will take its place. So here is the detailed report in HTML format. So actually this report is very easy to understand; a non-security-expert person can easily understand the details which are in this report, like the description, URLs, and also it provides the possible solution of the vulnerability. Like it says, in this application there are 6 high level vulnerabilities and 67 medium priority vulnerabilities and 183 low level vulnerabilities. So here is the description of what cross-site scripting is; we can read it out, and it provides the URL on which this vulnerability is found, and the parameter, on what web element this vulnerability is, and what kind of attack it verified, and also the evidence, and also it provides the possible solution, so you can easily read it out and understand all the things. So let us check whether these vulnerabilities really exist in the web application or not. So let us check the cross-site scripting. So it says on this URL cross-site scripting exists, so let me launch this one. Yes, the tool is different. So this is the login page; let me log in with the wrong credentials. So as my credentials are wrong I am not able to log in to the application. So let me try with this cross-site script. So it means cross-site scripting really exists in the web application.
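The proxy wiring from the code slide and the spider, active scan and report steps described above, written out as an added Java example (this is not the speaker's framework code). It assumes ZAP listening on localhost:8080 with an API key configured, the Selenium Java bindings (3.14 or later) and the zap-clientapi library on the classpath, a test application you are permitted to scan at an assumed URL, and assumed login field names.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import org.openqa.selenium.By;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;

/** Drives a Selenium login through ZAP, then spiders, active-scans and saves the HTML report. */
public class ZapSeleniumScan {
    // Assumed environment: ZAP on localhost:8080 (its default port), an API key set in ZAP's
    // options, and a deliberately vulnerable test site you own or are permitted to scan.
    static final String ZAP = "localhost:8080";
    static final String API_KEY = "changeme";
    static final String TARGET = "http://localhost:8000/login.jsp";

    public static void main(String[] args) throws Exception {
        // 1. Route every WebDriver action through ZAP so the proxy records all HTTP traffic.
        //    (For HTTPS targets the browser must also trust ZAP's root CA certificate.)
        Proxy proxy = new Proxy().setHttpProxy(ZAP).setSslProxy(ZAP);
        ChromeOptions options = new ChromeOptions();
        options.setProxy(proxy);
        WebDriver driver = new ChromeDriver(options);
        try {
            // 2. Functional step: log in with test credentials so ZAP also sees authenticated
            //    pages. Element names are assumed; use your application's own.
            driver.get(TARGET);
            driver.findElement(By.name("uid")).sendKeys("testuser");
            driver.findElement(By.name("passw")).sendKeys("testpass");
            driver.findElement(By.name("btnSubmit")).click();
        } finally {
            driver.quit();
        }
        // 3. Spider the site ZAP has seen, then active-scan it; each call returns a scan id
        //    and the matching status endpoint reports percent complete.
        ClientApi zap = new ClientApi("localhost", 8080, API_KEY);
        String spiderId = value(zap.spider.scan(TARGET, null, "true", null, null));
        while (Integer.parseInt(value(zap.spider.status(spiderId))) < 100) Thread.sleep(1000);
        String scanId = value(zap.ascan.scan(TARGET, "true", "false", null, null, null));
        while (Integer.parseInt(value(zap.ascan.status(scanId))) < 100) Thread.sleep(5000);
        // 4. Save the HTML report the talk walks through (xmlreport/jsonreport also exist).
        Files.write(Paths.get("zap-report.html"), zap.core.htmlreport());
    }

    /** Unwraps the single string value ZAP returns for scan ids and status percentages. */
    static String value(ApiResponse response) {
        return ((ApiResponseElement) response).getValue();
    }
}
```

Run it with ZAP already started (for example `zap.sh -daemon -port 8080`); the passive scan needs no extra call, since ZAP analyses the recorded traffic as it passes through the proxy.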
So let us try another vulnerability like SQL injection. Yes, launch this one. As I have no login credential for this web application, let us try to log in to this application. So it means this report is correct. You can ignore low-level priorities if you want in the report; actually this report is customized, so we can customize it. Say again? Yes, I copied the SQL query from the report, so it says on this URL, by attacking, by entering this SQL query. So this report is actually very easy to understand and you can read it out and easily understand it. UID is a user ID, user name field. Yes, actually both fields are attackable, like see the parameter UID and here the parameter pass; we can attack with the same query on both the fields, so both fields are attackable. Let us try this query also. There is this search field; this is also vulnerable, I think to the cross-site script. This is the search field, that is the parameter text search. So in my organization I am working on a project, so I implemented this framework and tried to scan that project and found this report. It does not have any high priority vulnerability, but it has medium priority vulnerabilities and low priority vulnerabilities. So what we did: I went to my manager and told him that we can send this report to our client on a daily basis without any extra cost and effort. So what we did, we started to send these reports to the clients, and the client was happy that he does not need to pay any extra cost for it. So this is what I will tell you in the limitations part.
However, all these things will be taken care of by the tool. Yes, so you need to make a special configuration for that. Actually you can rely on this tool, because, I do not know what that survey was actually, in a survey this tool came in first place in 2015, I guess in 2014 it was in second place, and in 2015 it was again in 2015. So OWASP is a very famous community actually, so we can rely on it, not completely, but. So, the analysis and reporting. So as we already saw, this framework can generate a detailed report about all possible vulnerabilities in XML, HTML and JSON format, and also you can parse the XML and JSON and customize these reports; like earlier I mentioned, you can ignore low priority vulnerabilities if you want, and medium priority vulnerabilities, so it is totally customizable. Also graphical representation is possible for the reports, for easy interpretation. Limitations and future scope. So there is no answer; so you need to install ZAP on the local machine on which you are going to execute these scripts, and ZAP is totally free, actually free of cost, so you can install it from the OWASP website on your local system. So you need a special configuration for authentication, but in this case you do not need to worry about it, because the Selenium script will take care of it: in the Selenium script you provide the credentials for login and all the authentication or authorization process, so you do not need to worry about it. But if you are not using a Selenium script, you need a special configuration for the authentication and authorization process. Also I am working to integrate ZAP and this framework for mobile apps as well, so this framework will be capable of performing security testing for mobile apps as well in the future, actually. So here are the takeaways, finally. It is more important to make security testing a habit, performing it on a daily basis rather than performing it only after the release. So it is more important, actually; we are using our existing functional Selenium test scripts, so
we do not need to do any extra effort or pay any extra cost for it; it will run in parallel with the Selenium functional test scripts, so that is just good, actually. And in sync with DevOps we can integrate it with a continuous integration tool like Jenkins for automated triggering and scheduling of the scripts. An open invitation to all teams to try this tool, and finally the overall message: if I am able to take on security testing with this tool, you being more expert, you all can certainly take it too. Actually this API is available for Java and Python and Ruby as well, and C#, but I have used Java because I am working in Java. It is not that easy as well; I did need to write different packages and different files. This is our independent framework; I can just give you an idea about it so you can explore these things. Actually Burp Suite is not a vulnerability scanner; it will just intercept your request, so you can change the request and send it to the server, and whatever response comes from the server you can make changes and send it back to the browser, but it will not scan for vulnerabilities like SQL injection, cross-site scripting. It is not a scanner, actually; for scanning or just monitoring network traffic, this is a scanner. So actually I do not have an idea about this tool, whether it is paid or free open source; that is the difference, but I think it is possible. Memory leakage? Memory leakage, yes, definitely it will impact the total execution time; it depends on the size of the application, so if the size of the application is a bit heavier it will take extra, yes, so obviously it will take some extra time, later or wait for some time. So actually we configured these reports so it will mail you these reports on your internet. Yes, you need to go through the documentation of ZAP. Yes, ZAP, ZAP tries to inject different, different escalations. Yes, good, post attack, that means I did multi-threaded, pass, send, can this? Yes, you can find the link.