CODEWITHSUNDEEP
seleniumowaspzapsecurity-testing
CuriousLearner
CuriousLearner

Reputation: 1702

Automated testing for OWASP A1-A10

I am wondering out of OWASP top 10 (A1-A10) which all can be automated. Is it possible to automate their testing using Selenium, if not which tool can be used to automate them ? Also are there any documents or guidelines or any examples that can be followed or referred.

Thanks in advance.

Upvotes: 0

Views: 613

Answers (2)

lauda
lauda

Reputation: 4173

There are a lot of tools that do this automated.

If you are asking this you either don't have enough experience in security or you don't have enough experience in automation.

Is one thing to know security and another to write some effective automated scenarios. What you could do is to automate some specific scenarios resulted as regression.

For security purpose please use existing tools to scan for vulnerabilities + manual testing and analysis.

As a conclusion: Yes, as @psiinon said, you can automate, and is better to have an automated scan, but in terms of implementing manually it will require a lot of efforts to do this in an efficient way with a good coverage.

Make sure you are understanding completely what you are trying to automate, make a plan and investigate further more to see what are the options. Also check if you have any related security libraries to use based on the used programming language.

Upvotes: 2

Simon Bennetts
Simon Bennetts

Reputation: 6234

I'd say:

  1. Injection: automation is pretty effective
  2. Auth / Session mgmt: tools help but manual testing is really needed
  3. XSS: automation is pretty effective
  4. IDOR: tools help but manual testing is really needed
  5. Sec misconfig: ditto
  6. Data exposure: can be automated to a fair degree by manual verification important
  7. Missing AC: elements can be automated, but def needs significant manual involvement
  8. CSRF: automation is pretty effective
  9. Comps with vulns: automation can be effective but you'll need prob static + dynamic scanning
  10. Fwds and redir: automation is pretty effective

Finding security vulnerabilities is hard, automation should be seen as a way to cut down the time and effort spent doing manual testing rather than replacing it. One of the advantages of automated testing is that you can do it at any time (eg as part of CI/CD) rather than waiting until near the end and getting the pentesters in.

In all cases manual verification of any potential vulnerabilities found using automation is important.

Have a look at https://www.owasp.org/index.php/ZAPpingTheTop10 which is focused on ZAP. Automation is definitely a focus for ZAP (and one of the key ways we use it in Mozilla) and not surprisingly its something I'd recommend using (I'm the ZAP project lead;)

Upvotes: 2

Related Questions