ZAPStepDefinitions (IridiumApplicationTesting API)

java.lang.Object
- au.com.agic.apptesting.steps.ZAPStepDefinitions

@Component
public class ZAPStepDefinitions
extends java.lang.Object

These are Cucubmber steps that are used by ZAP

Constructor Summary

Constructors
Constructor and Description

ZAPStepDefinitions()

Constructors
Constructor and Description
`ZAPStepDefinitions()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`activeSession()` Creates an empty ZAP session
`void`	`checkVulnerabilities(java.lang.String risk, java.lang.String baseUrl)` Check to see if any risks were identified during the scan
`void`	`disableAllScanners()` This configures ZAP with no scanners, neither passive nor active
`void`	`enableActiveScanner()` Enables only the active scanner.
`void`	`enableAllScanners()` This configures ZAP with all scanners, both passive and active
`void`	`enablePassiveScanner()` Enables only the passive scanner.
`void`	`enablePolicy(java.lang.String policyName)` Enabled the given active scan policy
`void`	`excludeUrlsFromScan(java.util.List<java.lang.String> excludedRegexes)` Defines a list of URL regular expressions that are excluded from the ZAP scan
`void`	`processVulnerabilities(java.lang.String risk, java.lang.String baseUrl, boolean reportOnly)`
`void`	`removeFalsePositives(java.util.List<ZAPFalsePositive> falsePositives)` Define a list of false positives to be excluded from the scan results
`void`	`reportVulnerabilities(java.lang.String risk, java.lang.String baseUrl)` Report any risks were identified during the scan without throwing an error
`void`	`runScanner(java.lang.String appName)` Runs the ZAP active scanner
`void`	`setAlertThreshold(java.lang.String threshold)` Sets the alert threshold for all active scanners
`void`	`setAttackStrength(java.lang.String strength)` Sets the attack strength
`void`	`startSession()` Creates an empty ZAP session
`void`	`theApplicationIsSpidered(java.lang.Integer depth, java.lang.Integer timeout)` Starts the ZAP spider.
`void`	`writeXmlReport(java.lang.String path)` This step will save the ZAP report to disk with the given filename

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail
- ZAPStepDefinitions
```
public ZAPStepDefinitions()
```

Method Detail

startSession

@When(value="I create an empty ZAP session")
public void startSession()
                                                               throws org.zaproxy.clientapi.core.ClientApiException

Creates an empty ZAP session

Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

activeSession

@When(value="I set the active ZAP session")
public void activeSession()
                                                               throws org.zaproxy.clientapi.core.ClientApiException

Creates an empty ZAP session

Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

writeXmlReport

@When(value="the ZAP XML report is written to the file \"(.*?)\"")
public void writeXmlReport(java.lang.String path)
                                                                                       throws java.io.IOException,
                                                                                              org.zaproxy.clientapi.core.ClientApiException

This step will save the ZAP report to disk with the given filename

Parameters:: path - The name of the report, like "zapreport.xml"
Throws:: java.io.IOException - When the report file could not be written; org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

enableAllScanners

@Given(value="a scanner with all policies enabled")
public void enableAllScanners()
                                                                           throws org.zaproxy.clientapi.core.ClientApiException

This configures ZAP with all scanners, both passive and active

Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

disableAllScanners

@Given(value="a scanner with all policies disabled")
public void disableAllScanners()
                                                                             throws org.zaproxy.clientapi.core.ClientApiException

This configures ZAP with no scanners, neither passive nor active

Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

enablePassiveScanner

@Given(value="the passive scanner is enabled")
public void enablePassiveScanner()
                                                                         throws org.zaproxy.clientapi.core.ClientApiException

Enables only the passive scanner. The active scanner is disabled.

Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

enableActiveScanner

@Given(value="the active scanner is enabled")
public void enableActiveScanner()
                                                                       throws org.zaproxy.clientapi.core.ClientApiException

Enables only the active scanner. The passive scanner is disabled.

Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

enablePolicy

@Given(value="the \"(.*?)\" policy is enabled")
public void enablePolicy(java.lang.String policyName)
                                                                  throws org.zaproxy.clientapi.core.ClientApiException

Enabled the given active scan policy

Parameters:: policyName - The name of the active scan policy
Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

setAttackStrength

@Given(value="the attack strength is set to \"(.*?)\"")
public void setAttackStrength(java.lang.String strength)

Sets the attack strength

Parameters:: strength - The ZAP attack strength

setAlertThreshold

@Given(value="the alert threshold is set to \"(.*?)\"")
public void setAlertThreshold(java.lang.String threshold)
                                                                               throws org.zaproxy.clientapi.core.ClientApiException

Sets the alert threshold for all active scanners

Parameters:: threshold - The ZAP alert threshold
Throws:: org.zaproxy.clientapi.core.ClientApiException - when the ZAP API threw an exception

excludeUrlsFromScan

@Given(value="the following URL regular expressions are excluded from the scanner")
public void excludeUrlsFromScan(java.util.List<java.lang.String> excludedRegexes)
                                                                                                             throws org.zaproxy.clientapi.core.ClientApiException

Defines a list of URL regular expressions that are excluded from the ZAP scan

Parameters:: excludedRegexes - A list of URL regular expressions to exclude
Throws:: org.zaproxy.clientapi.core.ClientApiException - when the ZAP API threw an exception

runScanner

@When(value="the active scanner is run(?: from \"([^\"]*)\")?")
public void runScanner(java.lang.String appName)
                                                                                throws org.zaproxy.clientapi.core.ClientApiException

Runs the ZAP active scanner

Parameters:: appName - the optional name of the URL whose URL will be used to launch the scan.
Throws:: org.zaproxy.clientapi.core.ClientApiException - when the ZAP API threw an exception

removeFalsePositives

@When(value="the following false positives are ignored")
public void removeFalsePositives(java.util.List<ZAPFalsePositive> falsePositives)
                                                                                   throws org.zaproxy.clientapi.core.ClientApiException

Define a list of false positives to be excluded from the scan results

Parameters:: falsePositives - The false positives to be removed
Throws:: org.zaproxy.clientapi.core.ClientApiException - when the ZAP API threw an exception

checkVulnerabilities

@Then(value="^no \"(.*?)\" or higher risk vulnerabilities should be present(?: for the base url \"(.*?)\")?$")
public void checkVulnerabilities(java.lang.String risk,
                                                                                                                                                java.lang.String baseUrl)
                                                                                                                                         throws org.zaproxy.clientapi.core.ClientApiException

Check to see if any risks were identified during the scan

Parameters:: risk - The level of risk. Either HIGH, MEDIUM or LOW; baseUrl - An optional regex that can be used to match the url that a risk is assoicated with
Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

reportVulnerabilities

@Then(value="^I report any \"(.*?)\" or higher risk vulnerabilities (?: for the base url \"(.*?)\")?$")
public void reportVulnerabilities(java.lang.String risk,
                                                                                                                                          java.lang.String baseUrl)
                                                                                                                                   throws org.zaproxy.clientapi.core.ClientApiException

Report any risks were identified during the scan without throwing an error

Parameters:: risk - The level of risk. Either HIGH, MEDIUM or LOW; baseUrl - An optional regex that can be used to match the url that a risk is assoicated with
Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

processVulnerabilities

public void processVulnerabilities(java.lang.String risk,
                                   java.lang.String baseUrl,
                                   boolean reportOnly)
                            throws org.zaproxy.clientapi.core.ClientApiException

Throws:: org.zaproxy.clientapi.core.ClientApiException

theApplicationIsSpidered

@And(value="^the application is spidered(?: to a depth of\"(\\d+)\")?(?: timing out after \"(\\d+)\" seconds)?$")
public void theApplicationIsSpidered(java.lang.Integer depth,
                                                                                                                                                       java.lang.Integer timeout)
                                                                                                                                                throws org.zaproxy.clientapi.core.ClientApiException

Starts the ZAP spider.

Parameters:: depth - How far to search into the application; timeout - How long to wait for a timeout
Throws:: org.zaproxy.clientapi.core.ClientApiException - When the ZAP API threw an exception

Class ZAPStepDefinitions

Constructor Summary