An intro to OWASP Zed Attack Proxy

Posted by Surabhi Gokte on Dec 15, 2017 2:38:00 PM

I am currently working with a new security testing tool, ZAP. Previously, we were performing security testing with a paid tool. Some exploration of open source alternatives led us to the OWASP Zed Attack Proxy (ZAP).

ZAP is an open source tool offered by OWASP (Open Web Application Security Project) for penetration testing of your website/web application. It helps you find the security vulnerabilities in your application.

Why use OWASP Zed Attack Proxy?

Security testing is a vital part of web application testing. Here are the OWASP top 10 security threats that your website/application might face:

  • SQL injection

  • Broken authentication and session management

  • Cross-site scripting (XSS)

  • Broken access control

  • Security misconfiguration

  • Sensitive data exposure

  • Insufficient attack protection

  • Cross-site request forgery (CSRF)

  • Using components with known vulnerabilities.

  • Underprotected APIs


OWASP Zed Attack Proxy provides you with the ability to detect these threats. And it’s open-source, so you can use it free of charge. 

Beyond that, ZAP is an easy-to-use tool. Following are some more reasons for using ZAP:

  • Ideal for both beginners and professionals

  • Cross-platform - works across all OS (Linux, Mac, Windows)

  • Reusable

  • Can generate reports of the results

How does it work?

ZAP runs as a proxy server and makes your website traffic pass through it. It includes automated scanners that inspect that traffic and help you find vulnerabilities in your website.


You can give specific Contexts (more on Contexts in a follow-up blog) for the data being screened, so as to avoid the unnecessary heavy traffic.

Some Terminologies

Session: A session is simply everything you do in ZAP, i.e. navigating through the website you want to attack. This is done so that ZAP learns which URLs exist and how deep it has to go when hitting them. You can use ZAP's own browser or any other browser, like Firefox, by changing the proxy settings of that browser.
You can save your session in ZAP with the extension .session and reuse it.

Context: A context is a way of grouping URLs. When you need to hit a specific set of URLs in your website with particular user(s), host(s) etc., a context can be created in ZAP; ZAP will then ignore the rest and attack only the URLs in the context. This helps you avoid unnecessary heavy traffic coming your way.

Attacks in ZAP: The purpose of this tool is to penetrate through the site, attack (hit) its URLs, scan the URLs hit, and check how prone the site is to the various risks/attacks.


Following are the types of attacks which ZAP provides:

  • Quick Attack: This helps you test the application using ZAP in the quickest way possible. Under the tab Quick Start, put the URL in the URL to attack field and click on the 'Attack' button. 

    ZAP will use its spider to crawl the application, passively scanning every page it discovers as it goes. It will then use the active scanner to attack all of those pages. This is a useful way to perform an initial assessment of an application.

  • Spider: It is used to automatically discover new resources/URLs on your website. It visits those URLs, identifies the hyperlinks and adds them to the list.

  • Active Scan: It is used to find the potential vulnerabilities by using the known attacks against the selected targets. It gets its targets from the spider attack.

  • There are more attacks which ZAP provides, other than the ones mentioned above; like AJAX Spider, Fuzz, Forced Browse Site etc.

Alerts: Alerts are raised as the result of attacks performed by the Spider/Active Scan (or any other attack). Alerts are the potential vulnerabilities, flagged as High, Medium, or Low according to their risk level.

Steps to Configure

Note: Use ZAP on a website only if you have permissions to perform testing on it, otherwise you might run into legal difficulties.

  • Download ZAP: Download the ZAP installer for your OS. I work on a MacBook, so I have the Mac OS/X installer installed, but ZAP works the same on all systems.

    The only dependency is Java 7. If you don’t have Java installed in your system, first get that installed and then start with ZAP.

  • Launch ZAP: Open the downloaded file (installer) and follow the instructions.

Start using! 

Steps to Run

  • Open / Launch ZAP 
  • Crawl the site through a browser: You can use either ZAP’s own browser or any other browser you want to. 

    For using any other browser (the menu path below is Firefox’s), go to Tools Menu -> Options -> Advanced tab -> Network -> Settings -> select Manual proxy configuration and set HTTP Proxy = 127.0.0.1 (the machine running ZAP), Port = 8080, which is ZAP’s default listening address.

    You then just need to open the browser, hit the URL of your website (the one to be attacked) and crawl throughout the website. For crawling you can either use a tool or do it manually.

    The more thoroughly you crawl the website, the more URLs ZAP will be able to find.
  • Create a session: It is not mandatory to save a session. But if required, a session can be saved and used again in future after you are done with scanning the application. This is done before you start working on ZAP. As soon as you launch ZAP, it asks you if you want to persist your session and you can select the option accordingly.

  • Create a context: To create a new context right click on the site (to be attacked) and click on “Include in context”. 

    Then click on “New Context” and a modal will open for you. In the context, you can add specifics like Users, Authentication, Hostname etc. as per your requirements.

You can always work with the default context, but it is good practice to make a new context of your own and include your site in it.

  • Attack the site: To perform an attack, right click on the site (present under Sites), hover on Attack and click on the attack you would like to perform (eg. Spider… or Active Scan…). 

    As soon as you click it, the attack will start.

    Generally, the recommended sequence is:
    - the site is crawled in the browser 
    - the context is set 
    - you run the Spider attack which gets you the URLs 
    - you run the Active Scan for those URLs
  • Check the Alerts: Once the attack is completed, you can check the results in the Alerts tab. The alerts are classified as high, medium or low.

That’s all folks! 

In this blog, I have just talked about what ZAP is, how it works, and how to configure and start using it. Stay tuned for the next post, where we dive into a step-wise OWASP ZAP tutorial on how to attack a particular website.

Till then, you can check out our guides to a few other popular testing tools like Behat, Selenium, and A11ym. You could also view our webinar covering the mobile test automation tool, Appium.

And if you have used the OWASP Zed Attack Proxy and have some cool tips to share, do share in the comments below.

Topics: Framework and Libraries

Behat: Introduction & installation

Posted by Surabhi Gokte on Nov 9, 2016 1:13:00 PM

I got the opportunity to learn and work on Behat for one of the internal projects at and I found it easy and interesting. During my learning phase, I noticed that there is not much documentation available on Behat over the internet. And hence this blog.

Hope it fills in some of the gaps in Behat’s supporting literature.

What is Behat?

Behat is a Behaviour Driven Development (BDD) tool used to test the behaviour of an application from the end user’s point of view. It’s a popular open source tool for automated testing of business cases, using human-readable scenarios that map onto PHP code.

Behat was inspired by Ruby’s Cucumber project. Both Behat and Cucumber are based on BDD. That’s the only similarity. Cucumber supports many languages (Ruby, Python, Java etc.) but Behat is just supported by PHP.

We use Gherkin, a language quite like English, to write various scenarios/features for testing an application. Behat can also be extended by writing custom PHP functions. These functions are written in FeatureContext.php file which is created inside the bootstrap folder.

Who Should Use Behat?

Behat was developed for Business Analysts (BA) and developers, so as to bridge the gap between business stakeholders and the development team.

It is also used by testers for testing websites. As Behat uses the Gherkin language to write its scenarios, it becomes easy for testers to map them to the acceptance criteria of the project. This results in fulfilment of the client requirements to the best of our ability.

When to use Behat?

Behat helps completely achieve the client requirements because it works according to the Acceptance Criteria of the project. It uses an English-like, human-readable language to write Behat steps. That’s the best part, because it can be understood by anyone, whether it’s a project manager, a developer or any other business stakeholder.

It is best suited when:

  • Testing the data/content on the webpage
  • Testing actions (like links, buttons etc.)
  • Testing forms
  • During migration of a website from one CMS to another
  • For end to end testing (i.e. flow of an application from start to finish)
  • For Functional, Regression, Smoke, and Sanity Testing

When not to use Behat?

Behat is a great tool with easy installation, but it lags behind in terms of documentation. Also, it is not a great option if you are testing:

  • Dynamic data
  • Images
  • Http response of links throughout the website

Steps for Behat Installation

Before we get down to the steps, we are assuming you have done the following:

  • Installed Composer in the system. If not, find the steps here to install composer.
  • Made a folder and named it ‘behat’ (or any name you wish) at any location in your system.
  • Opened terminal and typed cd Desktop/behat (here we are assuming that ‘behat’ folder is created on Desktop. If you create it at some other location, go to that directory through terminal using ‘cd’ command).
  • Typed the following commands to install and run behat (these commands are same for Windows, Mac or any other Linux based system):

1. touch composer.json

The ‘touch’ command is used to create empty files in Mac and Linux systems. For Windows, you can create composer.json manually inside the project folder (in our case it is named behat). Once the file ‘composer.json’ is created, add the code below:

The above code is in json format and hence indentation needs to be taken care of. It consists of various dependencies that Behat requires.

2. touch behat.yml

Now it's time to move on to the next step. Create a behat.yml file using the command “touch behat.yml” inside the behat folder. Once the file behat.yml is created, add the following code:

3. composer install

Now it’s time to have Composer install the dependencies. We are almost done; just a step away from completing the installation process.

Execute “composer install” from your terminal. This command reads the ‘composer.json’ file from the current directory and installs (or updates) all the dependencies it lists, at the versions specified in that file.

At this point, Behat is installed in your system. Now the steps below will help you initialize and run behat.

4. bin/behat --init

The command “bin/behat --init” initializes Behat. This is to be run only once. It will create a directory structure as shown below:

This command creates a directory (folder) called ‘features’ inside which we create our .feature files. A .feature file contains a feature, its overview, and scenarios. A scenario is a Gherkin structure that consists of various steps as per the acceptance criteria.
Inside the ‘features’ directory there is another directory called ‘bootstrap’. Inside it you will find a PHP file called ‘FeatureContext.php’. This is the heart of your Behat setup, as it holds the code that is mapped to the steps written in the scenarios of your .feature file(s).

5. bin/behat features/name_of_featurefile.feature

This command runs a feature file (here name_of_featurefile represents the name you give to your feature file, and features is the folder created inside the project folder).

If only a particular scenario is to be run, tags can be used: annotate the scenario with a tag line such as @1 in the feature file and pass the tag name on the command line. Following is an example:

> bin/behat features/name_of_featurefile.feature --tags 1

If more than one scenario is to be run, the tags can be separated by a comma (,) inside a single quoted argument, so that the shell passes them to Behat as one value. Following is an example:

> bin/behat features/name_of_featurefile.feature --tags "1,2"

Behat Components

Browser Emulators

Browser Emulators are used for testing the responsiveness of a website. These can be of two types:

  • Browser Controllers
  • Headless Browsers

When we run the command bin/behat features/name_of_featurefile.feature, it runs on a headless browser. To run our features in a real browser (like Firefox, Chrome etc.) we need browser controllers (like Selenium). In some cases we might also require specific drivers, like chromedriver for the Chrome browser.

If using selenium, following is the command:

> java -jar selenium-server-standalone-2.53.1.jar

This command will run the selenium jar file which can be downloaded from Selenium’s official website. To run a jar file, java should be installed in the system.

It can be run on a particular browser by downloading its driver, which is easily available online. To run selenium with the Chrome browser, pass the driver path to the Java process as the webdriver.chrome.driver system property, before the -jar option:

> java -Dwebdriver.chrome.driver=/home/mp0zxhb/chromedriver -jar selenium-server-standalone-2.53.1.jar

Here ‘/home/mp0zxhb/chromedriver’ represents the path where chromedriver is downloaded in the system.

About Mink

Mink is a browser emulator for a web application, written in PHP. We use Mink library in behat so as to control our browser. Here's all the information on mink.

To use mink, PHP 5.3+ should be installed in the system.

Terms in Behat


Gherkin: Gherkin is an English-like language, business-readable and domain-specific, that is specially designed to describe behaviour. It is also available in other natural languages (like French).

Gherkin is used to write the scenario(s) in the feature file(s). It has a defined structure and is indentation sensitive. Following are the keywords used in Gherkin:

Given, When, Then, And, But

Feature: A feature gives the overview of the functionality covered in the specific feature file. We write features in a text file with the .feature extension. One .feature file contains a single feature, but can have multiple scenarios within that feature.

Scenario: A scenario consists of a short summary (which starts with the keyword Scenario) and a list of steps written in Gherkin. Each step is matched against a step definition, i.e. a PHP method in FeatureContext.php.

behat.yml: This file is written in YAML format and holds all the configuration Behat requires. It is loaded by default.

Example: An example of a behat.yml file is given in the Behat Installation Steps section above.

Composer: Composer is a tool used to declare the various dependencies of our project and manage their installation (and/or updates). It can be called a dependency management tool, but definitely not a package manager.

We use commands like composer install, composer update etc. to install/update project libraries/dependencies through composer.

Behat Commands

Following are the generally used commands in behat:

  • bin/behat -h: lists all available commands and options in behat.

  • bin/behat -dl: lists the step definitions available for use in scenarios. When a custom step is written, it gets added to this list.

  • bin/behat --dry-run --append-snippets: for every step in your feature files that has no definition yet, appends a snippet (an empty PHP method carrying the matching annotation) to FeatureContext.php, inside which you then write the custom PHP code.
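To make installation steps 1 to 5 above and the custom-step commands concrete, here is an added example: my own shell script, not the author’s files and not Behat’s own code. It scaffolds a Behat 3 project in the layout described: the composer.json of step 1, the behat.yml of step 2 with a headless session and a Selenium session, a feature file with two tagged scenarios for step 5, and a FeatureContext.php carrying one custom step definition of the kind --dry-run --append-snippets stubs out. The package versions, the base_url, the /login page and the "Password" field label are assumptions; the author’s own composer.json and behat.yml listings are not reproduced on this page.

```shell
# Added example, not the author's files. Scaffolds a minimal Behat 3 + Mink
# project; package versions, base_url, /login and "Password" are assumptions.
scaffold_behat_project() {
    dir="$1"
    mkdir -p "$dir/features"
    # Step 1: composer.json. "bin-dir" is what makes bin/behat exist;
    # without it Composer puts the executable under vendor/bin/.
    cat > "$dir/composer.json" <<'EOF'
{
  "require": {
    "behat/behat": "^3.3",
    "behat/mink": "^1.7",
    "behat/mink-extension": "^2.2",
    "behat/mink-goutte-driver": "^1.2",
    "behat/mink-selenium2-driver": "^1.3"
  },
  "config": { "bin-dir": "bin/" }
}
EOF
    # Step 2: behat.yml. The goutte session is the headless default; the
    # selenium2 session drives a real browser through a running Selenium server.
    cat > "$dir/behat.yml" <<'EOF'
default:
  suites:
    default:
      contexts:
        - FeatureContext
        - Behat\MinkExtension\Context\MinkContext
  extensions:
    Behat\MinkExtension:
      base_url: http://localhost:8000
      default_session: goutte
      sessions:
        goutte:
          goutte: ~
        selenium2:
          selenium2:
            browser: chrome
            wd_host: http://127.0.0.1:4444/wd/hub
EOF
    # A feature with two tagged scenarios; the tags are what --tags selects.
    cat > "$dir/features/login.feature" <<'EOF'
Feature: Login page
  As a visitor I need a login form that does not echo my password
  @1 @smoke
  Scenario: Login page renders
    Given I am on "/login"
    Then I should see "Log in"
  @2 @security
  Scenario: Password input is masked
    Given I am on "/login"
    Then the "Password" field should mask its input
EOF
}

# Replaces the empty FeatureContext.php that bin/behat --init generates with
# one defining the custom step used by the second scenario. The method body
# is what --dry-run --append-snippets would otherwise leave for you to fill in.
add_password_mask_step() {
    dir="$1"
    mkdir -p "$dir/features/bootstrap"
    cat > "$dir/features/bootstrap/FeatureContext.php" <<'EOF'
<?php
use Behat\Behat\Context\Context;
use Behat\MinkExtension\Context\RawMinkContext;
class FeatureContext extends RawMinkContext implements Context
{
    /**
     * @Then the :field field should mask its input
     */
    public function theFieldShouldMaskItsInput($field)
    {
        $input = $this->getSession()->getPage()->findField($field);
        if (null === $input) {
            throw new \Exception(sprintf('Field "%s" not found', $field));
        }
        if ('password' !== strtolower((string) $input->getAttribute('type'))) {
            throw new \Exception(sprintf('Field "%s" is not type=password', $field));
        }
    }
}
EOF
}

# Counts the scenarios in a feature file that carry a given tag name.
count_tagged() {
    grep -cE "(^|[[:space:]])@$2([[:space:]]|$)" "$1"
}

# Usage, in the order of the post's steps (not run here: needs network and a site):
#   scaffold_behat_project ~/Desktop/behat && cd ~/Desktop/behat
#   composer install                               # step 3
#   bin/behat --init                               # step 4
#   add_password_mask_step .                       # custom step definition
#   bin/behat features/login.feature --tags "1,2"  # step 5, both scenarios
```

The "bin-dir" setting is the reason the commands in this post can say bin/behat rather than vendor/bin/behat. The custom step checks that the field named in the scenario is an input of type password, so a form that accidentally renders the password field as plain text fails the acceptance test; it runs under the headless goutte session as well as under Selenium, because it only inspects the page’s DOM.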

That’s all folks! Hope this helps you get started with Behat. You can check out one of our QA webinars on how to leverage Behat to tell stories through your code, and build the right product.



You could also take a look at how we used Behat on one of our client projects for an insurance company.

Topics: Framework and Libraries, QA and Testing

