A comprehensive Java-based security testing framework using Selenium WebDriver to automate OWASP Top 10 vulnerability testing.
## Features

- SQL Injection Testing -- Tests login forms and input fields for SQL injection vulnerabilities.
- XSS Testing -- Cross-Site Scripting vulnerability detection.
- Authentication Testing -- Tests for authentication bypass and broken access control.
- Session Management Testing -- Session fixation, timeout, and cookie security tests.
- Sensitive Data Exposure Testing -- HTTPS enforcement, password masking, etc.
- CSRF Testing -- Cross-Site Request Forgery token validation.
- OWASP ZAP Integration -- Optional integration with the OWASP ZAP proxy for deeper scanning.
## Project Structure

```
SecurityTestFramework/
├── pom.xml
├── README.md
├── src/
│   ├── main/java/com/security/
│   │   ├── config/
│   │   │   └── ConfigReader.java
│   │   ├── pages/
│   │   │   ├── BasePage.java
│   │   │   └── LoginPage.java
│   │   └── utils/
│   │       ├── DriverFactory.java
│   │       ├── SecurityPayloads.java
│   │       ├── ReportManager.java
│   │       └── ZapIntegration.java
│   ├── test/java/com/security/tests/
│   │   ├── BaseTest.java
│   │   ├── SqlInjectionTest.java
│   │   ├── XssTest.java
│   │   ├── AuthenticationTest.java
│   │   ├── SessionManagementTest.java
│   │   ├── SensitiveDataExposureTest.java
│   │   └── CsrfTest.java
│   └── test/resources/
│       ├── config.properties
│       ├── log4j2.xml
│       └── payloads/
│           ├── sql_injection_payloads.txt
│           └── xss_payloads.txt
└── testng.xml
```
## Prerequisites

- Java 17 or higher
- Maven 3.6+
- Chrome or Firefox browser
- (Optional) OWASP ZAP for proxy-based testing
## Getting Started

1. Clone the repository:

```
git clone <repository-url>
```

2. Edit `src/test/resources/config.properties` to point at the application under test:

```properties
base.url=https://your-target-app.com
browser=chrome
headless=false
```

3. Build the project:

```
mvn clean install -DskipTests
```

## Running Tests

Run the whole suite:

```
mvn test
```

Run a single test class:

```
mvn test -Dtest=SqlInjectionTest
mvn test -Dtest=XssTest
mvn test -Dtest=AuthenticationTest
```

Run in Firefox instead of Chrome:

```
mvn test -Dbrowser=firefox
```

Run headless:

```
mvn test -Dheadless=true
```

## Test Categories

### SQL Injection

- Login form injection
- Search field injection
- URL parameter injection
- Error-based injection detection
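The error-based detection case above hinges on one question: does a verbose database error come back when a payload reaches the query? The class below is an added example written for this README, not the project's own `SqlInjectionTest`. It assumes `BaseTest` exposes a `driver` (WebDriver) field and a `baseUrl` string read from `base.url`, that the login form at `/login` has fields named `username` and `password`, and that the TestNG group is called `sqlinjection`; all of these are assumptions, as is the list of error signatures, which you should extend for the database your application uses. Payloads come from the framework's own `sql_injection_payloads.txt`.

```java
package com.security.tests;

import org.openqa.selenium.By;
import org.testng.Assert;
import org.testng.annotations.Test;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not the project's own SqlInjectionTest): error-based detection.
 * Assumes BaseTest exposes `driver` (WebDriver) and `baseUrl` (from base.url),
 * and that the login form at /login has fields named "username" and "password".
 */
public class SqlErrorDetectionExampleTest extends BaseTest {

    // Database error fragments that show user input reached the SQL engine unescaped
    // (constructed starter list; extend it for the database behind your application).
    private static final List<Pattern> DB_ERROR_SIGNATURES = List.of(
            Pattern.compile("You have an error in your SQL syntax", Pattern.CASE_INSENSITIVE),                // MySQL
            Pattern.compile("Unclosed quotation mark after the character string", Pattern.CASE_INSENSITIVE), // SQL Server
            Pattern.compile("ORA-\\d{5}"),                                                                    // Oracle
            Pattern.compile("PostgreSQL.*ERROR|pg_query\\(", Pattern.CASE_INSENSITIVE),                       // PostgreSQL
            Pattern.compile("SQLITE_ERROR|SQLite3?::", Pattern.CASE_INSENSITIVE),                             // SQLite
            Pattern.compile("Warning: mysql_", Pattern.CASE_INSENSITIVE)                                       // PHP mysql_* warnings
    );

    /** Returns the signature patterns found in a response body; an empty list means the response looks clean. */
    static List<String> findSqlErrorSignatures(String body) {
        List<String> hits = new ArrayList<>();
        for (Pattern p : DB_ERROR_SIGNATURES) {
            if (p.matcher(body).find()) {
                hits.add(p.pattern());
            }
        }
        return hits;
    }

    /** Reads one payload per line from the framework's payload file, skipping blank lines and # comments. */
    static List<String> loadPayloads(Path file) throws IOException {
        List<String> payloads = new ArrayList<>();
        for (String line : Files.readAllLines(file)) {
            String trimmed = line.trim();
            if (!trimmed.isEmpty() && !trimmed.startsWith("#")) {
                payloads.add(trimmed);
            }
        }
        return payloads;
    }

    @Test(groups = {"sqlinjection"})
    public void loginFormShouldNotLeakDatabaseErrors() throws IOException {
        List<String> payloads = loadPayloads(Path.of("src/test/resources/payloads/sql_injection_payloads.txt"));
        List<String> findings = new ArrayList<>();

        for (String payload : payloads) {
            driver.get(baseUrl + "/login");
            driver.findElement(By.name("username")).sendKeys(payload);
            driver.findElement(By.name("password")).sendKeys("placeholder-password"); // constructed value
            driver.findElement(By.cssSelector("button[type=submit]")).click();

            // A verbose database error in the response is the finding; a generic
            // "invalid credentials" message is the expected, safe behaviour.
            List<String> hits = findSqlErrorSignatures(driver.getPageSource());
            if (!hits.isEmpty()) {
                findings.add(payload + " -> " + hits);
            }
        }

        Assert.assertTrue(findings.isEmpty(), "Database error text leaked for payloads: " + findings);
    }
}
```

The test collects every payload that triggers a signature before failing, so one run reports all leaking inputs rather than stopping at the first. Matching on the rendered page source means a stack trace hidden in an HTML comment or a debug footer is caught as well as a visible error banner.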
### XSS

- Reflected XSS
- Stored XSS
- DOM-based XSS
- Input sanitization verification
### Authentication

- Direct URL access without login
- Session token validation
- Password policy enforcement
- Account lockout testing
### Session Management

- Session ID regeneration after login
- Session timeout verification
- Cookie security flags (HttpOnly, Secure)
- Concurrent session handling
### Sensitive Data Exposure

- HTTPS enforcement
- Password field masking
- Sensitive data in URL parameters
- Autocomplete disabled for sensitive fields
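The four sensitive-data checks above are all observable from the browser side, which makes them a natural fit for Selenium. The class below is an added example, not the project's own `SensitiveDataExposureTest`. It assumes `BaseTest` exposes `driver` and `baseUrl`, that the login form is at `/login` with fields named `username` and `password`, and that the group is named `sensitivedata`; the list of sensitive query keys is a constructed starting point.

```java
package com.security.tests;

import org.openqa.selenium.By;
import org.openqa.selenium.WebElement;
import org.testng.Assert;
import org.testng.annotations.Test;

import java.net.URI;
import java.util.Set;

/**
 * Added example (not the project's own SensitiveDataExposureTest).
 * Assumes BaseTest exposes `driver` and `baseUrl` (from base.url) and that the
 * login form lives at /login with fields named "username" and "password".
 */
public class SensitiveDataExposureExampleTest extends BaseTest {

    // Query-string keys that must never carry sensitive values (constructed list; extend as needed).
    private static final Set<String> SENSITIVE_QUERY_KEYS =
            Set.of("password", "passwd", "pwd", "token", "session", "ssn", "creditcard");

    /** True when the URL's query string contains a key from the sensitive list (case-insensitive). */
    static boolean urlExposesSensitiveKey(String url) {
        String query = URI.create(url).getQuery();
        if (query == null || query.isEmpty()) {
            return false;
        }
        for (String pair : query.split("&")) {
            String key = pair.split("=", 2)[0].toLowerCase();
            if (SENSITIVE_QUERY_KEYS.contains(key)) {
                return true;
            }
        }
        return false;
    }

    @Test(groups = {"sensitivedata"})
    public void plainHttpShouldBeUpgradedToHttps() {
        // Request the http:// form of the base URL and expect to be redirected to https://.
        driver.get(baseUrl.replaceFirst("^https://", "http://"));
        Assert.assertTrue(driver.getCurrentUrl().startsWith("https://"),
                "HTTPS is not enforced, landed on: " + driver.getCurrentUrl());
    }

    @Test(groups = {"sensitivedata"})
    public void passwordFieldShouldBeMaskedAndNotAutocompleted() {
        driver.get(baseUrl + "/login");
        WebElement password = driver.findElement(By.name("password"));

        // type="password" masks the value on screen; autocomplete="off" (or "new-password")
        // keeps the browser from storing and replaying it.
        Assert.assertEquals(password.getAttribute("type"), "password", "Password field is not masked");
        String autocomplete = password.getAttribute("autocomplete");
        boolean disabled = autocomplete != null
                && (autocomplete.equalsIgnoreCase("off") || autocomplete.equalsIgnoreCase("new-password"));
        Assert.assertTrue(disabled, "Password field allows autocomplete (value: " + autocomplete + ")");
    }

    @Test(groups = {"sensitivedata"})
    public void credentialsShouldNotAppearInUrlAfterLogin() {
        driver.get(baseUrl + "/login");
        driver.findElement(By.name("username")).sendKeys("placeholder-user");         // constructed value
        driver.findElement(By.name("password")).sendKeys("placeholder-password");     // constructed value
        driver.findElement(By.cssSelector("button[type=submit]")).click();

        // A GET-based login form puts the credentials into the address bar, browser history
        // and server access logs; the submitted URL must not carry them.
        Assert.assertFalse(urlExposesSensitiveKey(driver.getCurrentUrl()),
                "Sensitive key present in URL: " + driver.getCurrentUrl());
    }
}
```

`urlExposesSensitiveKey` is deliberately a static helper with no WebDriver dependency, so it can also be unit-tested against constructed URLs without starting a browser.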
### CSRF

- CSRF token presence
- Token validation on form submission
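Token presence is only half of the CSRF check: the server must also refuse a submission whose token is missing or wrong, and it should not hand the same token to unrelated sessions. The class below is an added example, not the project's own `CsrfTest`. It assumes `BaseTest` exposes `driver` and `baseUrl`, that `/login` holds a single `<form>` with `username` and `password` fields, that the anti-CSRF token is a hidden input whose name contains `csrf` or `_token`, and that a rejected login leaves the browser on `/login`; adjust those assumptions to the application under test.

```java
package com.security.tests;

import org.openqa.selenium.By;
import org.openqa.selenium.JavascriptExecutor;
import org.openqa.selenium.WebElement;
import org.testng.Assert;
import org.testng.annotations.Test;

import java.util.List;

/**
 * Added example (not the project's own CsrfTest).
 * Assumes BaseTest exposes `driver` and `baseUrl`, that the login form at /login is the
 * only <form> on the page, and that the anti-CSRF token is a hidden input whose name
 * contains "csrf" or "_token" (assumption; adjust to the application under test).
 */
public class CsrfExampleTest extends BaseTest {

    /** Finds the hidden anti-CSRF input inside a form, or null when the form has none. */
    static WebElement findCsrfInput(WebElement form) {
        List<WebElement> hidden = form.findElements(By.cssSelector("input[type=hidden]"));
        for (WebElement input : hidden) {
            String name = input.getAttribute("name");
            if (name != null) {
                String lower = name.toLowerCase();
                if (lower.contains("csrf") || lower.contains("_token")) {
                    return input;
                }
            }
        }
        return null;
    }

    private WebElement loginForm() {
        driver.get(baseUrl + "/login");
        return driver.findElement(By.tagName("form"));
    }

    /** Loads the login form and returns its token value, failing the test if there is no token. */
    private String freshTokenValue() {
        WebElement token = findCsrfInput(loginForm());
        Assert.assertNotNull(token, "No anti-CSRF hidden input found in login form");
        return token.getAttribute("value");
    }

    @Test(groups = {"csrf"})
    public void loginFormShouldCarryCsrfToken() {
        String value = freshTokenValue();
        Assert.assertFalse(value == null || value.isBlank(), "Anti-CSRF token is empty");
    }

    @Test(groups = {"csrf"})
    public void csrfTokenShouldBeUniquePerSession() {
        String first = freshTokenValue();
        driver.manage().deleteAllCookies();   // drop the session so the next load starts a new one
        String second = freshTokenValue();
        Assert.assertNotEquals(second, first, "Same CSRF token served to two independent sessions");
    }

    @Test(groups = {"csrf"})
    public void serverShouldRejectSubmissionWithTamperedToken() {
        WebElement form = loginForm();
        WebElement token = findCsrfInput(form);
        Assert.assertNotNull(token, "No anti-CSRF hidden input found in login form");

        // Blank the token client-side, then submit. A server that validates tokens
        // must refuse the request rather than process it.
        ((JavascriptExecutor) driver).executeScript("arguments[0].value = '';", token);
        form.findElement(By.name("username")).sendKeys("placeholder-user");       // constructed value
        form.findElement(By.name("password")).sendKeys("placeholder-password");   // constructed value
        form.findElement(By.cssSelector("button[type=submit]")).click();

        Assert.assertTrue(driver.getCurrentUrl().contains("/login"),
                "Form accepted without a valid CSRF token, landed on: " + driver.getCurrentUrl());
    }
}
```

The per-session uniqueness test catches the common misconfiguration of a static, application-wide token, which passes the presence check but offers no protection.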
## OWASP ZAP Integration

Start ZAP in daemon mode:

```
zap.sh -daemon -port 8080
```

Then enable the proxy in `config.properties`:

```properties
zap.enabled=true
zap.host=localhost
zap.port=8080
```

Traffic will be proxied through ZAP for additional scanning.
## Reports

Test reports are generated in:

- ExtentReports: `test-output/SecurityTestReport.html`
- TestNG reports: `target/surefire-reports/`
## Custom Payloads

Add payloads to the files under `src/test/resources/payloads/`:

- `sql_injection_payloads.txt`
- `xss_payloads.txt`
## Adding New Tests

- Create a new test class extending `BaseTest`
- Use the `@Test` annotation with appropriate groups
- Add it to `testng.xml` if required
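A complete new test class following those three steps, covering the session-management cases listed earlier (session ID regeneration after login and the HttpOnly/Secure cookie flags), as an added example that is not the project's own `SessionManagementTest`. It assumes `BaseTest` exposes `driver` and `baseUrl`, that the session cookie is named `JSESSIONID`, that `/login` has `username` and `password` fields, that `/dashboard` requires a login and `/logout` ends the session, and that test credentials arrive via the `test.username` and `test.password` system properties; all of these are assumptions. Add the class to `testng.xml` if the suite lists classes explicitly.

```java
package com.security.tests;

import org.openqa.selenium.By;
import org.openqa.selenium.Cookie;
import org.testng.Assert;
import org.testng.annotations.Test;

import java.util.ArrayList;
import java.util.List;

/**
 * Added example of a new test class (not the project's own SessionManagementTest).
 * Assumes BaseTest exposes `driver` and `baseUrl`, that the session cookie is named
 * JSESSIONID, that /login has "username"/"password" fields, that /dashboard requires
 * login and that /logout ends the session. Register it in testng.xml if required.
 */
public class SessionManagementExampleTest extends BaseTest {

    private static final String SESSION_COOKIE = "JSESSIONID";   // assumption
    private static final String TEST_USER = System.getProperty("test.username", "placeholder-user");     // placeholder default
    private static final String TEST_PASS = System.getProperty("test.password", "placeholder-password"); // placeholder default

    /** Names the security flags a session cookie lacks; empty means HttpOnly and Secure are both set. */
    static List<String> missingSecurityFlags(Cookie cookie) {
        List<String> missing = new ArrayList<>();
        if (!cookie.isHttpOnly()) missing.add("HttpOnly");   // readable by page scripts, so XSS could steal it
        if (!cookie.isSecure())   missing.add("Secure");     // may be sent over plain HTTP
        return missing;
    }

    private Cookie sessionCookie() {
        Cookie cookie = driver.manage().getCookieNamed(SESSION_COOKIE);
        Assert.assertNotNull(cookie, "No " + SESSION_COOKIE + " cookie present");
        return cookie;
    }

    private void login() {
        driver.get(baseUrl + "/login");
        driver.findElement(By.name("username")).sendKeys(TEST_USER);
        driver.findElement(By.name("password")).sendKeys(TEST_PASS);
        driver.findElement(By.cssSelector("button[type=submit]")).click();
    }

    @Test(groups = {"session"})
    public void sessionCookieShouldHaveSecurityFlags() {
        login();
        List<String> missing = missingSecurityFlags(sessionCookie());
        Assert.assertTrue(missing.isEmpty(), "Session cookie is missing flags: " + missing);
    }

    @Test(groups = {"session"})
    public void sessionIdShouldBeRegeneratedAfterLogin() {
        driver.get(baseUrl + "/login");
        Cookie before = driver.manage().getCookieNamed(SESSION_COOKIE);   // may be null before login
        login();
        String after = sessionCookie().getValue();
        // Keeping the pre-authentication ID across login is the session fixation condition.
        if (before != null) {
            Assert.assertNotEquals(after, before.getValue(), "Session ID unchanged across login (fixation risk)");
        }
    }

    @Test(groups = {"session"})
    public void logoutShouldInvalidateSessionServerSide() {
        login();
        Cookie live = sessionCookie();
        driver.get(baseUrl + "/logout");

        // Re-present the old cookie: server-side invalidation makes it worthless, while a
        // client-only logout (cookie merely deleted in the browser) lets it back in.
        driver.manage().deleteAllCookies();
        driver.manage().addCookie(new Cookie(live.getName(), live.getValue()));
        driver.get(baseUrl + "/dashboard");
        Assert.assertTrue(driver.getCurrentUrl().contains("/login"),
                "Old session cookie still grants access after logout");
    }
}
```

Run it on its own with `mvn test -Dtest=SessionManagementExampleTest`, passing the credentials as `-Dtest.username=... -Dtest.password=...`. The flag check reads the cookie through Selenium's `Cookie.isHttpOnly()` and `Cookie.isSecure()`, so it reflects exactly what the browser received in `Set-Cookie`.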
## Responsible Use

- Only test applications you have permission to test
- Use in controlled environments (dev/staging)
- Never test production systems without explicit authorization
- Review and comply with your organization's security testing policies
🚀 Built for DevSecOps & Security Automation Excellence