A comprehensive Java-based security testing framework using Selenium WebDriver to automate OWASP Top 10 vulnerability testing.
## Features

- SQL Injection Testing -- Tests login forms and input fields for SQL injection vulnerabilities.
- XSS Testing -- Cross-Site Scripting vulnerability detection.
- Authentication Testing -- Tests for authentication bypass and broken access control.
- Session Management Testing -- Session fixation, timeout, and cookie security tests.
- Sensitive Data Exposure Testing -- HTTPS enforcement, password masking, etc.
- CSRF Testing -- Cross-Site Request Forgery token validation.
- OWASP ZAP Integration -- Optional integration with the OWASP ZAP proxy for deeper scanning.
## Project Structure

```
SecurityTestFramework/
├── pom.xml
├── README.md
├── src/
│   ├── main/java/com/security/
│   │   ├── config/
│   │   │   └── ConfigReader.java
│   │   ├── pages/
│   │   │   ├── BasePage.java
│   │   │   └── LoginPage.java
│   │   └── utils/
│   │       ├── DriverFactory.java
│   │       ├── SecurityPayloads.java
│   │       ├── ReportManager.java
│   │       └── ZapIntegration.java
│   ├── test/java/com/security/tests/
│   │   ├── BaseTest.java
│   │   ├── SqlInjectionTest.java
│   │   ├── XssTest.java
│   │   ├── AuthenticationTest.java
│   │   ├── SessionManagementTest.java
│   │   ├── SensitiveDataExposureTest.java
│   │   └── CsrfTest.java
│   └── test/resources/
│       ├── config.properties
│       ├── log4j2.xml
│       └── payloads/
│           ├── sql_injection_payloads.txt
│           └── xss_payloads.txt
└── testng.xml
```
## Prerequisites

- Java 17 or higher
- Maven 3.6+
- Chrome or Firefox browser
- (Optional) OWASP ZAP for proxy-based testing
## Getting Started

Clone the repository:

```bash
git clone <repository-url>
```

Edit `src/test/resources/config.properties`:

```properties
base.url=https://your-target-app.com
browser=chrome
headless=false
```

Build the project:

```bash
mvn clean install -DskipTests
```

Run all tests:

```bash
mvn test
```

Run a single test class:

```bash
mvn test -Dtest=SqlInjectionTest
mvn test -Dtest=XssTest
mvn test -Dtest=AuthenticationTest
```

Override the browser or run headless from the command line:

```bash
mvn test -Dbrowser=firefox
mvn test -Dheadless=true
```

## Test Coverage

### SQL Injection

- Login form injection
- Search field injection
- URL parameter injection
- Error-based injection detection
### XSS

- Reflected XSS
- Stored XSS
- DOM-based XSS
- Input sanitization verification
### Authentication

- Direct URL access without login
- Session token validation
- Password policy enforcement
- Account lockout testing
### Session Management

- Session ID regeneration after login
- Session timeout verification
- Cookie security flags (HttpOnly, Secure)
- Concurrent session handling
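Added example (not part of this project's code) showing how the cookie security flag check above can be written as a TestNG test, with the flag evaluation split into a pure method so it can be exercised without a browser. It assumes the target sets its session cookie when `base.url` is loaded (log in through the framework's `LoginPage` first if it does not), reads `base.url` from a system property, and treats the names in `SESSION_NAMES` as session identifiers.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.openqa.selenium.Cookie;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.testng.Assert;
import org.testng.annotations.Test;

// Example test (not from the framework): reports session cookies lacking HttpOnly/Secure.
public class CookieFlagsExampleTest {
    // Assumed session cookie names; extend for the application under test.
    static final Set<String> SESSION_NAMES = Set.of("JSESSIONID", "PHPSESSID", "sessionid");

    // Pure check returning one finding per missing flag, so it runs without a browser.
    static List<String> missingFlags(Set<Cookie> cookies, boolean httpsTarget) {
        List<String> findings = new ArrayList<>();
        for (Cookie c : cookies) {
            if (!SESSION_NAMES.contains(c.getName())) continue;
            if (!c.isHttpOnly()) findings.add(c.getName() + ": missing HttpOnly");
            // Secure is only expected when the target is served over HTTPS.
            if (httpsTarget && !c.isSecure()) findings.add(c.getName() + ": missing Secure");
        }
        return findings;
    }

    // Browser-free check of the evaluation logic using a constructed cookie.
    @Test(groups = "unit")
    public void detectsMissingFlagsOnConstructedCookie() {
        Cookie weak = new Cookie.Builder("JSESSIONID", "constructed-value")
                .isHttpOnly(false).isSecure(false).build();
        List<String> findings = missingFlags(Set.of(weak), true);
        Assert.assertEquals(findings.size(), 2, findings.toString());
    }

    // Live check against the configured target (base.url system property).
    @Test(groups = "session")
    public void sessionCookiesCarrySecurityFlags() {
        String baseUrl = System.getProperty("base.url", "https://your-target-app.com");
        WebDriver driver = new ChromeDriver();
        try {
            driver.get(baseUrl); // assumes the session cookie is issued on first page load
            List<String> findings =
                    missingFlags(driver.manage().getCookies(), baseUrl.startsWith("https://"));
            Assert.assertTrue(findings.isEmpty(), "Insecure session cookies: " + findings);
        } finally {
            driver.quit();
        }
    }
}
```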
### Sensitive Data Exposure

- HTTPS enforcement
- Password field masking
- Sensitive data in URL parameters
- Autocomplete disabled for sensitive fields
### CSRF

- CSRF token presence
- Token validation on form submission
## OWASP ZAP Integration

Start ZAP in daemon mode:

```bash
zap.sh -daemon -port 8080
```

Enable the proxy in `config.properties`:

```properties
zap.enabled=true
zap.host=localhost
zap.port=8080
```

Browser traffic is then proxied through ZAP for additional scanning.
## Reports

Test reports are generated in:

- ExtentReports: `test-output/SecurityTestReport.html`
- TestNG reports: `target/surefire-reports/`
## Customizing Payloads

Add payloads to the files under `src/test/resources/payloads/`:

- `sql_injection_payloads.txt`
- `xss_payloads.txt`
## Adding New Tests

- Create a new test class extending `BaseTest`
- Use the `@Test` annotation with appropriate groups
- Add it to `testng.xml` if required
## Responsible Use

- Only test applications you have permission to test
- Use in controlled environments (dev/staging)
- Never test production systems without explicit authorization
- Review and comply with your organization's security testing policies
Built for DevSecOps & Security Automation Excellence