How to do a security scan of an Orchard Core app - Orchard Core Nuggets

You don't want malicious people to crack your web apps to use them for spamming, cryptocurrency mining, and spreading malware, nor do you want them to get access to your users' personal data (if you actually do want to cooperate with criminals, you don't need to read further). Thus, you want your app to be secure. One aspect of achieving this is to do penetration testing on your app. Thankfully, much of this can be automated, and with the help of Lombiq UI Testing Toolbox for Orchard Core and Zed Attack Proxy (ZAP) you can conveniently do this for your Orchard Core app. Let's see how!

  1. First, install v8.2.1-alpha.6.osoe-351 or greater of the UI Testing Toolbox from NuGet because that's the one that added security scanning. There are a couple of minor breaking changes that should affect nobody, really, in this, so it'll be part of the upcoming v.9.0.0 (but for that, we're waiting for Orchard Core 1.8).
  2. Set up UI testing as explained in the UI Testing Toolbox's documentation. While we're focusing on security scanning here, the UI Testing Toolbox can do a lot, and I really mean a lot more, including one-liners to test if the basic Orchard Core features still work in your app, or unleashing automated monkey testing to try to break your app. We never work on an Orchard Core app without its safety net!
  3. Add one or more test cases to run ZAP's security scan. Since all the configuration of ZAP is available to you, customization is unlimited, but to give you a glimpse, this is how a basic security scan that's already a good start would look like:
[Fact]
public Task BasicSecurityScanShouldPass() => ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync());

And that's it!

OK, I might have omitted the last step here:

4. Fix all the security issues ZAP finds, because it'll definitely find at least a couple of them!

This was just a short teaser, but be sure to check out the UI Testing Toolbox's security scanning documentation, because we tried to summarize everything necessary to get you going there, including samples that you can just copy-paste. Do you want to see security scanning in action? Check out the demo video too!

Also, security starts with quality code. Check out our Lombiq .NET Analyzers project to get automated checks for your code too, including pointing out potential security issues even before running the app.

Did you like this post? It's part of our Orchard Core Nuggets series where we answer common Orchard questions, be it about user-facing features or developer-level issues. Check out the other posts for more such bite-sized Orchard Core tips and let us know if you have another question!