This repository has been archived by the owner on Aug 2, 2021. It is now read-only.
As Juice Shop already has a complete set of API integration and end-to-end vulnerability exploit tests, it would be cool to be able to run them through your pipeline as well.
API integration tests
npm run frisby runs all the API tests. It starts a server of its own so you might want to run them instead directly with jasmine-node test/api
End-to-end tests
npm run protractor runs the e2e tests. These cover the entire application using Protractor (which is based on Webdriver) to exploit all the vulns in the app to get a 100% score board. They also start their own server so you might want to run protractor protractor.conf.js instead given that all your Webdriver/Selenium stuff is set up properly.
The fact that the e2e tests are not functional tests but rather exploitability tests makes it a bit different from usual setups of webapps with their e2e suites. But as you rely on the passive mode of ZAP only, it should not make so much of a difference, as it doesn't heavily check for attack signatures really - I guess - because it does not expect to be used like this.
This is a good idea, I was not aware of those tests. It is a better demonstration of what I am trying to do. I also looked at it, and it should be pretty easy to configure Protractor to use selenium hub instead of local selenium. The only complex part is to create a Dockerfile with the test code, but it is not too complex.
(cc: @zaproxy, @psiinon, @thc202)
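The setup the reply describes (Protractor driving a remote Selenium hub, with the browser routed through ZAP so the passive scanner sees every request the exploit tests make), as an added example that is not part of this issue or of Juice Shop's own protractor.conf.js; the hub/ZAP/app hostnames, ports and the spec glob are assumptions for a docker-compose style pipeline:

```javascript
// Added example, not Juice Shop's protractor.conf.js. Builds a Protractor config
// that talks to a Selenium hub instead of a local webdriver and sends all browser
// traffic through ZAP. Hostnames, ports and the spec glob are assumptions.
function buildZapConfig({
  hub = 'http://selenium-hub:4444/wd/hub', // assumed hub address
  zap = 'zap:8080',                        // assumed ZAP proxy host:port
  app = 'http://juice-shop:3000',          // assumed app-under-test
  specs = ['test/e2e/*Spec.js']            // assumed location of the e2e specs
} = {}) {
  return {
    framework: 'jasmine',
    seleniumAddress: hub,      // remote hub; Protractor will not start its own driver
    baseUrl: app,
    specs,
    allScriptsTimeout: 60000,  // exploit specs poll the score board; allow slow CI
    capabilities: {
      browserName: 'chrome',
      // WebDriver proxy capability: every HTTP and HTTPS request goes via ZAP,
      // which is what lets the passive scanner see the exploit traffic.
      proxy: { proxyType: 'manual', httpProxy: zap, sslProxy: zap },
      chromeOptions: {
        // ZAP re-signs TLS with its own CA, so the pipeline browser must not
        // reject the intercepted certificate; headless suits a CI container.
        args: ['--headless', '--ignore-certificate-errors', `--proxy-server=${zap}`]
      }
    }
  };
}

// Allow the pipeline to override the assumed hostnames via environment variables.
const fromEnv = {};
if (process.env.SELENIUM_HUB) fromEnv.hub = process.env.SELENIUM_HUB;
if (process.env.ZAP_PROXY) fromEnv.zap = process.env.ZAP_PROXY;
if (process.env.APP_URL) fromEnv.app = process.env.APP_URL;

// Protractor loads `exports.config`; guarded so the file also runs outside CommonJS.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { config: buildZapConfig(fromEnv), buildZapConfig };
}
```

Run it as `protractor this-file.js` from the Juice Shop checkout once the hub, ZAP and the app are reachable under the assumed names.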