Security Testing in SoapUI

Let’s understand Security Testing in SoapUI. The Security Testing features introduced in SoapUI 4.0 make it extremely easy for you to validate the functional security of your target services. Further, this allows you to assess the vulnerability of your system for common security attacks. In addition, this is especially critical if your system is publically available. Still if that is not the case, ensuring an altogether secure environment is equally important.

Create a Functional TestCase (or use an existing one)

We’ll start with the trustworthy included Sample Project. First of all, import it into your workspace and open the first TestCase:

Adding a Security Test

You can see an empty “Security Tests” node in the left tree. Firstly,  right-click it and select the “New SecurityTest” option, this opens the following dialog

• First of all, “Empty Test” will simply create an empty Security Test, requiring you to manually configure the desired Security Scans.
• Secondly, “Automatic” will generate a default setup with common Security Scans and default assertions
• Lastly, “Full Control” will give you fine-grained control of which Security Scans to add and how they should be configured initially

Once added, double-click a Security Test to see its main configuration and execution window. This window has a layout similar to the TestCase window (top to bottom);

• First thing first, A toolbar with actions related to execution, reports, etc
• Secondly, a progress bar at the top for tracking progress of the Security Test as it executes
• Subsequently, a toolbar and list of the TestSteps in the underlying TestCase, with additional information on execution progress and configured Security Scans for each TestStep
• In addition, the usual inspectors for adding a description, properties and setup/teardown scripts to the Security Test
• Now, a number of log tabs for viewing results from the execution of the Security Test
• Lastly, select the “Auto” mode to generate default Security Scans and Assertions for the TestSteps in your TestCase and press “Next.

A summary of all the Security Scans and Assertions SoapUI will add to the Security Test are listed, press OK to create the Security Test with the described configuration and open the Security Test window.

Run the Security Test

To run a Security Test, make sure all your scans are configured as desired. Further, press the run button in the top left. The following will now happen:

 

• First of all, each TestStep in the underlying TestCase will be executed and asserted as usual – the results of the functional test are visible in the “TestCase Log” at the bottom of the Security Test window
• Subsequently, for each TestStep, its configured Security Scans will be executed also. Their individual progress and results will be shown in the Security Test window and the Security Run Log at the bottom of the Security Test window
• After this, run the Test by pressing the green arrow on the top left. After this, you will see ongoing progress for each TestStep and configured Security Scans in the Security Test window.

You will see ongoing progress in the main window as the different Security Scans are executed. Moreover, more detailed information is available in the Security Log at the bottom.

Analyze the Results

The Security Log at the bottom of the Security Test window shows detailed information on failed Security Scans, click on a Security Scan in the main window and the log will scroll to that Scans entries:

Check here for unexpected alerts that might indicate a possible security vulnerability in your target service. Double click individual entries to see their actual message exchanges.

Here you can see one of the XPath Injection mutations sent to our logout service operation.

Make your resume stand out and become a Certified SoapUI Testing Professional. Try free practice tests here!

A great career is just a certification away. So, practice and validate your skills to become a Certified SoapUI Testing Professional.