Learning Security Scans
Security Scans are useful to identify potential security vulnerabilities in your target services. Each scan sends a number of malicious requests to your service to try to provoke and identify a behavior that could indicate a security vulnerability that needs to be handled.
The following Security Scans are currently available (click on the name for a dedicated page)
- Firstly, SQL Injection : tries to exploit bad database integration coding
- Secondly, XPath Injection : tries to exploit bad XML processing inside your target service
- Thirdly, Boundary Scan : tries to exploit bad handling of values that are outside of defined ranges
- Subsequently, Invalid Types : tries to exploit handling of invalid input data
- Further, Malformed XML : tries to exploit bad handling of invalid XML on your server or in your service
- In addition, XML Bomb : tries to exploit bad handling of malicious XML request (be careful)
- Moreover, Malicious Attachment : tries to exploit bad handling of attached files
- After this, Cross Site Scripting : tries to find cross-site scripting vulnerabilities
- Lastly, Custom Script : allows you to use a script for generating custom parameter fuzzing values
Adding Security Scans
Add a Security Scan to a TestStep in your Security Tests. Further, this is easily done using the “Adding SecurityScan” button or the corresponding TestStep right-click menu option. After this, it will ask which type of Security Scan to add. After this, it opens the corresponding Security Scan configuration window:
- First of all, Assertions : the assertions are useful to validate and check the response for any signs of a successful security exploit
- Secondly, Strategy : settings related to how multiple parameters should be permutated against each other
- Lastly, Advanced : settings specific for the Security Scan (if applicable)
The table of parameters, assertion tab and strategy tab are common for most Security Scans. So, let’s have a look at them in more detail.
Security Scan Parameters
Most Security Scans require you define the content of the underlying request. For example for a SOAP request you might have a message as follows:
When performing a SQL Injection scan with this request, you need to send the malicious SQL statements in both the username and password field. So, this requires you to define these two as parameters in the table. However, in the Pro version, you can easily achieve by pressing the “Extract Parameters” button on the top of the table itself. Further, this will search all available properties in the request and automatically add them to the table if they contain a value:
Alternatively, you can use the “Add Parameter” button which will open a dialog for specifying the Parameter manually:
Here you need to specify the following:
- First thing first, the underlying Test Property that contains the parameter value.
- Secondly, a unique label for the parameter.
- Subsequently, An optional XPath statement specifying where in the Test Property value to find the parameter.
- Last but not least, this is for properties containing XML values.
Security Scan Assertions
Assertions are useful to assess the responses for the Security Scan requests. Certainly, these requests contain some kind of content that indicates that the target system has a corresponding vulnerability. Likewise, the mechanism is the same as for standard Test Requests-use the table in the assertions tab to specify which assertion to use and their configuration:
All the standard assertions are available, but also a number of new ones have been added specifically for this purpose.
Invalid HTTP Codes
Allows you to specify a comma-separated list of HTTP status codes that the target service should return.
Valid HTTP Codes
Allows you to specify a comma-separated list of HTTP status codes that should return.
System Information Exposure
Checks the response for content that reveals system information which is helpful to hackers to further exploit any existing vulnerabilities.
The default configuration for this assertion is specific at both the global and project level. So, if you want to add any custom tokens that are useful in the search. Then, it can be done either specifically for the containing Security Scan or at a higher level. After this, soapUI provides the default list. This is visible in the Global Preferences under the “Global Sensitive Information Tokens” tab.
The table has two columns:
- On one hand, the token itself can either contain a plain string or a regular expression prefixed with a tilde sign.
- On the other hand, a description that will be shown in the Security Log if the corresponding token is found.
Cross Site Scripting Assertion
This assertion is available only for the Cross Site Scripting Scan and automatically adds. Moreover, it checks the response for the same injection strings that is sent with the parameter. Further, this allows you to specify a script that populates a list of URLs to check separately for the send XSS tokens:
Strategy
The strategy tab allows you to specify how multiple parameters are to be permutated and executed during the execution of the Security Scan:
There are currently two modes of execution:
- Firstly, “One by One” – mutates one parameter at a time.
- Subsequently, “All at once” – mutates all parameters at the same time.
The “Request Delay” setting allows you to specify a delay between multiple mutated requests. So, the Security Scan can’t overload your server. After this, the “Apply to Failed TestSteps” option allows you to control.
Execution
When a Security Scan is run as part of the containing Security Test. After this, it sends the different mutation requests as configured. After this, mutating the defined parameters for each request. Moreover, the Security Log shows specifically which values were sent for each parameter and request, together with any assertion failures.
Make your resume stand out and become a Certified SoapUI Testing Professional. Try free practice tests here!
A great career is just a certification away. So, practice and validate your skills to become a Certified SoapUI Testing Professional.
