{"id":70284,"date":"2020-01-04T11:40:28","date_gmt":"2020-01-04T06:10:28","guid":{"rendered":"https:\/\/www.vskills.in\/certification\/tutorial\/?p=70284"},"modified":"2024-04-12T14:33:26","modified_gmt":"2024-04-12T09:03:26","slug":"security-scans","status":"publish","type":"page","link":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/","title":{"rendered":"Security Scans"},"content":{"rendered":"<h1><strong>Learning Security Scans<\/strong><\/h1>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/cdn.helpsystems.com\/styles\/banner\/storage-api-public\/banner\/pt-network-vulnerability-scan-ibm-i-1920x500_0.jpg?itok=JWonzGH2\" alt=\"security scan\" width=\"1920\" height=\"500\" \/><\/p>\n<p>Security Scans identify potential security vulnerabilities in your target services. Each scan sends a series of malicious requests to the service and looks for a response that indicates a vulnerability which needs to be fixed. Because several scans send genuinely harmful input, run them only against services you are authorised to test, preferably outside production.<\/p>\n<p>The following Security Scans are currently available:<\/p>\n<ul>\n<li>SQL Injection: sends SQL fragments in parameter values to exploit database integration code that builds queries from unvalidated input<\/li>\n<li>XPath Injection: sends XPath fragments to exploit insecure XML processing inside the target service<\/li>\n<li>Boundary Scan: sends values outside the defined ranges (for example strings longer than the maximum length or numbers beyond the allowed limits) to exploit missing range validation<\/li>\n<li>Invalid Types: sends values of the wrong data type to exploit weak input validation<\/li>\n<li>Malformed XML: sends syntactically invalid XML to exploit bad handling of unparseable input on the server or in the service<\/li>\n<li>XML Bomb: sends XML that expands into a very large document, typically through entity expansion, to exploit parsers that do not limit expansion (be careful: a vulnerable target can run out of memory or CPU)<\/li>\n<li>Malicious Attachment: sends attached files of unexpected type, size or content to exploit bad handling of attachments<\/li>\n<li>Cross Site Scripting: sends script fragments and checks whether they come back unencoded in the response<\/li>\n<li>Custom Script: lets you write a script that generates your own parameter fuzzing values<\/li>\n<\/ul>\n<h2><strong>Adding Security Scans<\/strong><\/h2>\n<p>A Security Scan is added to a TestStep in a Security Test, either with the \u201cAdding SecurityScan\u201d button or the corresponding TestStep right-click menu option. SoapUI asks which type of Security Scan to add and then opens the configuration window for that scan:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-142902 size-full\" src=\"https:\/\/www.vskills.in\/lms\/wp-content\/uploads\/2019\/11\/Image-12-1.png\" alt=\"Adding Security Scans\" width=\"370\" height=\"333\" \/><\/p>\n<ul>\n<li>Assertions: the checks run against each response to detect signs of a successful exploit<\/li>\n<li>Strategy: how multiple parameters are permutated against each other<\/li>\n<li>Advanced: settings specific to the selected Security Scan (where applicable)<\/li>\n<\/ul>\n<p>The parameter table, the Assertions tab and the Strategy tab are common to most Security Scans, so let\u2019s look at them in more detail.<\/p>\n<h2><strong>Security Scan Parameters<\/strong><\/h2>\n<p>Most Security Scans require you to define which parts of the underlying request are to be mutated. For example, a SOAP request might carry a message like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-142903 size-full\" src=\"https:\/\/www.vskills.in\/lms\/wp-content\/uploads\/2019\/11\/Image-13-1.png\" alt=\"Security Scan Parameters\" width=\"294\" height=\"243\" \/><\/p>\n<p class=\"VSKILLbodytext\">When performing a SQL Injection scan with this request, you want to send the malicious SQL statements in both the username and the password field, so both must be defined as parameters in the table. 
In the Pro version this is done with the \u201cExtract Parameters\u201d button above the table, which searches all available properties in the request and automatically adds every one that contains a value:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-142905 size-full\" src=\"https:\/\/www.vskills.in\/lms\/wp-content\/uploads\/2019\/11\/Image-14-1.png\" alt=\"Security Scan Parameters\" width=\"476\" height=\"205\" \/><\/p>\n<p class=\"VSKILLbodytext\">Alternatively, use the \u201cAdd Parameter\u201d button, which opens a dialog for specifying the parameter manually:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-142906 size-full\" src=\"https:\/\/www.vskills.in\/lms\/wp-content\/uploads\/2019\/11\/Image-15-1.png\" alt=\"Security Scan Parameters\" width=\"410\" height=\"371\" \/><\/p>\n<p>Here you need to specify the following:<\/p>\n<ul>\n<li>The underlying Test Property that contains the parameter value.<\/li>\n<li>A unique label for the parameter.<\/li>\n<li>An optional XPath statement specifying where in the Test Property value the parameter is found. This applies to properties containing XML values, where the whole request is one property and the XPath selects the element to mutate.<\/li>\n<\/ul>\n<h2><strong>Security Scan Assertions<\/strong><\/h2>\n<p>Assertions assess the responses to the Security Scan requests: they look for content that indicates the target system has the corresponding vulnerability. 
The mechanism is the same as for standard Test Requests: use the table in the Assertions tab to specify which assertions to apply and how they are configured:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-142907 size-full\" src=\"https:\/\/www.vskills.in\/lms\/wp-content\/uploads\/2019\/11\/Image-16-1.png\" alt=\"Security Scan Assertions\" width=\"573\" height=\"263\" \/><\/p>\n<p>All the standard assertions are available, and a number of new ones have been added specifically for security scanning.<\/p>\n<h3><strong>Invalid HTTP Codes<\/strong><\/h3>\n<p>Takes a comma-separated list of HTTP status codes that the target service should never return (for example 500, which usually means the malicious input reached an unhandled code path); the assertion fails if the response carries one of them.<\/p>\n<h3><strong>Valid HTTP Codes<\/strong><\/h3>\n<p>Takes a comma-separated list of HTTP status codes that the target service is allowed to return; the assertion fails if the response carries any other code.<\/p>\n<h3><strong>System Information Exposure<\/strong><\/h3>\n<p>Checks the response for content that reveals system information, such as stack traces, database error messages or server version strings, which helps an attacker exploit other vulnerabilities.<\/p>\n<p>The default configuration for this assertion is specified at both the global and the project level. Custom tokens to search for can be added either for the containing Security Scan only or at one of those higher levels. SoapUI ships with a default list. 
This is visible in the Global Preferences under the \u201cGlobal Sensitive Information Tokens\u201d tab.<\/p>\n<p>The table has two columns:<\/p>\n<ul>\n<li>The token itself, which is either a plain string or a regular expression prefixed with a tilde sign (~).<\/li>\n<li>A description that is shown in the Security Log when the corresponding token is found in a response.<\/li>\n<\/ul>\n<h3><strong>Cross Site Scripting Assertion<\/strong><\/h3>\n<p>This assertion is available only for the Cross Site Scripting Scan and is added automatically. It checks the response for the same injection strings that were sent in the parameter; a match means the input was reflected without encoding. You can also specify a script that populates a list of URLs to check separately for the sent XSS tokens, which is useful when the injected value is rendered on a different page than the one that received it.<\/p>\n<h3><strong>Strategy<\/strong><\/h3>\n<p>The Strategy tab specifies how multiple parameters are permutated and sent during the execution of the Security Scan.<\/p>\n<p>There are currently two modes of execution:<\/p>\n<ul>\n<li>\u201cOne by One\u201d \u2013 mutates one parameter per request while the others keep their original values.<\/li>\n<li>\u201cAll at once\u201d \u2013 mutates all parameters in the same request.<\/li>\n<\/ul>\n<p>The \u201cRequest Delay\u201d setting specifies a pause between consecutive mutated requests so that the Security Scan does not overload your server. The \u201cApply to Failed TestSteps\u201d option controls whether the scan is still applied when the underlying TestStep itself fails.<\/p>\n<h3><strong>Execution<\/strong><\/h3>\n<p>When a Security Scan is run as part of its containing Security Test, it sends the configured mutation requests, mutating the defined parameters for each request. The Security Log shows exactly which values were sent for each parameter and request, together with any assertion failures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learning Security Scans &nbsp; Security Scans are useful to identify potential security vulnerabilities in your target services. Each scan sends a number of malicious requests to your service to try to provoke and identify a behavior that could indicate a security vulnerability that needs to be handled. The following Security Scans are currently available (click&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"categories":[8032],"tags":[8119],"class_list":["post-70284","page","type-page","status-publish","hentry","category-soapui","tag-security-scans"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Security Scans - Vskills Tutorial<\/title>\n<meta name=\"description\" content=\"Enhance and Upgrade your Security Scans skills for better career opportunities. 
Become a Certified SoapUI Testing Professional Now!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Security Scans - Vskills Tutorial\" \/>\n<meta property=\"og:description\" content=\"Enhance and Upgrade your Security Scans skills for better career opportunities. Become a Certified SoapUI Testing Professional Now!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/\" \/>\n<meta property=\"og:site_name\" content=\"Tutorial\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/vskills.in\/\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-12T09:03:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cdn.helpsystems.com\/styles\/banner\/storage-api-public\/banner\/pt-network-vulnerability-scan-ibm-i-1920x500_0.jpg?itok=JWonzGH2\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/\",\"name\":\"Security Scans - Vskills Tutorial\",\"isPartOf\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/cdn.helpsystems.com\/styles\/banner\/storage-api-public\/banner\/pt-network-vulnerability-scan-ibm-i-1920x500_0.jpg?itok=JWonzGH2\",\"datePublished\":\"2020-01-04T06:10:28+00:00\",\"dateModified\":\"2024-04-12T09:03:26+00:00\",\"description\":\"Enhance and Upgrade your Security Scans skills for better career opportunities. 
Become a Certified SoapUI Testing Professional Now!\",\"breadcrumb\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#primaryimage\",\"url\":\"https:\/\/cdn.helpsystems.com\/styles\/banner\/storage-api-public\/banner\/pt-network-vulnerability-scan-ibm-i-1920x500_0.jpg?itok=JWonzGH2\",\"contentUrl\":\"https:\/\/cdn.helpsystems.com\/styles\/banner\/storage-api-public\/banner\/pt-network-vulnerability-scan-ibm-i-1920x500_0.jpg?itok=JWonzGH2\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.vskills.in\/certification\/tutorial\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security Scans\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#website\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/\",\"name\":\"Tutorial\",\"description\":\"Vskills - A initiative in elearning and 
certification\",\"publisher\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.vskills.in\/certification\/tutorial\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#organization\",\"name\":\"Vskills\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg\",\"contentUrl\":\"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg\",\"width\":73,\"height\":55,\"caption\":\"Vskills\"},\"image\":{\"@id\":\"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/vskills.in\/\",\"https:\/\/x.com\/vskills_in\",\"https:\/\/www.linkedin.com\/company-beta\/1371554\/\",\"https:\/\/www.youtube.com\/channel\/UCMWnscxPwRF_PqXo9B7q_Tw\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Security Scans - Vskills Tutorial","description":"Enhance and Upgrade your Security Scans skills for better career opportunities. 
Become a Certified SoapUI Testing Professional Now!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/","og_locale":"en_US","og_type":"article","og_title":"Security Scans - Vskills Tutorial","og_description":"Enhance and Upgrade your Security Scans skills for better career opportunities. Become a Certified SoapUI Testing Professional Now!","og_url":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/","og_site_name":"Tutorial","article_publisher":"https:\/\/www.facebook.com\/vskills.in\/","article_modified_time":"2024-04-12T09:03:26+00:00","og_image":[{"url":"https:\/\/cdn.helpsystems.com\/styles\/banner\/storage-api-public\/banner\/pt-network-vulnerability-scan-ibm-i-1920x500_0.jpg?itok=JWonzGH2","type":"","width":"","height":""}],"twitter_misc":{"Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/","url":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/","name":"Security Scans - Vskills Tutorial","isPartOf":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#primaryimage"},"image":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#primaryimage"},"thumbnailUrl":"https:\/\/cdn.helpsystems.com\/styles\/banner\/storage-api-public\/banner\/pt-network-vulnerability-scan-ibm-i-1920x500_0.jpg?itok=JWonzGH2","datePublished":"2020-01-04T06:10:28+00:00","dateModified":"2024-04-12T09:03:26+00:00","description":"Enhance and Upgrade your Security Scans skills for better career opportunities. 
Become a Certified SoapUI Testing Professional Now!","breadcrumb":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#primaryimage","url":"https:\/\/cdn.helpsystems.com\/styles\/banner\/storage-api-public\/banner\/pt-network-vulnerability-scan-ibm-i-1920x500_0.jpg?itok=JWonzGH2","contentUrl":"https:\/\/cdn.helpsystems.com\/styles\/banner\/storage-api-public\/banner\/pt-network-vulnerability-scan-ibm-i-1920x500_0.jpg?itok=JWonzGH2"},{"@type":"BreadcrumbList","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/security-scans\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.vskills.in\/certification\/tutorial\/"},{"@type":"ListItem","position":2,"name":"Security Scans"}]},{"@type":"WebSite","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#website","url":"https:\/\/www.vskills.in\/certification\/tutorial\/","name":"Tutorial","description":"Vskills - A initiative in elearning and 
certification","publisher":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.vskills.in\/certification\/tutorial\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#organization","name":"Vskills","url":"https:\/\/www.vskills.in\/certification\/tutorial\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/","url":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg","contentUrl":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-content\/uploads\/2017\/07\/vskills-min-logo.jpg","width":73,"height":55,"caption":"Vskills"},"image":{"@id":"https:\/\/www.vskills.in\/certification\/tutorial\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/vskills.in\/","https:\/\/x.com\/vskills_in","https:\/\/www.linkedin.com\/company-beta\/1371554\/","https:\/\/www.youtube.com\/channel\/UCMWnscxPwRF_PqXo9B7q_Tw"]}]}},"_links":{"self":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages\/70284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/comments?post=70284"}],"version-history":[{"count":7,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages\/70284\/revisions"
}],"predecessor-version":[{"id":75491,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/pages\/70284\/revisions\/75491"}],"wp:attachment":[{"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/media?parent=70284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/categories?post=70284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vskills.in\/certification\/tutorial\/wp-json\/wp\/v2\/tags?post=70284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
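The "Extract Parameters" behaviour and the XPath column described under Security Scan Parameters, as an added example that is not part of the page or of SoapUI itself: it walks a constructed SOAP login request, turns every element that carries a value into a parameter (label, path, value), and then rewrites the value at one of those paths with a payload, which is what a scan does for each mutated request. The envelope, the namespace http://example.com/login and the element names are assumptions, and ElementTree's limited path syntax stands in for SoapUI's XPath with namespace declarations.

```python
"""Added example (not SoapUI's code): extracting the parameters of a SOAP request
and mutating one of them by path, mirroring the parameter table described on the page.
"""
import io
import xml.etree.ElementTree as ET

# Constructed sample request; the namespace URI and element names are assumptions.
LOGIN_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ex="http://example.com/login">
   <soapenv:Header/>
   <soapenv:Body>
      <ex:login>
         <ex:username>alice</ex:username>
         <ex:password>s3cret</ex:password>
         <ex:remember/>
      </ex:login>
   </soapenv:Body>
</soapenv:Envelope>"""


def _register_prefixes(xml_text):
    """Register the document's own namespace prefixes so that re-serialising keeps
    'soapenv:' and 'ex:' instead of ElementTree's generated ns0/ns1."""
    for _event, (prefix, uri) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)):
        if prefix:  # a default (unprefixed) namespace cannot be registered this way
            ET.register_namespace(prefix, uri)


def _local_name(tag):
    """'{uri}username' -> 'username'."""
    return tag.rsplit("}", 1)[-1]


def extract_parameters(xml_text):
    """Return [(label, path, value)] for every leaf element with a non-empty text value,
    which is the rule the page gives for Extract Parameters.

    `path` is relative to the root element in ElementTree's Clark notation so it can be
    handed straight to Element.find(); labels are the local element names, made unique
    with a numeric suffix if the same name occurs more than once.
    """
    root = ET.fromstring(xml_text)
    params, seen = [], {}

    def walk(elem, path):
        for child in elem:
            child_path = path + "/" + child.tag
            if len(child) == 0 and child.text and child.text.strip():
                label = _local_name(child.tag)
                seen[label] = seen.get(label, 0) + 1
                if seen[label] > 1:
                    label = f"{label}{seen[label]}"
                params.append((label, child_path, child.text.strip()))
            else:
                walk(child, child_path)  # empty leaves (Header, remember) add nothing

    walk(root, ".")
    return params


def mutate(xml_text, path, payload):
    """Return a copy of the request with the text at `path` replaced by `payload`.
    Only the targeted element changes; every other parameter keeps its value."""
    _register_prefixes(xml_text)
    root = ET.fromstring(xml_text)
    target = root.find(path)
    if target is None:
        raise KeyError(f"no element at {path}")
    target.text = payload
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, path, value in extract_parameters(LOGIN_REQUEST):
        print(f"{label:10} {value!r:12} {path}")
    username_path = extract_parameters(LOGIN_REQUEST)[0][1]
    print(mutate(LOGIN_REQUEST, username_path, "' OR '1'='1"))
```

Running the block lists the two parameters SoapUI's button would add (username and password, not the empty Header or remember elements) and prints the request with the SQL payload in the username field; apostrophes survive serialisation untouched, which is why a SQL Injection scan can send them through this path without further escaping.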
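The Strategy modes, the Security Log and the assertion types from the sections above (Invalid HTTP Codes, the System Information Exposure token table with plain and tilde-prefixed regex tokens, and the Cross Site Scripting reflection check), as an added example that is not SoapUI's code. The target service is a constructed function standing in for a real endpoint; the payload lists, the token list and the behaviour of `vulnerable_login` are assumptions chosen so that each assertion has something to find.

```python
"""Added example (not SoapUI's code): a miniature security scan loop in the shape the
page describes, run against a constructed stand-in target.
"""
import re

# Constructed payloads; a real scan uses much longer lists.
SQLI_PAYLOADS = ["' OR '1'='1", "'; DROP TABLE users;--"]
XSS_PAYLOADS = ["<script>alert(1)</script>", "\"><img src=x onerror=alert(1)>"]

# Sensitive-information tokens in the format the page describes:
# a plain substring, or a regular expression prefixed with "~".
SENSITIVE_TOKENS = {
    r"~java\.sql\.\w*Exception": "JDBC exception leaked",
    r"~\bat [\w.$]+\([\w.]+:\d+\)": "Stack trace frame in response",
    "Tomcat/": "Server version disclosed",
}


def vulnerable_login(params):
    """Constructed target standing in for a real service. It 'builds SQL' by string
    concatenation, so a quote produces an unhandled database error (HTTP 500 with a
    Java exception and stack frame), and it echoes the username into HTML unencoded."""
    user, pwd = params["username"], params["password"]
    if "'" in user or "'" in pwd:
        body = (f"java.sql.SQLSyntaxErrorException: unexpected token near '{user}'\n"
                "\tat com.example.Login.query(Login.java:42)")
        return 500, body
    return 200, f"<p>Welcome back, {user}</p>"


def mutations(params, payloads, strategy):
    """Yield the mutated parameter sets for one scan run.

    one_by_one:  one request per (parameter, payload); the other parameters keep
                 their original values.
    all_at_once: one request per payload, with every parameter set to that payload.
    """
    if strategy == "one_by_one":
        for name in params:
            for payload in payloads:
                yield {**params, name: payload}
    elif strategy == "all_at_once":
        for payload in payloads:
            yield {name: payload for name in params}
    else:
        raise ValueError(f"unknown strategy {strategy!r}")


def assert_invalid_http_codes(status, body, sent, invalid=(500, 502, 503)):
    """Invalid HTTP Codes: fail if the status is one the service should never return."""
    return f"invalid HTTP status {status}" if status in invalid else None


def assert_sensitive_info(status, body, sent, tokens=SENSITIVE_TOKENS):
    """System Information Exposure: fail on any plain or '~regex' token in the body."""
    hits = []
    for token, description in tokens.items():
        if token.startswith("~"):
            found = re.search(token[1:], body) is not None
        else:
            found = token in body
        if found:
            hits.append(description)
    return "; ".join(hits) if hits else None


def assert_xss_reflected(status, body, sent):
    """Cross Site Scripting assertion: fail if a sent injection string comes back verbatim."""
    reflected = [value for value in sent if value in body]
    return f"payload reflected unencoded: {reflected[0]!r}" if reflected else None


DEFAULT_ASSERTIONS = [assert_invalid_http_codes, assert_sensitive_info, assert_xss_reflected]


def run_scan(target, params, payloads, strategy, assertions=DEFAULT_ASSERTIONS):
    """Send every mutation to `target` and return the Security Log: one entry per
    request with the values sent, the status and the assertion failures."""
    log = []
    for number, mutated in enumerate(mutations(params, payloads, strategy), start=1):
        status, body = target(mutated)
        sent = [value for name, value in mutated.items() if value != params[name]]
        failures = []
        for check in assertions:
            result = check(status, body, sent)
            if result:
                failures.append(result)
        log.append({"request": number, "sent": mutated, "status": status,
                    "failures": failures})
    return log


if __name__ == "__main__":
    original = {"username": "alice", "password": "s3cret"}
    for entry in run_scan(vulnerable_login, original, SQLI_PAYLOADS, "one_by_one"):
        print(entry)
```

Run directly, it prints the Security Log for a One by One SQL Injection scan: every request comes back as a 500 carrying a JDBC exception and a stack frame, so both the Invalid HTTP Codes and the System Information Exposure assertions fail, and the error message that echoes the username also trips the reflection check. Swapping in the XSS payloads shows the other side: a clean 200 that nevertheless fails the Cross Site Scripting assertion because the script fragment is rendered back unencoded.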