Forum Discussion

etan1's avatar
etan1
New Contributor
12 years ago

How to add security tests to REST requests with JSON content

Ok, let me explain my problem:

I have REST request with few parameters, POST method, service accept only JSON content, so I changed Media Type to application/json and put values to the request body by this way:
{
"param1" : "${param1}"
"param2" : "${param2}"
}


Everything works fine (functional tests), but...

...when I trying add security tests: I choose my request in SecurityTest window > Add SecurityScan > SQL Injection > Adds a parameter > choosing param1 from the list > etc

And when I running that tests I getting informations like that one:
[SQL Injection] Request 1 - OK - [param1=' or '1'='1]: took 17 ms

But when looking on the request body in Message Viewer window, it seems I still sending default values, not SQL Injections:
{
"param1" : "value1"
"param2" : "value2"
}


And when I looking to my server logs I really getting standard requests.

So, the question is: why SoapUI doesn't overwrites this parameters? Bug on your side, or I do something wrong? Maybe because you not support natively JSON in requests and I must create request circuitous way?

Thank you for any help,
Regards!
  • nmrao's avatar
    nmrao
    Champion Level 3
    12 years ago
    Have you noticed request, responses in soapui log files? Are you sure that always sending the default values?
  • etan1's avatar
    etan1
    New Contributor
    12 years ago
    Yes, I'm sure, I checked it directly in server logs.

    When I do the same for more "static" properties (directly placed in request body, like authorization header) everything works fine (they are replaced by SQL Injection strings), problem occurs only for parameters that I put in the request by editor under the table of parameters.
  • nmrao's avatar
    nmrao
    Champion Level 3
    12 years ago
    Ok about the server logs.

    You might notice that i was referring to soapui logs. Also is it possible to check the Raw request it is sending?
    Is it possible to show the screen shot how parameter values are being set for the test?
  • etan1's avatar
    etan1
    New Contributor
    12 years ago
    Ok, here you can see how I set parameter values:



    Here is my SecurityScan configuration:



    Screen from Security log after running tests:



    And Raw request, as you can see "exter*" property still have default value:



    And quick look on Properties > SecurityChangedParameters - he think he do everything right:

  • etan1's avatar
    etan1
    New Contributor
    12 years ago
    Sorry for second post, attachments limit.

    Last screen, when I doing exactly the same for Authorization property everything works fine:

  • kiranb's avatar
    kiranb
    New Contributor
    11 years ago
    Is this probelm got resolved??? even i am facing same issue?? Please respond asap?
  • kiranb's avatar
    kiranb
    New Contributor
    11 years ago
    what is the outcome of this post??? i am also facing same problem???