Forum Discussion

lgermain315
Occasional Contributor
8 years ago

Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?

Hi,

I have a POST request with a JSON body and would like to understand how I can inject invalid inputs such as cross-site scripting, SQL injection and fuzzing values into the request body using the SoapUI 5.3.0 open source tool.

Here is the raw request example below:

 

POST http://ngetest.callminerhq.callminer.net:8080/api/v2/users HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/json
Content-Length: 148
Host: ngetest.callminerhq.callminer.net:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

{
"Email": "sample@test.com",
"FirstName": "sample",
"LastName": "test",
"IsEnabled": 1,
"Password": "test123",
"ChangePassword": true
}

 

See the 'Email' field above; I would like to run a fuzz scan (and other security tests) on this input property.

Here's what I have so far, but I could not quite understand how to get this working. Currently, the 'Email' field does not change value and it simply runs with the body above (result: a duplicate email field is prohibited, thus we receive a 400).

Screenshot:
https://www.screencast.com/t/jgOrX51SYkKF

Basically, it seems that my XPath string is not correct and I'm not entirely sure how to interface with a request object. Maybe someone could help me break down this XPath string. Any help would be appreciated.

Thanks,

 

Luke
  • HKosova
    SmartBear Alumni (Retired)

    Hi Luke,

    In SoapUI open source, the built-in security scans can mutate XML payloads but not JSON payloads. JSON scans are supported in the commercial version, Ready! API.

    To mutate JSON you need to use a Custom Script and change the request payload yourself. For example, to change "Email" to a random string of 5-15 characters you can use:

    Label: Request
    Type: Request
    XPath: leave empty

    Script:

    import groovy.json.JsonSlurper
    import groovy.json.JsonOutput
    import java.util.concurrent.ThreadLocalRandom
    import org.apache.commons.lang.RandomStringUtils
    
    def fuzzCount = 3 // Max number of requests to send
    def minChars = 5
    def maxChars = 15
    
    // Check the iteration counter
    if (context.fuzzCount == null)
      context.fuzzCount = 0
    
    // Parse & update the request
    def payload = testStep.getPropertyValue("Request")
    def json = new JsonSlurper().parseText(payload)
    
    def charCount =  ThreadLocalRandom.current().nextInt(minChars, maxChars + 1)
    json.Email = RandomStringUtils.randomAlphanumeric(charCount)
    
    parameters.Request = JsonOutput.prettyPrint(JsonOutput.toJson(json))
    
    return ++context.fuzzCount < fuzzCount

     

    Here's another script example that shows how to use the values from a file:
    http://blog.smartbear.com/sqc/how-to-check-your-web-app-for-security-vulnerabilities/
    (Sorry about the missing images - they seem to have gotten lost when the blog moved.)

    Hope this helps!
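The script above replaces one field with a random string of the same kind on every round. The following is an added example, not code from this thread or from SmartBear, that generalises it: it walks a dot-separated path to the target field, sends each value from a fixed list of boundary cases (empty, whitespace only, oversized, non-ASCII, embedded NUL, JSON null, wrong type, wrong shape) exactly once, then runs a few random rounds, and logs the value in flight so a 5xx, or a 2xx where the API should have rejected the input, can be matched to the value that produced it. It assumes the same Custom Script objects the answer's script uses (testStep, context and parameters, with Label and Type set to Request and XPath left empty) plus the log object that SoapUI Groovy scripts expose; targetPath, boundaryValues, randomRounds and context.fuzzIndex are names chosen for this example.

```groovy
// Added example for a SoapUI Custom Script security scan (not from the thread
// or from SmartBear). Assumes the scan objects testStep, context, parameters
// and log are available, as in the script above.
import groovy.json.JsonSlurper
import groovy.json.JsonOutput
import org.apache.commons.lang.RandomStringUtils

// Dot-separated path to the field to mutate (assumption: the top-level
// "Email" field; "Address.City" would reach a field inside a nested object).
def targetPath = "Email"

// Boundary cases a validator should reject cleanly (a 4xx, never a 5xx).
def boundaryValues = [
    "",                                   // empty string
    " ",                                  // whitespace only
    "a" * 5000,                           // oversized value
    "\u2603@ex\u00e4mple.com",            // non-ASCII characters
    "sample@test.com\u0000",              // embedded NUL byte
    null,                                 // JSON null
    12345,                                // wrong type (number, not string)
    ["nested": "object"],                 // wrong shape (object, not string)
]
def randomRounds = 5                      // random 5-15 char strings after the list

// Per-scan iteration counter kept on the context, as in the original script.
if (context.fuzzIndex == null)
    context.fuzzIndex = 0
int i = context.fuzzIndex as int

// Pick this round's value: the boundary list first, then deterministic-length random strings.
def value
if (i < boundaryValues.size()) {
    value = boundaryValues[i]
} else {
    value = RandomStringUtils.randomAlphanumeric(5 + ((i - boundaryValues.size()) % 11))
}

// Parse the current request body and walk to the parent of the target field.
def json = new JsonSlurper().parseText(testStep.getPropertyValue("Request"))
def parts = targetPath.split("\\.")
def node = json
for (int k = 0; k < parts.length - 1; k++) {
    node = node[parts[k]]
    if (node == null) {
        log.warn("fuzz: path ${targetPath} not found in request body, stopping scan")
        return false
    }
}
node[parts[parts.length - 1]] = value

// Hand the mutated body to the scan; everything except the target field is unchanged.
parameters.Request = JsonOutput.prettyPrint(JsonOutput.toJson(json))

// Record which value is in flight so a failing response can be tied back to it.
log.info("fuzz #${i}: ${targetPath} = ${JsonOutput.toJson(value)}")

// Advance and keep going until the list and the random rounds are exhausted.
context.fuzzIndex = i + 1
return context.fuzzIndex < boundaryValues.size() + randomRounds
```

Because every request now carries a different Email value, the duplicate-email 400 from the original question no longer masks the result. The responses worth reading are a 500, or a 2xx for a value the API should have refused, and the log line names the value that caused each one.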

    • lgermain315
      Occasional Contributor

      Thanks for your input and scripting solution. I kind of figured it would not work since XPath is for XML and JSONPath is for JSON, but thought there might be a workaround using the security tool.

      I will go ahead with the script you have provided as an example.

      Thanks again,

      Luke

       

       

      • HKosova
        SmartBear Alumni (Retired)

        lgermain315 wrote:

        I kind of figured it would not work since XPath is for XML and JSONPath is for JSON, but thought there might be a workaround using the security tool.


        It's actually possible to use XPath for JSON in some other places, such as test step assertions, but unfortunately not in security scans.