Forum Discussion

svedman
New Contributor
13 years ago

SQL Injection on HTTP doesn't respect "All at Once"

I have created a simple HTTP Test Request using POST and two parameters, and it works fine when run. I'm trying to run an SQL Injection Test on that HTTP Test Request, and it also works fine as long as the Strategy is set to One by One.

But when I set the Strategy to All at Once, SoapUI will not replace any of the parameter values, sending only the default values from HTTP Test Request. Any ideas on why?

4 Replies

  • I just ran this test in SoapUI v4.6.2 and it seems to work fine for me. It replaced all of the parameters in the same request with the injection string snippet.

    If you are still encountering the issue, please provide some screenshots of you SQL Injection security test setup.

    Thanks,
    Michael Giller
    SmartBear Software
  • svedman
    New Contributor
    Thank you very much for your reply, sorry for the delay.

    I'm also using SoapUI 4.6.2, and I have attached screenshots of my setup.
  • Thanks for including the screenshots. So now as you run your security test, look in the "Security Log" tab. As you double click on each of the requests, you can see what data was passed in and received.

    "All at Once" setting will make sure that for 'lemail' and 'lticket' both values are set to the injection token - e.g. "' or '1'='1". Whereas the 'One by One' strategy would first set 'lemail' to "' or '1'='1" and then send another request where 'lticket' is "' or '1'='1".

    Are you seeing different behavior?

    Thanks,
    Michael Giller
    SmartBear Software
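To make the difference between the two strategies concrete, here is an added example that is not part of the original thread or of SoapUI. It models what the security scan does to the two POST parameters named above ('lemail' and 'lticket'), runs each mutated request against a deliberately concatenated SQLite query and against a parameterized one, and labels each request the way the Security Log lines in this thread do. The default parameter values, the table and its rows are constructed for the example; the real request in the thread had blank defaults.

```python
import sqlite3

# The injection token Michael Giller quotes above.
INJECTION_TOKEN = "' or '1'='1"

# Constructed defaults for the two parameters in the thread (assumed values;
# the original HTTP Test Request had them blank).
DEFAULT_PARAMS = {"lemail": "user@example.com", "lticket": "12345"}


def one_by_one(params, token):
    """One by One: one request per parameter, only that parameter mutated."""
    requests = []
    for name in params:
        mutated = dict(params)
        mutated[name] = token
        # Same shape as the Security Log line: [lemail=' or '1'='1]
        requests.append((f"[{name}={token}]", mutated))
    return requests


def all_at_once(params, token):
    """All at Once: a single request with every parameter set to the token."""
    mutated = {name: token for name in params}
    label = "[" + ", ".join(f"{name}={token}" for name in params) + "]"
    return [(label, mutated)]


def build_db():
    """Constructed in-memory table standing in for the server's ticket store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (lemail TEXT, lticket TEXT)")
    conn.execute("INSERT INTO tickets VALUES ('alice@example.com', '1001')")
    conn.execute("INSERT INTO tickets VALUES ('bob@example.com', '1002')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, params):
    """Deliberately vulnerable: values concatenated into the SQL text."""
    sql = ("SELECT COUNT(*) FROM tickets WHERE lemail = '" + params["lemail"]
           + "' AND lticket = '" + params["lticket"] + "'")
    return conn.execute(sql).fetchone()[0]


def safe_lookup(conn, params):
    """Hardened form: bound parameters, the token is just a string value."""
    sql = "SELECT COUNT(*) FROM tickets WHERE lemail = ? AND lticket = ?"
    return conn.execute(sql, (params["lemail"], params["lticket"])).fetchone()[0]


def run_scan(strategy, lookup):
    """Send every request the strategy produces; return (label, rows matched)."""
    conn = build_db()
    return [(label, lookup(conn, mutated))
            for label, mutated in strategy(DEFAULT_PARAMS, INJECTION_TOKEN)]


if __name__ == "__main__":
    for strategy in (one_by_one, all_at_once):
        for label, count in run_scan(strategy, vulnerable_lookup):
            print(f"[SQL Injection] {strategy.__name__} {label}: {count} row(s) matched")
```

Against the concatenated query, mutating only 'lemail' matches nothing, because SQL's AND binds tighter than OR and the injected `'1'='1'` is still ANDed with the untouched 'lticket' value; mutating 'lticket', or both at once, turns the WHERE clause true for every row. That is why a scan that silently sends the defaults under All at Once, as described later in this thread, loses coverage rather than just duplicating the One by One run. The parameterized lookup returns zero rows for every mutation.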
  • svedman
    New Contributor
    Yes, I am seeing different behavior.

    When running the Security Test with Strategy set to One by One, this is what the Security Log says:


    [SQL Injection] Request 1 - FAILED - [lemail=' or '1'='1]: took 4936 ms

    (Nevermind the FAIL, that's due to my assertions.) The LEMAIL parameter is being listed in the log, and looking at the server response, I can tell that SoapUI has successfully mutated the LEMAIL parameter.

    Now, when I run the Security Test with Strategy set to All at Once, this is what the log says:


    [SQL Injection] Request 1 - FAILED: took 4843 ms

    Notice that there are no parameters listed in the log. When looking at the server response, I can also tell that SoapUI never sent the SQL Injection parameters, but the default HTTP Request parameters.

    As you can see from the screenshot the default HTTP Request parameters are blank, but if I set them to any of the SQL Injection Strings, those exact parameters will be sent to the server for all the requests in the Security Test.

    Any ideas, am I doing something wrong, or is this a bug?