Forum Discussion

ChristianB
Contributor
12 years ago

[4.6.4] REST + Invalid Type scan + MATRIX param + JSON = bug

Hi!

We have set up security scans against a REST interface. When we run Invalid Type security test scans, soapUI's test runner hangs for some tests when it's sending a request and setting certain matrix parameters to 255 (i.e. UNSIGNED_BYTE). It does not hang for all parameters, though. (We just tried to remove that UNSIGNED_BYTE entry from the advanced tab, and SoapUI did send a String in, but the whole thing still hangs.)

If we run the same test manually as a Test Step (and insert the 255 ourselves), it runs fine. But SoapUI reproducibly hangs when we have the Invalid Types scan send that request for certain parameters. Other tests against other parameters seem to pass fine. We used Fiddler2 as a local proxy and can confirm the web service responded with the JSON-formatted message we were expecting. SoapUI just never picks it up and never displays the affected test step (i.e. the result for that particular request) in the security test's log. If we have it test other parameters first, it'll do that just fine.

Other scans affected are the SQL and XPath Injection tests.

One oddity in the invalid types window: we see the message
- no parameter selected ->
when selecting a parameter...

One of the parameters affected has a default value of false, is of style Matrix and of level Resource; the type is defined as String.

The http log clearly shows that SoapUI did send the request and receive a response.

All other logs are empty.

Fiddler 2 reports on its RAW inspection tab that
Response is encoded and may need to be decoded [...]


The last few lines in Fiddler2's RAW view show the following (first line shown below truncated):
:"2013-11-07T15:10:35.000Z"}}}
0000



SoapUI's http log shows them (with the first line shown truncated) as

:"2013-11-07T15:10:35.000Z"}}}"
Tue Feb 04 12:13:54 GMT 2014:DEBUG:<< "[\r][\n]"
Tue Feb 04 12:13:54 GMT 2014:DEBUG:<< "0000[\r][\n]"
Tue Feb 04 12:13:54 GMT 2014:DEBUG:<< "[\r][\n]"


Any idea why SoapUI chooses to reproducibly pass out for certain parameters? Might it have to do with what seems to be the line/file ending's encoding?

Other lines usually end with
0fe8


Kind regards,

Christian
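The `0fe8` and `0000` lines quoted from the logs above are HTTP/1.1 chunked transfer-encoding framing: each chunk is preceded by its length in hexadecimal, and the body ends with a zero-length chunk followed by an empty line. RFC 7230 defines chunk-size as `1*HEXDIG`, so a server is allowed to write the last chunk as `0000` instead of the more common `0`. The following decoder is an added example, not code from the original post or from SoapUI; the wire sample it decodes is constructed to mirror the log (a JSON body in hex-sized chunks, terminated by `0000\r\n\r\n`) and contrasts a spec-correct reader with a naive one that only recognises the literal `0` and therefore never sees the end of such a body.

```python
"""Decode an HTTP/1.1 chunked transfer-encoded body.

Added example, not part of the original post. The sample bytes are
constructed to mirror the Fiddler/SoapUI log in the post: a JSON body
delivered in hex-sized chunks, terminated by a zero-length chunk whose
size line is written as "0000" rather than "0".
"""

CRLF = b"\r\n"


def decode_chunked(raw: bytes) -> bytes:
    """Return the de-chunked payload, raising ValueError on malformed input.

    chunk-size is parsed as hexadecimal (RFC 7230 4.1: chunk-size = 1*HEXDIG),
    so "0", "00" and "0000" all denote the terminating last-chunk.
    """
    body = bytearray()
    pos = 0
    while True:
        eol = raw.find(CRLF, pos)
        if eol == -1:
            raise ValueError("incomplete chunk-size line")
        # Drop any chunk extension (";name=value") before parsing the size.
        size_line = raw[pos:eol].split(b";", 1)[0].strip()
        if not size_line:
            raise ValueError("empty chunk-size line")
        try:
            size = int(size_line, 16)
        except ValueError:
            raise ValueError(f"bad chunk-size {size_line!r}") from None
        pos = eol + 2
        if size == 0:
            # last-chunk: skip optional trailer fields up to the empty line.
            end = raw.find(CRLF, pos)
            if end == -1:
                raise ValueError("incomplete trailer")
            while raw[pos:end] != b"":
                pos = end + 2
                end = raw.find(CRLF, pos)
                if end == -1:
                    raise ValueError("incomplete trailer")
            return bytes(body)
        if len(raw) < pos + size + 2:
            raise ValueError("incomplete chunk data")
        body += raw[pos:pos + size]
        if raw[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk data not followed by CRLF")
        pos = pos + size + 2


def naive_last_chunk_seen(raw: bytes) -> bool:
    """A reader that only recognises the literal size line "0" as the
    last-chunk. It never detects the end of a body terminated by "0000"."""
    return raw.startswith(b"0\r\n\r\n") or b"\r\n0\r\n\r\n" in raw


def encode_chunked(payload: bytes, chunk_size: int, last_chunk: bytes = b"0") -> bytes:
    """Chunk a payload with four-digit hex size lines, as in the post's log."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += f"{len(piece):04x}".encode() + CRLF + piece + CRLF
    out += last_chunk + CRLF + CRLF
    return bytes(out)


# Constructed sample modelled on the log lines quoted in the post.
SAMPLE_JSON = b'{"data":{"result":{"updated":"2013-11-07T15:10:35.000Z"}}}'
SAMPLE_WIRE = encode_chunked(SAMPLE_JSON, 32, last_chunk=b"0000")

if __name__ == "__main__":
    print(SAMPLE_WIRE)
    print(decode_chunked(SAMPLE_WIRE))
    print("naive reader saw end of body:", naive_last_chunk_seen(SAMPLE_WIRE))
```

Running the block prints the constructed wire bytes, the recovered JSON, and `False` for the naive reader, which is exactly the condition under which a client blocks waiting for more data that the server will never send. Whether that is what happens inside SoapUI here is not something the logs alone prove; the example only shows that the bytes in the log form a complete, valid chunked response.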