Tomas_Nilsson_S
14 years ago

Value is not applied to parameter in SQL injection test

We have a REST service towards which we want to run SQL injection tests. We have tried to set it up with one of the POST requests which sends JSON content as follows:

{
  "Name": "${Add QVS#QVSName}",
  "ServiceType": "${#TestSuite#QVS_ServiceType}"
}

The test step name is "Add QVS" and we have a parameter "QVSName" defined for that step. The SQL injection security test has an enabled parameter labeled "QVSName" for the test step property/parameter above ("QVSName") with no XPath value. We have selected "Sensitive Information Exposure" as the assertion.

Running this produces output like "[SQL Injection] Request 4 - OK - [QVSName=admin'--]: took 129 ms" but the request sent contains the default value for the JSON "Name" property as defined in the request definition:

{
  "Name": "MyQVS",
  "ServiceType": "QVS"
}

How do we get the SQL injection test value, in the example above "admin'--", into the JSON content?

1 Reply

  • Hi Tomas,

    I can reproduce this - it looks like a bug to me, your setup seems to be the intended way to do this.

    I've added it to the backlog for prioritization - thanks for reporting!

    regards,

    /Ole
    SmartBear Software
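
A check for the false pass described in this thread, as an added example (not from the original posts and not SoapUI code): it parses the scan log line format quoted in the question and tests whether the logged payload appears in the request body that was actually sent. The function names and the second sample body are constructed for illustration, and capturing the sent body (for instance from a proxy or request log) is assumed.

```python
import json
import re

# Log line format as quoted in the question; the bracketed value is the scan payload.
LOG_RE = re.compile(
    r"^\[(?P<scan>[^\]]+)\] Request (?P<num>\d+) - (?P<status>\w+) - "
    r"\[(?P<param>[^=\]]+)=(?P<payload>.+)\]: took (?P<ms>\d+) ms$"
)

def parse_scan_line(line):
    """Split one scan log line into scan name, request number, status, parameter, payload."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised scan log line: %r" % line)
    return m.groupdict()

def string_values(node):
    """Yield every string value found anywhere in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from string_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from string_values(value)

def payload_was_sent(log_line, sent_body):
    """True only if the payload named in the log line is present in the sent body."""
    payload = parse_scan_line(log_line)["payload"]
    try:
        doc = json.loads(sent_body)
    except json.JSONDecodeError:
        # A payload can break the JSON syntax itself; fall back to a raw substring check.
        return payload in sent_body
    return any(payload in value for value in string_values(doc))

# Log line and first body are the ones quoted in the question.
LOG_LINE = "[SQL Injection] Request 4 - OK - [QVSName=admin'--]: took 129 ms"
SENT_AS_REPORTED = '{"Name": "MyQVS", "ServiceType": "QVS"}'
# Constructed: what the body would look like if the property expansion had been applied.
SENT_AS_INTENDED = '{"Name": "admin\'--", "ServiceType": "QVS"}'

if __name__ == "__main__":
    for label, body in (("reported", SENT_AS_REPORTED), ("intended", SENT_AS_INTENDED)):
        verdict = "payload sent" if payload_was_sent(LOG_LINE, body) else "payload NOT sent"
        print(label, "->", verdict)
```

An "OK" result for a request where this check returns False says nothing about the service, because the input under test never left the client.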