Yes, I am seeing different behavior.
When running the Security Test with Strategy set to
One by One, this is what the Security Log says:
[SQL Injection] Request 1 - FAILED - [lemail=' or '1'='1]: took 4936 ms
(Nevermind the FAIL, that's due to my assertions.) The LEMAIL parameter is being listed in the log, and looking at the server response, I can tell that SoapUI has successfully mutated the LEMAIL parameter.
Now, when I run the Security Test with Strategy set to
All at Once, this is what the log says;
[SQL Injection] Request 1 - FAILED: took 4843 ms
Notice that there are no parameters listed in the log. When looking at the server response, I can also tell that SoapUI never sent the SQL Injection parameters, but the default HTTP Request parameters.
As you can see from the screenshot the default HTTP Request parameters are blank, but if I set them to any of the SQL Injection Strings, those exact parameters
will be sent to the server for
all the requests in the Security Test.
Any ideas, am I doing something wrong, or is this a bug?
