Ryarlagadda
Occasional Contributor
11 years ago

Security Test Failure - SOAP UI Pro

Hello,

I have tried to run a Security Test (Cross Site Scripting, Invalid Types, SQL Injection, XPath Injection, etc.) for one of the RESTful APIs.
The RESTful service responds in JSON format.

All the security scan tests completed, with 282 failures "Unknown MessageExchange type".

PFA Security Log for reference

SecurityTest started at 2014-03-12 14:39:06.724
Step 3 [Get2Valid_zeroInvalidpackages] Alerts: took 8794 ms
SecurityScan 1 [Cross Site Scripting] Alerts, took = 7005
[Cross Site Scripting] Request 1 - FAILED - [Password=<SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://soapui.org/xss.js"></SCRIPT>]: took 42 ms
-> Unknown MessageExchange type
[Cross Site Scripting] Request 2 - FAILED - [Username=<SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://soapui.org/xss.js"></SCRIPT>]: took 38 ms
-> Unknown MessageExchange type

Could you please advise how to analyze these failures, as this information is not clear enough? Is there any further log to identify the root cause of these failures?

In addition, SOAP UI is not generating the "common report" after completion of the Security test.
The following failure is reported in error.log in the SOAPUI Pro installation directory.

SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
net.sf.jasperreports.engine.design.JRValidationException: Report design not valid :
1. Parameter not found : FailedTestSteps
2. Parameter not found : ProjectCoverage
3. Parameter not found : RequirementLinkedTestCases
4. Parameter not found : TestCaseCoverage
5. Parameter not found : TestStepResults
6. Parameter not found : TestSuiteCoverage
at net.sf.jasperreports.engine.design.JRAbstractCompiler.verifyDesign(JRAbstractCompiler.java:258)
at net.sf.jasperreports.engine.design.JRAbstractCompiler.compileReport(JRAbstractCompiler.java:140)
at net.sf.jasperreports.engine.JasperCompileManager.compileReport(JasperCompileManager.java:215)
at com.eviware.soapui.reporting.engine.jasper.GenerateJasperReport.createReport(SourceFile:460)
at com.eviware.soapui.reporting.engine.jasper.GenerateJasperReport$ReportFillWorker.construct(SourceFile:428)
at com.eviware.soapui.support.swing.SwingWorkerDelegator.construct(SwingWorkerDelegator.java:46)
at com.eviware.soapui.support.swing.SwingWorker$2.run(SwingWorker.java:149)
at java.lang.Thread.run(Unknown Source)


Please could you advise how to resolve this issue? This error is not shown while generating other reports.

Thanks,
Raj
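One way to triage a log like the one in the post above, as an added example that is not part of the original post and not SoapUI code: the Python sketch below groups FAILED scan requests by scan name and failure reason. The line format is inferred only from the excerpt in the post, `SAMPLE_LOG` is copied from it, and reading a single reason shared by every failure as a tooling or configuration problem rather than per-payload findings is a heuristic assumption.

```python
import re
from collections import Counter

# Log lines copied from the excerpt in the post above.
SAMPLE_LOG = r'''SecurityTest started at 2014-03-12 14:39:06.724
Step 3 [Get2Valid_zeroInvalidpackages] Alerts: took 8794 ms
SecurityScan 1 [Cross Site Scripting] Alerts, took = 7005
[Cross Site Scripting] Request 1 - FAILED - [Password=<SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://soapui.org/xss.js"></SCRIPT>]: took 42 ms
-> Unknown MessageExchange type
[Cross Site Scripting] Request 2 - FAILED - [Username=<SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://soapui.org/xss.js"></SCRIPT>]: took 38 ms
-> Unknown MessageExchange type
'''

# Assumed format: "[scan] Request N - STATUS - [param=payload]: took N ms"
REQUEST_RE = re.compile(
    r'^\[(?P<scan>[^\]]+)\] Request (?P<num>\d+) - (?P<status>\w+) - '
    r'\[(?P<param>[^=\]]+)=(?P<payload>.*)\]: took (?P<ms>\d+) ms$'
)

def parse_failures(log_text):
    """Return one dict per FAILED request, with its '->' reason lines attached."""
    failures, current = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        m = REQUEST_RE.match(line)
        if line.startswith('->'):
            if current is not None:
                current['reasons'].append(line[2:].strip())
        elif m and m.group('status') == 'FAILED':
            current = {'scan': m.group('scan'), 'param': m.group('param'), 'reasons': []}
            failures.append(current)
        elif line:
            current = None  # any other line ends the previous request's reasons
    return failures

def summarize(failures):
    """Count failures per (scan, reason); return the reason if all failures share one."""
    counts = Counter()
    for f in failures:
        for reason in f['reasons'] or ['<no reason logged>']:
            counts[(f['scan'], reason)] += 1
    reasons = {reason for _, reason in counts}
    shared = next(iter(reasons)) if len(reasons) == 1 and len(failures) > 1 else None
    return counts, shared

if __name__ == '__main__':
    counts, shared = summarize(parse_failures(SAMPLE_LOG))
    for (scan, reason), n in counts.most_common():
        print(f'{n:4d}  {scan}: {reason}')
    if shared:
        print(f'Every failure reports "{shared}"; check the test setup before the payloads.')
```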

6 Replies

  • Ryarlagadda
    Occasional Contributor
    Hello,

    I am using SOAP UI Pro 4.6.4.

    Please could you help with the following 2 issues:

    1. Regarding Security Test failures, all the tests seem to be sending request data (RAW) in the following format.
    GET http://localhost:8080/ref-product/login HTTP/1.1
    Accept-Encoding: gzip,deflate
    Authorization: Basic am9objovKiExMDAwMCUyMDEvMCUyMCov
    Host: localhost:8080
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

    However, I have not configured it to send a GET request to the above endpoint; I just provided user authentication details (Basic authentication) for each request.
    Ideally the request should go to http://localhost:8080/ref-product/update, the same as is used in the SOAP UI Functional Test.

    As the request is sent to the incorrect resource, the request is being rejected by the server.
    Could you advise how to configure the Resource for the Security test?



    2. Regarding the Common Report failure, please find additional information below.
    Common Report Failure :
    ===============
    After completion of the test (functional/security test), click on the icon for "Creates a report for this item",
    and in the Create Report popup window, choose Common Report Format
    and click on the OK button.

    No report is generated; instead a few exceptions are reported in SOAP UI.log

    Thanks,
    Raj
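A quick check for the mismatch described in the post above, as an added example that is not part of the original thread and not SoapUI code: the Python sketch below parses a captured raw request, compares its method and path with the resource the functional test uses, and decodes the Basic credentials so the value the scan actually placed in the header is visible. The raw request and the expected path `/ref-product/update` come from the post; the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit

# Raw request copied from the post above.
RAW_REQUEST = """GET http://localhost:8080/ref-product/login HTTP/1.1
Accept-Encoding: gzip,deflate
Authorization: Basic am9objovKiExMDAwMCUyMDEvMCUyMCov
Host: localhost:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
"""

def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into method, target URL and a header dict."""
    lines = [l.strip() for l in raw.strip().splitlines()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def decode_basic(headers):
    """Return (user, password) from a Basic Authorization header, or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    decoded = base64.b64decode(token).decode("utf-8", "replace")
    user, _, password = decoded.partition(":")
    return user, password

def check_request(raw, expected_path, expected_method="GET"):
    """Report whether the request hit the intended resource and what credentials it sent."""
    method, target, headers = parse_raw_request(raw)
    path = urlsplit(target).path
    return {
        "method_ok": method == expected_method,
        "path_ok": path == expected_path,
        "actual_path": path,
        "credentials": decode_basic(headers),
    }

if __name__ == "__main__":
    print(check_request(RAW_REQUEST, "/ref-product/update"))
```

Run over every raw request a scan logs, a `path_ok` of `False` shows which results say nothing about the resource under test, and the decoded password shows whether the scan mutated the credentials rather than a request parameter.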
  • SmartBear_Suppo
    SmartBear Alumni (Retired)
    Hi,

    For issue number one, the security test scan will run a scan for the request test steps you have in your test case. Please see the screen shot attached. If you do not want it to run for a particular request test step then disable that test step.

    For issue number two, a PDF report should be generated if you clicked on the report icon and generated a security test report. I have attached one.


    Regards,
    Marcus
    SmartBear Support
  • Ryarlagadda
    Occasional Contributor
    Dear Support Team,

    For Issue 1, please see the attached screenshot. I have already disabled the test steps that I don't need to perform a security test scan on.
    As you can see, all 382 failures report "Unknown MessageExchange type".

    As I mentioned in my earlier request, I have noticed the Security test Raw Data request message showing a GET request sent to the incorrect resource.
    GET http://localhost:8080/reference-product/login HTTP/1.1 (This should be GET http://localhost:8080/reference-product/update)

    Please refer to the attachment, with screenshots of the failure.
    As you can see in the attachment, the SOAPUI Functional test is sending requests to the correct endpoint and resource.
    Only the Security test is sending requests to the incorrect resource.

    Could you please advise how I should configure the Security test so that requests are routed to the correct endpoint and resource?

    For Issue 2, this is about the failure related to the Common Report.
    I know the Security test report is working.
    I just wanted to check if the Common Report generates any additional information to investigate test failures.
    This could be a bug in SOAPUI-Pro 4.6.4.

    Thanks,
    Raj
  • SmartBear_Suppo
    SmartBear Alumni (Retired)
    Hi,

    Issue 1:
    Are you able to send your project file? I don't know why the resource url would be changing when running a security test. Please check that it's not being changed in an event handler or by some other means. You can send it via support ticket at http://www.soapui.org/Support/support-overview.html. Please mention this forum post in your ticket.

    Issue 2:
    The common report more than likely will not show information related to issue 1. I would like to look at the project file to further investigate if the URL is changing somewhere in the project or if this is some kind of bug.


    Regards,
    Marcus
    SmartBear Support