How to add security tests to REST requests with JSON content

etan1
New Contributor

Ok, let me explain my problem:

I have a REST request with a few parameters, POST method; the service accepts only JSON content, so I changed the Media Type to application/json and put the values into the request body this way:
{
"param1" : "${param1}",
"param2" : "${param2}"
}


Everything works fine (functional tests), but...

...when I try to add security tests: I choose my request in the SecurityTest window > Add SecurityScan > SQL Injection > Adds a parameter > choose param1 from the list > etc.

And when I run those tests I get information like this:
[SQL Injection] Request 1 - OK - [param1=' or '1'='1]: took 17 ms

But when looking at the request body in the Message Viewer window, it seems I am still sending default values, not SQL injections:
{
"param1" : "value1"
"param2" : "value2"
}


And when I look at my server logs I really am getting standard requests.

So, the question is: why doesn't SoapUI overwrite these parameters? Is it a bug on your side, or am I doing something wrong? Maybe it is because you do not natively support JSON in requests and I must create the request in a roundabout way?

Thank you for any help,
Regards!
9 REPLIES
nmrao
Community Hero

Have you noticed the requests and responses in the SoapUI log files? Are you sure that it is always sending the default values?


Regards,
Rao.
etan1
New Contributor

Yes, I'm sure, I checked it directly in server logs.

When I do the same for more "static" properties (placed directly in the request body, like the authorization header) everything works fine (they are replaced by SQL injection strings); the problem occurs only for parameters that I put in the request using the editor under the table of parameters.
nmrao
Community Hero

Ok about the server logs.

You might notice that I was referring to the SoapUI logs. Also, is it possible to check the Raw request it is sending?
Is it possible to show a screenshot of how the parameter values are being set for the test?


Regards,
Rao.
etan1
New Contributor

Ok, here you can see how I set parameter values:



Here is my SecurityScan configuration:



Screen from Security log after running tests:



And the Raw request; as you can see, the "exter*" property still has the default value:



And a quick look at Properties > SecurityChangedParameters - it thinks it does everything right:

etan1
New Contributor

Sorry for the second post, attachment limit.

Last screen: when I do exactly the same for the Authorization property everything works fine:

kiranb
New Contributor

Has this problem been resolved? I am facing the same issue too. Please respond ASAP.
kiranb
New Contributor

What is the outcome of this post? I am also facing the same problem.
ReshmaSachdev
Contributor

Any update on this? Facing a similar problem with ReadyAPI version 1.5.

Namee92
New Contributor

Any update for this??