Forum Discussion

racoliv
New Contributor
13 years ago

Security test parameters

Hello.

I'm having a really hard time defining parameters on security scans.

From what I've understood... we have to provide a label, parameter name (type), and XPath.

For instance, for the following web service:

http://www.webservicex.com/globalweather.asmx?WSDL

I've done:

declare namespace web="http://www.webserviceX.NET";
declare namespace soap="http://schemas.xmlsoap.org/soap/envelope/";
//soapenv:Envelope/soapenv:Body/web:GetCitiesByCountry/web:CountryName;



request:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://www.webserviceX.NET">
<soap:Header/>
<soap:Body>
<web:GetCitiesByCountry>
<!--Optional:-->
<web:CountryName>?</web:CountryName>
</web:GetCitiesByCountry>
</soap:Body>
</soap:Envelope>


My goal is to pass the mutation to the parameter CountryName of the GetCitiesByCountry operation of the web service. That doesn't work; for instance, for the malformed XML attack, I get "Property value is not XML or XPath is wrong!"

I don't see any example of how to create a parameter in the official soapUI documentation here:

http://www.soapui.org/Security/security ... rview.html

I only see there that it is mandatory to declare namespaces (partially in the screenshots provided at the previous link), but I don't know what's wrong with my expression.

Can anyone please help me with this issue? I need this for school work.
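
The posted expression can be checked against the posted request outside soapUI. This added example (not part of the original post and not soapUI code) uses Python's standard-library ElementTree; `diagnose` and the `FIXED` expression are constructed here, with the prefix and namespace URI in `FIXED` taken from the request itself.

```python
import re
import xml.etree.ElementTree as ET

# Request and expression exactly as posted in the question above.
REQUEST = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://www.webserviceX.NET">
<soap:Header/>
<soap:Body>
<web:GetCitiesByCountry>
<!--Optional:-->
<web:CountryName>?</web:CountryName>
</web:GetCitiesByCountry>
</soap:Body>
</soap:Envelope>"""
POSTED = """declare namespace web="http://www.webserviceX.NET";
declare namespace soap="http://schemas.xmlsoap.org/soap/envelope/";
//soapenv:Envelope/soapenv:Body/web:GetCitiesByCountry/web:CountryName;"""
# Constructed for this example: prefix and URI copied from the request's own xmlns attributes.
FIXED = """declare namespace web="http://www.webserviceX.NET";
declare namespace soap="http://www.w3.org/2003/05/soap-envelope";
//soap:Envelope/soap:Body/web:GetCitiesByCountry/web:CountryName"""

DECL = re.compile(r'declare\s+namespace\s+(\w+)\s*=\s*"([^"]*)"\s*;')

def diagnose(expr, request_xml):
    """Return (problems, matched element texts) for expr evaluated on request_xml."""
    decls = dict(DECL.findall(expr))      # prefix -> namespace URI from the prologue
    path = DECL.sub("", expr).strip()     # what remains is the path expression
    problems = []
    if path.endswith(";"):
        problems.append("trailing ';' after the path")
        path = path.rstrip(";").strip()
    root = ET.fromstring(request_xml)
    doc_uris = {el.tag[1:].split("}")[0] for el in root.iter() if el.tag.startswith("{")}
    undeclared = sorted(set(re.findall(r"(\w+):\w", path)) - set(decls))
    problems += [f"prefix '{p}' is used but never declared" for p in undeclared]
    problems += [f"prefix '{p}' is bound to {u}, which the request does not use"
                 for p, u in decls.items() if u not in doc_uris]
    if undeclared:
        return problems, []               # the path cannot be resolved at all
    holder = ET.Element("holder")         # stands in for the document node so
    holder.append(root)                   # that '//' can match the root element
    return problems, [el.text for el in holder.findall("." + path, decls)]

if __name__ == "__main__":
    for name, expr in (("posted", POSTED), ("fixed", FIXED)):
        print(name, diagnose(expr, REQUEST))
```

For the posted expression it reports the trailing `;`, the undeclared `soapenv` prefix, and the `soap` prefix bound to the SOAP 1.1 namespace while the request uses the SOAP 1.2 one.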

1 Reply

  • mfebrestrop
    New Contributor

    Hello everyone,

    I have the same problem trying to define parameters on security scans for a REST service. Here you can see my JSON payload, and according to the documentation it seems I also need to create a plain request parameter with the same name.

    Then I created a Security Test and added a new parameter using the Hello property and Hello label (not sure if they need to be the same).

    When I run the security scan, I can see that it is using Hello to set the values for the test:

    But when monitoring the request with a proxy, the Hello parameter is empty all the time:

    Can you help me understand how to configure the parameter correctly?

    Thanks,

    Miguel