Ask a Question
Log In / Sign Up
Resources
Ask a Question
Log In Sign Up

Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?

SOLVED
Solved
lgermain315
Occasional Contributor
‎04-24-2017 07:57 AM
‎04-24-2017 07:57 AM

Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?

Hi,

 

I have a POST request with a JSON body and would like to understand how I can injection invalid inputs such as cross-site scripting, sql injection, fuzzing values into the Request body using SoapUI 5.3.0 open source tool.

 

Here is the raw request example below:

 

POST http://ngetest.callminerhq.callminer.net:8080/api/v2/users HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/json
Content-Length: 148
Host: ngetest.callminerhq.callminer.net:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

{
"Email": "sample@test.com",
"FirstName": "sample",
"LastName": "test",
"IsEnabled": 1,
"Password": "test123",
"ChangePassword": true
}

 

See the 'Email' field above, I would like to run a fuzz scan (and other security tests) on this input property. 

 

Here's what I have so far but could not quite understand how to get this working. Currently, the 'Email' field does not change value and simply runs with the body above (result = duplicate email field is prohibited thus we receive a 400).

 

Screenshot

https://www.screencast.com/t/jgOrX51SYkKF

 

Basically, it seems that my XPath string is not correct and I'm not entirely sure how to interface with a request object. Maybe someone could help me break down this XPath string. Any help would be appreciated.

 

Thanks,

 

Luke

 

 

 

 

 

0 Kudos
3 REPLIES 3
HKosova
SmartBear Alumni (Retired)
SmartBear Alumni (Retired)
‎04-25-2017 03:37 AM
‎04-25-2017 03:37 AM

Hi Luke,

 

In SoapUI open source, the built-in security scans can mutate XML payloads but not JSON payloads. JSON scans are supported in the commercial version, Ready! API.

 

To mutate JSON you need to use a Custom Script and change the request payload yourself. For example, to change "Email" to a random string of 5-15 characters you can use:

 

Label: Request
Type: Request
XPath: leave empty

 

Script:

import groovy.json.JsonSlurper
import groovy.json.JsonOutput
import java.util.concurrent.ThreadLocalRandom
import org.apache.commons.lang.RandomStringUtils

def fuzzCount = 3 // Max number of requests to send
def minChars = 5
def maxChars = 15

// Check the iteration counter
if (context.fuzzCount == null)
  context.fuzzCount = 0

// Parse & update the request
def payload = testStep.getPropertyValue("Request")
def json = new JsonSlurper().parseText(payload)

def charCount =  ThreadLocalRandom.current().nextInt(minChars, maxChars + 1)
json.Email = RandomStringUtils.randomAlphanumeric(charCount)

parameters.Request = JsonOutput.prettyPrint(JsonOutput.toJson(json))

return ++context.fuzzCount < fuzzCount

 

Here's another script example that shows how to use the values from a file:
http://blog.smartbear.com/sqc/how-to-check-your-web-app-for-security-vulnerabilities/
(Sorry about the missing images - they seem to have gotten lost when the blog moved.)

 

Hope this helps!


Helen Kosova
SmartBear Documentation Team Lead
________________________
Did my reply answer your question? Give Kudos or Accept it as a Solution to help others. ⬇️⬇️⬇️
lgermain315
Occasional Contributor
In response to HKosova
‎04-25-2017 05:59 AM
‎04-25-2017 05:59 AM

Thanks for your input and scripting solution. I kind of figured it would not work since XPath is for XML and JSONPath is for JSON, but thought there might be a work around using the security tool. 

 

I will go ahead with the script you have provided as an example.

 

Thanks again,

 

Luke

 

 

0 Kudos
HKosova
SmartBear Alumni (Retired)
SmartBear Alumni (Retired)
In response to lgermain315
‎04-25-2017 07:23 AM
‎04-25-2017 07:23 AM

@lgermain315 wrote:

I kind of figured it would not work since XPath is for XML and JSONPath is for JSON, but thought there might be a work around using the security tool.

It's actually possible to use XPath for JSON in some other places, such as test step assertions, but unfortunately not in security scans.


Helen Kosova
SmartBear Documentation Team Lead
________________________
Did my reply answer your question? Give Kudos or Accept it as a Solution to help others. ⬇️⬇️⬇️
0 Kudos
Subscribe
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: