Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?
Hi,
I have a POST request with a JSON body and would like to understand how I can injection invalid inputs such as cross-site scripting, sql injection, fuzzing values into the Request body using SoapUI 5.3.0 open source tool.
Here is the raw request example below:
POST http://ngetest.callminerhq.callminer.net:8080/api/v2/users HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/json
Content-Length: 148
Host: ngetest.callminerhq.callminer.net:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
{
"Email": "sample@test.com",
"FirstName": "sample",
"LastName": "test",
"IsEnabled": 1,
"Password": "test123",
"ChangePassword": true
}
See the 'Email' field above, I would like to run a fuzz scan (and other security tests) on this input property.
Here's what I have so far but could not quite understand how to get this working. Currently, the 'Email' field does not change value and simply runs with the body above (result = duplicate email field is prohibited thus we receive a 400).
Screenshot:
https://www.screencast.com/t/jgOrX51SYkKF
Basically, it seems that my XPath string is not correct and I'm not entirely sure how to interface with a request object. Maybe someone could help me break down this XPath string. Any help would be appreciated.
Thanks,
Luke
Hi Luke,
In SoapUI open source, the built-in security scans can mutate XML payloads but not JSON payloads. JSON scans are supported in the commercial version, Ready! API.
To mutate JSON you need to use a Custom Script and change the request payload yourself. For example, to change "Email" to a random string of 5-15 characters you can use:
Label: Request
Type: Request
XPath: leave emptyScript:
import groovy.json.JsonSlurper import groovy.json.JsonOutput import java.util.concurrent.ThreadLocalRandom import org.apache.commons.lang.RandomStringUtils def fuzzCount = 3 // Max number of requests to send def minChars = 5 def maxChars = 15 // Check the iteration counter if (context.fuzzCount == null) context.fuzzCount = 0 // Parse & update the request def payload = testStep.getPropertyValue("Request") def json = new JsonSlurper().parseText(payload) def charCount = ThreadLocalRandom.current().nextInt(minChars, maxChars + 1) json.Email = RandomStringUtils.randomAlphanumeric(charCount) parameters.Request = JsonOutput.prettyPrint(JsonOutput.toJson(json)) return ++context.fuzzCount < fuzzCountHere's another script example that shows how to use the values from a file:
http://blog.smartbear.com/sqc/how-to-check-your-web-app-for-security-vulnerabilities/
(Sorry about the missing images - they seem to have gotten lost when the blog moved.)Hope this helps!
