Ask a Question

Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?

SOLVED
lgermain315
Occasional Contributor

Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?

Hi,

 

I have a POST request with a JSON body and would like to understand how I can injection invalid inputs such as cross-site scripting, sql injection, fuzzing values into the Request body using SoapUI 5.3.0 open source tool.

 

Here is the raw request example below:

 

POST http://ngetest.callminerhq.callminer.net:8080/api/v2/users HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/json
Content-Length: 148
Host: ngetest.callminerhq.callminer.net:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

{
"Email": "sample@test.com",
"FirstName": "sample",
"LastName": "test",
"IsEnabled": 1,
"Password": "test123",
"ChangePassword": true
}

 

See the 'Email' field above, I would like to run a fuzz scan (and other security tests) on this input property. 

 

Here's what I have so far but could not quite understand how to get this working. Currently, the 'Email' field does not change value and simply runs with the body above (result = duplicate email field is prohibited thus we receive a 400).

 

Screenshot

https://www.screencast.com/t/jgOrX51SYkKF

 

Basically, it seems that my XPath string is not correct and I'm not entirely sure how to interface with a request object. Maybe someone could help me break down this XPath string. Any help would be appreciated.

 

Thanks,

 

Luke

 

 

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
HKosova
Moderator

Re: Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?

Hi Luke,

 

In SoapUI open source, the built-in security scans can mutate XML payloads but not JSON payloads. JSON scans are supported in the commercial version, Ready! API.

 

To mutate JSON you need to use a Custom Script and change the request payload yourself. For example, to change "Email" to a random string of 5-15 characters you can use:

 

Label: Request
Type: Request
XPath: leave empty

 

Script:

import groovy.json.JsonSlurper
import groovy.json.JsonOutput
import java.util.concurrent.ThreadLocalRandom
import org.apache.commons.lang.RandomStringUtils

def fuzzCount = 3 // Max number of requests to send
def minChars = 5
def maxChars = 15

// Check the iteration counter
if (context.fuzzCount == null)
  context.fuzzCount = 0

// Parse & update the request
def payload = testStep.getPropertyValue("Request")
def json = new JsonSlurper().parseText(payload)

def charCount =  ThreadLocalRandom.current().nextInt(minChars, maxChars + 1)
json.Email = RandomStringUtils.randomAlphanumeric(charCount)

parameters.Request = JsonOutput.prettyPrint(JsonOutput.toJson(json))

return ++context.fuzzCount < fuzzCount

 

Here's another script example that shows how to use the values from a file:
http://blog.smartbear.com/sqc/how-to-check-your-web-app-for-security-vulnerabilities/
(Sorry about the missing images - they seem to have gotten lost when the blog moved.)

 

Hope this helps!


Helen Kosova
SmartBear Documentation Team Lead
________________________

View solution in original post

3 REPLIES 3
HKosova
Moderator

Re: Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?

Hi Luke,

 

In SoapUI open source, the built-in security scans can mutate XML payloads but not JSON payloads. JSON scans are supported in the commercial version, Ready! API.

 

To mutate JSON you need to use a Custom Script and change the request payload yourself. For example, to change "Email" to a random string of 5-15 characters you can use:

 

Label: Request
Type: Request
XPath: leave empty

 

Script:

import groovy.json.JsonSlurper
import groovy.json.JsonOutput
import java.util.concurrent.ThreadLocalRandom
import org.apache.commons.lang.RandomStringUtils

def fuzzCount = 3 // Max number of requests to send
def minChars = 5
def maxChars = 15

// Check the iteration counter
if (context.fuzzCount == null)
  context.fuzzCount = 0

// Parse & update the request
def payload = testStep.getPropertyValue("Request")
def json = new JsonSlurper().parseText(payload)

def charCount =  ThreadLocalRandom.current().nextInt(minChars, maxChars + 1)
json.Email = RandomStringUtils.randomAlphanumeric(charCount)

parameters.Request = JsonOutput.prettyPrint(JsonOutput.toJson(json))

return ++context.fuzzCount < fuzzCount

 

Here's another script example that shows how to use the values from a file:
http://blog.smartbear.com/sqc/how-to-check-your-web-app-for-security-vulnerabilities/
(Sorry about the missing images - they seem to have gotten lost when the blog moved.)

 

Hope this helps!


Helen Kosova
SmartBear Documentation Team Lead
________________________

View solution in original post

lgermain315
Occasional Contributor

Re: Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?

Thanks for your input and scripting solution. I kind of figured it would not work since XPath is for XML and JSONPath is for JSON, but thought there might be a work around using the security tool. 

 

I will go ahead with the script you have provided as an example.

 

Thanks again,

 

Luke

 

 

HKosova
Moderator

Re: Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?


@lgermain315 wrote:

I kind of figured it would not work since XPath is for XML and JSONPath is for JSON, but thought there might be a work around using the security tool.


It's actually possible to use XPath for JSON in some other places, such as test step assertions, but unfortunately not in security scans.


Helen Kosova
SmartBear Documentation Team Lead
________________________
cancel
Showing results for 
Search instead for 
Did you mean: