Forum Discussion

lgermain315
Occasional Contributor
8 years ago

Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?

Hi,   I have a POST request with a JSON body and would like to understand how I can inject invalid inputs such as cross-site scripting, SQL injection, fuzzing values into the Request body using ...
  • HKosova
    8 years ago

    Hi Luke,

    In SoapUI open source, the built-in security scans can mutate XML payloads but not JSON payloads. JSON scans are supported in the commercial version, Ready! API.

    To mutate JSON you need to use a Custom Script and change the request payload yourself. For example, to change "Email" to a random string of 5-15 characters you can use:

    Label: Request
    Type: Request
    XPath: leave empty

    Script:

    import groovy.json.JsonSlurper
    import groovy.json.JsonOutput
    import java.util.concurrent.ThreadLocalRandom
    import org.apache.commons.lang.RandomStringUtils
    
    def fuzzCount = 3 // Max number of requests to send
    def minChars = 5
    def maxChars = 15
    
    // Check the iteration counter
    if (context.fuzzCount == null)
      context.fuzzCount = 0
    
    // Parse & update the request
    def payload = testStep.getPropertyValue("Request")
    def json = new JsonSlurper().parseText(payload)
    
    def charCount =  ThreadLocalRandom.current().nextInt(minChars, maxChars + 1)
    json.Email = RandomStringUtils.randomAlphanumeric(charCount)
    
    parameters.Request = JsonOutput.prettyPrint(JsonOutput.toJson(json))
    
    return ++context.fuzzCount < fuzzCount // true = send another mutated request, false = stop the scan

    Here's another script example that shows how to use the values from a file:
    http://blog.smartbear.com/sqc/how-to-check-your-web-app-for-security-vulnerabilities/
    (Sorry about the missing images - they seem to have gotten lost when the blog moved.)

    Hope this helps!
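The script above mutates a single field with random alphanumeric text. As an added example (not part of HKosova's post or of SoapUI itself), the following Custom Script goes one step further and walks a fixed corpus of malformed inputs across several JSON fields, one mutation per request, so that each failure in the scan log can be traced back to the exact field and value that triggered it. It assumes the same scan parameter setup as above (a parameter labelled "Request" of type Request with an empty XPath), that the request body contains the keys "Email" and "Name" (assumed names), and that the `context`, `testStep`, `parameters` and `log` objects SoapUI exposes to security-scan scripts are available. The corpus here is constructed for the example; the same loop works unchanged if you replace the list with `new File("/path/to/values.txt").readLines()`.

```groovy
import groovy.json.JsonSlurper
import groovy.json.JsonOutput

// Constructed corpus of robustness probes: boundary, encoding and metacharacter cases
// that a JSON handler should reject or escape cleanly rather than choke on.
def fuzzValues = [
    "",                          // empty string
    "A" * 10000,                 // oversized input
    "\u0000\u202E\uFFFD",        // NUL, bidi override and replacement characters
    "' \" < > & ; --",           // quoting / markup metacharacters
    "{\"nested\":true}",         // JSON-looking text inside a string value
]
def fieldsToFuzz = ["Email", "Name"]   // assumed keys present in the request body

// One request per (field, value) pair
def total = fuzzValues.size() * fieldsToFuzz.size()

// Iteration counter persisted in the scan's run context between calls
if (context.fuzzIndex == null)
    context.fuzzIndex = 0

def idx   = context.fuzzIndex
def value = fuzzValues[idx % fuzzValues.size()]
def field = fieldsToFuzz[idx.intdiv(fuzzValues.size())]

// Parse the original request, overwrite one field, and hand the result back to the scan
def json = new JsonSlurper().parseText(testStep.getPropertyValue("Request"))
json[field] = value
parameters.Request = JsonOutput.prettyPrint(JsonOutput.toJson(json))

// Record which mutation was sent so a failing assertion can be matched to its input
log.info("Fuzz ${idx + 1}/${total}: ${field} = ${JsonOutput.toJson(value)}")

// true = send another mutated request, false = corpus exhausted, stop the scan
return ++context.fuzzIndex < total
```

Pair this with the scan's assertions (for example, a Valid HTTP Status Codes assertion expecting 400 for every mutated request) so the scan fails on any input the service accepts or crashes on, rather than relying on manual inspection of the responses.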