Solved
Soapui 5.3.0 - Security Test - How to Send Fuzzing Scan Input into a Request Body?
Hi, I have a POST request with a JSON body and would like to understand how I can injection invalid inputs such as cross-site scripting, sql injection, fuzzing values into the Request body using ...
Hi Luke,
In SoapUI open source, the built-in security scans can mutate XML payloads but not JSON payloads. JSON scans are supported in the commercial version, Ready! API.
To mutate JSON you need to use a Custom Script and change the request payload yourself. For example, to change "Email" to a random string of 5-15 characters you can use:
Label: Request
Type: Request
XPath: leave emptyScript:
import groovy.json.JsonSlurper import groovy.json.JsonOutput import java.util.concurrent.ThreadLocalRandom import org.apache.commons.lang.RandomStringUtils def fuzzCount = 3 // Max number of requests to send def minChars = 5 def maxChars = 15 // Check the iteration counter if (context.fuzzCount == null) context.fuzzCount = 0 // Parse & update the request def payload = testStep.getPropertyValue("Request") def json = new JsonSlurper().parseText(payload) def charCount = ThreadLocalRandom.current().nextInt(minChars, maxChars + 1) json.Email = RandomStringUtils.randomAlphanumeric(charCount) parameters.Request = JsonOutput.prettyPrint(JsonOutput.toJson(json)) return ++context.fuzzCount < fuzzCountHere's another script example that shows how to use the values from a file:
http://blog.smartbear.com/sqc/how-to-check-your-web-app-for-security-vulnerabilities/
(Sorry about the missing images - they seem to have gotten lost when the blog moved.)Hope this helps!
