SoapUI 4.0.1 - The Security Release
XML Bomb, SQL Injection, Malformed XML: what do they all have in common? They are just a few of the new features added to the latest SoapUI 4 release. A new set of security scans helps you make sure your web services are protected from vulnerabilities.
Sending data at the boundary of the allowed values, or outside them altogether, may cause your system to behave erratically or disclose unwanted information. Harden your system against boundary conditions.
Sending purely invalid data in invalid formats can cause your system to reveal deep information about how it is built, or make itself vulnerable to further attacks. Protect your system from invalid-data attacks.
Make sure your Service Implementation is robust. Send malformed XML to your system and verify that it does not cause ripple effects which weaken your system's robustness.
Secure your database. Send in malicious SQL statements to make sure it is not possible to gain access to, or weaken, your databases.
Verify that your application server does not execute injected XPath statements, i.e. that an attacker cannot run XPath queries of their own on your server.
A document of extreme size can cause instability, make your systems inaccessible, or turn your system into an attack vector. The XML Bomb scan will examine whether your system is vulnerable to stack overflows.
Send malicious attachments to the target system. Make sure an attacker cannot send unwanted attachments such as executables or plain viruses.
The SoapUI Security Test Framework is fully extensible. Create your own scan using Groovy and build your own set of security tests, fully integrated into SoapUI.
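The Malformed XML and XML Bomb scans above both probe what a service does before its XML parser has finished reading a request. The following is an added example (not code from SoapUI or from this release page) of the pre-parse checks a defender can put in front of a SOAP endpoint: a size cap, outright rejection of any DOCTYPE (the SOAP 1.1 specification forbids a Document Type Declaration in a message, so nothing legitimate is lost), an estimate of how far a message's internal entities would expand, and a plain well-formedness check. The sample envelopes, the one-megabyte limit and the function names are constructed for this example; the entity estimator only handles general internal entities and is a simplification.

```python
"""Pre-parse hardening checks for a SOAP endpoint (added example, not SoapUI code).

Assumptions made here, not taken from the page: requests arrive as raw bytes,
a 1 MB cap is acceptable for the service, and any DOCTYPE is rejected because
SOAP 1.1 forbids a DTD inside a message.
"""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 1_000_000  # constructed limit; tune to the service's real payloads

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# Only general internal entities (<!ENTITY name "value">) are modelled;
# parameter and external entities are not (simplification).
ENTITY_RE = re.compile(rb'<!ENTITY\s+(\w+)\s+"([^"]*)"', re.IGNORECASE)
ENTITY_REF_RE = re.compile(rb"&(\w+);")


def has_dtd(data: bytes) -> bool:
    """True if the message carries a Document Type Declaration at all."""
    return DOCTYPE_RE.search(data) is not None


def entity_expansion_size(data: bytes) -> int:
    """Estimate the largest fully expanded entity in the DTD, in bytes.

    Definitions are processed in document order; each reference to an
    already-defined entity is replaced by that entity's expanded size, which
    is what a parser would do when the reference is used in the body.
    """
    sizes: dict[bytes, int] = {}
    for name, body in ENTITY_RE.findall(data):
        size = len(body)
        for ref in ENTITY_REF_RE.findall(body):
            if ref in sizes:
                # swap the literal "&ref;" text for its expanded length
                size += sizes[ref] - (len(ref) + 2)
        sizes[name] = size
    return max(sizes.values(), default=0)


def check_request(data: bytes) -> str:
    """Return a verdict: 'too_large', 'dtd_rejected', 'malformed' or 'ok'.

    Order matters: the DTD check runs before the parser is ever handed the
    bytes, so an entity bomb is never expanded.
    """
    if len(data) > MAX_BYTES:
        return "too_large"
    if has_dtd(data):
        return "dtd_rejected"
    try:
        ET.fromstring(data)  # well-formedness only; no DTD can reach here
    except ET.ParseError:
        return "malformed"
    return "ok"


# --- constructed samples -------------------------------------------------
SOAP_NS = b'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'

SAMPLE_OK = (
    b"<soap:Envelope " + SOAP_NS + b"><soap:Body><x>1</x></soap:Body></soap:Envelope>"
)
# missing </x>: the kind of input a Malformed XML scan sends
SAMPLE_MALFORMED = (
    b"<soap:Envelope " + SOAP_NS + b"><soap:Body><x>1</soap:Body></soap:Envelope>"
)
# tiny three-level entity chain (expands to only 300 bytes) used to show the estimator
SAMPLE_DTD = (
    b'<?xml version="1.0"?>\n'
    b"<!DOCTYPE soap [\n"
    b'<!ENTITY a "aaa">\n'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    b"]>\n"
    b"<soap:Envelope " + SOAP_NS + b"><soap:Body><x>&c;</x></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("malformed", SAMPLE_MALFORMED), ("dtd", SAMPLE_DTD)):
        print(label, "->", check_request(sample), "expansion:", entity_expansion_size(sample))
```

Rejecting the DTD before parsing is the cheap, complete fix for entity bombs on a SOAP service; the expansion estimate is there for services that must accept a DTD and want an explicit threshold to log against.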
Cross Site Scripting
Does your Service expose the parameters it uses in its messages? This common mistake opens the door to Cross Site Scripting, which the Cross Site Scripting scan tests for.
Send random text to your Service in order to provoke unknown errors, buffer overflows, stack traces, or find string vulnerabilities. Running Fuzzing Scans helps system hardening greatly.
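What the Cross Site Scripting and Fuzzing scans above actually do with each reply is apply assertions to it: is the value we sent echoed back without encoding, and did the service leak a stack trace? The following is an added example (not code from SoapUI) of two such response assertions written as plain functions so they can run over any captured reply. The probe value, the three sample responses and the stack-trace regexes are constructed for this example; real scans use many more probes and patterns.

```python
"""Response assertions of the kind a security scan applies to every reply
(added example, not SoapUI's own assertions).

Assumptions: the caller knows the exact string it sent in the request, and
the response body is available as text. The trace patterns cover common
Java, Python and .NET formats and are a starting point, not a complete list.
"""
import html
import re
from typing import Optional

STACK_TRACE_PATTERNS = {
    "java_frame": re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),
    "java_exception": re.compile(r"java\.lang\.\w+Exception|Exception in thread"),
    "python_traceback": re.compile(r"Traceback \(most recent call last\)"),
    "dotnet_frame": re.compile(r"at [\w.]+ in [A-Za-z]:\\.*:line \d+"),
}


def reflected_unescaped(sent: str, body: str) -> bool:
    """True if a probe containing markup characters is echoed back verbatim.

    If the service HTML-encoded the value, only the escaped form appears in
    the body and the raw substring test fails, which is the desired outcome.
    A probe with no characters that escaping would change cannot signal XSS,
    so it never counts as a finding.
    """
    if html.escape(sent, quote=True) == sent:
        return False
    return sent in body


def leaks_stack_trace(body: str) -> Optional[str]:
    """Name of the first stack-trace pattern found in the body, else None."""
    for name, pattern in STACK_TRACE_PATTERNS.items():
        if pattern.search(body):
            return name
    return None


def assess(sent: str, body: str) -> list:
    """Collect findings for one request/response pair."""
    findings = []
    if reflected_unescaped(sent, body):
        findings.append("reflected_unescaped")
    if leaks_stack_trace(body):
        findings.append("stack_trace")
    return findings


# --- constructed samples -------------------------------------------------
PROBE = "<b>soapui-probe</b>"  # benign markup marker used as the request value
ENVELOPE = '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>{}</soap:Body></soap:Envelope>'

RESP_SAFE = ENVELOPE.format("<r>Hello " + html.escape(PROBE) + "</r>")      # encoded echo
RESP_REFLECT = ENVELOPE.format("<r>Hello " + PROBE + "</r>")                # raw echo
RESP_TRACE = ENVELOPE.format(
    "<soap:Fault><faultstring>java.lang.NullPointerException\n"
    "\tat com.example.Svc.handle(Svc.java:42)</faultstring></soap:Fault>"
)

if __name__ == "__main__":
    for label, body in (("safe", RESP_SAFE), ("reflect", RESP_REFLECT), ("trace", RESP_TRACE)):
        print(label, "->", assess(PROBE, body) or "no findings")
```

The reflection check deliberately treats an encoded echo as a pass: the defect the scan is looking for is the lack of output encoding, not the echo itself.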
But wait, there's more
- Added ability to delete more than one assertion at once (4.0.1)
- Enlarged the controls in Security Testing (4.0.1)
- Added option in preferences to trim WSDL on import (4.0.1)
- Added global setting for normalizing forward slashes (which was always performed previously)
- Added possibility to ignore XML comments in XPath assertions
- Added custom multi-value delimiter for REST parameter values
- Improved handling of internal errors in Schema Validation
- Added quoting of values with "" in the File DataSink
- Improved REST Resource resolution for REST TestRequests when there are multiple resources with the same path
- Improved Redirect handling to always use GET
- Added encoding property to File DataSink (if you need to write files with some other charset than the system one)
- General Stability and Performance improvements
- All password fields now use masked input
- Image URLs referenced by the endpoint of an HTTP Test Step are now shown in the corresponding Result View (HTML tab) when the Test Step is executed
- Support for sending empty query parameters in HTTP Test Steps
- Added option to disable browser plugins for HTTP Test Steps
- Improved WADL importer support for referenced representations and parameters
- Added Digest Algorithm setting to WS-Security Signature entry
- Improved error messages when WSDL loading fails
- Added support for property expansions in output folder for command-line runners
- Improved Command-line Security-Test runner to support all TestCase Runner options and custom JUnit-Style report
- Added new WAR generator command-line utility for generating WAR files for a Project
- Added possibility to override JUnitReportCollector for creating custom JUnit style reports
- Added option to run Security Scans only once in complex TestCases
- Improved feedback in Security Log
- Introduced factory extension mechanism for easily adding your own TestSteps, Assertions, etc.
- Improved installer to install the tutorials in a custom location
- Improved error messages when trying to install a Renewal license over a Trial
- Improved installer to install the Browser Component in the SoapUI directory instead of the local profile
- Added a version-update notice: get notified when a new version of SoapUI is out (4.0.1)