What’s new

SoapUI 4.0.1 - The Security Release

XML Bomb, SQL Injection, Malformed XML, what do they all have in common? Those are just a few of the new features added to the latest SoapUI 4 release. Adding a multiple set of security scans helps you make sure your web services are protected from vulnerabilities.

pro hacker-prevention-made-easy

Hacker prevention made easy!

With the SoapUI Pro Security Test Generator you can create a complete set of vulnerability scans. With just a few mouse clicks you will have a full blown hacker simulation. Instant Security!

Powerful analytics engine

Boundary Scan

Sending in data at the boundary of allowed values or in direct opposition of the allowed values may cause your system to behave erratically or display unwanted information. Harden your system against boundary conditions.

Compare tests in real-time

Invalid Data

Sending purely invalid data of invalid formats can cause your system to reveal deep information about how it's built or make itself vulnerable to further attacks. Protect your system from invalid data attacks.

Drag and Drop Analyses

Malformed XML

Make sure your Service Implementation is robust. Send malformed XML to your system, and verify that the malformed XML does not cause ripple effects which weaken your systems robustness.

LIVE Agent Analytics

SQL Injection

Secure your database. Send in Malicious SQL statements in order to make sure it's not possible to get access to or weaken your databases.

Retrospective Data Analysis

XPath Injection

Verify your application server does not execute XPath statements and examine whether an attacker can execute XPath statements on your server.

1-Click Reporting

XML Bomb

A document of extreme size can cause instability, make your systems inaccessible or make your system an attack vector. The XML Bomb scan will examine whether your system is vulnerable to stack overflows.

Results Manager

Malicious attachment

Send malicious attachments to the target system. Make sure an attacker cannot send unwanted attachments such as executable or plain viruses.

Highly interactive charts

Custom script

The SoapUI Security Test Framework comes completely extendable. Create your own scan using Groovy and build your own set of security tests fully integrated into SoapUI.

Multi-level result views

Cross Site scripting

Does your Service expose the parameters it uses in its messages? This is a common mistake leading to Cross Site Scripting scans.


Fuzzing Scan

Send random texts to you Service in order to provoke unknown errors, buffer overflows, stack traces, or find string vulnerabilities. Help system hardening greatly by running Fuzzing Scans.

But wait, there's more

Functional Testing

  • Added ability to delete more than one assertion at once (4.0.1)
  • Enlarged the controls in Security Testing (4.0.1)
  • Added option in preferences to trim WSDL on import (4.0.1)
  • Added global setting for normalizing forward slashes (which was always performed previously)
  • Added possibility to ignore XML comments in XPath assertions
  • Added custom multi-value delimiter for REST parameter values
  • Improved handling of internal errors in Schema Validation
  • Added adding of Quotes "" to File DataSink
  • Improved REST Resource resolution for REST TestRequests when there are multiple resources with the same path
  • Improved Redirect handling to always use GET
  • Added encoding property to File DataSink (if you need to write files with some other charset than the system one)
  • General Stability and Performance improvements
  • All password fields now use masked input
  • Images URLs referenced (end-point) in an HTTP Test Step will now be shown in the corresponding Result View (HTML tab) when the Test Step is executed
  • Support for sending empty query parameters in HTTP Test Steps
  • Added option to disable browser plugins for HTTP Test Steps

Technology Support

  • Improved WADL importer support for referenced representations and parameters
  • Added Digest Algorithm setting to WS-Security Signature entry
  • Improved error messages when WSDL loading fails


  • Added support for property expansions in output folder for command-line runners
  • Improved Command-line Security-Test runner to support all TestCase Runner options and custom JUnit-Style report
  • Added new WAR generator command-line utility for generating WAR files for a Project


  • Added possibility to override JUnitReportCollector for creating custom JUnit style reports


  • Added option to run Security Scans only once in complex TestCases
  • Improved feedback in Security Log


  • Introduced factory extension mechanism for easily adding your own TestSteps, Assertions, etc.
  • Improved installer to install the tutorials in custom location
  • Improved error messages when trying to install a Renewal license over a Trial
  • Improved installer to install the Browser Component in SoapUI directory instead of local profile


  • Added a version update notice- Get notified when a new version of SoapUI is out. (4.0.1)

List of bugs fixed and updated libraries