The Security Testing features introduced in SoapUI 4.0 make it extremely easy for you to validate the functional security of your target services, allowing you to assess the vulnerability of your system to common security attacks. This is especially critical if your system is publicly available, but even if that is not the case, ensuring an altogether secure environment is equally important.
Let’s do a quick walk-through of just how easy it is.
1. Create a Functional TestCase (or use an existing one)
We’ll start with the trustworthy included Sample Project, import it into your workspace and open the first TestCase:
2. Add a Security Test
You can see an empty “Security Tests” node in the left tree (see the image above). Right-click it and select the “New SecurityTest” option, which opens the following dialog (if you are using the free version, read further down):
Select the “Auto” mode to generate default Security Scans and Assertions for the TestSteps in your TestCase and press "Next":
Here you see a summary of all the Security Scans and Assertions SoapUI will add to the Security Test. Press OK to create the Security Test with the described configuration and open the Security Test window:
If you are running the free version of SoapUI, you will just be prompted for the name of the Security Test; once it is created, you will have to add Security Scans and their assertions manually for the TestSteps in the TestCase (read more about Security Scans).
3. Run the Security Test
Run the Test by pressing the green arrow at the top left (make sure the target service is running; in our case this is the MockService). You will see ongoing progress for each TestStep and its configured Security Scans in the Security Test window:
You will see ongoing progress in the main window as the different Security Scans are executed. More detailed information is available in the Security Log at the bottom.
If you are really observant, you will notice that I had removed the XML Bomb Security Scan prior to running the Test; the SoapUI MockService engine, which we are running our tests against, is unfortunately vulnerable to these attacks.
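The XML Bomb scan probes whether a service expands entity declarations from an inline DTD, which is the weakness the MockService shows here. As an added example (not code from the page or from SoapUI), the following Python shows the simplest mitigation on the service side: refuse any DOCTYPE before the SOAP body reaches the application parser. It assumes a service that parses its requests with the standard-library expat parser; the logout operation, element names and sample requests are constructed for the illustration.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a request body carries a DOCTYPE declaration."""


def parse_soap_body(data: bytes, max_bytes: int = 1_000_000) -> list:
    """Parse a SOAP envelope with DTDs refused; return the element names seen.

    Raises DoctypeRejected if the document declares a DOCTYPE, and
    ValueError for oversized or malformed input.
    """
    if len(data) > max_bytes:
        raise ValueError("request body exceeds %d bytes" % max_bytes)
    elements = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the start of the DOCTYPE, before any entity is declared,
        # so internal and external subsets are both refused.
        raise DoctypeRejected("DOCTYPE %r is not permitted" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError("malformed XML: %s" % exc) from None
    return elements


def accepts(data: bytes) -> bool:
    """True if the body would be handed on to the service, False if refused."""
    try:
        parse_soap_body(data)
    except ValueError:  # DoctypeRejected is a ValueError subclass
        return False
    return True


# Constructed sample requests for a hypothetical logout operation.
BENIGN_LOGOUT = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soapenv:Body><logout><sessionid>abc123</sessionid></logout></soapenv:Body>"
    b"</soapenv:Envelope>"
)
# One harmless entity declaration is enough to trip the check; no expansion payload.
DTD_LOGOUT = (
    b'<!DOCTYPE logout [<!ENTITY sid "abc123">]>'
    b"<logout><sessionid>&sid;</sessionid></logout>"
)
```

Re-running the XML Bomb scan against a service guarded this way should report the mutations as refused rather than as timeouts or memory exhaustion.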
4. Analyze the Results
The Security Log at the bottom of the Security Test window shows detailed information on failed Security Scans. Click on a Security Scan in the main window and the log will scroll to that Scan's entries:
Check here for unexpected alerts that might indicate a possible security vulnerability in your target service. Double-click individual entries to see their actual message exchanges.
Here you can see one of the XPath Injection mutations sent to our logout service operation.
5. Create a Report
Make your managers happy by sending them a report indicating the immense stability of your services: press the “Create Report” button in the top menu, which opens the familiar report preview:
5.1. What Next?