Getting Started with Security Testing

This page describes standalone SoapUI Pro, which has been replaced by ReadyAPI.
To try the enhanced security testing functionality, download a ReadyAPI trial.

The step-by-step guide to Security Testing:

Watch the video demo below for a quick introduction to testing the security of your APIs.


The Security Testing features introduced in SoapUI 4.0 make it easy to validate the functional security of your target services: a Security Test reuses the TestSteps of a functional TestCase, sends attack-style inputs to them (for example XPath Injection mutations or an XML Bomb) and checks each response with assertions, so you can assess how vulnerable your system is to common attacks. This is especially critical if your system is publicly available, but even if that is not the case, an altogether secure environment is equally important.

Let’s do a quick walk-through of just how easy it is.

1. Create a Functional TestCase (or use an existing one)

We’ll start with the bundled Sample Project: import it into your workspace and open the first TestCase:

Sample project

2. Add a Security Test

You can see an empty “Security Tests” node in the left tree (see the image above). Right-click it and select the “New SecurityTest” option; this opens the following dialog (if you are using the free version, read further down):

Create security test wizard

Select the “Auto” mode to generate default Security Scans and Assertions for the TestSteps in your TestCase and press "Next":

Auto security wizard

Here you see a summary of all the Security Scans and Assertions SoapUI will add to the Security Test. Press OK to create the Security Test with the described configuration and open the Security Test window:

Created security test

If you are running the free version of SoapUI you will just be prompted for the name of the Security Test. Once it is created you will have to add the Security Scans and their assertions manually for the TestSteps in the TestCase (read more about Security Scans).

3. Run the Security Test

Run the Test by pressing the green arrow at the top left (make sure the target service is running; in our case this is the MockService). You will see ongoing progress for each TestStep and its configured Security Scans in the Security Test window:

Running security test

The main window shows progress as the different Security Scans are executed; more detailed information is available in the Security Log at the bottom.

If you are really observant you will notice that I removed the XML Bomb Security Scan before running the Test: the SoapUI MockService engine we are running our tests against is, unfortunately, vulnerable to these attacks. Since the MockService runs inside the same SoapUI process, an entity-expansion bomb would exhaust that process's memory and take the test run down with it, so leave resource-exhaustion scans such as XML Bomb out whenever the target is in-process or shared with other users.
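To see why that scan was left out, here is an added example (not SoapUI's own code) that builds the classic nested-entity bomb the XML Bomb scan is modelled on, computes how much text a parser that expands every reference would have to materialise, and shows the service-side check a hardened endpoint applies: refuse any DOCTYPE or entity declaration before anything is expanded. The payload shape, the `build_xml_bomb` and `parse_rejecting_dtd` helpers and the `<logout>` request are assumptions constructed for the illustration.

```python
"""XML bomb (billion laughs) payload and a DTD-rejecting parse.

Added example, not SoapUI's own code. The payload is the classic
nested-entity shape; build_xml_bomb / parse_rejecting_dtd are assumed
helpers written for this illustration.
"""
import xml.parsers.expat


def build_xml_bomb(depth: int, fanout: int, base: str = "lol") -> str:
    """Entity lol<N> references lol<N-1> `fanout` times; lol0 is `base`."""
    decls = [f'<!ENTITY lol0 "{base}">']
    for level in range(1, depth + 1):
        refs = f"&lol{level - 1};" * fanout
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    dtd = "<!DOCTYPE bomb [\n" + "\n".join(decls) + "\n]>"
    return f'<?xml version="1.0"?>\n{dtd}\n<bomb>&lol{depth};</bomb>'


def expanded_size(depth: int, fanout: int, base: str = "lol") -> int:
    """Bytes a parser must materialise if it expands every reference:
    len(base) * fanout**depth (a few KB of input becomes gigabytes)."""
    return len(base) * fanout ** depth


class DtdRejected(ValueError):
    """Raised before any entity is expanded."""


def parse_rejecting_dtd(doc: str) -> str:
    """Parse `doc` with expat, aborting on the first DOCTYPE or entity
    declaration. Returns the root element name of an accepted document."""
    root_name = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as "<!DOCTYPE" is seen, before the internal subset
        # is read, so no entity value is ever stored or expanded.
        raise DtdRejected(f"DOCTYPE {name!r} is not accepted")

    def on_entity_decl(*_):
        raise DtdRejected("entity declarations are not accepted")

    def on_start(name, attrs):
        if not root_name:
            root_name.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(doc, True)  # exceptions raised in handlers propagate here
    return root_name[0]


def is_rejected(doc: str) -> bool:
    """True if parse_rejecting_dtd refuses `doc` because it carries a DTD."""
    try:
        parse_rejecting_dtd(doc)
    except DtdRejected:
        return True
    return False


# Constructed sample request in the shape of the tutorial's logout operation.
LOGOUT_REQUEST = '<?xml version="1.0"?><logout><sessionid>abc123</sessionid></logout>'

if __name__ == "__main__":
    bomb = build_xml_bomb(depth=9, fanout=10)
    print(f"bomb is {len(bomb)} bytes, expands to {expanded_size(9, 10):,} bytes")
    print("bomb rejected:", is_rejected(bomb))
    print("logout root:", parse_rejecting_dtd(LOGOUT_REQUEST))
```

With depth 9 and fanout 10 the request is well under a kilobyte but expands to 3 GB, which is why the rejection has to happen at the DOCTYPE and not after parsing. A SOAP endpoint has no legitimate need for an inline DTD, so refusing the declaration outright is the usual hardening rather than trying to cap expansion.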

4. Analyze the Results

The Security Log at the bottom of the Security Test window shows detailed information on failed Security Scans. Click a Security Scan in the main window and the log scrolls to that Scan's entries:

Security test log

Check here for unexpected alerts, which may indicate a vulnerability in your target service. Double-click individual entries to see the actual request and response for that mutation.

Security message log

Here you can see one of the XPath Injection mutations sent to our logout service operation.
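The mutation in that screenshot only does damage if the service splices the value into its XPath expression. As an added example (not SoapUI's or the sample service's code), here is what such a logout handler's query building looks like next to two hardened forms: an allow-list on the session id, which is the right fix for a token, and XPath 1.0 literal quoting for values that must stay free-text. The `//session[@id=...]` query, the token format and the helper names are assumptions; the injected value is a constructed mutation of the classic `' or '1'='1` shape.

```python
"""XPath injection: naive query building beside two hardened forms.

Added example, not SoapUI's or the sample service's code. The query
shape, token format and helper names are assumptions for the illustration.
"""
import re

# Assumed session-token format for the logout operation: URL-safe, bounded length.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")

# Constructed mutation of the classic injection shape: closes the literal,
# appends an always-true predicate, and re-opens a literal for the trailing quote.
INJECTED_SESSION_ID = "' or '1'='1"


def vulnerable_query(session_id: str) -> str:
    """Vulnerable: the caller-supplied value lands inside the predicate verbatim,
    so the mutation turns @id='<token>' into @id='' or '1'='1' (matches every session)."""
    return f"//session[@id='{session_id}']"


def allowlisted_query(session_id: str) -> str:
    """Hardened (preferred for tokens): refuse anything outside the token alphabet,
    so no quote, bracket or operator can ever reach the expression."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("session id has an unexpected format")
    return f"//session[@id='{session_id}']"


def xpath_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string literal.
    XPath 1.0 has no escape character: a value containing one quote kind is
    wrapped in the other; a value containing both is split on the single quote
    and reassembled with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for chunk in value.split("'"):
        if chunk:
            parts.append(f"'{chunk}'")
        parts.append('"\'"')          # the single quote that was split out
    parts.pop()                       # no quote follows the last chunk
    return "concat(" + ", ".join(parts) + ")"


def quoted_query(value: str) -> str:
    """Hardened (for free-text values): the whole input stays inside one literal."""
    return f"//session[@id={xpath_literal(value)}]"


def allowlist_rejects(session_id: str) -> bool:
    """True if the allow-list variant refuses `session_id`."""
    try:
        allowlisted_query(session_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable :", vulnerable_query(INJECTED_SESSION_ID))
    print("quoted     :", quoted_query(INJECTED_SESSION_ID))
    print("allow-list rejects mutation:", allowlist_rejects(INJECTED_SESSION_ID))
    print("allow-list accepts token   :", allowlisted_query("a1b2c3d4e5"))
```

The vulnerable form yields `//session[@id='' or '1'='1']`, a predicate that is true for every node; the quoted form keeps the same input inside one double-quoted literal, and the allow-list never lets it near the expression at all. When you see an alert on an XPath Injection entry in the Security Log, the response to compare against is the one the service gives for a single well-formed token.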

5. Create a Report

Make your managers happy by sending them a report on the stability of your services: press the "Create Report" button in the top menu, which opens the familiar report preview:

Create security test report

5.1. What Next?

Dig into the documentation on Security Tests and Security Scans and put your knowledge to work in SoapUI to ensure the security of your target services.