Penetration testing

SoapUI: Security Testing

Chiragh Dewan
March 13, 2017 by
Chiragh Dewan

SoapUI is an SOAP (Simple Object Access Protocol) and REST (Representational state transfer) API (Application Programing Interface) testing tool. It provides a plethora of testing features such as:

  • Functional Testing
  • Performance Testing
  • Security Testing
  • Data-Driven Testing
  • API Mocking
  • WSDL (Web Service Definition Language) Coverage

SoapUI provides us with a free Open-Source version as well as a Pro version by the name of SoapUI NG Pro. The Pro version's license can be purchased for $599 for a year or $1,127 for two years or $1,607 for three years. A free trial of 14-days is also available.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

The open Source version can be downloaded from https://www.soapui.org/downloads/latest-release.html

A brief comparison between the Open Source version and the Pro version can be seen below:

SoapUI works on Windows (32 bit and 64bit), Linux (32 bit and 64bit) and MacOS. Once downloaded, the installation is pretty straight forward.

Note: SoapUI requires JDK (Java development Kit) to provide best results. JDK can be download from http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

Once downloaded, the pretty straight forward. Just follow the installation steps, and you will be good to go. Though SoapUI provides a lot of different testing features, we will just be focusing on the Security Testing with a REST API in this article. Before we start testing the security of an API, we need to start by creating a new project and add our REST API.

We can do that by click on REST found above and entering the URL of our REST API. In this case, I am using an API which has a GET method. Once done, SoapUI will automatically separate the API endpoint and the resource. By default, it chooses the GET parameter. However, it can be changed into the following by simply selecting a different method from the drop-down box on the top-left-hand-side.

Now that we have added the API, it is time to add the parameters required. In this case, a single parameter thread_id is used to retrieve all the messages associated with that thread id. To do that, click on the green plus icon on the top-left-hand-side and enter the parameter name and a test value. Once done, you will notice that it automatically fills the Parameters field on the top with the data entered.

Now before we add this, it is always recommended to test the API. To do that, click on the green play button (marked in red) and we will be able to see the result on the right. Now to test this endpoint, click on the gray check button right next to the dropdown for the methods (marked in blue).

When clicked, it will ask to name the TestSuite. You can enter any relevant name you like. The TestSuite is to save the endpoint.

After clicking Ok, it will then ask us to save the TestCase. You can enter any relevant name you like.

Once entered, it will then ask us to name the test case. You can enter any relevant name you like.

With this, we have finally added our API endpoint for testing. To do that, we start with adding a new Security Test. This can be done by right clicking on Security Test on the left and selecting New SecurityTest (marked in red) and naming it.

Now we add the different security tests we would like to do. SoapUI provides us with the following options:

  • Boundary Scan
  • Cross Site Scripting (XSS)
  • Custom Script
  • Fuzzing Scan
  • Invalid Types
  • SQL Injection
  • XPath Injection

Here, we have the ability to add one or more tests and run them simultaneously. In this case, we shall scan the API endpoint for SQL Injections.

To choose, we select the Test Case we had previous created, in this case, Get-Messages-1. Right-click on it and select Add SecurityScan and a popup would appear with all the test case scenarios and listed above. Select SQL Injection and click Ok. Now, for us to add the parameters, click on the green plus icon (marked in red) and enter the following information:

  • Parameter Name: In this, we need to select the parameter we want to test on. As our current API takes the parameter thread_id, that is what we will be using.
  • Parameter Label: A unique parameter label name is required in this field.
  • XPath: It is an optional field to enter any XML values required like REST or HTTP parameters. In most cases, this is left blank.

Once done, it is time to add the assertions. To do that, click on the green plus sign location below (marked in green). Next, a popup window will show us the list of assertions that are available to us. It is worth mentioning here that not all assertions are compatible with the REST API's. However, the ones compatible will only be selectable. For this instance, we will be choosing the assertion "Sensitive Information Exposure," which can be found under Security (marked in blue) and select the assertion Sensitive Information Exposure (marked in purple).

Next, it will ask us to enter any Sensitive Information Tokens for the assertion we just added.

This is an optional field. However, a list of Tokens can be found in Global Preferences under the "Global Sensitive Information Tokens" tab:

I will also be adding the "XPath Match" assertion. The assertion can be added the same way as the "Sensitive Information Exposure" assertion. Now it is time to run the tests. We will be redirected back to the popup from where we had begun adding the security tests. Just click on the green play button on the top (marked in red), and our scan will start.

While the scan is going, on the right, we can see the progress and any alerts (errors) that the scan might have come across (marked in blue) and below, we can see the error report(s), if any, and the queries that ran for testing (marked in purple). There you have it; we have now successfully checked our REST API for SQL Injection.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

In conclusion, SoapUI is a powerful tool which can help perform various tests and is compatible with SOAP as well as REST API's. It is a great way interact with the web services delivered, and it is easy to use UI helps any user learn the tricks of the trade in no time.

Chiragh Dewan
Chiragh Dewan

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security including at an TEDx event.