Secure is Ready! API's security testing tool. It provides a wide range of security scans to ensure that your API is not vulnerable to various security exploits.



Getting Started With Secure

In this tutorial, we give a brief overview of how to create a security test in Ready! API Secure.


Security Tests

Secure provides you with a number of testing features which make it extremely easy for you to validate the functional security of your target services. This helps you assess the vulnerability of your system for common security attacks.

This is especially critical if your system is publicly available. But even if that is not the case, ensuring an altogether secure environment is equally important.


Security Scans

Security Scans are what SoapUI uses to identify potential security vulnerabilities in your target services. Each scan sends a number of malicious requests to your service to try to provoke and identify a behavior that could indicate a security vulnerability that needs to be handled.

The following Security Scans are currently available:

Boundary Scan: tries to exploit bad handling of values that are outside of defined ranges
Cross Site Scripting: tries to find cross-site scripting vulnerabilities
Custom Script: allows you to use a script for generating custom parameter fuzzing values
Fuzzing Scan: generates totally random input for the specified request parameters for a specified number of requests
HTTP Method Fuzzing Scan (Pro feature): generates totally random input for the specified request parameters for a specified number of requests
Invalid Types: tries to exploit handling of invalid input data
Invalid JSON Types: tries to exploit handling of JSON data
JSON Fuzzing Scan: generates random input and inserts it into POSTed JSON for a specified number of requests
JSON Boundary Scan (Pro feature): tries to exploit bad handling of values that are outside of defined ranges in JSON POST requests
Malformed XML: tries to exploit bad handling of invalid XML on your server or in your service
Malicious Attachment: tries to exploit bad handling of attached files
Sensitive Files (Pro feature): tries to find files that may contain sensitive information
SQL Injection: tries to exploit bad database integration coding
Weak Authentication (Pro feature): static analysis of the request for authorization weaknesses
XML Bomb: tries to exploit bad handling of malicious XML requests
XPath Injection: tries to exploit bad XML processing inside your target service

Security Assertions

You use security assertions to check whether the responses to the requests sent during a Security Scan contain content that indicates the presence of a vulnerability.

The mechanism is the same as for standard test requests - you select the assertion and configure it in the table in the Assertions tab.
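As an added example (not code from Ready! API or SmartBear), the following Python script models the workflow described in the Security Scans and Security Assertions sections above: constructed boundary and invalid-type values are sent to a toy in-process handler, and two assertion-style checks run over each response, one for server errors and one for leaked internal details. The handlers, the payload lists, the disclosure patterns and the 0..150 range are all constructed for this illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Constructed toy service, "before" version: it converts the parameter without
# validation and echoes internal exception and database error text in 500 responses.
def naive_handler(params):
    age = params.get("age")
    try:
        age_int = int(age)
    except (TypeError, ValueError):
        return Response(500, f'java.lang.NumberFormatException: For input string: "{age}"')
    if age_int < 0 or age_int > 150:
        return Response(500, "SQLException: Check constraint 'age_range' is violated")
    return Response(200, '{"ok": true}')


# Constructed "after" version: validates type and range up front and answers with
# a generic client error, so the scan payloads never reach the database layer.
def hardened_handler(params):
    age = params.get("age")
    if not isinstance(age, str) or not age.isdigit():
        return Response(400, '{"error": "age must be a non-negative integer"}')
    if int(age) > 150:
        return Response(400, '{"error": "age out of range"}')
    return Response(200, '{"ok": true}')


# Constructed payloads in the spirit of the Boundary Scan (values just outside
# the declared 0..150 range) and the Invalid Types scan (wrong data types).
BOUNDARY_VALUES = ["-1", "151", "0", "150", "99999999999999999999"]
INVALID_TYPE_VALUES = ["abc", "", "1.5", "<xml/>", None]

# Constructed patterns for a "sensitive information exposure" style assertion:
# any of these in a response body suggests internal details are leaking.
DISCLOSURE_PATTERNS = [r"\w*Exception", r"ORA-\d{5}", r"stack ?trace", r"syntax error"]


def sensitive_information_assertion(resp):
    """Return the leaked fragment if the body matches a disclosure pattern, else None."""
    for pattern in DISCLOSURE_PATTERNS:
        match = re.search(pattern, resp.body, re.IGNORECASE)
        if match:
            return match.group(0)
    return None


def status_assertion(resp, allowed=(200, 400, 422)):
    """A scan payload should be rejected cleanly, never provoke a server error."""
    return resp.status in allowed


def run_scan(handler, values, parameter="age"):
    """Send each payload to the handler and collect (payload, finding) pairs."""
    findings = []
    for value in values:
        resp = handler({parameter: value})
        leaked = sensitive_information_assertion(resp)
        if leaked is not None:
            findings.append((value, f"sensitive information disclosed: {leaked}"))
        if not status_assertion(resp):
            findings.append((value, f"unexpected HTTP status {resp.status}"))
    return findings


if __name__ == "__main__":
    payloads = BOUNDARY_VALUES + INVALID_TYPE_VALUES
    for name, handler in (("naive", naive_handler), ("hardened", hardened_handler)):
        findings = run_scan(handler, payloads)
        print(f"{name}: {len(findings)} finding(s)")
        for value, finding in findings:
            print(f"  {value!r}: {finding}")
```

Run against the naive handler every out-of-range or wrongly typed payload produces two findings (a 500 status and an exception name in the body); the hardened handler produces none, which is the outcome an assertion-backed scan is meant to confirm before a release.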


In this section you can find information about creating reports for your security tests.

Security Issues Report

Security Test Report

Data Export Report

Note: Reports use some of the Microsoft core fonts. Not all Linux installations include these fonts. If you have issues with creating reports, install the mscorefonts package applicable to your Linux distribution, and then copy the TTF files from /usr/share/fonts/truetype/msttcorefonts to the {Ready API Installation}/jre/lib/fonts directory.

Make sure to specify the {Ready API Installation}/bin/reports directory in the Custom Reports Library field of the File | Preferences | Ready! API window.


SecurityTest Scripting

As with most other functionality in LoadUI, you can enhance and tailor the execution of a SecurityTest to your specific needs through scripting. The following SecurityTest-specific scripting hooks are available directly in the UI.

1. Setup and TearDown scripts that execute before and after a SecurityTest has run
2. Access to SecurityTest related objects in a TestCase script
3. SecurityTest-related event handlers in LoadUI Pro
4. SecurityTest-related extensions

Scripts can be used to perform any kind of action. For example, you might want to write all TestStep execution times to a database for later analysis, or customize all sent requests via the SecurityTestRunListener.beforeTestStep event.

Command-Line Runner

To launch security tests from a command line, you can use a SecurityTestRunner script that you can find in the <Ready! API directory>\bin directory. The file name is securitytestrunner.bat on Windows, and on Linux and Mac.

You can start this runner from the command line, or from the Ready! API user interface. In the latter case, you can configure the command-line parameters visually and then copy the generated command line to the clipboard to insert it later into your automated testing tool.


© 2016 SmartBear Software