Security Scan Wizard


SoapUI NG Pro helps you find and address API security vulnerabilities before you go to production by providing several built-in security scans that you can easily add to your API tests. Our unique Security Scan Wizard walks you through customizing the test run: you select the scans you want to use and the test steps you want to run them against.
Our built-in security tests include:

BOUNDARY SCAN
Sending in data at the boundary of allowed values or in direct opposition of the allowed values may cause your system to display unwanted information. This scan sends those requests through to see if your API can be breached.

CROSS-SITE SCRIPTING
This test checks that your API does not expose the parameters it uses by displaying them in messages and URLs.

FUZZING SCAN
This scan injects random text as API requests to provoke unknown errors, buffer overflows, stack traces, or string vulnerabilities.

INVALID TYPES
This scan sends an unexpected data format in the request so you can validate that the API can gracefully handle input of the wrong data type.

MALFORMED XML
This scan will insert malformed XML snippets into the API request in an effort to expose sensitive information or potentially crash a vulnerable server.

MALICIOUS ATTACHMENT
Malicious attachments can take several forms and serve multiple purposes. For our scan, we add attachments to the request, or replace existing ones, with invalid or large attachments to seek out vulnerabilities in the server or the code.

SQL INJECTION
Our SQL injection test sends malicious SQL statements to your API in an effort to access or compromise your databases.

XML BOMB
The XML Bomb sends an extremely large XML file to your API in an effort to create a stack overflow.

XML INJECTION
This scan injects unexpected XML content and/or structures into the API request in an attempt to disrupt its behavior.
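All of the scans above follow the same pattern: send input the API was not designed for, then check two things about the response, that its status is the one a correct API would return and that its body carries no internal detail (exception text, stack frames, server paths). As an added example that is not part of this page or of SoapUI, the following Node.js script models that pattern for three of the scans (Boundary, Invalid Types, Malformed XML) against a constructed toy "order" API, with a leaky handler beside a hardened one. The handlers, the 1..100 quantity range, the /srv/... paths and the leak patterns are all assumptions made for the example.

```javascript
// Added example (not SoapUI's code): a miniature harness that sends the kinds
// of inputs the Boundary, Invalid Types and Malformed XML scans send, and
// applies the two checks such a scan needs: did the API return the expected
// status, and did the response leak internal details (stack traces, paths)?
// Both handlers and the "order" API below are constructed for this example.

const VALID_XML = '<order id="42"/>';

// Stand-in for an XML parser: accepts only <order id="NNN"/>.
// Its error message deliberately carries a server path, as real parsers often do.
function parseOrderXml(body) {
  const m = /^<order id="(\d+)"\s*\/>$/.exec(body);
  if (!m) throw new Error("unexpected token at /srv/api/orders/parser.js:42");
  return Number(m[1]);
}

// Leaky handler (constructed): no type check, and every exception becomes a
// 500 whose body carries the exception text and a stack frame.
function leakyHandler(req) {
  try {
    const qty = req.params.quantity;
    if (qty < 1 || qty > 100) {
      throw new RangeError(`quantity ${qty} out of range`);
    }
    const id = parseOrderXml(req.body);
    return { status: 200, body: `ok ${id}:${qty}` };
  } catch (e) {
    return {
      status: 500,
      body: `${e.name}: ${e.message}\n    at leakyHandler (/srv/api/orders/handler.js:17:5)`,
    };
  }
}

// Hardened handler: type check before range check, parser errors mapped to a
// generic 400, nothing from the exception reaches the client.
function hardenedHandler(req) {
  const qty = req.params.quantity;
  if (typeof qty !== "number" || !Number.isInteger(qty)) {
    return { status: 400, body: "quantity must be an integer" };
  }
  if (qty < 1 || qty > 100) {
    return { status: 400, body: "quantity must be between 1 and 100" };
  }
  let id;
  try {
    id = parseOrderXml(req.body);
  } catch (e) {
    return { status: 400, body: "malformed request body" };
  }
  return { status: 200, body: `ok ${id}:${qty}` };
}

// Scan cases: each carries the inputs and the status a correct API should return.
const SCAN_CASES = [
  // Boundary scan: the edges of the allowed range 1..100 and values just outside it.
  ...[1, 100].map((q) => ({ scan: "boundary", quantity: q, body: VALID_XML, expect: 200 })),
  ...[0, 101, -1, Number.MAX_SAFE_INTEGER].map((q) => ({ scan: "boundary", quantity: q, body: VALID_XML, expect: 400 })),
  // Invalid types: values of the wrong data type in a numeric parameter.
  ...["abc", "", null, [], {}, true, 1.5].map((q) => ({ scan: "invalid-type", quantity: q, body: VALID_XML, expect: 400 })),
  // Malformed XML: broken or unexpected snippets in the request body.
  ...['<order id="1">', '<order id="1"></ord>', "<<>>", "", '<order id="x"/>'].map((b) => ({ scan: "malformed-xml", quantity: 10, body: b, expect: 400 })),
];

// Patterns that indicate a response is exposing internals.
const LEAK_PATTERNS = [
  /\bat \S+ \(.*:\d+:\d+\)/, // JavaScript stack frame
  /\b\w*(Error|Exception):/, // exception class name followed by its message
  /\/(srv|var|home|usr)\//,  // Unix server paths
];

// Run every case through a handler; return one finding per failed check.
function runScan(handler) {
  const findings = [];
  for (const c of SCAN_CASES) {
    const res = handler({ params: { quantity: c.quantity }, body: c.body });
    const label = `${c.scan} quantity=${JSON.stringify(c.quantity)} body=${JSON.stringify(c.body)}`;
    if (res.status !== c.expect) {
      findings.push(`${label}: expected HTTP ${c.expect}, got ${res.status}`);
    }
    if (LEAK_PATTERNS.some((p) => p.test(res.body))) {
      findings.push(`${label}: response leaks internal details`);
    }
  }
  return findings;
}

for (const [name, handler] of [["leaky", leakyHandler], ["hardened", hardenedHandler]]) {
  const findings = runScan(handler);
  console.log(`${name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log("  - " + f);
}
```

Two things in the harness carry over to real scans: the expected status is part of each case, so an API that silently accepts a wrong-typed value with a 200 is reported just as an API that crashes with a 500 is, and the leak check runs on every response, including the ones with the right status, because a correct status code with a stack trace in the body is still a finding.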


Custom Scans

For those who want more control over the design and execution of their API security tests, SoapUI NG Pro provides the ability to start from a clean slate and build your own scans. In SoapUI NG Pro, a security test is essentially a layer on top of an existing test case, adding any number of security scans to each of the Request TestSteps beneath it.

To help you build and configure the security scans that make sense for your API, the tool includes the scans described in the section above, which you can populate with your own settings.

If none of those meet your needs, you can also choose Custom Script to write your own security scan in JavaScript or Groovy. Your script is invoked with the variables parameters, log, context, securityScan, and testStep.


Security Test Generator


The types and amount of API security testing you need depend greatly on who will be using your API and the level of exposure you might have as a result. With SoapUI NG Pro, you can build custom security scans from scratch, use our pre-built security scans, or jump-start your security testing with our Security Test Generator.

