API Security Testing

Add security scans in your CI/CD workflow to ensure your APIs are free of security vulnerabilities.

Security Scan Wizard

SoapUI Pro helps you find and address API security vulnerabilities before you go to production by providing several built-in security scans that you can easily add to your API tests. Our Security Scan Wizard walks you through customizing the test run: you select the scans you want to use and the test steps you want to run them against.

Types of Security Tests in SoapUI Pro

Boundary Scan

Sending data at the boundary of the allowed values, or in direct opposition to them, may cause your system to display unwanted information. This scan sends those requests to see whether your API can be breached.

Cross-Site Scripting

This scan checks that your API does not expose the parameters it uses by displaying them in messages and URLs.

Fuzzing Scan

This scan injects random text as API requests to provoke unknown errors, buffer overflows, stack traces, or string vulnerabilities.

Invalid Types

This scan sends an unexpected data format in the request so you can validate that the API can gracefully handle input of the wrong data type.
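As an added, stand-alone model of what the Boundary Scan and Invalid Types scan above probe (example code written for this page, not SoapUI Pro's own scan engine), the following JavaScript generates boundary and wrong-type values for an integer parameter, runs them against a constructed stand-in handler with two deliberate defects, and reports responses that leak a stack trace, fail with a server error, or accept an out-of-range value. The handler, the parameter name and its range are assumptions.

```javascript
// Constructed stand-in for the API under test (not a real service): accepts
// {qty: integer 1..100}. Two deliberate defects give the scan something to find:
// a wrong-type input leaks a stack trace, and the range check runs on a value
// silently truncated to 32 bits.
function demoHandler(body) {
  const qty = body.qty;
  if (typeof qty !== "number") {
    // defect 1: unhandled cast error, stack trace returned to the client
    return {
      status: 500,
      body: "java.lang.ClassCastException: cannot cast to java.lang.Integer\n" +
            "\tat com.example.OrderService.parseQty(OrderService.java:42)",
    };
  }
  const stored = qty | 0; // defect 2: bitwise OR truncates to a 32-bit int
  if (stored < 1 || stored > 100) {
    return { status: 400, body: "qty must be between 1 and 100" }; // graceful
  }
  return { status: 200, body: "ok" };
}

// Boundary values (at, just beyond, and far beyond the range) and wrong-type
// values for an integer parameter; expectReject marks inputs a sound API must refuse.
function scanValues({ min, max }) {
  return [
    { kind: "boundary", value: min, expectReject: false },
    { kind: "boundary", value: max, expectReject: false },
    { kind: "boundary", value: min - 1, expectReject: true },
    { kind: "boundary", value: max + 1, expectReject: true },
    { kind: "boundary", value: 2 ** 32 + max, expectReject: true }, // wraps to max in 32 bits
    { kind: "boundary", value: Number.MAX_SAFE_INTEGER, expectReject: true },
    { kind: "invalid-type", value: String(min), expectReject: true },
    { kind: "invalid-type", value: null, expectReject: true },
    { kind: "invalid-type", value: [min], expectReject: true },
    { kind: "invalid-type", value: { qty: min }, expectReject: true },
  ];
}

// Java/Node "at frame(file:line)" frames and Python tracebacks count as leaked traces.
const STACK_TRACE = /\n\s+at .*\(.*:\d+\)|Traceback \(most recent call last\)/;

// Run every value through the handler; a finding is a server error, a stack
// trace in the body, or an invalid value that was accepted with 200.
function runScan(handler, paramName, spec) {
  const findings = [];
  for (const tc of scanValues(spec)) {
    const res = handler({ [paramName]: tc.value });
    const stackTrace = STACK_TRACE.test(String(res.body));
    const acceptedInvalid = tc.expectReject && res.status === 200;
    if (res.status >= 500 || stackTrace || acceptedInvalid) {
      findings.push({ kind: tc.kind, value: tc.value, status: res.status, stackTrace, acceptedInvalid });
    }
  }
  return findings;
}
```

Running `runScan(demoHandler, "qty", { min: 1, max: 100 })` reports the four wrong-type inputs as stack-trace leaks and the 32-bit wraparound value as an accepted out-of-range input.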

Malformed XML

This scan will insert malformed XML snippets into the API request in an effort to expose sensitive information or potentially crash a vulnerable server.

Malicious Attachment

Malicious attachments can take several forms and serve multiple purposes. For this scan, we add attachments to the request, or replace existing ones, with invalid or oversized attachments to seek out vulnerabilities in the server or the code.

SQL Injection

Our SQL injection test can send malicious SQL statements to your API in an effort to access and weaken your databases.

XML Bomb

The XML Bomb sends an extremely large XML file to your API in an effort to create a stack overflow.

XML Injection

This scan injects unexpected XML content and/or structures into the API request in an attempt to disrupt its behavior.

Custom Scans

For those who want more control over the design and execution of their API security tests, SoapUI Pro provides the ability to start from a clean slate and build your own scans. In SoapUI Pro, a security test is basically a layer on top of an existing test case, adding any number of security scans to each of the Request TestSteps beneath.

To help you build and configure the security scans that make sense for your API, the tool includes the scans described in the section above, ready for you to populate.

If none of those meet your needs, you can also choose Custom Script to write your own security scan in JavaScript or Groovy. Your script is invoked with the parameters, log, context, securityScan, and testStep variables.

Security Test Generator

The types and amount of API security testing you need depend greatly on who will be using your API and the level of exposure you might have as a result. With SoapUI Pro, you have the option of building custom security scans from scratch, using our pre-built security scans, or jump-starting your security testing with our Security Test Generator.


Start Your SoapUI Pro Trial Now

Test the functionality of your REST and SOAP APIs faster, while improving quality and security.

  • Fully-functional 14 day free trial
  • Create and execute API tests in seconds
  • Automate your API tests with CI servers
  • Quickly generate security scans
  • Integrate with leading API management platforms
