SoapUI Security Testing: Complete Guide

How to do security testing using SoapUI?

APIs are essential for software systems to communicate with each other. With the ever-increasing importance of APIs, security testing is crucial. SoapUI is a popular testing tool that provides various security testing methods for APIs. In this article, we will explore SoapUI’s security testing techniques.

Table of contents

• Why security testing is crucial?
• Types of security scans in SoapUI
• Creating and running security tests in SoapUI
• Viewing test results
• Adding assertions to security scans
• Security scan parameters
• Cloning security scans
• Scripts for security tests
• Common errors in security testing
• Security testing in SoapUI vs. Burp Suite
• Conclusion

Why security testing is crucial?

Security testing is crucial in the software development life cycle (SDLC). It evaluates a system’s security to identify potential susceptibilities and weaknesses malicious modules could exploit. Security testing is essential for APIs as they are gateways to sensitive data and functionality. Failure to secure APIs can lead to security risks such as data violations and unauthorized access.

Vulnerability assessment

Security testing in SoapUI helps identify vulnerabilities within web services. Testers can pinpoint weak points in the system by simulating various attack scenarios, such as SQL injection, cross-site scripting (XSS), or authentication vulnerabilities.

Compliance and regulations

Many industries and regions have severe data security and privacy limitations, such as GDPR, HIPAA, or PCI DSS. Security testing assures web services comply with these regulations, lowering the risk of legal consequences and fines.

Protecting sensitive data

Web services often handle sensitive data, including personal information and financial records. Security testing in SoapUI helps ensure that this data remains confidential and is not susceptible to unauthorized access.

Mitigating risks

Cyber threats are constantly evolving. Regular security testing helps organizations avoid potential threats and vulnerabilities, allowing them to address and mitigate risks proactively.

Types of security scans in SoapUI

Security scans are SoapUI tools that identify potential security vulnerabilities in your target services. Each scan sends several malicious requests to your service, trying to provoke and determine the behavior that indicates a security susceptibility that needs to be handled.

Let’s explore some of the most common types of security scans available in SoapUI:

Cross-site scripting (XSS) scan

Cross-site scripting is a typical web application susceptibility where an attacker injects malicious scripts into web pages considered by other users. The SoapUI XSS scan identifies vulnerable endpoints in your API that may be susceptible to this attack. It checks for proper input validation and output encoding to prevent malicious scripts from executing.

Boundary scan

Boundary scan, also known as boundary value analysis, involves testing the boundaries of input parameters to ensure that an API behaves correctly when given values at the edge of its expected range. SoapUI’s boundary scan helps you identify potential security weaknesses related to boundary conditions in your API.

Fuzzing scan

Fuzzing is a technique where an application is subjected to a large volume of random or invalid data to uncover unexpected behavior or vulnerabilities. SoapUI’s fuzzing scans can simulate these attacks by sending malicious data to your API endpoints to identify potential security weaknesses.

SQL injection scan

SQL injection is a well-known attack vector where malicious SQL queries are injected into input fields to manipulate a database. SoapUI’s SQL injection scan checks whether your API is vulnerable to such attacks by attempting to inject malicious SQL queries and observing the API’s response.

XPath injection scan

XPath injection is a security vulnerability that occurs when an attacker manipulates input parameters to an XML query in a way that exposes sensitive information or compromises the API’s functionality. SoapUI’s XPath injection scan helps identify these vulnerabilities in your API.

Sensitive file exposure

Sensitive file exposure vulnerabilities occur when an API allows unauthorized access to sensitive files or resources. SoapUI scans can identify misconfigured access controls or inadequate authentication mechanisms that may lead to such exposure.

Weak authentication

Weak authentication mechanisms are a common source of security vulnerabilities. SoapUI’s security scans assess the strength of authentication mechanisms in your API, looking for potential weaknesses such as easily guessable passwords or missing multi-factor authentication.

HTTP method fuzzing

HTTP method fuzzing scans involve sending various HTTP methods (e.g., GET, POST, PUT, DELETE) to API endpoints to discover unexpected behaviors or vulnerabilities. It helps ensure that your API endpoints respond correctly to different HTTP methods and do not expose sensitive operations to unauthorized users.

Creating and running security tests in SoapUI

Now that we have explored the various security scans available in SoapUI let’s walk through the process of performing security testing using this tool.

Follow the below steps to ensure the security of your APIs:

Open File > New Security Test, or in the Dashboard, select Go to Security Tests.

Select the URL option.

Enter your respective endpoint URL and click Next. 

To add another URL, click Add URL.

Select the security scans you need and click Finish.

Now, you have created a security test. SoapUI will allow you to run the security tests immediately or edit them before running. We do not need to configure anything, so select the Run Security Test option.

If you edit the test before running it, click to start the test run later.

SoapUI will start sending modified requests and checking responses. After the test run is over, SoapUI will display the results of the test run.

Click View Summary Report to open the test summary report page. Again, for a more detailed report, click View Full Report.

Viewing test results

If some scans fail during the test run, the progress bar will become orange, but the test run will resume.

Navigate to the Transaction log page. This page contains the complete log of requests sent during the security test.

The column on the left includes the information about requests sent to the service. The column on the right contains the info about responses you received from the service and the status of each request. If the assertion fails, the scan will have the FAIL status. If any request gets a random result, it will have the WARNINGS status, but it will not fail.

Select a response with the FAILED or WARNING status in the property editor tab to see the tests where the error has occurred. Then, expand the Message section to see the service’s response to this request.

Adding assertions to security scans

After the security scan, you need to ensure that it takes only a short time for the service to respond in case of unexpected input.

Go to the Setup tab. Click the Boundary Scan response. In the Assertions editor, click the plus icon (+).

In the Add Assertion dialog, select SLA > Response SLA and click Add.

Specify the response time value, choose one that will trigger the assertion, and click OK.

If some response takes over 200 milliseconds during this scan duration, the assertion will be triggered, and the security scan will fail.

Security scan parameters

In the security tests, parameters define which properties of the request SoapUI will be tested. Each parameter corresponds to a specific parcel of the request message you want to scan. Depending on the type of scan, SoapUI will replace the value of the following property with some content that will expose vulnerabilities in your service.

Some scans require that you specify parameters before starting the test run – for example, the XPath Injection scan.

To create and edit parameters:

• Select a security scan.
• Expand the Configuration drop-down list in the security scan inspector on the right.
• Use the Parameters table.

Cloning security scans

When you clone configured scans and parameters in a security test, copy them to another security test in the same or a different project. 

To do that:

Right-click a security test. Select Clone Security Scans.

In the subsequent window, configure the cloning.

Scripts for security tests

Scripts for security tests are a suitable way to enhance and tailor the execution of a security test to your specific needs. Use these scripts to perform various actions relying on the goals you need to accomplish.

There are two primary types of scripts for security tests:

Setup script

In the Setup phase, you prepare your test environment, configure necessary security parameters, and establish the initial conditions for your security tests. This phase is crucial for ensuring your tests are executed consistently and effectively.

To open the setup script editor, click the Setup Script in the security test inspector tab.

Here’s an example script for the Setup phase in SoapUI:

// Define the base URL of the web service to be tested
def baseUrl = "https://example.com/api/"

// Set up authentication, such as providing API keys or tokens
def apiKey = "your-api-key"
testRunner.testCase.setPropertyValue("APIKey", apiKey)

// Configure SSL settings if required
testRunner.testCase.getTestStepByName("TestStepName").getHttpRequest().setSslKeystore("path/to/keystore.jks")
testRunner.testCase.getTestStepByName("TestStepName").getHttpRequest().setSslKeystorePassword("keystore-password")

// Set up request headers, content type, or any other necessary headers
testRunner.testCase.getTestStepByName("TestStepName").setRequestHeaders("Content-Type: application/json")

// Log the start of the Setup phase for reference
log.info("Setup phase completed.")

In the above script, we set the base URL, configure authentication, handle SSL settings if needed, and set request headers.

Use the setup scripts to:

• Create shared objects that will be available for additional tests.
• Initialize external resources to utilize them in your test.
• Clear and remove log files.
• Organize databases or your operating system for testing.
• Initialize shared data and objects and save them to the context interface.

Tear down script

The Tear Down phase is executed after the central security tests have been performed. It is essential to clean up any resources, ensure a return to the initial state, and log the results or any issues encountered during testing.

To open the teardown script editor, click the TearDown Script in the security test inspector tab:

Here’s an example script for the Tear Down phase in SoapUI:

// Log the end of the main security testing phase
log.info("Main security tests completed.")

// Clean up resources or close connections
def connection = testRunner.testCase.getTestStepByName("TestStepName").getHttpRequest().getConnection()
if (connection != null) {
    connection.close()
}

// Log the completion of the Tear Down phase
log.info("Tear Down phase completed.")

In this script, we log the end of the leading testing phase, clean up any resources or connections, and log the completion of the tear-down phase.

Use teardown scripts to:

• Send notification email.
• Cancel a test run if some condition is not fulfilled.
• Display the total execution time and the state of external resources.
• Close database collections or Postman connections if required
• Fail a test by using the SecurityTestRunner.fail() methods.

Common errors in security testing with SoapUI

Security testing is critical to ensuring the robustness and integrity of web services. However, like any testing process, security testing in SoapUI can encounter several common errors or challenges that may affect its effectiveness. Understanding these issues is essential for successful security testing.

Here are some common errors in security testing with SoapUI:

SSL/TLS connection error

This error typically occurs when SoapUI cannot establish a secure SSL/TLS connection due to certificate issues or when SoapUI encounters a self-signed SSL certificate.

SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

Solution: You need to import the SSL certificate of the target server into SoapUI’s trust store. Again, To bypass this error for testing purposes, you can configure SoapUI to ignore SSL certificate validation.

Request size limit exceeded

Some security configurations may restrict the size of requests to prevent attacks like denial of service (DoS).

The request exceeded the maximum allowed size

Solution: Review the security settings on the server, proxy, or security appliance to which you send the request. Ensure that the request size complies with the allowed limits. You may need to split large requests or configure your server to accept larger requests if necessary.

Neglecting client-side security

Focusing solely on server-side security can leave vulnerabilities in client-side components unaddressed. These client-side vulnerabilities may be exploited to manipulate or misuse the web service.

Solution: Perform comprehensive security testing for both server-side and client-side components. Verify that client-side inputs are sanitized and secure to prevent potential vulnerabilities.

Failure to keep SoapUI Updated

Using an outdated version of SoapUI may result in missing out on the latest security features, bug fixes, and patches. This can expose the testing process to known vulnerabilities.

Solution: Regularly update SoapUI to the latest version to ensure your security testing tool is up-to-date and aligned with the latest security standards and features.

Security testing in SoapUI vs. Burp Suite

Security testing is critical in ensuring the safety and integrity of web services and applications. Both SoapUI and Burp Suite are potent tools for security testing, but they have distinct features and different purposes.

Let’s compare security testing in SoapUI and Burp Suite:

Purpose and focus

• SoapUI: Primarily focuses on functional and load testing of web services and APIs. It is designed for testing the functionality, performance, and reliability of services.
• Burp Suite: Dedicated to web application security testing, particularly for identifying and exploiting vulnerabilities like SQL injection, cross-site scripting (XSS), and more. Penetration testers and security professionals widely use it.

Testing approach

• SoapUI: Creates and executes test cases to ensure web services function as expected. Security testing in SoapUI often includes authentication, authorization, and encryption testing.
• Burp Suite: Used for black-box testing and vulnerability assessment. It intercepts, analyzes, and manipulates HTTP requests and responses to identify security vulnerabilities. It provides advanced injection, session management, and security misconfiguration scanning tools.

Security features

• SoapUI: While it has some security testing capabilities, SoapUI primarily focuses on functional testing. It can be used to simulate security-related scenarios but lacks the extensive security-specific features found in Burp Suite.
• Burp Suite: Designed explicitly for security testing. It provides many tools, including an intercepting proxy, a web vulnerability scanner, and extensive reporting capabilities for identifying and remediating security vulnerabilities.

User community

• SoapUI: Has a large user community, primarily consisting of testers, developers, and quality assurance professionals. It’s widely used for functional and load testing of web services.
• Burp Suite: Has a dedicated user community of security professionals and penetration testers. It’s known for its comprehensive security testing capabilities.

Integration and extensibility

• SoapUI: Can be integrated with various test management tools, making it suitable for incorporating security tests into a broader testing framework. However, its security-specific features are limited compared to Burp Suite.
• Burp Suite: Provides extensive integrations with various tools, and its functionality can be extended through plugins. This flexibility allows it to be used with other security testing and analysis tools.

Reporting

• SoapUI: Offers basic reporting capabilities but may provide a different level of detail and focus on security vulnerabilities than Burp Suite.
• Burp Suite: Offers detailed reports with clear descriptions of vulnerabilities and suggested remediation actions, making it an ideal choice for security professionals and auditors.

Final thoughts on SoapUI security testing

Security testing in SoapUI is vital to web service development and maintenance. By systematically assessing the security aspects of your web services, you can identify vulnerabilities, ensure compliance with regulations, protect sensitive data, and proactively mitigate risks. In today’s interconnected world, the importance of robust security testing cannot be overstated. It’s not just about functionality; it’s about safeguarding the trust and privacy of your users.

Related articles

• SoapUI performance testing
• Groovy scripting in SoapUI
• API mocking with SoapUI
• SoapUI-Postman integration

Soapui security testing tutorial