Chapter 4. Security Testing in Detail

In Chapter 1, Introduction to SOA Testing, we learnt how to configure SoapUI to test services from a security perspective. In this chapter we will cover the following topics in detail:

  • Security testing in SOA world
  • Generating security attacks and analyzing any vulnerabilities
  • A real-time example of security testing in Web services

Security testing in SOA world

Service-oriented architecture, as the name implies, is a collection of loosely coupled services that may run on the same network or on different networks. These services talk to multiple databases and share a great deal of critical information, both among the organization's own services and with third parties. Sharing complex information across multiple WANs and multiple third-party services across enterprise boundaries raises concerns for the stakeholders.

Let's have a look at a few of the attack types:

  • SQL injection: The purpose of this attack is to gain access to the database, or to provoke an inappropriate response, by passing SQL fragments in the request parameters.
  • XPath injection: The purpose of this attack is to extract information from an XML database.
  • XML bomb: The purpose of this attack is to cause a denial of service for an application. It works by overloading the XML parser through recursively nested entities defined in the DTD.
  • Cross-site scripting attack: This is a very powerful attack when used in the right combination. It targets the user of the application and is capable of redirecting the user to unknown locations on the Web, or of stealing the user's password by capturing keyboard input.

As you can see, SOA applications are very vulnerable, which raises the need to security test the SOA architecture.

SmartBear SoapUI provides a set of ready-made features and functionalities to test your web services for the following vulnerabilities:

  • SQL injection
  • XPath injection
  • Fuzzing scan
  • Invalid types
  • Boundary scans
  • Malformed XML
  • XML bomb
  • Malicious attachment
  • Cross-site scripting (CSS) attack
  • Custom scan

The preceding scans help to check for any vulnerability that exists in the service and help us identify security threats more easily.

SoapUI also provides the option of a custom scan, where you can create your own security test with the help of Groovy or JavaScript.

In the following screenshot you can see the Security Tests option just below Load Tests in SoapUI:


Let's see how we configure a security test in SoapUI:

  1. To add a test, right-click on Security Tests and select New SecurityTest:
  2. Now select New SecurityTest and verify that a popup asking for the name of the security test opens:
  3. Enter the name of the security test and click on OK.
  4. After that, a security test configuration window opens on the screen for the service operation of your test case; where there are multiple operations in the same test case, you can configure multiple operations in a single security test as well.
  5. In this pane you can select and configure scans on your service operations.
  6. To add a scan click on the selected icon in the following screenshot:
  7. After selecting the icon you can now select the scan you want to generate on your operation:
  8. After that you can configure your scan for the relevant parameter by specifying the XPath of the parameter in the request. Once you select the test and click on the OK button you will be routed to the following screen:

    Once you are done with entering the details, you can then add the test with the Add button. Once you add the test you can leave the window by clicking on the Close button.

  9. After that you can select Assertions and Strategy from the options:
  10. You are now ready to run your security test with a boundary scan for the search service method; we will be testing the service for sensitive information exposure in the response.
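As an added example (not the book's or SoapUI's own code), the following Python harness reproduces what steps 8 to 10 configure in SoapUI: it selects the request parameter by XPath, substitutes boundary values for it, and checks every response for sensitive information exposure such as stack traces or database errors. The service namespace, the search operation and fake_search_service are constructed assumptions for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces for the constructed request; the "svc" URI is an assumption.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "svc": "http://example.com/search"}

# Constructed SOAP request for a hypothetical search operation.
REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:svc="http://example.com/search">
<soap:Body><svc:search><svc:maxResults>10</svc:maxResults></svc:search></soap:Body></soap:Envelope>"""

# Response fragments that indicate exposure of stack traces, database errors or server paths.
SENSITIVE = [re.compile(p, re.I) for p in (
    r"exception", r"stack ?trace", r"\bat [\w.$]+\(", r"syntax error",
    r"ORA-\d{5}", r"sqlstate", r"jdbc:", r"/var/www/", r"[A-Z]:\\")]

def boundary_values():
    """Boundary inputs for a 32-bit integer parameter, as a boundary scan would send."""
    return ["", "0", "-1", "2147483647", "2147483648", "-2147483649",
            "9" * 12, "1e308", "NaN"]

def inject(envelope, xpath, value):
    """Replace the text of the parameter selected by xpath (the XPath target of step 8)."""
    root = ET.fromstring(envelope)
    node = root.find(xpath, NS)
    if node is None:
        raise ValueError(f"no parameter matches {xpath}")
    node.text = value
    return ET.tostring(root, encoding="unicode")

def leaks(response):
    """Return the patterns that fire on a response; an empty list means the response is clean."""
    return [p.pattern for p in SENSITIVE if p.search(response)]

def run_scan(send, xpath=".//svc:maxResults"):
    """send() takes a request string and returns the response body; findings are keyed by input."""
    findings = {}
    for value in boundary_values():
        hits = leaks(send(inject(REQUEST, xpath, value)))
        if hits:
            findings[value] = hits
    return findings

def fake_search_service(request):
    """Constructed stand-in for the endpoint: mishandles integer overflow and leaks a trace."""
    text = ET.fromstring(request).find(".//svc:maxResults", NS).text or ""
    try:
        n = int(text)
    except ValueError:
        return "<Fault><faultstring>Invalid maxResults</faultstring></Fault>"
    if not -2147483648 <= n <= 2147483647:
        return ("<Fault><faultstring>java.lang.ArithmeticException: integer overflow"
                " at com.example.SearchImpl.search(SearchImpl.java:42)</faultstring></Fault>")
    return "<searchResponse><count>0</count></searchResponse>"
```

To scan a real endpoint, replace fake_search_service with a function that posts the request to the service and returns the response body; run_scan(fake_search_service) reports the three overflow inputs that provoke a leaked stack trace in the stand-in.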