In security tests, parameters define which properties of the request ReadyAPI will test. Each parameter corresponds to a specific property of the request message you want to scan. Depending on the type of the scan, ReadyAPI will replace the value of this property with some content that will expose vulnerabilities in your service.
Some scans require that you specify parameters before starting the test run – for example, the XPath Injection scan.
To create and edit parameters:
- Select a security scan.
- Expand the Configuration drop-down list in the security scan inspector on the right.
- Use the Parameters table.
Each row of the table shows information on a specific parameter:
Column | Description |
---|---|
Label | A descriptive name for the parameter. Must be unique. Use this label in the Custom Script scan to access this parameter. |
Type | Depending on the parameter type, a scan appends the parameter to different locations in the request message. |
Path | The XPath or JSONPath expression that refers to the request property whose value will be replaced during the security test run. |
Enabled | Indicates whether the parameter is enabled or disabled. |
Use the toolbar of the Parameters table to access the parameter operations:
Option | Description |
---|---|
Add | Add a parameter. |
Delete | Delete the selected parameter. |
Copy | Copy the selected parameter. |
Clone | Clone the selected parameter. |
Extract | Extract parameters from the request. |
Examples
SOAP request
For example, you need to scan the following SOAP request:
```xml
<!-- the sam namespace URI below is a placeholder -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sam="urn:placeholder-sample">
  <soapenv:Header/>
  <soapenv:Body>
    <sam:login>
      <username>user</username>
      <password>password</password>
    </sam:login>
  </soapenv:Body>
</soapenv:Envelope>
```
There are two properties in this request:
- username
- password
To ensure your API will handle this request properly even if it contains some potentially harmful strings, define these properties as parameters. To do that, either add them to the table manually, or configure the SOAP Request test step to include these parameters and extract them automatically.
REST request
For example, you need to scan the following REST message:
```json
{
  "username": "user",
  "password": "password"
}
```
There are two body parameters in this message:
- username
- password
In this case, these properties are defined by using JSON.
When configuring security scans, use property expansions to get these values. For example, to specify the Request test step’s username field for substitution, use ${Request#username}.
To test the body parameters without using property expansions, select a parameter name.
Note: The Custom Script scan does not support JSON payloads.
Create parameters
To create a single parameter manually:
- Click Add in the Parameters table of the Configuration inspector.
- The Configure Security Test Step Parameters dialog will appear. Specify the parameter options:
Option | Description |
---|---|
Parameter Label | The parameter’s label. Must be unique. Use this label in the Custom Script scan to access this parameter. |
Path | The XPath or JSONPath expression that refers to a request property whose value will be replaced during the security test run. Calls the *Path Expression dialog. Use it to generate a JSONPath or XPath expression for a specific element. Also, see Get Data. Tip: To learn more about the JSONPath syntax, see JSONPath Reference. |
- Click one of these buttons to finish the creation:
Button | Description |
---|---|
Add | Add the parameter. |
Add&Copy | Add the parameter and copy all settings you have specified to a new parameter. |
Close | Abort creating the parameter and close the window. |
Delete parameters
To remove a parameter:
- Select the parameter in the Parameters table of the Configuration inspector.
- Click Delete.
Copy parameters
To create a copy of the parameter without editing the original one:
- Select the parameter in the Parameters table of the Configuration inspector.
- Click Copy.
- The Configure Security Scan Parameters dialog will appear. Specify the options:
Option | Description |
---|---|
Parameter Label | The parameter’s label. Must be unique. Use this label in the Custom Script scan to access this parameter. |
Path | The XPath or JSONPath expression that refers to a request property whose value will be replaced during the security test run. Calls the *Path Expression dialog, allowing you to generate a JSONPath or XPath expression for a specific element. See Get Data. |
- Click one of the following buttons to finish the copying:
Button | Description |
---|---|
Add | Add the parameter. |
Add&Copy | Add the parameter and copy all the settings you have specified to the new parameter. |
Close | Abort creating the parameter and close the window. |
Clone parameters
To clone a parameter to another security scan within the same project:
- Click Clone in the Parameters table of the Configuration inspector.
- The Clone Parameters dialog will appear. Specify the options:
Option | Description |
---|---|
Parameters | The parameters to clone. |
Target Test Suite | Apply the cloned parameters to the selected test suite. |
Target Test Case | Apply the cloned parameters to the selected test case. |
Target Security Test | Apply the cloned parameters to the selected security test. |
Target Test Step | Apply the cloned parameters to the selected test step. |
Target Security Scans | Apply the cloned parameters to the selected security scans. |
Overwrite | Replace the existing parameters with the cloned parameters. |
- Click OK to apply the changes and clone the parameter.
Extract properties as parameters
If a request contains the properties you want to add as parameters, extract them automatically.
Note: This feature is available only to the users who have a Pro license.
To extract properties, click Extract.
ReadyAPI will search for available properties in the request. If they contain any values, the properties will appear in the table as the new parameters.
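As an added illustration (not code from the ReadyAPI documentation or product), the following Python models what the Path column, the Extract action and the unique-label rule amount to for the SOAP and REST examples above: it extracts one parameter per JSON property that carries a value, rejects duplicate labels, and substitutes a benign marker value at a JSONPath or XPath target while refusing ambiguous or missing targets. Function names, the marker value and the sam namespace URI are assumptions; only the dotted JSONPath subset and ElementTree's XPath subset are handled.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample bodies modelled on the page's SOAP and REST examples (sam namespace URI is a placeholder).
SOAP_BODY = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
             'xmlns:sam="urn:placeholder-sample"><soapenv:Header/><soapenv:Body><sam:login>'
             '<username>user</username><password>password</password></sam:login>'
             '</soapenv:Body></soapenv:Envelope>')
REST_BODY = '{"username": "user", "password": "password", "remember": ""}'

def _json_keys(path):  # '$.a.b' -> ['a', 'b']; only the dotted JSONPath subset is handled
    return path.lstrip("$").strip(".").split(".")
def extract_json_parameters(body):
    """Mimic Extract: one parameter per object leaf that actually carries a value."""
    params = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, f"{path}.{key}")
        elif node not in (None, ""):  # properties without a value are skipped
            params.append(dict(label=_json_keys(path)[-1], path=path, value=node, enabled=True))
    walk(json.loads(body), "$")
    return params
def check_labels_unique(params):  # the Parameters table requires unique labels
    labels = [p["label"] for p in params]
    dupes = sorted({l for l in labels if labels.count(l) > 1})
    if dupes:
        raise ValueError(f"duplicate parameter labels: {dupes}")
    return True
def substitute_json(body, path, value):
    """Return the body with the property selected by `path` replaced by `value`."""
    doc = node = json.loads(body)
    *parents, leaf = _json_keys(path)
    for key in parents:
        node = node[key]
    if leaf not in node:
        raise KeyError(f"{path} does not exist in the request")
    node[leaf] = value
    return json.dumps(doc)
def xml_text_at(body, xpath):
    return ET.fromstring(body).find(xpath).text
def substitute_xml(body, xpath, value):
    """Replace the text of the single element the ElementTree XPath selects."""
    root = ET.fromstring(body)
    targets = root.findall(xpath)
    if len(targets) != 1:
        raise ValueError(f"{xpath} matched {len(targets)} elements, expected exactly one")
    targets[0].text = value
    return ET.tostring(root, encoding="unicode")
```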