In security tests, parameters define which properties of the request ReadyAPI will test. Each parameter corresponds to a specific property of the request message you want to scan. Depending on the type of the scan, ReadyAPI will replace the value of this property with some content that will expose vulnerabilities in your service.
Some scans require that you specify parameters before starting the test run – for example, the XPath Injection scan.
To create and edit parameters:
1. Select a security scan.
2. Expand the Configuration drop-down list in the security scan inspector on the right.
3. Use the Parameters table.
Each row of the table shows information on a specific parameter:
Column | Description |
---|---|
Label | A descriptive name for the parameter. Must be unique. Use this label in the Custom Script scan to access this parameter. |
Type | Depending on the parameter type, a scan appends the parameter to different locations in the request message: |
Path | The XPath or JSONPath expression that refers to the request property whose value will be replaced during the security test run. |
Enabled | Indicates whether the parameter is enabled or disabled. |
Use the toolbar of the Parameters table to access the parameter operations:
Option | Description |
---|---|
Add | Add a parameter. |
Delete | Delete the selected parameter. |
Copy | Copy the selected parameter. |
Clone | Clone the selected parameter. |
Extract | Extract parameters from the request. |
For example, you need to scan the following SOAP request:
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sam="http://www.soapui.org/sample/">
  <soapenv:Header/>
  <soapenv:Body>
    <sam:login>
      <username>user</username>
      <password>password</password>
    </sam:login>
  </soapenv:Body>
</soapenv:Envelope>
```
There are two properties in this request:
- username
- password
To ensure your API will handle this request properly even if it contains some potentially harmful strings, define these properties as parameters. To do that, either add them to the table manually or configure the SOAP Request test step to include these parameters and extract them automatically.
For example, you need to scan the following REST message:
```json
{
  "username": "user",
  "password": "password"
}
```
There are two body parameters in this message:
- username
- password
In this case, these properties are defined by using JSON.
When configuring security scans, use property expansions to get these values. For example, to specify the Request test step’s username field for substitution, use ${Request#username}.
To test the body parameters without using property expansions, select a parameter name.
Important: The Custom Script scan does not support JSON payloads.
To create a single parameter manually:
1. Click Add in the Parameters table of the Configuration inspector. The Configure Security Test Step Parameters dialog will appear.
2. Specify the parameter options:

Option | Description |
---|---|
Parameter Label | The parameter’s label. Must be unique. Use this label in the Custom Script scan to access this parameter. |
Path | The XPath or JSONPath expression that refers to the request property whose value will be replaced during the security test run. Calls the *Path Expression dialog. Use it to generate a JSONPath or XPath expression for a specific element. Also, see Get Data. |

Tip: To learn more about the JSONPath syntax, see JSONPath Reference.

3. Click one of these buttons to finish the creation:

Button | Description |
---|---|
Add | Add the parameter. |
Add&Copy | Add the parameter and copy all settings you have specified to a new parameter. |
Close | Abort creating the parameter and close the window. |
To remove a parameter:
1. Select the parameter in the Parameters table of the Configuration inspector.
2. Click Delete.
To create a copy of the parameter without editing the original one:
1. Select the parameter in the Parameters table of the Configuration inspector.
2. Click Copy. The Configure Security Scan Parameters dialog will appear.
3. Specify the options:

Option | Description |
---|---|
Parameter Label | The parameter’s label. Must be unique. Use this label in the Custom Script scan to access this parameter. |
Path | The XPath or JSONPath expression that refers to the request property whose value will be replaced during the security test run. Calls the *Path Expression dialog, allowing you to generate a JSONPath or XPath expression for a specific element. See Get Data. |

4. Click one of the following buttons to finish the copying:

Button | Description |
---|---|
Add | Add the parameter. |
Add&Copy | Add the parameter and copy all the settings you have specified to the new parameter. |
Close | Abort creating the parameter and close the window. |
To clone a parameter to another security scan within the same project:
1. Click Clone in the Parameters table of the Configuration inspector. The Clone Parameters dialog will appear.
2. Specify the options:

Option | Description |
---|---|
Parameters | The parameters to clone. |
Target Test Suite | Apply the cloned parameters to the selected test suite. |
Target Test Case | Apply the cloned parameters to the selected test case. |
Target Security Test | Apply the cloned parameters to the selected security test. |
Target Test Step | Apply the cloned parameters to the selected test step. |
Target Security Scans | Apply the cloned parameters to the selected security scans. |
Overwrite | Replace the existing parameters with the cloned parameters. |

3. Click OK to apply the changes and clone the parameter.
If a request contains the properties you want to add as parameters, extract them automatically.
Important: This feature is available only to the users who have a Pro license.

To extract properties, click Extract.
ReadyAPI will search for available properties in the request. If they contain any values, the properties will appear in the table as the new parameters.
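
The following Python sketch is an added example, not ReadyAPI code. It models the extraction described above on the page's two sample requests and shows how a parameter's Path selects the one value that is replaced. The function names, the `SCAN_VALUE` placeholder, the ElementTree-style paths and the one-request-per-enabled-parameter behaviour are all assumptions made for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples: the SOAP and REST login requests shown on this page.
SOAP = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:sam="http://www.soapui.org/sample/"><soapenv:Header/><soapenv:Body>'
        '<sam:login><username>user</username><password>password</password>'
        '</sam:login></soapenv:Body></soapenv:Envelope>')
REST = '{"username": "user", "password": "password"}'
PLACEHOLDER = "SCAN_VALUE"  # constructed stand-in for the content a scan supplies

def extract_xml_params(xml_text):
    """Map label -> path for each leaf element that carries a value."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        if len(el) == 0 and (el.text or "").strip():
            params[el.tag.split("}")[-1]] = ".//" + el.tag  # label drops {ns}
    return params

def extract_json_params(json_text):
    """Map label -> JSONPath for each non-empty value in nested objects."""
    params = {}
    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}")
        elif node not in (None, ""):  # arrays are kept as a single value
            params[path.rsplit(".", 1)[-1]] = path
    walk(json.loads(json_text), "$")
    return params

def mutate_xml(xml_text, path, value):
    """Return the request with only the node at `path` replaced."""
    root = ET.fromstring(xml_text)
    target = root.find(path)
    if target is None:  # a stale path would otherwise test nothing
        raise LookupError(f"path matches no request property: {path}")
    target.text = value
    return ET.tostring(root, encoding="unicode")

def build_scan_requests(xml_text, params, enabled):
    """One mutated request per enabled parameter; other values stay intact."""
    return {label: mutate_xml(xml_text, path, PLACEHOLDER)
            for label, path in params.items() if label in enabled}

if __name__ == "__main__":
    found = extract_xml_params(SOAP)
    print(found, extract_json_params(REST))
    print(build_scan_requests(SOAP, found, enabled={"username"}))
```

Properties without a value (such as the empty SOAP header) are skipped, which matches the condition stated above, and a path that no longer matches the request raises an error instead of producing an unchanged request.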
