Security Scan Parameters

Applies to ReadyAPI 3.51, last modified on March 21, 2024

In security tests, parameters define which properties of the request ReadyAPI will test. Each parameter corresponds to a specific property of the request message you want to scan. Depending on the type of the scan, ReadyAPI replaces the value of this property with content designed to expose vulnerabilities in your service.

Some scans require that you specify parameters before starting the test run – for example, the XPath Injection scan.

To create and edit parameters:

  1. Select a security scan.

  2. Expand the Configuration drop-down list in the security scan inspector on the right.

  3. Use the Parameters table.

ReadyAPI: Security Scans parameters table


Each row of the table shows information on a specific parameter:

Column   Description
Label    A descriptive name for the parameter. Must be unique. Use this label in the Custom Script scan to access this parameter.
Type     Depending on the parameter type, a scan appends the parameter to different locations in the request message:
           • Query – To the resource’s URL.
           • Path – To one of the request body elements specified by XPath or JSONPath.
Path     The XPath or JSONPath expression that refers to the request property whose value will be replaced during the security test run.
Enabled  Indicates whether the parameter is enabled or disabled.

Use the toolbar of the Parameters table to access the parameter operations:

Option   Description
Add      Add a parameter.
Delete   Delete the selected parameter.
Copy     Copy the selected parameter.
Clone    Clone the selected parameter.
Extract  Extract parameters from the request.

Examples

SOAP request

For example, you need to scan the following SOAP request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sam="http://www.soapui.org/sample/">
    <soapenv:Header/>
    <soapenv:Body>
        <sam:login>
            <username>user</username>
            <password>password</password>
        </sam:login>
    </soapenv:Body>
</soapenv:Envelope>

There are two properties in this request:

  • username
  • password

To ensure your API will handle this request properly even if it contains some potentially harmful strings, define these properties as parameters. To do that, either add them to the table manually, or configure the SOAP Request test step to include these parameters and extract them automatically.

REST request

For example, you need to scan the following REST message:

{
    "username": "user",
    "password": "password"
}

There are two body parameters in this message:

  • username
  • password

In this case, these properties are defined in JSON, so a parameter refers to them by a JSONPath expression rather than an XPath expression.

When configuring security scans, use property expansions to get these values. For example, to specify the Request test step’s username field for substitution, use ${Request#username}.

To test the body parameters without using property expansions, select a parameter name.

The Custom Script scan does not support JSON payloads.
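To make the Path and Type columns concrete, here is an added, stand-alone Python illustration (not ReadyAPI's own code) of what a scan does with a Parameters table: for each enabled row it resolves the Path expression against the request body (XPath for the SOAP example, JSONPath for the REST example) or the URL query (Query type) and substitutes a value there. A neutral marker string stands in for scan content; the sample requests, the table rows, the URL and the use of the label as the query parameter name are all constructed assumptions of this example. The XPath support is the subset that Python's ElementTree understands, and the JSONPath resolver handles only dotted keys and numeric indexes.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample requests, shaped like the SOAP and REST examples above.
SOAP_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:sam="http://www.soapui.org/sample/">
   <soapenv:Header/>
   <soapenv:Body>
      <sam:login>
         <username>user</username>
         <password>password</password>
      </sam:login>
   </soapenv:Body>
</soapenv:Envelope>"""
REST_REQUEST = '{"username": "user", "password": "password"}'

NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "sam": "http://www.soapui.org/sample/"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the prefixes when re-serialising

# Placeholder for whatever content a given scan type would put into the property.
MARKER = "<<SCAN_VALUE>>"


def _jsonpath_tokens(path):
    """Tokenise a small JSONPath subset: '$.a.b[0].c' -> ['a', 'b', 0, 'c']."""
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$'")
    tokens = []
    for part in path[1:].replace("[", ".[").split("."):
        if not part:
            continue
        tokens.append(int(part[1:-1]) if part.startswith("[") else part)
    return tokens


def read_body_value(body, body_format, path):
    """Return the value a Path parameter addresses (lets you verify a substitution)."""
    if body_format == "xml":
        hits = ET.fromstring(body).findall(path, NS)
        return hits[0].text if len(hits) == 1 else None
    node = json.loads(body)
    for tok in _jsonpath_tokens(path):
        node = node[tok]
    return node


def substitute_xpath(xml_text, xpath, value):
    """Path parameter on an XML body: replace the text of exactly one element."""
    root = ET.fromstring(xml_text)
    hits = root.findall(xpath, NS)          # ElementTree supports a limited XPath subset
    if len(hits) != 1:
        raise ValueError(f"{xpath!r} matched {len(hits)} elements, expected exactly 1")
    hits[0].text = value
    return ET.tostring(root, encoding="unicode")


def substitute_jsonpath(json_text, jsonpath, value):
    """Path parameter on a JSON body: replace an existing value, never add a key."""
    doc = json.loads(json_text)
    tokens = _jsonpath_tokens(jsonpath)
    if not tokens:
        raise ValueError("JSONPath must address a property, not the whole body")
    parent = doc
    for tok in tokens[:-1]:
        parent = parent[tok]
    last = tokens[-1]
    if isinstance(parent, dict) and last not in parent:
        raise KeyError(f"{jsonpath!r}: property {last!r} is not in the request")
    parent[last] = value                    # a list index out of range raises IndexError
    return json.dumps(doc)


def substitute_query(url, name, value):
    """Query parameter: set `name` in the URL's query string (added or replaced)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[name] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_scan_requests(url, body, body_format, parameters, value=MARKER):
    """Produce one mutated (url, body) per enabled row of a Parameters table."""
    out = {}
    for p in parameters:
        if not p["enabled"]:
            continue
        if p["type"] == "Query":            # assumption: the label is the query name
            out[p["label"]] = (substitute_query(url, p["label"], value), body)
        elif p["type"] == "Path":
            sub = substitute_xpath if body_format == "xml" else substitute_jsonpath
            out[p["label"]] = (url, sub(body, p["path"], value))
        else:
            raise ValueError(f"unknown parameter type {p['type']!r}")
    return out


if __name__ == "__main__":
    table = [  # constructed rows mirroring the Parameters table on this page
        {"label": "username", "type": "Path", "path": "$.username", "enabled": True},
        {"label": "password", "type": "Path", "path": "$.password", "enabled": True},
    ]
    for label, (u, b) in build_scan_requests("https://api.example.test/login",
                                             REST_REQUEST, "json", table).items():
        print(label, "->", u, b)
```

Two design points carry over to real scan configuration: a Path expression that matches zero or several elements is rejected rather than silently mutating the wrong node, and a JSONPath that names a property absent from the request is an error, because a scan that adds a field the API never reads tests nothing.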

To create a single parameter manually:

  1. Click Add in the Parameters table of the Configuration inspector.

    ReadyAPI: Adding a security scan parameter
  2. The Configure Security Test Step Parameters dialog will appear.

    ReadyAPI: Add security scan parameter dialog
  3. Specify the parameter options:

    Option           Description
    Parameter Label  The parameter’s label. Must be unique. Use this label in the Custom Script scan to access this parameter.
    Path             The XPath or JSONPath expression that refers to a request property whose value will be replaced during the security test run.
    XPath element    Calls the *Path Expression dialog. Use it to generate a JSONPath or XPath expression for a specific element. Also, see Get Data.
    Tip: To learn more about the JSONPath syntax, see JSONPath Reference.
  4. Click one of these buttons to finish the creation:

    Button    Description
    Add       Add the parameter.
    Add&Copy  Add the parameter and copy all settings you have specified to a new parameter.
    Close     Abort creating the parameter and close the window.

To remove a parameter:

  1. Select the parameter in the Parameters table of the Configuration inspector.

    ReadyAPI: Selecting a security scan parameter
  2. Click Delete.

To create a copy of the parameter without editing the original one:

  1. Select the parameter in the Parameters table of the Configuration inspector.

    ReadyAPI: Selecting a security scan parameter
  2. Click Copy.

  3. The Configure Security Scan Parameters dialog will appear.

    ReadyAPI: Copy security scan parameter dialog

    Specify the options:

    Option           Description
    Parameter Label  The parameter’s label. Must be unique. Use this label in the Custom Script scan to access this parameter.
    Path             The XPath or JSONPath expression that refers to a request property whose value will be replaced during the security test run.
    XPath element    Calls the *Path Expression dialog, allowing you to generate a JSONPath or XPath expression for a specific element. See Get Data.
  4. Click one of the following buttons to finish the copying:

    Button    Description
    Add       Add the parameter.
    Add&Copy  Add the parameter and copy all the settings you have specified to the new parameter.
    Close     Abort creating the parameter and close the window.

To clone a parameter to another security scan within the same project:

  1. Click Clone in the Parameters table of the Configuration inspector.

    ReadyAPI: The Clone button in scan’s parameters
  2. The Clone Parameters dialog will appear.

    ReadyAPI: Clone security scan parameter dialog

    Specify the options:

    Option                 Description
    Parameters             The parameters to clone.
    Target Test Suite      Apply the cloned parameters to the selected test suite.
    Target Test Case       Apply the cloned parameters to the selected test case.
    Target Security Test   Apply the cloned parameters to the selected security test.
    Target Test Step       Apply the cloned parameters to the selected test step.
    Target Security Scans  Apply the cloned parameters to the selected security scans.
    Overwrite              Replace the existing parameters with the cloned parameters.
  3. Click OK to apply the changes and clone the parameter.

If a request contains the properties you want to add as parameters, extract them automatically.

This feature is available only to the users who have a Pro license.
ReadyAPI: The empty parameters table

To extract properties, click Extract.

ReadyAPI searches the request for available properties. Properties that contain a value appear in the table as new parameters; empty properties are not extracted.

ReadyAPI: The table with extracted parameters

See Also

Security Scans Types
Security Scans
