JSON Boundary Scan

Applies to ReadyAPI 3.54, last modified on September 23, 2024

About

The JSON Boundary scan checks if your service handles unexpected input values correctly.

Typically, attackers try to send values that fall outside of the expected range, causing the service to reveal the system data through error messages or stack traces. The JSON Boundary scan checks how your service acts in such cases by sending various unexpected inputs. For example, for an input field that accepts any integer value between 1 and 10, the JSON Boundary scan checks its behavior if a user enters 20 or -5.

If the scan does not reveal any information about possible vulnerabilities, it passes successfully.

If the scan has Failed, that may mean your service is sensitive to values that fall outside of the normal range, and its vulnerabilities are exposed.

Requirements

  • This scan is applicable to test steps or POST requests that have valid JSON data in the request body. Otherwise, you cannot add the JSON Boundary scan in your security test.

    If you use property expansion, enclose it into quotes, otherwise, ReadyAPI does not consider it as a valid JSON object.

  • To use this scan, you need a ReadyAPI Test  license. If you do not have it, request it on our web site or start a trial.

How it works

The JSON Boundary scan will replace the value of each field in the simulated JSON request with random data several times until all available fields are checked.

The scan inputs vary according to a value type:

Value Type Possible Inputs
String Empty string,
Very large string,
String with control characters (\t),
String with non-alphanumeric characters
Integer 0,
-1,
Smallest possible integer value,
Largest possible integer value,
Smallest possible double value,
Largest possible double value
Double

The JSON Boundary scan uses assertions to validate each response and check if it includes any information about potential vulnerabilities.

If a response passes all assertions, PASS will be logged for that response. If any assertion fails, FAIL will be logged.

If you have not applied any assertions to the scan, Unknown will be logged for the response.

Assertions

  • Default assertion
    Sensitive Information Exposure – Validates that your server does not reveal any information that is useful for attacks (such as stack traces if the server crashes).

  • Recommended assertion
    Response SLA – Validates that your service responds within expected time even after receiving unexpected input.

Parameters

The JSON Boundary scan checks the boundaries for all simulated JSON request’s fields. Use the following options to configure the scan Strategy:

Option Description
Request Delay (ms) Set a pause between requests during the scan in milliseconds.
Apply to Failed Test Steps Select to run the scan even if the target test step fails.
Run only once Select to run the scan only once for each test step, even if ReadyAPI runs that step several times for a test case.

See Also

Boundary Scan
Security Scans Types

Highlight search results