Custom Script Scan

Applies to ReadyAPI 3.51, last modified on March 21, 2024

The Custom Script scan uses the Groovy script to cause your service to reveal its vulnerabilities.

Attackers use various scripts trying to expose your service’s sensitive information. The Custom Script scan is a flexible tool which simulates any kind of these attacks. For example, this sample script generates a random input string between 5 and 15 characters for 10 requests and tries to use these strings as password and username:

Groovy

import org.apache.commons.lang.RandomStringUtils

// check counter
if( context.fuzzCount == null )
context.fuzzCount = 0

// randomize 5 to 15 characters
def charCount1 = (int) (Math.random() * 10) + 5
def charCount2 = (int) (Math.random() * 10) + 5

// use method in Commons Lang
parameters.password = RandomStringUtils.randomAlphanumeric( charCount1 )
parameters.username = RandomStringUtils.randomAlphanumeric( charCount2 )
return ++context.fuzzCount < 10

Try modifying that script to run requests for a prolonged period of time, trying to cause the service instability.

If the scan does not reveal any information about possible vulnerabilities, it passes successfully.

If the scan has Failed, that indicates vulnerabilities in your service. Types of vulnerabilities depend on the type of script you have used.

How it works

Configure the Custom Script scan to expose various types of vulnerabilities using Groovy features. The operating script alters the values in the parameters object. It returns true if these values are to be used in a request containing the security scan, and false to indicate that the security scan has finished.

This scan uses assertions to validate each response and check if it includes any information about potential vulnerabilities.

If a response passes all assertions, PASS will be logged for that response. If any assertion fails, FAIL will be logged.

If you have not applied any assertions to the scan, Unknown will be logged for the response.

Assertions

  • Default Assertion
    Sensitive Information Exposure – Verifies that your server does not reveal any information that is useful for attacks (such as stack traces if the server crashes).

Parameters

The Custom Script scan uses parameters to insert values into the message.

ReadyAPI: Configuring Groovy script scan

Normally, parameters are extracted automatically when you create the scan. See the Parameters section for more information.

The Custom Script scan does not support JSON payloads.

Define the Groovy script to run in the script editor. Use the following objects:

  • parameters – The map with parameter names as keys. Specify the desired modifications here.

    To access a specific parameter, specify its label. For example, to access the username parameter, use parameters.username

  • securityScan – The instance for this security scan.

  • testStep – The underlying test step being scanned.

  • context – The security test run context.

  • log – The standard scripting log.

Use the following options to configure the scan Strategy:

Option Description
Select Strategy One by One – Select to use scripts one by one (may take some time).
All At Once – Select to use all scripts at once.
Request Delay (ms) Set a pause between requests during the scan in milliseconds.
Apply to Failed Test Steps Select to run the scan even if the target test step fails.
Run only once Select to run the scan only once for each test step, even if ReadyAPI runs that step several times for the test case.

See Also

Scripting
Sensitive Information Exposure Assertion
Security Scans Types

Highlight search results