Invalid JSON Types Scan

Applies to ReadyAPI 3.57, last modified on December 20, 2024

About

The Invalid JSON Types scan checks how your service behaves when getting unexpected values in JSON POST requests.

Typically, attackers try to throw values of an invalid type to cause the service to reveal the system data through error messages or stack traces. The Invalid JSON Type scan simulates this procedure, notifying you if your service is vulnerable to unexpected POST requests.

If the scan does not reveal any information about possible vulnerabilities, it passes successfully.

If the scan has Failed, that may indicate your service is vulnerable to unexpected value types and exposes sensitive information.

Requirements

  • This scan is applicable to test steps or POST requests that have valid JSON data in the request body. Otherwise, you cannot add the Invalid JSON Types scan in your security test.

    If you use property expansion, enclose it into quotes, otherwise, ReadyAPI does not consider it as a valid JSON object.

  • To use this scan, you need a ReadyAPI Test  license. If you do not have it, request it on our web site or start a trial.

How it works

The Invalid JSON Types scan replaces the original parameters of a test step with invalid ones.

Note: Unconstrained parameters will keep their original values.

This scan uses assertions to validate each response and check if it includes any information about potential vulnerabilities.

If a response passes all assertions, PASS will be logged for that response. If any assertion fails, FAIL will be logged.

If you have not applied any assertions to the scan, Unknown will be logged for the response.

Assertions

  • Default Assertion
    Sensitive Information Exposure – Verifies that your server does not reveal any information that is useful for attacks (such as stack traces if the server crashes).

  • Recommended Assertion
    Schema Compliance – Verifies that the server response is not malformed.

Parameters

The Invalid JSON Types scan works by replacing data types inside a JSON request body. If there are no JSON data available in request, ReadyAPI will not run the Invalid JSON Types scan.

Use the following options to configure the scan Strategy:

Option Description
Request Delay (ms) Set a pause between requests during the scan in milliseconds.
Apply to Failed Test Steps Select to run the scan even if the target test step fails.
Run only once Select to run the scan only once for each test step, even if ReadyAPI runs that step several times for the test case.

See Also

Invalid Types Scan
Sensitive Information Exposure Assertion
Schema Compliance Assertion
Security Scans Types

Highlight search results