Use assertions for security tests to check if the responses the server sends contain information that reveal vulnerabilities in your service.
Security scans support various types of assertions. Some of them are similar to those you use in functional tests, some of them are available only for security tests. On the other hand, functional tests also support some security test assertions.
When using multiple assertions, make sure their types match the service type. For example, SOAP assertions are applicable to SOAP requests.
To learn more about all assertions available in ReadyAPI, see Assertion Reference.
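To make the idea of a security-test assertion concrete, here is an added example (not ReadyAPI code, and not from the ReadyAPI documentation) that implements three assertion types in plain Python: a Sensitive Information Exposure check that scans a response body and headers for stack traces, database error text and version-disclosing headers; a Valid HTTP Status Codes check; and a Response SLA check. The `Response` class, the pattern list and the two sample responses are all constructed for this example.

```python
"""Minimal response-assertion checker modelled on security-test assertions:
each assertion inspects one HTTP response and reports whether it reveals
something it should not. Constructed example, not ReadyAPI code."""
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict      # header names lowercased, as a client library would normalise them
    body: str
    elapsed_ms: int


@dataclass
class AssertionResult:
    name: str
    passed: bool
    detail: str = ""


# Patterns whose presence in a body suggests an information leak
# (stack traces, database error text). Constructed list for this example.
SENSITIVE_BODY_PATTERNS = {
    "java stack trace": re.compile(r"\bat [\w$.]+\([\w.]+:\d+\)"),
    "sql error": re.compile(r"(SQL syntax|ORA-\d{5}|SQLSTATE)", re.I),
    "python traceback": re.compile(r"Traceback \(most recent call last\)"),
}

# Headers that commonly disclose server or framework versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def assert_no_sensitive_info(resp: Response) -> AssertionResult:
    """Fails if the body matches a leak pattern or a disclosing header carries a version number."""
    hits = [name for name, rx in SENSITIVE_BODY_PATTERNS.items() if rx.search(resp.body)]
    hits += [f"header {h}" for h in DISCLOSING_HEADERS
             if re.search(r"\d", resp.headers.get(h, ""))]
    return AssertionResult("Sensitive Information Exposure", not hits, ", ".join(hits))


def assert_valid_status(resp: Response,
                        allowed=(200, 201, 204, 400, 401, 403, 404)) -> AssertionResult:
    """Fails on status codes outside the expected set (a 500 under a malformed input is a finding)."""
    ok = resp.status in allowed
    return AssertionResult("Valid HTTP Status Codes", ok, f"status {resp.status}")


def assert_sla(resp: Response, limit_ms: int = 2000) -> AssertionResult:
    """Fails if the response took longer than the agreed limit."""
    ok = resp.elapsed_ms <= limit_ms
    return AssertionResult("Response SLA", ok, "" if ok else f"{resp.elapsed_ms} ms > {limit_ms} ms")


def run_assertions(resp: Response) -> list:
    return [assert_no_sensitive_info(resp), assert_valid_status(resp), assert_sla(resp)]


def failed_assertions(resp: Response) -> list:
    """Names of the assertions that failed, in the order they were run."""
    return [r.name for r in run_assertions(resp) if not r.passed]


# Constructed sample responses: one leaky, one clean.
LEAKY = Response(500, {"server": "Apache/2.4.49", "content-type": "text/html"},
                 "<pre>java.lang.NullPointerException\n\tat com.example.Svc.get(Svc.java:42)</pre>",
                 3100)
CLEAN = Response(200, {"content-type": "application/json"}, '{"ok": true}', 120)

if __name__ == "__main__":
    for label, r in (("leaky", LEAKY), ("clean", CLEAN)):
        for res in run_assertions(r):
            print(f"{label:5} {res.name:32} {'PASS' if res.passed else 'FAIL'} {res.detail}")
```

Each assertion returns a named result rather than raising, which mirrors how a transaction log records a pass or fail per assertion alongside the request and response pair; the `detail` field carries the evidence a reviewer would want when triaging a failure.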
To configure assertions for security tests, use the same procedure as for standard test requests.
In most cases, all assertions necessary for a particular scan will appear automatically when you add that scan. The configuration information and settings are available in the table on the Assertions tab.
Note: Not all assertions are configurable. Some of them just provide a predefined test, and some use the settings of the parent scan or test step.
To start working with assertions, click a response handler in the security test window.
Assertions will appear in the Assertion inspector.
Tip: To simplify configuring assertions, run the request you want to use at least once.
To create a new assertion:
In the Add Assertion dialog, select the assertion you want to apply.
Note: Some assertions may be missing from the dialog because they are not applicable to the currently selected test step.
Use the search box at the top of the dialog to quickly find the needed assertion.
In the subsequent dialog, specify the assertion options.
Click OK. The new assertion will appear in the inspector.
To remove an assertion:
Select an assertion in the inspector.
Click Yes in the Remove Assertion dialog to confirm the removal.
To configure an assertion:
Double-click an assertion in the inspector, or select it and click .
In the subsequent dialog, edit the settings specific to that assertion.
Save the changes.
To see the results of an assertion, open the transaction log.
The transaction log contains information about each request and response pair and the results of specific assertions.
To view information about a response, click it. The response details will appear in the inspector.