Applies to ReadyAPI 2.7, last modified on May 14, 2019

About

The HTTP Method Fuzzing scan finds weaknesses in the service by generating the semi-random input through HTTP methods.

Typically, an attacker tries to send random requests through various HTTP methods in order to provoke some kind of unexpected behavior or obtain useful system information. The HTTP Method Fuzzing scan checks how your service handles such requests by sending multiple unexpected requests.

If the scan does not reveal any information about possible vulnerabilities, it passes successfully.

If the scan has Failed, that means your service responds to undocumented methods, indicating instabilities or vulnerability to iterative HTTP method requests. This causes security problems or reveal sensitive data.

Requirements

  • This scan is applicable to REST test steps or REST requests.

  • To use this scan, you need a SoapUI  license. If you do not have it, request it on our web site or start a trial.

How it works

The HTTP Method Fuzzing scan generates a multitude of requests by using HTTP methods not included in the API definition.

It uses assertions to validate each response and check if it includes any information about potential vulnerabilities.

If a response passes all assertions, PASS will be logged for that response. If any assertion fails, FAIL will be logged.

If you have not applied any assertions to the scan, Unknown will be logged for the response.

Assertions

  • Default assertion
    Sensitive Information Exposure – Verifies that your server does not reveal any information that is useful for attacks (such as stack traces if the server crashes).

Parameters

The HTTP Method Fuzzing scan attempts to access the service through various HTTP methods.

ReadyAPI: Configuring the HTTP Method Fuzzing Scan

By default, any methods included in the definition are considered safe.

To exclude other methods you consider safe from the scan, uncheck them in the list.

Use the following options to configure the scan Strategy:

Option Description
Request Delay (ms) Set a pause between requests during the scan in milliseconds.
Apply to Failed TestSteps Select to run the scan even if the target test step fails.
Run only once Select to run the scan only once for each test step, even if ReadyAPI runs that step several times for the test case.

See Also

Fuzzing Scan
JSON Fuzzing Scan
Sensitive Information Exposure Assertion
Security Scans Types

Highlight search results