Applies to ReadyAPI 2.7, last modified on May 14, 2019

About

The Invalid Types scan checks how your service behaves when you are getting values of unexpected types.

Typically, attackers try to throw values of invalid types to cause the service to reveal the system data through error messages or stack traces. The Invalid Types scan simulates this procedure, notifying you about potential vulnerability.

If the scan does not reveal any information about possible vulnerabilities, it passes successfully.

If the scan has Failed, that may indicate your service is vulnerable to unexpected value types and exposes sensitive information.

Requirements

This scan is applicable to all types of test steps or requests.

How it works

The Invalid Types scan replaces the original parameters of a test step with invalid ones.

Note: Unconstrained parameters will keep their original values.

This scan uses assertions to validate each response and check if it includes any information about potential vulnerabilities.

If a response passes all assertions, PASS will be logged for that response. If any assertion fails, FAIL will be logged.

If you have not applied any assertions to the scan, Unknown will be logged for the response.

Assertions

  • Default Assertion
    Sensitive Information Exposure – Verifies that your server does not reveal any information that is useful for attacks (such as stack traces if the server crashes).

  • Recommended Assertion
    Schema Compliance – Verifies that the server response is not malformed.

Parameters

The Invalid Types scan inserts values into the message parameters.

ReadyAPI: Configuring the Invalid Types scan

Normally, parameters are extracted automatically when you create the scan. If there are no parameters present, ReadyAPI will not run the Invalid Types scan. See Parameters for more information.

Use the following options to configure the scan Strategy:

Option Description
Select Strategy One by One – Select to use requests one by one (may take some time).
All At Once – Select to use all requests at once.
Request Delay (ms) Set a pause between requests during the scan in milliseconds.
Apply to Failed TestSteps Select to run the scan even if the target test step fails.
Run only once Select to run the scan only once for each test step, even if ReadyAPI runs that step several times for the test case.

The Advanced panel contains a list of strings which the Invalid Types scan uses to modify the parameters.

ReadyAPI: Invalid Types scan advanced options

Add, remove, or modify the lines on the list as needed.

See Also

Invalid JSON Types Scan
Sensitive Information Exposure Assertion
Schema Compliance Assertion
Security Scans Types

Highlight search results