Use security tests to ensure your service is well-protected from most common malicious attacks and does not expose any sensitive information.
Security tests include various types of security scans. Each scan detects a specific kind of vulnerability. By combining several security scans in one test, you check that your service is protected against a range of possible attacks.
Security tests interface
Below is a screenshot of the security test window:
The security test window is similar to the test case window. It contains:
- A toolbar with common actions: execution, report generation and so on.
- A progress bar for tracking the progress of the security test.
- A toolbar and a list of test steps in the underlying test case, with more information on the execution progress and with configured security scans for each step.
- Inspectors for adding a description, properties and setup or teardown scripts to the security test.
- Security test logs.
To run a security test, prepare your scans and click in the top left corner. For more information on running tests, see Run Security Tests.
Execution order
If you have a security test for a test case with three test steps and matching security scans:
- A login request.
  - SQL Injection Scan
  - XPath Injection Scan
  - Malformed XML
- A property transfer of the session ID from the login response to the logout request.
- A logout request.
  - SQL Injection Scan
  - XPath Injection Scan
The execution of that security test will include the following steps:
- Run the login request.
- Run the login SQL Injection scan using the login request as a template.
- Run the login XPath Injection scan using the login request as a template.
- Run the login Malformed XML scan using the login request as a template.
- Run the property transfer test step.
- Run the logout request.
- Run the logout SQL Injection scan using the logout request as a template.
- Run the logout XPath Injection scan using the logout request as a template.
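The execution order above, as an added example that models it in Python (not ReadyAPI's own code): each test step runs first, then the scans attached to it run in their configured order against that step's request as a template, and a property transfer makes the login session ID available to everything that follows. The step classes, the response stand-in and the constructed session ID are assumptions.

```python
"""Model of a security test's execution order (added example, not ReadyAPI code)."""
from dataclasses import dataclass, field


@dataclass
class RequestStep:
    name: str
    scans: list = field(default_factory=list)

    def run(self, context):
        # Constructed stand-in for sending the request: the login response carries a
        # session ID, the logout response carries nothing of interest.
        return {"sessionId": "SID-constructed-42"} if self.name == "login" else {}


@dataclass
class PropertyTransfer:
    name: str
    source_step: str
    source_prop: str
    target_prop: str


def run_security_test(steps):
    """Return the execution log as (step name, action, properties in force) tuples."""
    responses, context, log = {}, {}, []
    for step in steps:
        if isinstance(step, RequestStep):
            responses[step.name] = step.run(context)
            log.append((step.name, "request", dict(context)))
            for scan in step.scans:
                # The scan runs right after its step, against that step's request as a
                # template, with only the properties transferred so far available to it.
                log.append((step.name, scan, dict(context)))
        else:
            context[step.target_prop] = responses[step.source_step][step.source_prop]
            log.append((step.name, "transfer", dict(context)))
    return log


# Constructed test case matching the three steps described above.
SAMPLE_STEPS = [
    RequestStep("login", ["SQL Injection", "XPath Injection", "Malformed XML"]),
    PropertyTransfer("session transfer", "login", "sessionId", "sessionId"),
    RequestStep("logout", ["SQL Injection", "XPath Injection"]),
]

if __name__ == "__main__":
    for name, action, props in run_security_test(SAMPLE_STEPS):
        print(f"{name:<17}{action:<16}{props}")
```

The login scans run with an empty property set because the transfer has not happened yet, while the logout scans run with the transferred session ID; this is why the scans of a step must follow that step, otherwise the authenticated path is never exercised.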
Licenses
Security tests are part of ReadyAPI and are available to all users of the product.
Basic security testing functionality is available for free to any user who has a license for any tool of ReadyAPI (for instance, basic security scans are available to LoadUI Pro users).
To use all the security testing features available in SoapUI, you need a SoapUI Pro license.
For information on the differences between the licenses, see below.
Differences between Base and Pro licenses
Feature | Base | Pro
---|---|---
Security scans | Available | Available
Creating tests | Available | Available
Security test reporting | Absent | Available
Scan parameters extraction | Absent | Available
Dashboard tile | Absent | Available
Endpoint scans | Absent | Available
See Also
Getting Started With Security Tests
SoapUI Security Tests Samples
Security Tests