Security Testing in SOAP UI

Testing Using SOAP UI Simple Object Access Protocol User Interface (SOAP UI)
33 minutes
Share the link to this page
Copied
  Completed
You need to have access to the item to view this lesson.
One-time Fee
$69.99
List Price:  $99.99
You save:  $30
€64.90
List Price:  €92.72
You save:  €27.82
£55.48
List Price:  £79.26
You save:  £23.78
CA$94.84
List Price:  CA$135.49
You save:  CA$40.65
A$107.44
List Price:  A$153.49
You save:  A$46.05
S$94.44
List Price:  S$134.92
You save:  S$40.48
HK$547.73
List Price:  HK$782.50
You save:  HK$234.77
CHF 63.11
List Price:  CHF 90.16
You save:  CHF 27.05
NOK kr759.51
List Price:  NOK kr1,085.06
You save:  NOK kr325.55
DKK kr484.31
List Price:  DKK kr691.90
You save:  DKK kr207.59
NZ$117.18
List Price:  NZ$167.41
You save:  NZ$50.23
د.إ257.02
List Price:  د.إ367.19
You save:  د.إ110.16
৳7,686.18
List Price:  ৳10,980.73
You save:  ৳3,294.54
₹5,834.28
List Price:  ₹8,335.04
You save:  ₹2,500.76
RM330.66
List Price:  RM472.40
You save:  RM141.73
₦97,668.24
List Price:  ₦139,532.04
You save:  ₦41,863.80
₨19,468.63
List Price:  ₨27,813.53
You save:  ₨8,344.89
฿2,546.70
List Price:  ฿3,638.31
You save:  ฿1,091.60
₺2,265.91
List Price:  ₺3,237.16
You save:  ₺971.24
B$351.06
List Price:  B$501.53
You save:  B$150.47
R1,322.01
List Price:  R1,888.66
You save:  R566.65
Лв126.52
List Price:  Лв180.76
You save:  Лв54.23
₩94,315.14
List Price:  ₩134,741.70
You save:  ₩40,426.55
₪257.38
List Price:  ₪367.71
You save:  ₪110.32
₱3,931.96
List Price:  ₱5,617.33
You save:  ₱1,685.37
¥10,592.26
List Price:  ¥15,132.45
You save:  ¥4,540.19
MX$1,160.67
List Price:  MX$1,658.17
You save:  MX$497.50
QR255.40
List Price:  QR364.88
You save:  QR109.47
P964.60
List Price:  P1,378.06
You save:  P413.46
KSh9,279.27
List Price:  KSh13,256.67
You save:  KSh3,977.40
E£3,320.75
List Price:  E£4,744.14
You save:  E£1,423.38
ብር3,980.93
List Price:  ብር5,687.29
You save:  ብር1,706.36
Kz58,401.19
List Price:  Kz83,433.85
You save:  Kz25,032.66
CLP$68,800.17
List Price:  CLP$98,290.17
You save:  CLP$29,490
CN¥505.43
List Price:  CN¥722.08
You save:  CN¥216.64
RD$4,147
List Price:  RD$5,924.54
You save:  RD$1,777.54
DA9,435.57
List Price:  DA13,479.97
You save:  DA4,044.39
FJ$157.96
List Price:  FJ$225.66
You save:  FJ$67.70
Q546.07
List Price:  Q780.13
You save:  Q234.06
GY$14,663.88
List Price:  GY$20,949.30
You save:  GY$6,285.42
ISK kr9,758.70
List Price:  ISK kr13,941.60
You save:  ISK kr4,182.90
DH709.58
List Price:  DH1,013.74
You save:  DH304.15
L1,235.01
List Price:  L1,764.37
You save:  L529.36
ден3,991.30
List Price:  ден5,702.11
You save:  ден1,710.80
MOP$564.38
List Price:  MOP$806.29
You save:  MOP$241.91
N$1,336.41
List Price:  N$1,909.24
You save:  N$572.83
C$2,577.43
List Price:  C$3,682.20
You save:  C$1,104.77
रु9,342.84
List Price:  रु13,347.49
You save:  रु4,004.64
S/260.45
List Price:  S/372.08
You save:  S/111.63
K268
List Price:  K382.87
You save:  K114.87
SAR262.59
List Price:  SAR375.15
You save:  SAR112.55
ZK1,736.79
List Price:  ZK2,481.24
You save:  ZK744.44
L322.64
List Price:  L460.94
You save:  L138.29
Kč1,642.49
List Price:  Kč2,346.52
You save:  Kč704.02
Ft25,571.54
List Price:  Ft36,532.34
You save:  Ft10,960.80
SEK kr748.30
List Price:  SEK kr1,069.05
You save:  SEK kr320.74
ARS$60,059.22
List Price:  ARS$85,802.56
You save:  ARS$25,743.34
Bs483.92
List Price:  Bs691.35
You save:  Bs207.42
COP$270,819.36
List Price:  COP$386,901.39
You save:  COP$116,082.02
₡35,222.95
List Price:  ₡50,320.66
You save:  ₡15,097.70
L1,728.74
List Price:  L2,469.73
You save:  L740.99
₲517,758.37
List Price:  ₲739,686.52
You save:  ₲221,928.15
$U2,629.19
List Price:  $U3,756.16
You save:  $U1,126.96
zł279.29
List Price:  zł399
You save:  zł119.71
Already have an account? Log In

Transcript

Welcome back for my sixth lecture for soap UI, you know, portfolio. So here, right? Now we work we did was in a previous class, we did load testing, okay, we use our C here we did 421 was for number $2. And the other words for numbers words, this is a test case, we can do only load testing for our test case, not the actual script. So this is the actual script from the server. You can mess up with other server.

First, you have to do that for make it your test case and then do it for your test case. Okay. You cannot do this w for server. So that's the whole concept. Actually. I was trying to do that.

Previously, I was trying to do a session in the server. So that's not good. No good. We cannot do it. It's not possible. In soap UI doesn't allow us to do it.

And that's a good thing you can do only through your test case. That's what we did. All right. Now, today's class, we will discuss on security testing, we have two more, three more topics. Actually rest, as well as functional testing through soap UI. Technically, functional testing soap UI for a tester is really not a very good option.

But still, it is an option. For manual, you can just open in a browser and just take it on, you know, this manual testing, but soap UI is not really a great tool, but still, you can use it. I mean, if you more good hands on Creek, some that to use it, you can use it. Okay, so we'll go back here. For our test case, let's do security testing. I will go ahead and create one because we didn't do this.

We'll go ahead and click Security test. I have not done this. So this is for me a first thing. I'm not sure how this works. I know security testing is supposed to do with the HTTP protocol. So let's let's do this for this one.

Okay. Let's run this is so supposed to run right? So the, you know, you weren't to this new option here. So actually, I thought I ran this before. So let's see here. Okay, so this is what we have to do, right?

So this is good for 10 point and this is the end point. I'm using Okay, so here we go. So so so, okay, here's the thing Oh, let's do this again Actually, that's good pension something you know, that makes you to understand this was, you know, previously it was blank, right? I changed this endpoint Where did I do that? this URL which I changed this is what is supposed to be there Okay, so this guards added a security scan. So here what type of security testing you want to do?

It's a cross site scripting boundary scan custom field for things can Oh, wow. I'm not done these many's security testing my life. Alright, sequel engine injection, XML bomb, expand injection. So this Very important thing this is for hackers. Right? You see this type of testing is used when you don't want to give the information to the hackers.

Guess what? You know, I bet this government people in this federal government, people don't do this kind of security testing, they don't know how to do it. So that's the reason they, their website, keep forgetting to get hacked. Now, this is what we are going to do here. Let's try to do here. So SQL injection, so this is very important.

SQL injection is like, you know, I'm not exactly sure on that. But what happens is to insert a sequel and run the sequel inside the script. And whenever you run, you can insert a new record, and you can delete a record, or that's very bad and hackers can do that from which to the sequel. Click on OK. We have this Oh, I don't have this thing actually unfortunately I don't have so we will associate good let's see no let's to boundaries cabinets to fit boundary scan is possible. I should have gone to network request go to the request parameter level you have to configure this right. So actually you can add a session to that too, but before adding this assertion are supposed to pull out from the script actually, it didn't pull out from the scope unfortunately, okay.

So okay, so this is a body scan and again remove the selected scan in our Do Mr. Jones anything? All we did was missing assertions. Okay? That's good. We can add assertion assertion. So we can add assertion because we don't have this, but here we can see this description.

There is nothing here because we didn't do anything here. Okay? But we finished this boundary and boundary scan. Okay, this is what we did. But that didn't go well because we didn't specified anything. You have to specify here.

Yeah, so here you have to specify hundred hundred. Right? Let's run this. Now. Now you have to do is you know configure, go to the Configure add parameters who. So see this is problem we don't have this username and password.

So you don't have this parameter level, we'll just put his shoe expand. So you need this core actually. Okay. We are putting this an expert expert should be there, the part of that location right. Okay, let's run this and let's run this. Okay, it ran successfully.

But, you know, we can add any number of the user name or the username and alteration type, okay? And label and put the x part number, okay, so you can do that security testing for this. And make sure so this is log security lab. Keep a note on your memory lock to superior luck. What's happening here? Okay, this runs successfully I'll go, but we didn't do anything yet.

We just done this boundary scan. Okay, let's do one more security. Let's stare so many other things that cross site scripting. Let's do that cross. Essentially, assertion is already have we have this assumption, okay. I'll put it as default and strategy, what kind of strategy you want parameters, you can add parameters that is label name.

So we are good to add anything else. But you can do that, you know, you can add this and this is fine. JavaScript code. Okay, good. can add this. Okay, I'm not worrying about right now.

So I'll show here. Let's run this again. So what it says here is missing parameters. let's configure it Same time we just again. Let's put the parameters that make an expert. You have this expert.

We need this expert actually no say let's run it. There's a missing script. So this is running something is happening here. So what we are doing in our you need that actually XPath thing actually, we didn't have that. So this is doing a security testing for us cryptic. So this yonker doing detail Okay, so the security testing is not just one.

There are many other things in the security testing right boundaries. boundary scan we did, but assertions are missing. So Cross cuts coming. So if there is no alerts, then it's good. If there are alerts, that means it is hackable. Okay, somebody can have that one.

Let's open this again. User Name label few experts up there, man. Something's missing here under school to Boolean probably. Just look into directory quick. Probably I'm missing something. On one we have all this.

This is no, this didn't say anything. Too bad. I'm so cross fake. There has to be an expert. Okay. There has to be expand.

And okay, this is good. This guy is worse than me. I mean, I need at least put some parameters that were being served any parameters to back. Okay. Expand is the location where you have this part? No good is good.

Effectuates running and the user name and the labels so somebody which this user name and you can add any number of parameters to that. Okay, so this ran successfully Okay, so boundary scan I missed it because scoping boundaries can be great here yeah you have to have this one in all this land let's use this one but probably don't work. Yeah, see here declared the experts of this is the expert is required. For me the ex parte is actually not this one. Oh, you need unfortunately, is admin access for an older associate Important sensitive information exposures schema compliance. Okay, fair enough.

So we need to put security versus security and here this token okay. So token security. Okay. Okay, so the only thing we did go to was cross site scripting. This thing got skipped. Because we didn't do now.

We knew that's not correct, because we need to declare the expert variable. That is something which I don't have point of time. That thing you have to get it through the environmental variable, probably. Okay, so boundaries Can you know? Are you that because of that thing we ministers? Okay, so this is testing out and actually go to a test.

Oh, oh yeah, that's good. So always look at the labs see this was happening. It took 4440 4008 99 whatever it is, and this is my token, and it's trying to search in this with my name and trying to scripting. So this is this is what it does. Okay. This is this is the security log and this is a Tesla.

Okay, good. We close this Okay, good. Now I will delete this one because we didn't do well. Trust trusting was good. Okay, we'll add a new one. Go ahead and click on this and all these characters and good custom script we can do fuzzing sand.

Let's try to do that. Again this is strategy you have this assertions always in modern man assertions. Okay, we do this if you move something specific which has to be tested, like something like for this it's not very important. We'll just put some numbers. Let's see how it does. Okay.

Okay, and we will run this. So I will remove this since we have already done cross site scripting. Let's do that because it will take too much time for this scan missing. Okay? So okay, so let's configure it. System system parameters, parameters do work, I do some default parameters x party of two, you always expect those.

I just killed that one user name as a member. And this is and I want to test this now. Let's do this. Now let's try to run In nitronic, it's good. It's good nitronic so it's actually running my request or security, no requests 23 no alerts, if there is any specific on particular on that particular parameter which are given, mmm Remember to search everything. So, it was searching the script actually inserting the script and from that script, if you have any kind of error you have this is the security testing is very important.

Good. So, we are good low alerts. That means test cases successfully passed. Okay, so for the scan is done, so we'll remove it. Okay. All right.

Now let's add a new one. We have a lot of things right. my lashes attachment is SQL injection. Let's try that parameter. I'll give only one thing this parameters you have to be careful. Ad which is required can add multiple parameters, or request.

Password. This password I've put as a no security and add it. Let's find out what happens. Okay, assertions if you have any assertions. Put a social security guard since to experiment a token that we did this already. That doesn't work.

Okay. Let's click on OK SQL injection and run the script and see what happens. So it's doing for my user name actually and the password for eBay. So this is how you do security testing. Okay, this is how you do security testing we did for SQL. We'll do it again for you have some time, right?

This is numbers $2 we are doing some security testing. Okay. So, no. Do yourself a favor. Not me. Always.

Right. See this password got encrypted, this good. Okay, so test log, this is the test log, and you have done security testing. And you cannot export it or you can Google or receive this. logs. Okay.

Service logs into dark log and see that, okay, that's very important. And so poi, of course, you want to see this. What's happening. minear soap UI lock, it should be loud you have to see both because here we are trying to do a lot of things. This doesn't show any things. This dummy log is very useful and forgot about his memory.

Now, you have to keep in mind when you're doing security district, okay? within within the script, okay? So that's about SQL injection. Let's move this. So we do one after the other, okay? Because two way things XML bomb, let's find out what's this parameter again the same parameter for us.

Experts is missing for me. So the only problem but if you know this export default export, we can use the assertion is important. Strategy requests how much weren't in hundred milliseconds and run only Once and once we're going lol 344 which is very alone and then Okay, go here and similar graph and run the script using assertions dependent on assertions. Okay, so I'm not I don't know the script assertion, but let's try this. So you need groovy scripting for this. But here Moodle security and let's do this session Okay, let's run this.

So this thing actually is done successfully. Finally, something Forgive me have been something but go to security logs and see that assertion. Although we put assertion but assertion, I just put that same thing or pm done. So that's my past. Right? So but that's not the way you have to have the XML part in export to do that, okay.

So remove the security scan. Okay, so this is how you can do security desk. Let's do one more time. Okay, let's do one more time for in this case. We'll do it for this one. We did for We did security testing for numbers $2, right?

We there are two binding section unfortunately number $2. Two. Now we do the bug. So this is the binding problem. We'll do it for the same thing. Actually, this is we didn't do four numbers two words.

Okay? There are two bindings. So binding One, two binding to okay. So that's the reason I created it to test case. Okay, let's do security testing for this binding on side. got too much into this.

Okay, numbers towards security test to this is my question. All right. Now, what happens is click on this and add a new security and this case will put cross site scripting. So there are so many you can do any of this. Okay? You have to do all of this assignment.

Assignment assignment assignment. So people who give me negative feedback, do this as your assignment, okay? Or say that no assignment, do this assignment? Do all the security testing what am you know, giving in this lecture? That will be our assignment, please. Okay.

Give me again native feedback and don't you know, you're missing that assignment. So everyone are giving me negative feedback on this assignment. Now they do this assignment do all of the security testing for this web services. Okay. Okay, now we'll do this for cross site scripting. Go ahead and click on this parameters.

I will go ahead and parameter This is my username and I will expand as such, she only has some assertions, right. So I don't need to study all at once. are one on one I'll leave this alone advanced This is what it runs you can add this test the script and do yourself a favor always export this logs security log in and dude I get this locks for you okay to the running for some process Oh, I was keep your memory level and do both both both you can't expand more okay so this shows okay good Okay, so how much memory declining although you don't require memory in this security labs, but I will export this one as a security law so in this case, I'm just putting security logs for cross site today and we'll do one more. So I hope you get a better practice by this security so this log in award shows the gets the request always gets a request and never got a response on that with my user name.

And so what he is doing is whenever the hacker tries to do it, this try to get all this information. So they're kind of checked with this as everything was okay many hackers hackers, it's they can hack it. But this is for security cross. Okay, great for moving, I just put it into this. So let's Okay, I'll remove this reason because to run again, or this one, I'm disabling it because I've already used that I go ahead and click on this cross site we finished it, or we'll do it for this for this scan requested. parameter site.

Assertion, sorry. We'll do for SQL injection. This is my favorite somehow. Parameters use, either use the request if you have the request, or use the username. I'm using my username. You get assertions.

I hope this assertion failed. I mean, from default things. Split numbers to balance some things So let's do this. And since two information, anything which is since two information will go to this, now let's run this script so it doesn't run that one. Because I disabled it, it ran only this one. So the stand for sharp time skirt in you know this is the largest of SQL injection.

So discus love to see it's good it's not necessary that it has to always get past but it's good to know that you learnt a new All right, I don't think you know about the city district. Okay. So um, this ad this one here to put into action. So this was for the handouts and we could look into it and see if I disable this one because we already completed we will see another last one for our class and we'll finish this class okay XML bond the same thing. Okay, parameters I'm using the unfortunately I'm using the same parameters not good. Try with another are and use the experts.

How do you find expert? We find it here. Let's see. Experts should be the expert in the barn. actu but this guy didn't even say the experts dewback less information. Never mind.

But next part should be there where actually it is assertions what you're trying to do. This is the strategy so this thing how much you want to delay Guess what? are good is thousand year. Let's take too much time. We'll just stick to one thing. Okay.

And this is lol, robots lol a lot of noise. Okay. And now I'll run my oops, I run my script. Sorry. This is the back on assertions. We are dismissing assertions.

So puppy if you have in my view expression, Rubio special. Yeah, we just try to use that one. Yeah, this one was so assertions. We didn't do much on this. So it finished okay. So this will be this thing will be in a sessions so I assertion something which is okay, this should be good.

So let's find out now let's run it see what happening ha why everything has to get past Something has to get fame. Now this thing got fade Okay, so there are three alerts created a security scan and see this one we didn't make the SLA service level agreement, service level agreement 569 but we put 200 I guess, right? let's configure it. Again super nice. So a 200 right? response time was fine.

98 Oh, that's good. So study 200 let's put this Okay, let's try to run it again. It will fail again. Okay, this one I thought. Now what we'll do here is change this SLA here what it says to 7273. So we know this is response on 270 to some degree 292.

Okay, so, we go ahead and configure this is the assertion to 73 and one more assertion So, okay. So there will be two alarm systems this will be or have two alerts not three and certainly there you go. So, why everything has to pass something has to get failed, right? So this is you got excellent mock security test has failed. Okay. So this is how I mean this is how you want to do this security testing.

So, I'll put it this this handout. phenol bomb. This is fun. I've never done this before. So, okay, so this is how you build a security district. So that's pretty much for security testing.

I'll move out Move this to we'll see in the next class. Here. We'll see this in the next class for rest. And as follows we'll go for a functional district. So both have similar process, but we finish this in two classes. And hopefully by Today we will be done with so viewer.

Okay. And I hope you like this video, the security gesture was interesting. I hope you like that. If you don't like it, you don't have like it, but I found it fun because this is what they don't do in federal government projects. So this is that's for that the reason there are so many issues, right? So that's good.

Okay, so I hope you like this video, and thanks for watching and see you in the next class.

Sign Up

Share

Share with friends, get 20% off
Invite your friends to LearnDesk learning marketplace. For each purchase they make, you get 20% off (upto $10) on your next purchase.