Saturday, December 21, 2019

soapUI security scans - not replacing properties with fuzzed values as expected

Basic question about fuzzing and other security scans in soapUI 5.5.0.

Step in question has properties like this:

"firstName": "${firstName}",
"lastName": "${lastName}",
"displayName": "${displayName}",
etc.

I tested this by running the test step itself, setting the first name property to "fff". The HTTP log showed that "fff" was sent, so no problem with the test step.

In my fuzzing scan, I selected all of the properties I want to "fuzz".

I was expecting that each fuzzed request would replace "firstName" with a random string, but what I am seeing instead is that every request has all of the fields blank.

Sun Dec 22 08:10:34 IST 2019:DEBUG:>> "  "firstName": "",[\n]"
Sun Dec 22 08:10:34 IST 2019:DEBUG:>> "  "lastName": "",[\n]"
Sun Dec 22 08:10:34 IST 2019:DEBUG:>> "  "displayName": "",[\n]"

How do I get the fuzzing to be applied to my properties?

From the on-line documentation:

The Fuzzing Scan does just as described above; it generates totally random input for the specified request parameters for a specified number of requests, hoping to provoke some kind of unexpected . By default the generated values will be between 5 and 15 characters in length and mutated 100 times.
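One way to check what a fuzzing scan actually put on the wire, as an added example that is not part of the original post: it parses HTTP-log lines in the format quoted above and reports, for each selected property, whether it went out blank, unexpanded, constant, or varying across requests. The function names and the second sample log are constructed for illustration.

```python
import re

# Outgoing wire-log line as in the post: <timestamp>:DEBUG:>> "<payload>[\n]"
WIRE_LINE = re.compile(r'DEBUG:>> "(?P<payload>.*)"\s*$')
# A JSON string member inside the payload: "name": "value"
MEMBER = re.compile(r'"(?P<name>[^"]+)"\s*:\s*"(?P<value>(?:[^"\\]|\\.)*)"')

# The three log lines quoted in the post.
POST_LOG = r'''
Sun Dec 22 08:10:34 IST 2019:DEBUG:>> "  "firstName": "",[\n]"
Sun Dec 22 08:10:34 IST 2019:DEBUG:>> "  "lastName": "",[\n]"
Sun Dec 22 08:10:34 IST 2019:DEBUG:>> "  "displayName": "",[\n]"
'''
# Constructed sample: two requests, only firstName changes between them.
CONSTRUCTED_LOG = r'''
Sun Dec 22 08:10:34 IST 2019:DEBUG:>> "  "firstName": "qTzPwLxa",[\n]"
Sun Dec 22 08:10:34 IST 2019:DEBUG:>> "  "lastName": "Smith",[\n]"
Sun Dec 22 08:10:35 IST 2019:DEBUG:>> "  "firstName": "RkdUe1mvB2",[\n]"
Sun Dec 22 08:10:35 IST 2019:DEBUG:>> "  "lastName": "Smith",[\n]"
'''

def sent_values(log_text):
    """Return {property: [values sent]} from outgoing (>>) wire-log lines."""
    seen = {}
    for line in log_text.splitlines():
        m = WIRE_LINE.search(line)
        if not m:
            continue  # responses (<<) and unrelated lines are ignored
        payload = m.group("payload").replace("[\\n]", "").replace("[\\r]", "")
        for member in MEMBER.finditer(payload):
            seen.setdefault(member.group("name"), []).append(member.group("value"))
    return seen

def check_fuzzing(log_text, fuzzed):
    """Classify each selected property by what was actually transmitted."""
    values = sent_values(log_text)
    report = {}
    for name in fuzzed:
        distinct = set(values.get(name, []))
        if not distinct:
            report[name] = "not seen"
        elif distinct == {""}:
            report[name] = "always blank"
        elif any("${" in v for v in distinct):
            report[name] = "unexpanded placeholder"
        else:
            report[name] = "varies" if len(distinct) > 1 else "constant"
    return report

if __name__ == "__main__":
    for log in (POST_LOG, CONSTRUCTED_LOG):
        print(check_fuzzing(log, ["firstName", "lastName", "displayName"]))
```

A property reported as "always blank" matches the symptom in the post; "varies" is what a property under fuzzing should show across the scan's requests.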
