...
- Identify the test scenarios that you want to use for penetration testing and copy them. You can continue executing the original test scenarios for functional testing as normal.
- Add the Penetration Testing Tools to the Traffic Object output of the test clients that make the API calls you want to penetration test (e.g., SOAP Client, REST Client, EDI Client, Messaging Client, or Browser Playback Tools).
- As the application changes, update only the functional test scenarios. Whenever you are ready to run the corresponding penetration test scenarios, repeat the above process of copying from the latest set of functional tests and then configuring the copy for penetration testing.
...
To run your penetration testing scenarios, execute them as described in Executing Functional Tests.
- When a REST Client or SOAP Client tool with an attached Penetration Testing Tool is executed, the corresponding request and response data is captured and used as a starting point by the Penetration Testing Tool to execute the penetration test.
Because penetration testing can take a long time to run, even for a single API, the Penetration Testing Tool has a built-in timeout that governs how long the tool runs before moving on to the next test. The timeout follows the Connection Settings default timeout configured in the Misc Preferences / Test Configurations. If the timeout is reached before the penetration testing for the current API is complete, the penetration testing for that API is interrupted and an error is reported.

The timeout can be extended in the Misc Preferences by updating the default timeout. See Misc Settings. To change the timeout, go to Parasoft > Test Configurations, then select the test in the tree on the left and go to Execution > Security.
Reviewing Results
...
SOAtest's penetration testing uses active and passive scan rules to do its analysis. Active scan rules make additional (manipulated) requests to the API to attempt to discover security vulnerabilities. In contrast, passive scan rules make no new requests to the application but instead analyze request/response data captured by the corresponding REST Client or SOAP Client tool to discover security vulnerabilities. SOAtest leverages OWASP ZAP for penetration testing.
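To make the passive/active distinction and the timeout behaviour concrete, here is an added Python example (not Parasoft's or ZAP's code): a toy passive scan that runs a few header checks over constructed captured request/response pairs without sending any new request, and stops with a reported error when its time budget is exceeded. The names `Exchange`, `Finding`, `passive_scan`, the rule functions and the sample URLs are assumptions for illustration.

```python
import time
from dataclasses import dataclass

@dataclass
class Exchange:
    """One captured request/response pair, as a REST or SOAP Client would record it."""
    url: str
    headers: dict
    body: str

@dataclass
class Finding:
    rule: str
    url: str
    detail: str

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

# Passive rules inspect captured data only; they never send a new request.
def rule_content_type(x):
    if "content-type" not in _lower(x.headers):
        return "response has no Content-Type header"

def rule_nosniff(x):
    if _lower(x.headers).get("x-content-type-options", "").lower() != "nosniff":
        return "X-Content-Type-Options: nosniff is missing"

def rule_server_banner(x):
    srv = _lower(x.headers).get("server", "")
    if any(c.isdigit() for c in srv):
        return f"Server header discloses a version: {srv!r}"

PASSIVE_RULES = [rule_content_type, rule_nosniff, rule_server_banner]

def passive_scan(exchanges, timeout_s=30.0, clock=time.monotonic):
    """Run every passive rule over the captured traffic. If the time budget is
    exhausted before all exchanges are analysed, stop and report the interruption."""
    findings, deadline = [], clock() + timeout_s
    for x in exchanges:
        if clock() > deadline:
            findings.append(Finding("timeout", x.url, "scan interrupted: timeout reached"))
            break
        for rule in PASSIVE_RULES:
            msg = rule(x)
            if msg:
                findings.append(Finding(rule.__name__, x.url, msg))
    return findings

# Constructed sample traffic (not real captures): one hardened API, one legacy one.
SAMPLE = [
    Exchange("https://api.example.test/orders",
             {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff",
              "Server": "gateway"}, '{"ok":true}'),
    Exchange("https://api.example.test/legacy", {"Server": "Apache/2.4.41"}, "<html>"),
]
```

An active rule would differ only in that it would build and send manipulated copies of the captured request; the timeout logic shown here applies to both kinds.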
...
This folder contains the following active policy files:
- Parasoft RESTSOAP.policy – used by Penetration Testing Tools attached to REST SOAP Clients.
- Parasoft SOAPREST.policy – used by Penetration Testing Tools attached to tools other than SOAP Clients.
Once you’ve modified either of these policies, it will be used in the next Penetration Testing Tool invocation.
...