...
Because penetration testing can take a long time to run, even for a single API, the Penetration Testing Tool has a built-in timeout that governs how long the tool will run before moving on to the next test. The timeout complies with the timeout configured in the test configuration used to run the test. If the timeout is reached before the penetration testing for the current API is complete, the penetration testing for that API will be interrupted and an error will be reported. To change the timeout
Additionally, you can set global includes and excludes, added as regular expressions, to control what URLs get scanned by the Penetration Testing Tool. Includes are processed before excludes. When no includes are defined, everything is assumed to be included before considering excludes. Includes and excludes get applied regardless of the tool to which the Penetration Testing Tool is chained.
To change the timeout and/or includes and excludes, go to Parasoft > Test Configurations, then select the test configuration and go to Execution > Security.
- The timeout is measured in minutes.
- To add a regular expression used to determine included or excluded URLs, click Add beside its table and input the regular expression.
- To remove a previously added URL regular expression, select it and click Remove.
When your penetration test scenarios run, information about what is being scanned is shown in the Console view. It can be valuable to enable high verbosity in the console, which will provide more detail such as what URLs are being scanned and which are being skipped, allowing you to ensure that your include and exclude patterns are performing as expected. To enable high verbosity, go to Parasoft > Test Configurations, then select the test configuration and go to Execution > Security.
Preferences > Console and select High.
Reviewing Results
When running via UI, errors are reported to the Quality Tasks view, and details about the error and how to fix it can be seen by double-clicking on each error or right-clicking and choosing View Details.
More detailed results are available by generating an HTML version of the report. The HTML report will organize the errors by CWE or OWASP 2021 Top 10 (as set in Parasoft> Preferences> Reports> API Security; note that it is not necessary to re-execute your tests after changing this setting), Risk, and Confidence.
For more information see Reviewing Results.
...
SOAtest's penetration testing uses active and passive scan rules to do its analysis. Active scan rules make additional (manipulated) requests to the API to attempt to discover security vulnerabilities. In contrast, passive scan rules make no new requests to the application but instead analyze request/response data captured by the corresponding tool to discover security vulnerabilities. SOAtest leverages OWASP ZAP for penetration testing.
SOAtest contains two three built-in penetration test profiles: one for REST APIs, and another one for SOAP APIs, and one for non-API requests for web resources. Each profile consists of an active scan policy and a set of passive scan rules. By default, a profile is chosen based on whether the configured test makes a request to a REST API or SOAP API, a SOAP API, or some other web resource (for example, HTML).
If you want to use a custom active scan policy, you can do so by exporting a scan policy from OWASP ZAP and configuring SOAtest to use it. The exported scan policy will configure the set of active scan rules that will be used by the Penetration Testing Tool. When using a custom active scan policy, an appropriate set of passive scan rules will be automatically used based on whether the request is made to a REST API or SOAP API.
...
- Select Parasoft > Test Configuration to open the Test Configuration Manager.
- Click New to create a new Test Configuration, or select an existing one.
- Open the Test Configuration’s Execution > Security tab.
- Choose Use custom scan policy.
- Using the Browse button select your ZAP .policy file.
...
This folder contains the following active policy files:
- Parasoft SOAP.policy – used by Penetration Testing Tools attached to SOAP Clients.Parasoft REST.policy – used by Penetration Testing Tools attached to tools other than SOAP Clients.policy – Used for requests to SOAP APIs. This primarily includes Penetration Testing Tools attached to SOAP Clients, but can include other tools that make requests to SOAP APIs.
- Parasoft REST.policy – Used for requests to REST APIs. This primarily includes Penetration Testing Tools attached to REST Clients, but can include other tools that make requests to REST APIs including other client tools and Browser Playback Tools.
- Parasoft Web.policy – Used for requests to non-API web resources. This is only used for Penetration Testing Tools attached to Browser Playback Tools for non-API requests.
Once you’ve modified either of these policies, it will be used in the next Penetration Testing Tool invocation.
Penetration Testing Rules Supported
| ID | Rule | CWE ID | OWASP | Risk | Type | Profile |
|---|---|---|---|---|---|---|
| 0 | Directory Browsing | 548 | A01:2021 | medium | Active | Web/REST/SOAP |
| 2 | Private IP Disclosure | 200 | A01:2021 | low | Passive | Web/REST/SOAP |
| 3 | Session ID in URL Rewrite | 200 | A01:2021 | medium | Passive | Web/REST/SOAP |
| 6 | Path Traversal | 22 | A03:2021 | high | Active | Web/REST/SOAP |
| 7 | Remote File Inclusion | 98 | A03:2021 | high | Active | Web/REST |
| 41 | Source Code Disclosure - Git | 541 | A05:2021 | high | Active | Web/REST/SOAP |
| 42 | Source Code Disclosure - SVN | 541 | A05:2021 | medium | Active | Web/REST/SOAP |
| 43 | Source Code Disclosure - File Inclusion | 541 | A05:2021 | high | Active | Web/REST/SOAP |
| 10003 | Vulnerable JS Library | 829 | A06:2021 | medium | Passive | Web/REST/SOAP |
| 10009 | In Page Banner Information Leak | 200 | A05:2021 | low | Passive | Web/REST/SOAP |
| 10010 | Cookie No HttpOnly Flag | 1004 | A05:2021 | low | Passive | Web/REST/SOAP |
| 10011 | Cookie Without Secure Flag | 614 | A05:2021 | low | Passive | Web/REST/SOAP |
| 10015 | Incomplete or No Cache-control Header Set | 525 | Unspecified | low | Passive | Web/REST |
| 10017 | Cross-Domain JavaScript Source File Inclusion | 829 | A08:2021 | low | Passive | Web/REST/SOAP |
| 10019 | Content-Type Header Missing | 345 | A05:2021 | informational | Passive | Web/REST/SOAP |
| 10020 | X-Frame-Options Header | 1021 | Unspecified | medium | Passive | Web/REST/SOAP |
| 10021 | X-Content-Type-Options Header Missing 693 | 693 | A05:2021 | low | Passive | Web/REST |
| 10023 | Information Disclosure - Debug Error Messages | 200 | A01:2021 | low | Passive | Web/REST/SOAP |
| 10024 | Information Disclosure - Sensitive Information in URL | 200 | A01:2021 | informational | Passive | Web/REST/SOAP |
| 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | 200 | A01:2021 | informational | Passive | Web/REST/SOAP |
| 10026 | HTTP Parameter Override | 20 | A04:2021 | medium | Passive | Web/REST/SOAP |
| 10027 | Information Disclosure - Suspicious Comments | 200 | A01:2021 | informational | Passive | Web/REST/SOAP |
| 10028 | Open Redirect | 601 | A03:2021 | high | Passive | Web/REST/SOAP |
| 10029 | Cookie Poisoning | 20 | A03:2021 | informational | Passive | Web/REST/SOAP |
| 10030 | User Controllable Charset | 20 | A03:2021 | informational | Passive | Web/REST/SOAP |
| 10031 | User Controllable HTML Element Attribute (Potential XSS) | 20 | A03:2021 | informational | Passive | Web/REST/SOAP |
| 10032 | Viewstate | 642 | Unspecified | high, medium, low, informational | Passive | Web/REST/SOAP |
| 10033 | Directory Browsing | 548 | A01:2021 | medium | Passive | Web/REST/SOAP |
| 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | 119 | A09:2021 | high | Passive | Web/REST/SOAP |
| 10035 | Strict-Transport-Security Header | 319 | A05:2021 | low, informational | Passive | Web/REST/SOAP |
| 10036 | HTTP Server Response Header | 200 | A05:2021 | low, informational | Passive | Web/REST/SOAP |
| 10037 | Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) | 200 | A01:2021 | low | Passive | Web/REST/SOAP |
| 10038 | Content Security Policy (CSP) Header Not Set | 693 | A05:2021 | medium, informational | Passive | Web/REST/SOAP |
| 10039 | X-Backend-Server Header Information Leak | 200 | A05:2021 | low | Passive | Web/REST/SOAP |
| 10040 | Secure Pages Include Mixed Content | 311 | A05:2021 | medium, low | Passive | Web/REST/SOAP |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | 319 | A02:2021 | medium | Passive | Web/REST/SOAP |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | 319 | A02:2021 | medium | Passive | Web/REST/SOAP |
| 10043 | User Controllable JavaScript Event (XSS) | 20 | A03:2021 | info | Passive | Web/REST/SOAP |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | 201 | A04:2021 | low | Passive | Web/REST/SOAP |
| 10045 | Source Code Disclosure - /WEB-INF folder | 541 | A05:2021 | high | Active | Web/REST/SOAP |
| 10047 | HTTPS Content Available via HTTP | 311 | A05:2021 | low | Active | Web/REST/SOAP |
| 10048 | Remote Code Execution - Shell Shock | 78 | A09:2021 | high | Active | Web/REST/SOAP |
| 10049 | Content Cacheability | 524 | Unspecified | informational | Passive | Web/REST |
| 10050 | Retrieved from Cache | Unspecified | Unspecified | informational | Passive | Web/REST/SOAP |
| 10051 | Relative Path Confusion | 20 | A05:2021 | medium | Active | Web |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | 200 | A04:2021 | medium | Passive | Web/REST/SOAP |
| 10054 | Cookie without SameSite Attribute | 1275 | A01:2021 | low | Passive | Web/REST/SOAP |
| 10055 | CSP | 693 | A05:2021 | medium, low, informational | Passive | Web/REST/SOAP |
| 10056 | X-Debug-Token Information Leak | 200 | A01:2021 | low | Passive | Web/REST/SOAP |
| 10057 | Username Hash Found | 284 | A01:2021 | informational | Passive | Web/REST/SOAP |
| 10061 | X-AspNet-Version Response Header | 933 | A05:2021 | low | Passive | Web/REST/SOAP |
| 10062 | PII Disclosure 359 | 359 | A04:2021 | high | Passive | Web/REST/SOAP |
| 10063 | Permissions Policy Header Not Set | 16 | A01:2021 | low | Passive | Web/REST/SOAP |
| 10070 | Use of SAML | Unspecified | Unspecified | informational | Passive | Web/REST/SOAP |
| 10094 | Base64 Disclosure | 200 | A04:2021 | high, informational | Passive | Web/REST/SOAP |
| 10095 | Backup File Disclosure | 530 | A04:2021 | medium | Active | Web/REST/SOAP |
| 10096 | Timestamp Disclosure | 200 | A01:2021 | informational | Passive | Web/REST/SOAP |
| 10097 | Hash Disclosure | 200 | A04:2021 | high, low | Passive | Web/REST/SOAP |
| 10098 | Cross-Domain Misconfiguration | 264 | A01:2021 | medium | Passive | Web/REST/SOAP |
| 10099 | Source Code Disclosure | 540 | A05:2021 | medium | Passive | Web/REST/SOAP |
| 10103 | Image Location and Privacy Scanner | 200 | Unspecified | informational | Passive | Web/REST/SOAP |
| 10105 | Weak Authentication Method | 287 | A01:2021 | high, medium | Passive | Web/REST/SOAP |
| 10106 | HTTP Only Site | 311 | A05:2021 | medium | Active | Web/REST/SOAP |
| 10107 | Httpoxy - Proxy Header Misuse | 20 | A06:2021 | high | Active | Web/REST/SOAP |
| 10108 | Reverse Tabnabbing | Unspecified | A04:2021 | medium | Passive | Web/REST/SOAP |
| 10109 | Modern Web Application | Unspecified | Unspecified | informational | Passive | Web/REST/SOAP |
| 10110 | Dangerous JS Functions | 749 | A04:2021 | low | Passive | Web/REST/SOAP |
| 10202 | Absence of Anti-CSRF Tokens | 352 | A01:2021 | low, informational | Passive | Web/REST/SOAP |
| 20012 | Anti-CSRF Tokens Check | 352 | A05:2021 | high | Active | Web |
| 20015 | Heartbleed OpenSSL Vulnerability | 119 | A06:2021 | high | Active | Web/REST/SOAP |
| 20016 | Cross-Domain Misconfiguration | 264 | A01:2021 | high | Active | Web/REST/SOAP |
| 20017 | Source Code Disclosure - CVE-2012-1823 | 20 | A06:2021 | high | Active | Web/REST/SOAP |
| 20018 | Remote Code Execution - CVE-2012-1823 | 20 | A06:2021 | high | Active | Web/REST/SOAP |
| 20019 | External Redirect | 601 | A03:2021 | high | Active | Web/REST |
| 30001 | Buffer Overflow | 120 | A03:2021 | medium | Active | Web/REST/SOAP |
| 30002 | Format String Error | 134 | A03:2021 | medium | Active | Web/REST/SOAP |
| 30003 | Integer Overflow Error | 190 | A03:2021 | medium | Active | Web/REST |
| 40003 | CRLF Injection | 113 | A03:2021 | medium | Active | Web/REST |
| 40008 | Parameter Tampering | 472 | A04:2021 | medium | Active | Web/REST/SOAP |
| 40009 | Server Side Include | 97 | A03:2021 | high | Active | Web/REST |
| 40012 | Cross Site Scripting (Reflected) | 79 | A03:2021 | high | Active | Web/REST |
| 40013 | Session Fixation | 384 | A01:2021 | high | Active | Web/REST/SOAP |
| 40014 | Cross Site Scripting (Persistent) | 79 | A03:2021 | high | Active | Web/REST |
| 40015 | LDAP Injection | 90 | A03:2021 | high | Active | Web/REST/SOAP |
| 40016 | Cross Site Scripting (Persistent) - Prime | 79 | Unspecified | informational | Active | Web/REST |
| 40017 | Cross Site Scripting (Persistent) - Spider | 79 | Unspecified | informational | Active | Web/REST |
| 40018 | SQL Injection 89 | 89 | A03:2021 | high | Active | Web/REST/SOAP |
| 40025 | Proxy Disclosure | 200 | A05:2021 | medium | Active | Web/REST/SOAP |
| 40028 | ELMAH Information Leak | 215 | A05:2021 | medium | Active | Web/REST/SOAP |
| 40029 | Trace.axd Information Leak | 215 | A05:2021 | medium | Active | Web/REST/SOAP |
| 40032 | .htaccess Information Leak | 215 | A05:2021 | medium | Active | Web/REST/SOAP |
| 40034 | .env Information Leak | 215 | A05:2021 | medium | Active | Web/REST/SOAP |
| 40035 | Hidden File Finder | 538 | A05:2021 | medium | Active | Web/REST/SOAP |
| 40038 | Bypassing 403 | Unspecified | A01:2021 | medium | Active | Web/REST/SOAP |
| 40039 | Web Cache Deception | Unspecified | A05:2021 | medium | Active | Web/REST/SOAP |
| 40040 | CORS Header | 942 | A01:2021 | high, medium, informational | Active | Web/REST |
| 90001 | Insecure JSF ViewState | 642 | A04:2021 | medium | Passive | Web/REST/SOAP |
| 90002 | Java Serialization Object | 502 | A04:2021 | medium | Passive | Web/REST/SOAP |
| 90003 | Sub Resource Integrity Attribute Missing | 345 | A05:2021 | medium | Passive | Web/REST/SOAP |
| 90004 | Insufficient Site Isolation Against Spectre Vulnerability | 693 | A04:2021 | low | Passive | Web/REST/SOAP |
| 90011 | Charset Mismatch | 436 | Unspecified | informational | Passive | Web/REST/SOAP |
| 90017 | XSLT Injection | 91 | A03:2021 | medium | Active | Web/REST/SOAP |
| 90019 | Server Side Code Injection | 94 | A03:2021 | high | Active | Web/REST/SOAP |
| 90020 | Remote OS Command Injection | 78 | A03:2021 | high | Active | Web/REST/SOAP |
| 90021 | XPath Injection | 643 | A03:2021 | high | Active | Web/REST/SOAP |
| 90022 | Application Error Disclosure | 200 | A05:2021 | medium | Passive | Web/REST/SOAP |
| 90023 | XML External Entity Attack | 611 | A03:2021 | high | Active | Web/REST/SOAP |
| 90024 | Generic Padding Oracle 209Oracle | 209 | A02:2021 | high | Active | Web/REST/SOAP |
| 90025 | Expression Language Injection | 917 | A03:2021 | high | Active | REST/SOAPWeb |
| 90028 | Insecure HTTP Method | 200 | A05:2021 | medium | Active | Web/REST/SOAP |
| 90030 | WSDL File Detection | Unspecified | A05:2021 | informational | Passive | Web/REST/SOAP |
| 90033 | Loosely Scoped Cookie | 565 | A08:2021 | informational | Passive | Web/REST/SOAP |
| 90034 | Cloud Metadata Potentially Exposed | Unspecified | A05:2021 | high | Active | Web/REST/SOAP |
| 110001 | Application Error Disclosure via WebSockets | 209 | Unspecified | medium | Passive | Web/REST/SOAP |
| 110002 | Base64 Disclosure in WebSocket message | Unspecified | Unspecified | informational | Passive | Web/REST/SOAP |
| 110003 | Information Disclosure - Debug Error Messages via WebSocket | 200 | Unspecified | low | Passive | Web/REST/SOAP |
| 110004 | Email address found in WebSocket message | 200 | Unspecified | informational | Passive | Web/REST/SOAP |
| 110005 | Personally Identifiable Information via WebSocket | 359 | Unspecified | high | Passive | Web/REST/SOAP |
| 110006 | Private IP Disclosure via WebSocket | Unspecified | Unspecified | low | Passive | Web/REST/SOAP |
| 110007 | Username Hash Found in WebSocket message | 284 | Unspecified | informational | Passive | Web/REST/SOAP |
| 110008 | Information Disclosure - Suspicious Comments in XML via WebSocket | 200 | Unspecified | informational | Passive | Web/REST/SOAP |
| 111001 | HTTP Verb Tampering (Parasoft proprietary rule) | 287 | A07:2021 | medium | Active | Web/REST |
Integration with Burp Suite
...