Comment: Published by Scroll Versions from space FUNCTDEV and version SVC2023.2

...

  1. Identify the test scenarios that you want to use for penetration testing and copy them. The originals stay untouched, so you can continue executing them for functional testing as normal.
  2. For test clients (for example, SOAP Client, REST Client, EDI Client, or Messaging Client), add the Penetration Testing Tools to the Traffic Object outputs of the clients that make the API calls that need penetration testing.

  3. For Browser Playback Tools, add the Penetration Testing Tools to the HTTP Traffic or Browser Contents outputs that need penetration testing. When the tool is chained to an HTTP Traffic output, it attacks only the request described by that traffic message. When the tool is chained to Browser Contents, it attacks every request made by the Browser Playback tool. By default, binary files are ignored unless this is enabled in Parasoft > Preferences > Browser Settings (see Additional Preference Settings).

  4. As the application changes, update only the functional test scenarios. Whenever you are ready to run the corresponding penetration test scenarios, repeat the process above: copy the latest set of functional tests and configure the copies for penetration testing.

...

For more information, see Reviewing Results.

Suppressing False Positives

...

The ID column is the rule ID used to suppress a finding. Type distinguishes Active rules, which send additional crafted requests to the target, from Passive rules, which only inspect requests and responses that the test already captured. Profile lists the test types (Web, REST, SOAP) in which the rule is enabled.

ID | Rule | CWE ID | OWASP | Risk | Type | Profile
0 | Directory Browsing | 548 | A01:2021 | medium | Active | Web/REST/SOAP
2 | Private IP Disclosure | 200 | A01:2021 | low | Passive | Web/REST/SOAP
3 | Session ID in URL Rewrite | 200 | A01:2021 | medium | Passive | Web/REST/SOAP
6 | Path Traversal | 22 | A03:2021 | high | Active | Web/REST/SOAP
7 | Remote File Inclusion | 98 | A03:2021 | high | Active | Web/REST
41 | Source Code Disclosure - Git | 541 | A05:2021 | high | Active | Web/REST/SOAP
42 | Source Code Disclosure - SVN | 541 | A05:2021 | medium | Active | Web/REST/SOAP
43 | Source Code Disclosure - File Inclusion | 541 | A05:2021 | high | Active | Web/REST/SOAP
10003 | Vulnerable JS Library | 829 | A06:2021 | medium | Passive | Web/REST/SOAP
10009 | In Page Banner Information Leak | 200 | A05:2021 | low | Passive | Web/REST/SOAP
10010 | Cookie No HttpOnly Flag | 1004 | A05:2021 | low | Passive | Web/REST/SOAP
10011 | Cookie Without Secure Flag | 614 | A05:2021 | low | Passive | Web/REST/SOAP
10015 | Incomplete or No Cache-control Header Set | 525 | Unspecified | low | Passive | Web/REST
10017 | Cross-Domain JavaScript Source File Inclusion | 829 | A08:2021 | low | Passive | Web/REST/SOAP
10019 | Content-Type Header Missing | 345 | A05:2021 | informational | Passive | Web/REST/SOAP
10020 | Anti-clickjacking Header | 1021 | Unspecified | medium | Passive | Web/REST/SOAP
10021 | X-Content-Type-Options Header Missing | 693 | A05:2021 | low | Passive | Web/REST
10023 | Information Disclosure - Debug Error Messages | 200 | A01:2021 | low | Passive | Web/REST/SOAP
10024 | Information Disclosure - Sensitive Information in URL | 200 | A01:2021 | informational | Passive | Web/REST/SOAP
10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | 200 | A01:2021 | informational | Passive | Web/REST/SOAP
10026 | HTTP Parameter Override | 20 | A04:2021 | medium | Passive | Web/REST/SOAP
10027 | Information Disclosure - Suspicious Comments | 200 | A01:2021 | informational | Passive | Web/REST/SOAP
10028 | Open Redirect | 601 | A03:2021 | high | Passive | Web/REST/SOAP
10029 | Cookie Poisoning | 20 | A03:2021 | informational | Passive | Web/REST/SOAP
10030 | User Controllable Charset | 20 | A03:2021 | informational | Passive | Web/REST/SOAP
10031 | User Controllable HTML Element Attribute (Potential XSS) | 20 | A03:2021 | informational | Passive | Web/REST/SOAP
10032 | Viewstate | 642 | Unspecified | high, medium, low, informational | Passive | Web/REST/SOAP
10033 | Directory Browsing | 548 | A01:2021 | medium | Passive | Web/REST/SOAP
10034 | Heartbleed OpenSSL Vulnerability (Indicative) | 119 | A09:2021 | high | Passive | Web/REST/SOAP
10035 | Strict-Transport-Security Header | 319 | A05:2021 | low, informational | Passive | Web/REST/SOAP
10036 | HTTP Server Response Header | 200 | A05:2021 | low, informational | Passive | Web/REST/SOAP
10037 | Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) | 200 | A01:2021 | low | Passive | Web/REST/SOAP
10038 | Content Security Policy (CSP) Header Not Set | 693 | A05:2021 | medium, informational | Passive | Web/REST/SOAP
10039 | X-Backend-Server Header Information Leak | 200 | A05:2021 | low | Passive | Web/REST/SOAP
10040 | Secure Pages Include Mixed Content | 311 | A05:2021 | medium, low | Passive | Web/REST/SOAP
10041 | HTTP to HTTPS Insecure Transition in Form Post | 319 | A02:2021 | medium | Passive | Web/REST/SOAP
10042 | HTTPS to HTTP Insecure Transition in Form Post | 319 | A02:2021 | medium | Passive | Web/REST/SOAP
10043 | User Controllable JavaScript Event (XSS) | 20 | A03:2021 | informational | Passive | Web/REST/SOAP
10044 | Big Redirect Detected (Potential Sensitive Information Leak) | 201 | A04:2021 | low | Passive | Web/REST/SOAP
10045 | Source Code Disclosure - /WEB-INF folder | 541 | A05:2021 | high | Active | Web/REST/SOAP
10047 | HTTPS Content Available via HTTP | 311 | A05:2021 | low | Active | Web/REST/SOAP
10048 | Remote Code Execution - Shell Shock | 78 | A09:2021 | high | Active | Web/REST/SOAP
10049 | Content Cacheability | 524 | Unspecified | informational | Passive | Web/REST
10050 | Retrieved from Cache | Unspecified | Unspecified | informational | Passive | Web/REST/SOAP
10051 | Relative Path Confusion | 20 | A05:2021 | medium | Active | Web
10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | 200 | A04:2021 | medium | Passive | Web/REST/SOAP
10054 | Cookie without SameSite Attribute | 1275 | A01:2021 | low | Passive | Web/REST/SOAP
10055 | CSP | 693 | A05:2021 | medium, low, informational | Passive | Web/REST/SOAP
10056 | X-Debug-Token Information Leak | 200 | A01:2021 | low | Passive | Web/REST/SOAP
10057 | Username Hash Found | 284 | A01:2021 | informational | Passive | Web/REST/SOAP
10061 | X-AspNet-Version Response Header | 933 | A05:2021 | low | Passive | Web/REST/SOAP
10062 | PII Disclosure | 359 | A04:2021 | high | Passive | Web/REST/SOAP
10063 | Permissions Policy Header Not Set | 16 | A01:2021 | low | Passive | Web/REST/SOAP
10070 | Use of SAML | Unspecified | Unspecified | informational | Passive | Web/REST/SOAP
10094 | Base64 Disclosure | 200 | A04:2021 | high, informational | Passive | Web/REST/SOAP
10095 | Backup File Disclosure | 530 | A04:2021 | medium | Active | Web/REST/SOAP
10096 | Timestamp Disclosure | 200 | A01:2021 | informational | Passive | Web/REST/SOAP
10097 | Hash Disclosure | 200 | A04:2021 | high, low | Passive | Web/REST/SOAP
10098 | Cross-Domain Misconfiguration | 264 | A01:2021 | medium | Passive | Web/REST/SOAP
10099 | Source Code Disclosure | 540 | A05:2021 | medium | Passive | Web/REST/SOAP
10103 | Image Location and Privacy Scanner | 200 | Unspecified | informational | Passive | Web/REST/SOAP
10105 | Weak Authentication Method | 287 | A01:2021 | high, medium | Passive | Web/REST/SOAP
10106 | HTTP Only Site | 311 | A05:2021 | medium | Active | Web/REST/SOAP
10107 | Httpoxy - Proxy Header Misuse | 20 | A06:2021 | high | Active | Web/REST/SOAP
10108 | Reverse Tabnabbing | Unspecified | A04:2021 | medium | Passive | Web/REST/SOAP
10109 | Modern Web Application | Unspecified | Unspecified | informational | Passive | Web/REST/SOAP
10110 | Dangerous JS Functions | 749 | A04:2021 | low | Passive | Web/REST/SOAP
10202 | Absence of Anti-CSRF Tokens | 352 | A01:2021 | low, informational | Passive | Web/REST/SOAP
20012 | Anti-CSRF Tokens Check | 352 | A05:2021 | high | Active | Web
20015 | Heartbleed OpenSSL Vulnerability | 119 | A06:2021 | high | Active | Web/REST/SOAP
20016 | Cross-Domain Misconfiguration | 264 | A01:2021 | high | Active | Web/REST/SOAP
20017 | Source Code Disclosure - CVE-2012-1823 | 20 | A06:2021 | high | Active | Web/REST/SOAP
20018 | Remote Code Execution - CVE-2012-1823 | 20 | A06:2021 | high | Active | Web/REST/SOAP
20019 | External Redirect | 601 | A03:2021 | high | Active | Web/REST
30001 | Buffer Overflow | 120 | A03:2021 | medium | Active | Web/REST/SOAP
30002 | Format String Error | 134 | A03:2021 | medium | Active | Web/REST/SOAP
30003 | Integer Overflow Error | 190 | A03:2021 | medium | Active | Web/REST
40003 | CRLF Injection | 113 | A03:2021 | medium | Active | Web/REST
40008 | Parameter Tampering | 472 | A04:2021 | medium | Active | Web/REST/SOAP
40009 | Server Side Include | 97 | A03:2021 | high | Active | Web/REST
40012 | Cross Site Scripting (Reflected) | 79 | A03:2021 | high | Active | Web/REST
40013 | Session Fixation | 384 | A01:2021 | high | Active | Web/REST/SOAP
40014 | Cross Site Scripting (Persistent) | 79 | A03:2021 | high | Active | Web/REST
40015 | LDAP Injection | 90 | A03:2021 | high | Active | Web/REST/SOAP
40016 | Cross Site Scripting (Persistent) - Prime | 79 | Unspecified | informational | Active | Web/REST
40017 | Cross Site Scripting (Persistent) - Spider | 79 | Unspecified | informational | Active | Web/REST
40018 | SQL Injection | 89 | A03:2021 | high | Active | Web/REST/SOAP
40025 | Proxy Disclosure | 200 | A05:2021 | medium | Active | Web/REST/SOAP
40028 | ELMAH Information Leak | 215 | A05:2021 | medium | Active | Web/REST/SOAP
40029 | Trace.axd Information Leak | 215 | A05:2021 | medium | Active | Web/REST/SOAP
40031 | Out of Band XSS | 79 | A03:2021 | high | Active | Web/REST
40032 | .htaccess Information Leak | 215 | A05:2021 | medium | Active | Web/REST/SOAP
40034 | .env Information Leak | 215 | A05:2021 | medium | Active | Web/REST/SOAP
40035 | Hidden File Finder | 538 | A05:2021 | medium | Active | Web/REST/SOAP
40038 | Bypassing 403 | Unspecified | A01:2021 | medium | Active | Web/REST/SOAP
40039 | Web Cache Deception | Unspecified | A05:2021 | medium | Active | Web/REST/SOAP
40040 | CORS Header | 942 | A01:2021 | high, medium, informational | Active | Web/REST
40042 | Spring Actuator Information Leak | 215 | A01:2021 | medium | Active | Web/REST/SOAP
40044 | Exponential Entity Expansion (Billion Laughs Attack) | 776 | A04:2021 | medium | Active | Web/REST/SOAP
40045 | Spring4Shell | 78 | A03:2021, A06:2021 | high | Active | Web/REST/SOAP
90001 | Insecure JSF ViewState | 642 | A04:2021 | medium | Passive | Web/REST/SOAP
90002 | Java Serialization Object | 502 | A04:2021 | medium | Passive | Web/REST/SOAP
90003 | Sub Resource Integrity Attribute Missing | 345 | A05:2021 | medium | Passive | Web/REST/SOAP
90004 | Insufficient Site Isolation Against Spectre Vulnerability | 693 | A04:2021 | low | Passive | Web/REST/SOAP
90005 | Fetch Metadata Request Headers | 352 | Unspecified | informational | Passive | Web/REST
90011 | Charset Mismatch | 436 | Unspecified | informational | Passive | Web/REST/SOAP
90017 | XSLT Injection | 91 | A03:2021 | medium | Active | Web/REST/SOAP
90019 | Server Side Code Injection | 94 | A03:2021 | high | Active | Web/REST/SOAP
90020 | Remote OS Command Injection | 78 | A03:2021 | high | Active | Web/REST/SOAP
90021 | XPath Injection | 643 | A03:2021 | high | Active | Web/REST/SOAP
90022 | Application Error Disclosure | 200 | A05:2021 | medium | Passive | Web/REST/SOAP
90023 | XML External Entity Attack | 611 | A03:2021 | high | Active | Web/REST/SOAP
90024 | Generic Padding Oracle | 209 | A02:2021 | high | Active | Web/REST/SOAP
90025 | Expression Language Injection | 917 | A03:2021 | high | Active | Web
90028 | Insecure HTTP Method | 200 | A05:2021 | medium | Active | Web/REST/SOAP
90030 | WSDL File Detection | Unspecified | A05:2021 | informational | Passive | Web/REST/SOAP
90033 | Loosely Scoped Cookie | 565 | A08:2021 | informational | Passive | Web/REST/SOAP
90034 | Cloud Metadata Potentially Exposed | Unspecified | A05:2021 | high | Active | Web/REST/SOAP
90035 | Server Side Template Injection | 94 | Unspecified | high | Active | Web/REST
90036 | Server Side Template Injection (Blind) | 74 | Unspecified | high | Active | Web/REST
110001 | Application Error Disclosure via WebSockets | 209 | Unspecified | medium | Passive | Web/REST/SOAP
110002 | Base64 Disclosure in WebSocket message | Unspecified | Unspecified | informational | Passive | Web/REST/SOAP
110003 | Information Disclosure - Debug Error Messages via WebSocket | 200 | Unspecified | low | Passive | Web/REST/SOAP
110004 | Email address found in WebSocket message | 200 | Unspecified | informational | Passive | Web/REST/SOAP
110005 | Personally Identifiable Information via WebSocket | 359 | Unspecified | high | Passive | Web/REST/SOAP
110006 | Private IP Disclosure via WebSocket | Unspecified | Unspecified | low | Passive | Web/REST/SOAP
110007 | Username Hash Found in WebSocket message | 284 | Unspecified | informational | Passive | Web/REST/SOAP
110008 | Information Disclosure - Suspicious Comments in XML via WebSocket | 200 | Unspecified | informational | Passive | Web/REST/SOAP
111001 | HTTP Verb Tampering (Parasoft proprietary rule) | 287 | A07:2021 | medium | Active | Web/REST
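To make the Type and Risk columns concrete, the following is an added example written for this page (it is not SOAtest's or ZAP's own code) that applies a handful of the Passive rules from the table to a captured HTTP response and then filters the resulting findings by rule ID, which is the shape a by-ID suppression takes. The rule IDs, names and risk levels are copied from the table; the two responses are constructed for the example; the checks are simplified versions of what the corresponding ZAP rules do (the real rules add content-type and status-code conditions that are omitted here).

```python
from typing import Dict, Iterable, List, Tuple

# Rule ID -> (name, risk), copied from the table above (all Passive rules)
RULES: Dict[int, Tuple[str, str]] = {
    10010: ("Cookie No HttpOnly Flag", "low"),
    10011: ("Cookie Without Secure Flag", "low"),
    10054: ("Cookie without SameSite Attribute", "low"),
    10020: ("Anti-clickjacking Header", "medium"),
    10021: ("X-Content-Type-Options Header Missing", "low"),
    10035: ("Strict-Transport-Security Header", "low"),
    10038: ("Content Security Policy (CSP) Header Not Set", "medium"),
}


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.1 response into (status code, header multi-map).
    Header names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def _finding(rule_id: int, evidence: str) -> dict:
    name, risk = RULES[rule_id]
    return {"id": rule_id, "rule": name, "risk": risk, "evidence": evidence}


def passive_scan(raw: bytes, https: bool = True) -> List[dict]:
    """Passive checks: inspect the captured response only, send nothing to the target.
    `https` says whether the response came over TLS; Secure and HSTS only apply then."""
    _, h = parse_response(raw)
    findings: List[dict] = []

    # One finding per offending cookie for rules 10010 / 10011 / 10054
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(_finding(10010, name))
        if https and "secure" not in attrs:
            findings.append(_finding(10011, name))
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(_finding(10054, name))

    # Response-header rules; a CSP frame-ancestors directive satisfies 10020 too
    csp = " ".join(h.get("content-security-policy", [])).lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(_finding(10020, "no X-Frame-Options and no CSP frame-ancestors"))
    if "x-content-type-options" not in h:
        findings.append(_finding(10021, "header missing"))
    if https and "strict-transport-security" not in h:
        findings.append(_finding(10035, "header missing"))
    if not csp:
        findings.append(_finding(10038, "header missing"))
    return findings


def suppress(findings: List[dict], suppressed_ids: Iterable[int]) -> List[dict]:
    """Drop findings whose rule ID has been reviewed and marked as a false positive."""
    ids = set(suppressed_ids)
    return [f for f in findings if f["id"] not in ids]


# Constructed sample: a session cookie with no attributes and several headers missing
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    b"Set-Cookie: theme=dark; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Constructed sample: the same page with the headers and cookie attributes the rules expect
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for f in passive_scan(WEAK_RESPONSE):
        print(f"{f['id']:>6} {f['risk']:<7} {f['rule']} ({f['evidence']})")
    print("hardened:", passive_scan(HARDENED_RESPONSE))
```

Running the module lists six findings for WEAK_RESPONSE (three on the JSESSIONID cookie, plus 10021, 10035 and 10038) and none for HARDENED_RESPONSE. Suppress by rule ID only after confirming that the finding is a false positive in your deployment: suppressing 10011 on a site that really does set the cookie over plain HTTP hides a genuine issue rather than a noisy one.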

...

SOAtest uses a preconfigured instance of OWASP ZAP under the hood to perform penetration testing. You also have the option to use the commercial tool Burp Suite for penetration testing by leveraging the Burp Suite Extension (https://docs.parasoft.com/display/SOA20211/Burp+Suite+Extensions+1.0).