...
- Identify the test scenarios that you want to use for penetration testing and copy them. You can continue executing the original test scenarios for functional testing as normal.
- Add the Penetration Testing Tool to the Traffic Object output of the test clients (e.g., SOAP Client, REST Client, EDI Client, Browser Playback Tools, or Messaging Client) that make the API calls that need penetration testing.
- As the application changes, update only the functional test scenarios. Whenever you are ready to run the corresponding penetration test scenarios, repeat the above process of copying from the latest set of functional tests and then configuring the copy for penetration testing.
...
To run your penetration testing scenarios, execute them as described in Executing Functional Tests.
- When a tool (e.g., REST Client or SOAP Client) with an attached Penetration Testing Tool is executed, the corresponding request and response data is captured and used as the starting point from which the Penetration Testing Tool executes the penetration test.
Because penetration testing can take a long time to run, even for a single API, the Penetration Testing Tool has a built-in timeout that governs how long the tool will run before moving on to the next test. By default, the timeout is the Connection Settings default timeout configured in the Misc Preferences. If the timeout is reached before the penetration testing for the current API is complete, the penetration testing for that API is interrupted and an error is reported. Treat such an error as an incomplete scan rather than a clean result: rules that had not yet run against that API produced no findings. To change the timeout, go to Parasoft> Test Configurations, select the test configuration in the tree on the left, and go to Execution> Security. The timeout can also be extended by updating the default timeout in the Misc Preferences. See Misc Settings.
Reviewing Results
When running from the UI, errors are reported in the Quality Tasks view. Details about each error and how to fix it are available by double-clicking the error or by right-clicking it and choosing View Details.
...
SOAtest's penetration testing uses active and passive scan rules to do its analysis. Active scan rules make additional (manipulated) requests to the API to attempt to discover security vulnerabilities. In contrast, passive scan rules make no new requests to the application but instead analyze the request/response data captured by the corresponding tool (e.g., REST Client or SOAP Client) to discover security vulnerabilities. Because active rules send their own traffic, they are the ones that can change application state or take a long time; passive rules only add analysis time. SOAtest leverages OWASP ZAP for penetration testing.
...
This folder contains the following active policy files:
- Parasoft SOAP.policy – used by Penetration Testing Tools attached to SOAP Clients.
- Parasoft REST.policy – used by Penetration Testing Tools attached to tools other than SOAP Clients.
Once you have modified either of these policies, the modified policy is used on the next Penetration Testing Tool invocation.
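A common reason to edit a policy is to switch off individual active rules (for example the Shell Shock or cloud-metadata probes) before pointing the scan at a shared environment, while keeping the passive rules and the injection checks. The script below is an added example, not Parasoft or ZAP code. It assumes the policy files use the layout of a ZAP exported scan policy, one `<pNNN>` element per rule ID with `enabled`, `level` and `strength` children; the sample policy is constructed here to illustrate that layout and should be compared against the shipped files before scripting edits against them.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Set

# Constructed sample in the layout of a ZAP exported scan policy (assumed, not
# verified, to match the shipped Parasoft *.policy files).  Rule IDs and names
# are taken from the rule table on this page.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
  <policy>Parasoft REST</policy>
  <scanner>
    <level>MEDIUM</level>
    <strength>MEDIUM</strength>
  </scanner>
  <plugins>
    <p0><name>Directory Browsing</name><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p0>
    <p6><name>Path Traversal</name><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p6>
    <p10048><name>Remote Code Execution - Shell Shock</name><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p10048>
    <p40018><name>SQL Injection</name><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p40018>
    <p90034><name>Cloud Metadata Potentially Exposed</name><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p90034>
  </plugins>
</configuration>
"""

STRENGTHS = ("LOW", "MEDIUM", "HIGH", "INSANE")  # ZAP attack-strength values


def _plugins(root: ET.Element) -> ET.Element:
    node = root.find("plugins")
    if node is None:
        raise ValueError("policy has no <plugins> section")
    return node


def _set_text(node: ET.Element, tag: str, value: str) -> None:
    child = node.find(tag)
    if child is None:  # tolerate entries that omit the element
        child = ET.SubElement(node, tag)
    child.text = value


def enabled_rule_ids(policy_xml: str) -> Set[int]:
    """Return the IDs of the rules the policy will actually run."""
    root = ET.fromstring(policy_xml.encode("utf-8"))
    ids: Set[int] = set()
    for plugin in _plugins(root):
        tag = plugin.tag
        if tag.startswith("p") and tag[1:].isdigit() and (plugin.findtext("enabled") or "").strip().lower() == "true":
            ids.add(int(tag[1:]))
    return ids


def set_rules(policy_xml: str, rule_ids: Iterable[int], enabled: bool, strength: Optional[str] = None) -> str:
    """Enable or disable the given rule IDs, optionally setting their attack strength; returns the new XML."""
    if strength is not None and strength not in STRENGTHS:
        raise ValueError(f"unknown strength {strength!r}")
    root = ET.fromstring(policy_xml.encode("utf-8"))
    plugins = _plugins(root)
    for rid in rule_ids:
        node = plugins.find(f"p{rid}")
        if node is None:  # refuse silently "disabling" a rule that is not in the file
            raise KeyError(f"rule {rid} is not present in this policy")
        _set_text(node, "enabled", "true" if enabled else "false")
        if strength is not None:
            _set_text(node, "strength", strength)
    return ET.tostring(root, encoding="unicode")


def write_policy(policy_xml: str, path: str) -> None:
    """Write the policy back with the XML declaration the original file carries."""
    ET.ElementTree(ET.fromstring(policy_xml.encode("utf-8"))).write(path, encoding="UTF-8", xml_declaration=True)


if __name__ == "__main__":
    # Keep the traversal and SQL injection probes, but switch off Shell Shock and
    # the cloud-metadata probe before scanning a shared staging host.
    trimmed = set_rules(SAMPLE_POLICY, [10048, 90034], enabled=False)
    print(sorted(enabled_rule_ids(trimmed)))
```

Raising on an unknown ID matters in practice: a typo in a rule ID would otherwise leave a high-impact probe enabled while the edit appears to have succeeded.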
...
ID | Rule | CWE ID | Risk | Type | Profile |
---|---|---|---|---|---|
0 | Directory Browsing | 548 | medium | Active | REST/SOAP |
2 | Private IP Disclosure | 200 | low | Passive | REST/SOAP |
3 | Session ID in URL Rewrite | 200 | medium | Passive | REST/SOAP |
6 | Path Traversal | 22 | high | Active | REST/SOAP |
7 | Remote File Inclusion | 98 | high | Active | REST |
41 | Source Code Disclosure - Git | 541 | high | Active | REST/SOAP |
42 | Source Code Disclosure - SVN | 541 | medium | Active | REST/SOAP |
43 | Source Code Disclosure - File Inclusion | 541 | high | Active | REST/SOAP |
10003 | Vulnerable JS Library | 829 | medium | Passive | REST/SOAP |
10009 | In Page Banner Information Leak | 200 | low | Passive | REST/SOAP |
10010 | Cookie No HttpOnly Flag | 1004 | low | Passive | REST/SOAP |
10011 | Cookie Without Secure Flag | 614 | low | Passive | REST/SOAP |
10015 | Incomplete or No Cache-control Header Set | 525 | low | Passive | REST |
10017 | Cross-Domain JavaScript Source File Inclusion | 829 | low | Passive | REST/SOAP |
10019 | Content-Type Header Missing | 345 | informational | Passive | REST/SOAP |
10020 | X-Frame-Options Header | 1021 | medium | Passive | REST/SOAP |
10021 | X-Content-Type-Options Header Missing | 693 | low | Passive | REST |
10023 | Information Disclosure - Debug Error Messages | 200 | low | Passive | REST/SOAP |
10024 | Information Disclosure - Sensitive Information in URL | 200 | informational | Passive | REST/SOAP |
10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | 200 | informational | Passive | REST/SOAP |
10026 | HTTP Parameter Override | 20 | medium | Passive | REST/SOAP |
10027 | Information Disclosure - Suspicious Comments | 200 | informational | Passive | REST/SOAP |
10028 | Open Redirect | 601 | high | Passive | REST/SOAP |
10029 | Cookie Poisoning | 20 | informational | Passive | REST/SOAP |
10030 | User Controllable Charset | 20 | informational | Passive | REST/SOAP |
10031 | User Controllable HTML Element Attribute (Potential XSS) | 20 | informational | Passive | REST/SOAP |
10032 | Viewstate | 642 | high, medium, low, informational | Passive | REST/SOAP |
10033 | Directory Browsing | 548 | medium | Passive | REST/SOAP |
10034 | Heartbleed OpenSSL Vulnerability (Indicative) | 119 | high | Passive | REST/SOAP |
10035 | Strict-Transport-Security Header | 319 | low, informational | Passive | REST/SOAP |
10036 | HTTP Server Response Header | 200 | low, informational | Passive | REST/SOAP |
10037 | Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) | 200 | low | Passive | REST/SOAP |
10038 | Content Security Policy (CSP) Header Not Set | 693 | medium, informational | Passive | REST/SOAP |
10039 | X-Backend-Server Header Information Leak | 200 | low | Passive | REST/SOAP |
10040 | Secure Pages Include Mixed Content | 311 | medium, low | Passive | REST/SOAP |
10041 | HTTP to HTTPS Insecure Transition in Form Post | 319 | medium | Passive | REST/SOAP |
10042 | HTTPS to HTTP Insecure Transition in Form Post | 319 | medium | Passive | REST/SOAP |
10043 | User Controllable JavaScript Event (XSS) | 20 | informational | Passive | REST/SOAP |
10044 | Big Redirect Detected (Potential Sensitive Information Leak) | 201 | low | Passive | REST/SOAP |
10045 | Source Code Disclosure - /WEB-INF folder | 541 | high | Active | REST/SOAP |
10047 | HTTPS Content Available via HTTP | 311 | low | Active | REST/SOAP |
10048 | Remote Code Execution - Shell Shock | 78 | high | Active | REST/SOAP |
10049 | Content Cacheability | 524 | informational | Passive | REST |
10050 | Retrieved from Cache | Unspecified | informational | Passive | REST/SOAP |
10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | 200 | medium | Passive | REST/SOAP |
10054 | Cookie without SameSite Attribute | 1275 | low | Passive | REST/SOAP |
10055 | CSP | 693 | medium, low, informational | Passive | REST/SOAP |
10056 | X-Debug-Token Information Leak | 200 | low | Passive | REST/SOAP |
10057 | Username Hash Found | 284 | informational | Passive | REST/SOAP |
10061 | X-AspNet-Version Response Header | 933 | low | Passive | REST/SOAP |
10062 | PII Disclosure | 359 | high | Passive | REST/SOAP |
10063 | Permissions Policy Header Not Set | 16 | low | Passive | REST/SOAP |
10070 | Use of SAML | Unspecified | informational | Passive | REST/SOAP |
10094 | Base64 Disclosure | 200 | high, informational | Passive | REST/SOAP |
10095 | Backup File Disclosure | 530 | medium | Active | REST/SOAP |
10096 | Timestamp Disclosure | 200 | informational | Passive | REST/SOAP |
10097 | Hash Disclosure | 200 | high, low | Passive | REST/SOAP |
10098 | Cross-Domain Misconfiguration | 264 | medium | Passive | REST/SOAP |
10099 | Source Code Disclosure | 540 | medium | Passive | REST/SOAP |
10103 | Image Location and Privacy Scanner | 200 | informational | Passive | REST/SOAP |
10105 | Weak Authentication Method | 287 | high, medium | Passive | REST/SOAP |
10106 | HTTP Only Site | 311 | medium | Active | REST/SOAP |
10107 | Httpoxy - Proxy Header Misuse | 20 | high | Active | REST/SOAP |
10108 | Reverse Tabnabbing | Unspecified | medium | Passive | REST/SOAP |
10109 | Modern Web Application | Unspecified | informational | Passive | REST/SOAP |
10110 | Dangerous JS Functions | 749 | low | Passive | REST/SOAP |
10202 | Absence of Anti-CSRF Tokens | 352 | low, informational | Passive | REST/SOAP |
20015 | Heartbleed OpenSSL Vulnerability | 119 | high | Active | REST/SOAP |
20016 | Cross-Domain Misconfiguration | 264 | high | Active | REST/SOAP |
20017 | Source Code Disclosure - CVE-2012-1823 | 20 | high | Active | REST/SOAP |
20018 | Remote Code Execution - CVE-2012-1823 | 20 | high | Active | REST/SOAP |
20019 | External Redirect | 601 | high | Active | REST |
30001 | Buffer Overflow | 120 | medium | Active | REST/SOAP |
30002 | Format String Error | 134 | medium | Active | REST/SOAP |
30003 | Integer Overflow Error | 190 | medium | Active | REST |
40003 | CRLF Injection | 113 | medium | Active | REST |
40008 | Parameter Tampering | 472 | medium | Active | REST/SOAP |
40009 | Server Side Include | 97 | high | Active | REST |
40012 | Cross Site Scripting (Reflected) | 79 | high | Active | REST |
40013 | Session Fixation | 384 | high | Active | REST/SOAP |
40014 | Cross Site Scripting (Persistent) | 79 | high | Active | REST |
40015 | LDAP Injection | 90 | high | Active | REST/SOAP |
40016 | Cross Site Scripting (Persistent) - Prime | 79 | informational | Active | REST |
40017 | Cross Site Scripting (Persistent) - Spider | 79 | informational | Active | REST |
40018 | SQL Injection | 89 | high | Active | REST/SOAP |
40025 | Proxy Disclosure | 200 | medium | Active | REST/SOAP |
40028 | ELMAH Information Leak | 215 | medium | Active | REST/SOAP |
40029 | Trace.axd Information Leak | 215 | medium | Active | REST/SOAP |
40032 | .htaccess Information Leak | 215 | medium | Active | REST/SOAP |
40034 | .env Information Leak | 215 | medium | Active | REST/SOAP |
40035 | Hidden File Finder | 538 | medium | Active | REST/SOAP |
40038 | Bypassing 403 | Unspecified | medium | Active | REST/SOAP |
40039 | Web Cache Deception | Unspecified | medium | Active | REST/SOAP |
40040 | CORS Header | 942 | high, medium, informational | Active | REST |
90001 | Insecure JSF ViewState | 642 | medium | Passive | REST/SOAP |
90002 | Java Serialization Object | 502 | medium | Passive | REST/SOAP |
90003 | Sub Resource Integrity Attribute Missing | 345 | medium | Passive | REST/SOAP |
90004 | Insufficient Site Isolation Against Spectre Vulnerability | 693 | low | Passive | REST/SOAP |
90011 | Charset Mismatch | 436 | informational | Passive | REST/SOAP |
90017 | XSLT Injection | 91 | medium | Active | REST/SOAP |
90019 | Server Side Code Injection | 94 | high | Active | REST/SOAP |
90020 | Remote OS Command Injection | 78 | high | Active | REST/SOAP |
90021 | XPath Injection | 643 | high | Active | REST/SOAP |
90022 | Application Error Disclosure | 200 | medium | Passive | REST/SOAP |
90023 | XML External Entity Attack | 611 | high | Active | REST/SOAP |
90024 | Generic Padding Oracle | 209 | high | Active | REST/SOAP |
90028 | Insecure HTTP Method | 200 | medium | Active | REST/SOAP |
90030 | WSDL File Detection | Unspecified | informational | Passive | REST/SOAP |
90033 | Loosely Scoped Cookie | 565 | informational | Passive | REST/SOAP |
90034 | Cloud Metadata Potentially Exposed | Unspecified | high | Active | REST/SOAP |
110001 | Application Error Disclosure via WebSockets | 209 | medium | Passive | REST/SOAP |
110002 | Base64 Disclosure in WebSocket message | Unspecified | informational | Passive | REST/SOAP |
110003 | Information Disclosure - Debug Error Messages via WebSocket | 200 | low | Passive | REST/SOAP |
110004 | Email address found in WebSocket message | 200 | informational | Passive | REST/SOAP |
110005 | Personally Identifiable Information via WebSocket | 359 | high | Passive | REST/SOAP |
110006 | Private IP Disclosure via WebSocket | Unspecified | low | Passive | REST/SOAP |
110007 | Username Hash Found in WebSocket message | 284 | informational | Passive | REST/SOAP |
110008 | Information Disclosure - Suspicious Comments in XML via WebSocket | 200 | informational | Passive | REST/SOAP |
111001 | HTTP Verb Tampering (Parasoft proprietary rule) | 287 | medium | Active | REST |
Integration with Burp Suite
...