I wrote this article to help anyone who wants to start using SoapUI to check the security of (SOAP) web services. To do so, we begin by setting up Mutillidae, which contains a few services to test. Then we run a SQL injection test.
Apologies for the English. I don't really have time to translate it. But a picture is worth a thousand words, isn't it?
______________
This post is meant to help a security tester set up SoapUI and use it against the test web services included in Mutillidae.
Setting up a local test environment with web services
- Download Mutillidae from http://sourceforge.net/projects/mutillidae/files/mutillidae-project/
- Install the package to a Linux distro with Apache 2.x under /var/www/mutillidae/
- Start Apache
- Access http://localhost/mutillidae and set up the database by clicking Reset DB or by going to http://localhost/mutillidae/set-up-database.php
Setting up SoapUI
- Set up SoapUI, create a test project for Mutillidae, load the various Mutillidae WSDL files, and set up the associated test suites for each WSDL:
- As a simple test, double click getUserInformation and add username and password values as follows:
- Click on the green Submit Request button and wait for the response in the right pane:
Creating a security test
- Create a new Security Test:
- Optionally, add another specific assertion, as demonstrated below.
Note that adding an XPath assertion when testing for injection issues may not be a good idea. At the very least, you have to ensure that the assertion covers all the cases. For example, below, we add an XPath expression to cover both the case of a normal request (node count = 1) and the case of an empty result set (node count = 0).
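To make the node-count logic concrete, here is an added example (not SoapUI's or Mutillidae's code) that applies the same check outside SoapUI: a lookup that is expected to return one account must yield either 0 nodes (empty result set) or 1 node (normal request), and any larger count fails the assertion, which is exactly the anomaly a SQL injection test is looking for. The SOAP response layout, the element names and the `urn:example:mutillidae` namespace are assumptions for the sake of the example; the real Mutillidae WSDL may name things differently, so adapt the XPath to the response you actually see in the right pane.

```python
"""Node-count assertion for a getUserInformation-style SOAP response.

Mirrors a SoapUI XPath assertion of the form count(//m:account) <= 1, i.e.
0 nodes (empty result set) or 1 node (normal lookup) pass, more nodes fail.
Element names and namespace are assumed, not taken from the Mutillidae WSDL.
"""
import xml.etree.ElementTree as ET

# Namespace prefixes used in the constructed sample responses below.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "m": "urn:example:mutillidae",  # assumed namespace, not from the page
}


def build_response(accounts):
    """Construct a sample SOAP response (constructed data, not a captured one).

    `accounts` is a list of (username, signature) tuples, one per returned row.
    """
    rows = "".join(
        f"<m:account><m:username>{user}</m:username>"
        f"<m:signature>{sig}</m:signature></m:account>"
        for user, sig in accounts
    )
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:m="urn:example:mutillidae">'
        "<soapenv:Body><m:getUserInformationResponse><m:return>"
        f"{rows}"
        "</m:return></m:getUserInformationResponse></soapenv:Body></soapenv:Envelope>"
    )


def account_count(xml_text):
    """Return the number of <m:account> nodes, i.e. count(//m:account)."""
    root = ET.fromstring(xml_text)
    return len(root.findall(".//m:account", NS))


def assertion_passes(xml_text, max_rows=1):
    """The assertion: a single-user lookup may return 0 or 1 rows, never more.

    A response carrying extra rows means the query returned data the caller
    did not ask for, which is the signal the injection test should catch.
    """
    return account_count(xml_text) <= max_rows


if __name__ == "__main__":
    normal = build_response([("alice", "hello")])          # 1 node: passes
    empty = build_response([])                              # 0 nodes: passes
    leaky = build_response([("alice", "a"), ("bob", "b"),   # 3 nodes: fails
                            ("carol", "c")])
    for label, resp in (("normal", normal), ("empty", empty), ("leaky", leaky)):
        print(f"{label}: {account_count(resp)} node(s), "
              f"assertion {'passed' if assertion_passes(resp) else 'FAILED'}")
```

Writing the assertion as `count(...) <= 1` rather than `count(...) = 1` is what lets a single expression cover both the normal and the empty-result cases the text describes; checking only for `= 1` would wrongly flag every legitimate lookup of a user that does not exist.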