I saw an interesting conversation pop up recently where someone was asking for others' experiences with SoapUI and Postman for API testing. In the first instance, they planned to only use the tool they chose to test APIs for integration testing and also test APIs between our front end and back end projects for our web application.
Longer-term, they wanted to choose a tool that could potentially be used for security testing so that they could do both API and security testing within the same tool.
Have you tried something similar? Is it something you would recommend? If so, what tools would you suggest and why?
Security testing is a harder thing that I don't think goes well with API automation. With security you want a tool that gets updates and you should understand what your runtime environment looks like. I've had various architects set up WAFs (web application firewalls) and scanning tools that get updates and run scans against an API at intervals.
If you don't take the time to constrain it you don't really come up with much. There is a lot of low-hanging fruit from the OWASP Top Ten that can be found from scanning, but the stuff that pays out from a bug crowd campaign is the things dedicated security testers find. Things like cached login credentials, poorly set authorization schemes that allow the end user to disable encryption themselves, and on and on.
There's low-hanging fruit but as far as I know no silver-bullet security tool without spending time on understanding the problem space. I would love to hear that I'm wrong and there are good automated tools on the market now.
I'm the CEO of a testing automation company called Meeshkan, and this is part of the service we offer on meeshkan.com. The way we're initially developing our service is that it tests authentication for certain popular frameworks (Spring Boot, Django, Phoenix) and certain popular providers (Okta, Auth0), although we hope to support any OAuth/JWT flow as the product grows over time.
@alanmbarr is right that this is a hard problem and it needs to be constrained. Our service only works (for now) on a small set of frameworks/languages that we can analyze to find these constraints, i.e. what roles exist, what scopes exist, what grants exist, what resources need what permissions, etc.
Do you know with what languages/frameworks the API you're testing has been built? I can let you know if we support them at Meeshkan.
I thought that might be the case @alanmbarr but it's been a long time since I looked at security testing so I'm not up to speed on what's out there at the moment.
It's not my project I'm afraid, @mikesol, so I'm not sure of the exact language/framework. If I can find the conversation again though I'll be sure to pass your tool on.
Scans can be useful as @alanmbarr suggests, but they are a bit of a hammer to crack a nut. Fuzzing API endpoints and requests might be useful. The mutations of data that you would inject might find potential data leakages or overflow errors.
Tools like that need configuring and tuning well to reduce the impact of false positives. They will often lead to lots of unhelpful logging and errors that aren't real problems. So it takes some experience and knowledge of your stack to really find the gnarly issues.
That being said, myself and a colleague did find a private key exposed in an old SOAP integration once, just by using some simple SQL injection. It was fixed by deprecating the code so it couldn't be used any more. But we tried similar attacks on the new core API for the product. It simply responded with a nice, well handled exception, but didn't barf any data.
One of the things you could do though was effect a DoS by flooding the API, as it had no rate limiting, nor did the host have sufficient capacity to cope with the throughput. At the time (as it was a test environment) my suggestion was to see how this would cope on a production environment.
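The missing control in the flooding story above is a per-client rate limit. The following is an added example, not code from the thread: a token-bucket limiter that lets a client burst a few requests and then holds it to a sustained rate, answering excess calls with 429 and a Retry-After header. The rate, burst size and client identifiers are constructed values; `now` is injectable so the behaviour can be checked without waiting on the clock.

```python
# Added example (not code from the thread): a per-client token-bucket limiter of
# the kind whose absence let the API above be flooded. The rate, burst size and
# client identifiers below are constructed values.
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class _Bucket:
    tokens: float   # tokens currently available to this client
    last: float     # timestamp of the last refill


class TokenBucketLimiter:
    """Allow up to `burst` requests at once, then `rate_per_sec` sustained."""

    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self._buckets: Dict[str, _Bucket] = {}

    def _refill(self, client_id: str, now: float) -> _Bucket:
        bucket = self._buckets.get(client_id)
        if bucket is None:
            # An unknown client starts with a full bucket.
            bucket = _Bucket(tokens=self.burst, last=now)
            self._buckets[client_id] = bucket
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(self.burst, bucket.tokens + elapsed * self.rate)
        bucket.last = now
        return bucket

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        """Consume one token for client_id if one is available."""
        now = time.monotonic() if now is None else now
        bucket = self._refill(client_id, now)
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False

    def retry_after(self, client_id: str, now: Optional[float] = None) -> float:
        """Seconds until client_id has a whole token again (0 if it has one now)."""
        now = time.monotonic() if now is None else now
        bucket = self._refill(client_id, now)
        if bucket.tokens >= 1.0:
            return 0.0
        return (1.0 - bucket.tokens) / self.rate


def handle_request(limiter: TokenBucketLimiter, client_id: str,
                   now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Gate a request: 200 when allowed, 429 with a Retry-After header when not."""
    if limiter.allow(client_id, now):
        return 200, {}
    wait = limiter.retry_after(client_id, now)
    # Retry-After is whole seconds; round up so the client never retries too early.
    return 429, {"Retry-After": str(max(1, int(wait + 0.999)))}


def flood(limiter: TokenBucketLimiter, client_id: str, requests: int,
          now: float) -> Dict[str, int]:
    """Simulate `requests` calls arriving at the same instant from one client."""
    allowed = sum(1 for _ in range(requests) if limiter.allow(client_id, now))
    return {"allowed": allowed, "rejected": requests - allowed}


if __name__ == "__main__":
    limiter = TokenBucketLimiter(rate_per_sec=2, burst=5)
    print(flood(limiter, "10.0.0.7", 20, now=0.0))        # {'allowed': 5, 'rejected': 15}
    print(handle_request(limiter, "10.0.0.7", now=0.0))   # (429, {'Retry-After': '1'})
    print(handle_request(limiter, "10.0.0.7", now=0.5))   # (200, {})
```

Keying the bucket on the client identity (here a constructed IP string; an API key or token subject works the same way) is what stops one caller from exhausting the host's capacity for everyone else. The limiter is in-process state, so behind several API replicas the bucket would need to live in a shared store.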
I haven't used this myself, but it looks like an interesting tool for exploratory API testing. It's an extension to VS Code that gives you a combination of a Jupyter-notebook-like experience and a Postman-like experience.
Postman in that it lets you make calls to an API, with secrets, easily seeing stuff that comes back etc. Notebooks in that your interface is a notebook. You have a GUI that lets you edit a document (notebook) that is made of cells. Each cell can have text, code or output from the code. With Jupyter notebooks the code is often Python for data analysis and the results are things like graphs. These notebooks would have code that makes calls to the API, and the results are what the API returns.
I've used notebooks for data analysis (using R rather than Python) and they're surprisingly nice to use. At the end you have a permanent record of your session, combining notes you've made (the text), exactly what code you wrote, and exactly what results you got from that code, bundled together as one notebook. You could then attach that notebook to a ticket, put it in source control etc. as it's a text document underneath everything.
This isn't going to replace specialist fuzzing, scanning, or performance tools, but it seemed promising for exploratory testing or just learning.
A simple approach could be to use Postman and ZAP in combination. Both tools are free and very easy to get installed and configured. Both tools also have some great documentation and ZAP has some really nice free videos to help you get started.
Configuring the tools:
ZAP:
Go to "Options", and click on "Local Proxies"
Ensure the "Address" is set, i.e. localhost
Ensure "Port" is set, i.e. 12345
Postman:
Go to "Settings" and click on "Proxy"
Scroll down to "Proxy configurations for sending requests" and click on "Add a custom proxy configuration"
Set the "Proxy Server" to localhost, and port to 12345
Ready to test:
Now within Postman you can run individual requests or choose to "Run collection" using Postman's collection runner. Any alerts that should be investigated will be shown in ZAP along with the URLs/endpoints called, under "Sites".
As a side note: if, after configuring both tools and making a request via Postman, you see an error within Postman stating "SSL Error: Self signed certificate in certificate chain", you could click on "Disable SSL Verification" in order to be able to run the requests and avoid this error. You might see this error because the requests are being sent through ZAP (which uses a self-signed SSL certificate) to capture the request and response being sent. By default, this certificate is not trusted by your system, browser, or Postman.
You can also go into Postman's "Preferences" and disable "SSL certificate verification" under the "General" tab.
I'm sure there are other great tools and ways of achieving what the original poster was asking but this is just one way they could consider.
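The same Postman-through-ZAP setup can be driven from a script, which is handy once the collection runner is replaced by automated API tests. The block below is an added example and not code from the thread or from the ZAP project: it builds a client that routes HTTP and HTTPS through ZAP on localhost:12345 (the port configured above) while trusting ZAP's own root CA instead of switching certificate verification off, and it triages a ZAP alert list so that already-reviewed false positives and low-risk noise are dropped before anyone reads it. The CA file path is an assumption, and the alert records are constructed in the shape of ZAP's JSON alerts view.

```python
# Added example (not code from the thread): send requests through ZAP from a
# script and triage the alerts ZAP raises. Assumes ZAP listens on localhost:12345
# as configured above; the CA file path and the alert records are constructed.
import json
import ssl
import urllib.request
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

ZAP_PROXY = "http://localhost:12345"  # ZAP "Local Proxies" address:port from the post
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def make_zap_opener(proxy: str = ZAP_PROXY, zap_ca_file: Optional[str] = None):
    """Build a urllib opener that routes HTTP and HTTPS through ZAP.

    Rather than disabling certificate verification, trust the root CA that ZAP
    generates (export it from ZAP's options; the path is an assumption here) so
    the interception stays verified. zap_ca_file=None keeps the system trust
    store, which is exactly what produces the self-signed-certificate error
    described above.
    """
    ctx = ssl.create_default_context(cafile=zap_ca_file)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
    )


def proxy_targets(opener) -> Dict[str, str]:
    """Return the scheme -> proxy map the opener will use (to check the setup)."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return dict(handler.proxies)
    return {}


# Constructed sample in the shape of ZAP's JSON alerts view (pluginId, risk, alert, url, ...).
SAMPLE_ALERTS: List[Dict[str, str]] = json.loads("""[
  {"pluginId": "10021", "risk": "Low", "confidence": "Medium",
   "alert": "X-Content-Type-Options Header Missing",
   "url": "https://api.example.test/v1/users", "method": "GET", "param": "x-content-type-options"},
  {"pluginId": "40018", "risk": "High", "confidence": "Medium",
   "alert": "SQL Injection",
   "url": "https://api.example.test/v1/users", "method": "GET", "param": "id"},
  {"pluginId": "10096", "risk": "Informational", "confidence": "Low",
   "alert": "Timestamp Disclosure",
   "url": "https://api.example.test/v1/health", "method": "GET", "param": ""},
  {"pluginId": "10021", "risk": "Low", "confidence": "Medium",
   "alert": "X-Content-Type-Options Header Missing",
   "url": "https://api.example.test/v1/health", "method": "GET", "param": "x-content-type-options"}
]""")


def triage(alerts: List[Dict[str, str]],
           accepted: Iterable[Tuple[str, str]] = frozenset(),
           min_risk: str = "Low") -> Tuple[Dict[str, List[Tuple[str, str, str]]], Dict[str, int]]:
    """Reduce a ZAP alert list to what still needs a human look.

    `accepted` holds (pluginId, url) pairs already reviewed and judged to be
    false positives or accepted risk; anything below `min_risk` is dropped.
    Returns alerts grouped by endpoint (worst risk first) and a count per risk.
    """
    accepted = set(accepted)
    limit = RISK_ORDER[min_risk]
    kept = [a for a in alerts
            if (a["pluginId"], a["url"]) not in accepted
            and RISK_ORDER.get(a["risk"], len(RISK_ORDER)) <= limit]
    kept.sort(key=lambda a: (RISK_ORDER[a["risk"]], a["url"], a["alert"]))
    by_url: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    counts: Dict[str, int] = {}
    for a in kept:
        by_url[a["url"]].append((a["risk"], a["alert"], a["param"]))
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    return dict(by_url), counts


if __name__ == "__main__":
    # With ZAP running, make_zap_opener(ZAP_PROXY, "/path/to/zap_root_ca.pem").open(url)
    # would send a call through it; here only the constructed alert sample is triaged.
    grouped, counts = triage(SAMPLE_ALERTS,
                             accepted={("10021", "https://api.example.test/v1/health")})
    for url, findings in grouped.items():
        print(url)
        for risk, name, param in findings:
            print(f"  [{risk}] {name} (param: {param or '-'})")
    print(counts)
```

The accepted list is the place to record the tuning the later replies talk about: each (rule, endpoint) pair that has been looked at and dismissed stays dismissed on the next run, so only new or higher-risk alerts surface, and the decision is kept in code rather than in someone's memory.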
That's the approach I would take, alternatively with BurpSuite Pro.
One thing to note is that it will take a lot of time to get used to the nuances of tools like ZAP, Burp and others. They need a lot of tuning, monitoring and learning to get the best from them (like any tool). The amount of false positives might be daunting, but eventually you'll be able to filter those out, and focus on those issues that really are valuable to explore.
In my opinion, both API and security testing are tasks that involve extensive complexities and need dedicated efforts. Therefore, it is a good idea that any QA service keep both these tasks separate and use different tools for API testing and security testing.
However, if it is a scenario where you need to run security testing for the SOAP and REST API itself, then you can go for tools like Katalon Studio, Postman, or AccelQ.
On the other hand, security testing initiatives could be worked well using Acunetix or ZAP (Zed Attack Proxy).