web services and introduction of soapui
TRANSCRIPT
Web Services and Introduction of SOAPUI
Dinesh kaushik
+91-9555927575
Discussion Points
● What are web services?● Component of web services● Architecture● Operations in web service architecture● Diagram of web service architecture● Types of web services● What is SoapUI● SoapUI test structure
Discussion Points(Continued..)
● Creating a new SOAP project● Adding a TestSuite● Adding a Test ● Assertion● SoapUI Pro
What are web services
● Web services are the method of communication between the systems over a network.
● This communication is done over http platform.● XML is used to encode all communication in form of
XML message.● It is not tied to any particular Operating system or any
programming language.
Components of web services
All standard web services uses the following components.
1. XML2. SOAP3. WSDL4. UDDI
SOAP
● Its stand for Simple Object Access Protocol● It is an XML based protocol for exchanging the
information between the computers.● It can extend extends HTTP for XML messaging.● It is an XML way of defining what information gets sent.● It is platform and language independent.
WSDL
● It stands for Web Service Description Language.● It is a standard format for describing the web services.● Its definition describe how to access a web service and
what operation it will perform.● It was developed jointly by microsoft and IBM.
UDDI
● It stands for Universal Description,Discovery and Integration
● It is an XML standard for describing,finding and publishing the web services.
● It communicate via SOAP,CORBA and Java RMI protocol.
● It is platform independent and open framework.
Architecture
There are three major roles with in web service architecture.
● Service Provider : It implements the service and make it available on internet.
● Service Requester : It utilizes existing web service by opening a network connection and sending an XML request.
● Service registry : It is a central place where developers can publish new services or find the existing one.
Operations in web service architecture
There are three major types of operations performed in web service architecture.
● Publish : A service description needs to be published so that a service requester can find it.
● Find : In this operation,service requester retrieves a service description directly or queries the service registry for the type of service required.
● Bind : In this operation,a service requestor use the binding detail to invoke the service.
Diagram of web service architecture
Type Web Services
● XML-RPC● SOAP● REST
What is SoapUI
● SoapUI is a API testing tool which is free and open source cross-platform for Functional Testing solution.
● SoapUI provides complete test coverage and supports all the standard protocols and technologies.
● SoapUI allows you to easily and rapidly create and execute automated functional, load tests and security testing.
SoapUI Test structure
It structures functional tests into three level.
● Test Suites● Test Cases● Test Steps
Test Suite
● It is a collection of test cases that can be used for grouping functional tests into logical units
● We can create any number of test suites inside the soapUI project.
Test Case
● It is a collection of test steps that are assembled to test
some specific aspect of your service.● We can add any number of test cases to a containing
test suite.● We can even modularize them to call each other for
complex test scenarios.
Test Steps
● These are “building blocks” of functional tests in soapUI.
● They are added to a Test Case and used to control the flow of execution.
● Validate the functionality of service to be tested.
Creating a new SoapUI project
● Start SoapUI● Click on “File”● Click on “New Soap Project”.● Add Project Name and URL● Select the checkbox option● Click on “OK”
New SOAP Project window
Adding a TestSuite
● Right click on the name of interface● Click on “Generate TestSuite”.● A dialog box will show up where you can customize the
generation
Adding a Test
● Expand the tree until the test steps have been unfolded.
● Double click on the test step. A sample request should appear in the request editor.
Assertion
● It gives an indication that your test case has been passed or failed.
● If we add at least one assertion,it will warn us about the problem which failed our test case.
Adding an assertion
● Click on the label “Assertions” at the bottom of the request editor.
● This will expand the assertions editor. It is empty.● Click on the small +-sign at the top of the assertions
editor.● Select “Property Content assertions.” The first one in
the list is a Contains assertion.
● Let’s use that one. Click on the “Contains” box ● Click on “Add” to add it to the test case.
Verify a range
We need the assertion “Range” when value is expected to change then we need a test that can handle a range instead of fix value.
Steps to add range
● Click on the label “Assertions” at the bottom of the request editor.
● Click on the small +-sign at the top of the assertions editor.
● Select “Property Content.”● Select “XPath match” and click “Add.”
● Click “Declare” in the XPath editor, SoapUI declared two namespaces for you. They can be called anything. The two namespaces that were declared are called soap and ns1.
● Rename ns1 to something more descriptive.● The next step is to add an XPath3 expression that will
search for the element that contains the conversion rate.
//Web:ConversionRateResult
Verify response time
Verifying the response time is often important. A slow API is a problem waiting to emerge. Customers will probably start to complain when you have a lot of traffic and they don’t get their response quickly enough.
Steps to add response time
● Add a new assertion.● Select “SLA” and “Response SLA.”● Add it.● Specify the desired response time.● Click on “OK”
SOAP UI Pro
It comes with several time saving features aimed at making your testing faster and testing life easier.
● Test Debugging● Multi Environment Support● Data Driven ● Reporting
Security Testing with SOAP UI
Discussion Points
● What is Security Testing● Purpose of Security Testing● Security Test in SOAPUI● Security Scans● Add Security Scan● Add New Security Parameters● Assertions● Execution
What is Security Testing?
● Testing how well the system protects against unauthorized internal or external access.
● To check whether there is any information leakage.● Non-functional testing
Purpose of Security Testing
The purpose of the security test is to discover the vulnerabilities of the application so that the developers can then remove these vulnerabilities from the application and make application and data safe from unauthorized actions.
What is a Security Test in SOAPUI
● A Security Test is used in soapUI to scan your target services for common security vulnerabilities, like for example SQL Injections and XML Bombs.
● Security Tests are layered “on top” of an existing TestCase to which it then applies a configurable number of “Security Scans” which perform the actual vulnerability scanning and detection.
In the main navigator Security Tests are visible under a corresponding “Security Tests” node under the containing TestCase:
Security Scans
● SQL Injection : tries to exploit bad database integration coding
● XPath Injection : tries to exploit bad XML processing inside your target service
● Boundary Scan : tries to exploit bad handling of values that are outside of defined ranges
● Invalid Types : tries to exploit handling of invalid input data
Security Scans
● Malformed XML : tries to exploit bad handling of invalid XML on your server or in your service.
● Malicious Attachment : tries to exploit bad handling of attached files
● Cross Site Scripting : tries to find cross-site scripting vulnerabilities
Add Security Scan
● Once added, double-click a Security Test to see its main configuration and execution window:
● A toolbar with actions related to execution, reports, etc.
● A progress-bar at the top for tracking progress of the Security Test as it executes.
Add Security Scan (Continue)
● A toolbar and list of the TestSteps in the underlying TestCase, with additional information. on execution progress and configured Security Scans for each TestStep.
● a number of log tabs for viewing results from the execution of the Security Test.
Add Security Scan
Add Security Scan
● Add a Security Scan to a TestStep in your Security Tests either with the “Add SecurityScan” button or the corresponding TestStep right-click menu option in the Security Test window.
● You will first be prompted for which type of Security Scan to add (differs based on the underlying TestStep) and then open the corresponding Security Scan configuration window:
Add Security Scan
Security Scan Parameters● Most Security Scans require you define which content
of the underlying request you want to use as placeholders for the corresponding scan, for example for a Rest request you might have a message as follows:
● When performing for example a SQL Injection scan with this request, you would want to send the malicious SQL statements in OS, User Id, Deal Id and version fields, which would require you to define these four as parameters in the table.
Adding New Security Parameters
Adding New Security Parameters
Here you need to specify the following:● The underlying Test Property that contains the
parameter value (for example Request for Rest
requests).
● A unique label for the parameter.
● An optional XPath statement specifying where in the
Test Property value to find the parameter.
Add Assertions
Add Assertions
● The top of the dialog usually contains a table for defining which parameters in the request to use for test testing (see below).
● In the middle there is an area for Security Scan specific configuration components (not used in the above screenshot).
Add Assertions
At the bottom there are a number of tabs for further configuration:● Assertions : the assertions used to validate and check
the response for any signs of a successful security
exploit
● Strategy : settings related to how multiple parameters
should be permutated against each other (see below)
● Advanced : settings specific for the Security Scan (if
applicable)
Security Scan Assertions
● Assertions are used to assess if the responses for the Security Scan requests contain some kind of content that indicates if the target system has a corresponding vulnerability.
● All the standard assertions are available, but also a number of new ones have been added specifically for this purpose.
Security Scan Assertions● Invalid HTTP Codes : Allows you to specify a comma-
separated list of HTTP status codes that should not be returned by the target service. e.g 500, 404, 403.
● Valid HTTP Codes : Allows you to specify a comma-separated list of HTTP status codes that should be returned. e.g 200, 201, 202
Invalid HTTP Codes
Security Scan Assertions● System Information Exposure : Checks the response for
content that reveals system information which could be used by hackers to further exploit any existing vulnerabilities, for example if the response gives away which database version that is being used (in an error message), hackers could use this information to try to exploit known security issues with that database.
Execution
● When a Security Scan is run as part of the containing Security Test, it sends the different mutation requests as configured, mutating the defined parameters for each request.
● The Security Log shows specifically which values were sent for each parameter and request, together with any assertion failures:
Execution
Any Questions
Thanks