Running Attack Vectors

Overview

The Oracle API Gateway Explorer testing utility enables you to insert common security attack vectors into Test Case messages. Attack vectors include SQL injection attacks where a SQL command is inserted as the value of a message parameter in a SOAP message. If the code processing the parameter is carelessly written, it can unknowingly execute the SQL command. For example, this SQL command could return all user data from a Users database, drop a table from a database, or delete an entire database altogether. Because of this, the consequences of not checking for SQL syntax (and other attack vectors) on the server-side can be very serious.

As discussed in the Generating and Running Test Cases tutorial, API Gateway Explorer can auto-generate a Test Case for each SOAP operation defined in a WSDL file. A sample input message is associated with each Test Case. You can then create an Attack Vector Message from the sample by inserting a pre-configured attack vector into the message.

This topic describes the various stages involved in creating and running Attack Vectors.

Configuring an Attack Vector

You can configure Attack Vectors in the Design Mode of the API Gateway Explorer interface. When a Test Case Input has been loaded (usually by loading a WSDL), you can insert Attack Vectors into the message by clicking the Security Vectors tab on the bottom of the screen.

All pre-configured attack vectors are listed by name in the table on the left of the screen. You can add a new attack vector by clicking the Edit List link at the bottom. You can use the Security Attack Vectors dialog to add a new Attack Vector to the library.

Click the Add Attack Vector button in the toolbar, and enter a name for the new vector in the field provided. On clicking the OK button, the new Attack Vector name is displayed in the table. You can then enter the content of the Vector in the text area. You can edit any of the existing Attack Vectors by clicking the Vector's name in the table, and entering the new content in the text area. Similarly, you can remove an existing attack vector by clicking it in the table, and clicking the Remove Attack button in the toolbar.

Click the Close button when you have finished adding your attack vectors. In the next section, you can find out how to insert these attack vectors into sample messages.

Inserting Attack Vectors into Sample Messages

Complete the following steps to insert Attack Vectors into sample SOAP messages and send them to a Web service. This feature is only available in the Design Mode of API Gateway Explorer, so you must select the Design button on the right of the toolbar.

Step 1: Load the WSDL File

You must first auto-generate your Test Cases using a WSDL file. To do this, select the Import WSDL button at the top of the API Gateway Explorer interface. The WSDL can be loaded from a file, URL, or a UDDI registry. For more details, see the topic on Retrieving WSDL files from a UDDI registry. Click the Next button when you have specified the WSDL.

Step 2: Select the Operations

On the WSDL Operations screen, select the SOAP operations that you wish to generate Test Cases for by selecting the boxes next to the required operations. Click the Finish button when you have selected the operations. You can see your newly generated Test Suite and its Test Cases in the Navigator panel.

Note

You can only generate Test Cases for those operations that have a SOAP binding.

Step 3: Open the Security Vectors Screen

Select the Test Case Input (node) in the Test Navigator, and click the Security Vectors tab at the bottom of the Design Mode screen. You can see the list of Security Vectors in the table on the left and the Test Case Input message in the text area on the right. You can add any new Attack Vector at this time by clicking the Edit List button as described in the previous section.

Step 4: Insert the Attack Vector into the Message

To insert an Attack Vector into the message, select the Attack Vector in the table on the left of the message. Then select the node in the SOAP request where you want to insert the Attack Vector in the source view on the right of the screen. Finally, to insert the Attack Vector, click the Insert button in the middle of the screen. The selected Attack Vector is inserted as the content of the selected node in the message.
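The following is an added example, not code from the Oracle API Gateway Explorer documentation or product. It models the two halves of this topic in plain Python: the Insert action above (replacing the text of a selected node in a sample SOAP request with a vector from the library) and the server-side consequence described in the Overview (a SQL command arriving as a parameter value). The SOAP request, the getUser operation and its namespace, the users table, and the SQL vector are all constructed for the example and are assumptions. The vulnerable lookup builds the query by string concatenation; the hardened lookup binds the value as a parameter, which is the check a practitioner expects to see when an Attack Vector Message returns more data than the sample message did.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample SOAP request, standing in for a Test Case Input
# auto-generated from a WSDL. The operation and namespace are assumptions.
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getUser xmlns="http://example.com/users">
      <username>alice</username>
    </getUser>
  </soap:Body>
</soap:Envelope>"""

# Constructed SQL-injection vector, of the kind kept in the Security Attack Vectors library.
SQL_VECTOR = "' OR '1'='1"

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "u": "http://example.com/users",
}
ET.register_namespace("soap", NS["soap"])


def insert_vector(message: str, node_path: str, vector: str) -> str:
    """Replace the text content of the selected node with the attack vector,
    mirroring the Insert action on the Security Vectors screen."""
    root = ET.fromstring(message)
    node = root.find(node_path, NS)
    if node is None:
        raise ValueError(f"node not found: {node_path}")
    node.text = vector
    return ET.tostring(root, encoding="unicode")


def extract_username(message: str) -> str:
    """What a naive service does first: pull the parameter value out of the Body."""
    root = ET.fromstring(message)
    node = root.find(".//u:username", NS)
    if node is None or node.text is None:
        raise ValueError("username element missing")
    return node.text


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String concatenation: the vector becomes part of the SQL statement itself,
    # so the WHERE clause no longer restricts the result to one user.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameter: the vector is only ever compared as a literal string value.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def run_attack_case() -> dict:
    """Build the Attack Vector Message, then process it the careless way and the safe way."""
    attack_message = insert_vector(SAMPLE_REQUEST, ".//u:username", SQL_VECTOR)
    username = extract_username(attack_message)
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, username),      # every row in the table
        "parameterized": lookup_parameterized(conn, username),  # no row matches the literal
    }


if __name__ == "__main__":
    for handler, rows in run_attack_case().items():
        print(f"{handler}: {len(rows)} row(s) returned")
```

Reading the Results Mode response alongside this: a getUser response that carries every user, rather than the single record the sample message returned, is the signal that the parameter reached the database unparameterized.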

Step 6: Repeat for Multiple SOAP Operations

If you have generated Test Case Inputs for multiple SOAP operations from the WSDL, you can repeat the steps above to insert Attack Vectors into each of the generated requests.

Step 7: Run the Attack Vector Messages

You can run attack vectors at the Workspace, Test Suite, or Test Case level. By right-clicking the Test Case node in the Navigator tree, and selecting the Run menu option, you can just run the Attack Vector Messages associated with that Test Case. Similarly, you can run all Attack Vector Messages associated with a Test Suite by selecting the Test Suite node, and clicking the Run button at the top of the Navigator. (The right-click Run option is also available here.) Finally, you can run all Attack Vector Messages for the Workspace by selecting the Workspace node in the tree and clicking the Run button. The green Run button at the top of the API Gateway Explorer interface will run all tests in the Workspace.

Viewing the Results

When any Attack Vector Messages are run (individually or in batch mode), the results are displayed in the Results Mode of the API Gateway Explorer interface. By default, when tests are run you are automatically presented with the results in the Results Mode screen.

The results are listed according to the name of their Test Suite. You can expand the Test Suite node to display the results of each of the Test Cases. You can then click the Test Case node to display the response from the Web service for the corresponding SOAP operation.

Note

You can format the SOAP response into a more user-friendly format by selecting the Auto Format XML Response box in the Auto Format Response section of the global Preferences dialog. The global Preferences dialog is available from the Window > Preferences top-level menu.

When you expand each of the Test Cases you can see that a number of steps are performed. For a default auto-generated Test Suite there is just a single Connect to URL step. Each of these steps corresponds to a message filter, which can be configured by double-clicking it in the Test Navigator tree.

The Clear Results option is available by right-clicking on any node in the Test Case Results tree and can be used to clear the Results table completely.