SoapUI

SoapUI is the world's most widely used open-source testing tool for Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) APIs. While originally built for functional testing, it has evolved into a critical asset for cybersecurity professionals, specifically for API Security Testing.

In the context of cybersecurity, SoapUI is used for Dynamic Application Security Testing (DAST) of Application Programming Interfaces (APIs). It allows testers to verify that data exchanges between servers and clients are secure, compliant, and resilient to common cyberattacks.

Core Capabilities for Security Testing

SoapUI provides specialized tools to uncover vulnerabilities in the API layer.

  • API Fuzzing: SoapUI can inject random, invalid, or unexpected data into API parameters to test how the system handles errors. This helps identify potential crashes or unauthorized access points.

  • Vulnerability Scanning: The tool includes pre-built security scans that automatically test for known weaknesses, such as weak authentication or poor session management.

  • Boundary Scan: This feature tests the application's response to values at the extreme ends of the acceptable range (e.g., very large numbers or long strings) to detect buffer overflow vulnerabilities.

  • Malicious Payload Injection: Testers can manually or automatically insert malicious scripts or code snippets into API requests to see if they are executed by the server.

Common Security Scans in SoapUI

SoapUI comes equipped with specific scan generators that target the most prevalent API vulnerabilities.

  • SQL Injection (SQLi): Tests if the API is vulnerable to code injection attacks that could allow an attacker to interfere with the application's database queries.

  • Cross-Site Scripting (XSS): Checks if the API reflects input back to the user without proper sanitization, which could lead to script execution in a client's browser.

  • XPath Injection: Specifically targets XML-based APIs such as SOAP services. It attempts to manipulate XML data processing to access unauthorized information.

  • XML Bomb: A Denial of Service (DoS) test that sends a small, valid XML file that expands exponentially when parsed, attempting to crash the server.

The Role of SoapUI in DevSecOps

SoapUI is widely used in DevSecOps environments due to its automation capabilities.

  • Shift-Left Security: By integrating SoapUI security tests into the Continuous Integration/Continuous Deployment (CI/CD) pipeline, teams can detect API vulnerabilities early in the development process, before the code is deployed to production.

  • Regression Testing: Security tests can be saved and re-run automatically whenever the API is updated, ensuring that new code changes do not introduce new security flaws.

  • Compliance Verification: Organizations use SoapUI to generate reports that demonstrate their APIs meet specific security standards required for regulatory compliance.

Frequently Asked Questions About SoapUI

Is SoapUI free?

Yes, SoapUI has a robust Open Source version that is free to use. There is also a commercial version called ReadyAPI (formerly SoapUI Pro) that offers advanced features, reporting, and support.

What is the difference between SoapUI and Postman?

While both are API testing tools, SoapUI was originally designed for complex SOAP- and XML-based testing and offers deep legacy support, making it a favorite in enterprise environments. Postman started as a REST client and is often considered more user-friendly for modern REST APIs, though both tools now support both protocols.

Can SoapUI test REST APIs?

Yes. Despite the "SOAP" in its name, the tool is fully capable of testing RESTful web services, JMS, AMF, and JDBC calls.

Does SoapUI require coding skills?

Basic testing can be done via the graphical interface without coding. However, to create complex security scenarios or custom assertions, knowledge of Groovy scripting (a JVM language similar to Java) is often required.

Integrating ThreatNG and SoapUI for API Security

Combining ThreatNG’s external attack surface management with SoapUI’s deep API testing capabilities creates a comprehensive security framework. ThreatNG provides the "outside-in" visibility to identify all potential API endpoints and risks, while SoapUI delivers the "inside-out" technical validation to test those endpoints for exploitability.

Enhanced External Discovery for API Targeting

ThreatNG acts as the reconnaissance engine that fuels SoapUI’s testing activities. One of the primary challenges in API security is maintaining an accurate inventory of what needs to be tested.

  • Discovery of Shadow APIs: ThreatNG’s External Discovery capabilities perform purely external, unauthenticated discovery without agents. This allows it to identify "Shadow IT"—such as forgotten development subdomains (e.g., dev-api.target.com) or legacy microsites—that standard asset lists often miss.

  • Target List Generation: Once ThreatNG maps the digital footprint, it provides a validated list of active domains and subdomains. Security teams can feed these newly discovered endpoints into SoapUI to ensure that vulnerability scans cover the entire attack surface, not just the documented "happy path" APIs.

External Assessment and Validation

ThreatNG performs high-level assessments to identify susceptibility, which SoapUI then validates through rigorous testing.

Web Application Hijack Susceptibility

  • ThreatNG Role: The solution assesses the presence of key security headers on discovered subdomains. It specifically flags the absence of Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), and X-Frame-Options.

  • SoapUI Integration: Upon receiving a report of missing headers from ThreatNG, SoapUI can be configured to run specific assertion tests against those endpoints. For example, if ThreatNG identifies a missing X-Frame-Options header on an API documentation portal, SoapUI can simulate a clickjacking attack to verify whether the site can actually be framed and exploited.
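
The header assertion described above, written as a standalone check (an added example, not SoapUI or ThreatNG code, and not SoapUI's Groovy assertion API). It evaluates the three headers the text names, treats the one-year HSTS minimum as an assumption, and runs against constructed sample responses rather than a live host.

```python
# Standalone security-header check mirroring the assertion described above.
# Added example; not SoapUI or ThreatNG code. Header names are the ones named
# in the text (CSP, HSTS, X-Frame-Options); the one-year HSTS minimum is an assumption.
from typing import Dict, List

REQUIRED = ("Content-Security-Policy", "Strict-Transport-Security", "X-Frame-Options")
ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age

def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}

def hsts_max_age(value: str) -> int:
    # Parse "max-age=N; includeSubDomains"; return -1 if absent or malformed.
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return -1

def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    h = _lower(headers)
    findings = []
    for name in REQUIRED:
        if name.lower() not in h:
            findings.append(f"missing {name}")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak X-Frame-Options: {xfo}")
    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age too low: {age}")
    csp = h.get("content-security-policy", "")
    if csp and "frame-ancestors" not in csp.lower() and not xfo:
        findings.append("CSP lacks frame-ancestors and no X-Frame-Options: framing not restricted")
    return findings

# Constructed sample responses (not captured from any real host).
WEAK = {"Content-Type": "application/json", "Strict-Transport-Security": "max-age=300"}
GOOD = {"content-security-policy": "default-src 'self'; frame-ancestors 'none'",
        "strict-transport-security": "max-age=63072000; includeSubDomains",
        "x-frame-options": "DENY"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("good", GOOD)):
        print(label, check_security_headers(hdrs))
```

The same logic ports directly into a SoapUI Groovy Script Assertion, where the response headers are read from the message exchange instead of a dictionary.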

Mobile App Exposure

  • ThreatNG Role: ThreatNG evaluates mobile applications in public marketplaces to find hardcoded secrets. It scans for Access Credentials (such as AWS API keys) and Platform-Specific Identifiers (such as Firebase URLs) left in the code.

  • SoapUI Integration: Security teams can extract these leaked credentials and use SoapUI to authenticate against the backend APIs. This allows testers to determine the severity of the leak—whether the exposed key provides read-only access or full administrative control over the backend database.

Empowering Investigation Modules

ThreatNG’s investigation modules provide the context required to create intelligent, targeted SoapUI test cases.

Sensitive Code Exposure

  • ThreatNG Context: This module monitors public code repositories (like GitHub) for leaked configuration files, API Keys, and Database Credentials.

  • SoapUI Application: If ThreatNG discovers a public repository containing a Swagger definition or a Postman collection, this structural data can be directly imported into SoapUI. This allows the testing team to instantly generate a full suite of functional and security tests for an API that was previously unknown or undocumented.
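
How a discovered Swagger/OpenAPI definition becomes a test inventory, as an added example (not SoapUI's importer or ThreatNG code). It parses a constructed OpenAPI 3 document embedded inline, lists every operation with its parameters, and flags operations that declare no authentication so they are scanned first; the spec's server URL and endpoints are illustrative.

```python
# Added example, not SoapUI/ThreatNG code: turn an OpenAPI (Swagger) document
# into the endpoint inventory a security test suite should cover, flagging
# operations that declare no authentication so they get tested first.
import json
from typing import Dict, List, Tuple

# Constructed sample spec; the server URL and endpoints are illustrative, not a real API.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.invalid/v1"}],
    "components": {"securitySchemes": {"apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "security": [{"apiKey": []}],
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}]},
            "delete": {"security": [{"apiKey": []}]},
        },
        "/health": {"get": {"security": []}},
        "/search": {"get": {"parameters": [{"name": "q", "in": "query", "schema": {"type": "string"}}]}},
    },
})

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")

def inventory(spec_json: str) -> List[Dict]:
    """Return one record per operation: url, method, params, and whether it is unauthenticated."""
    spec = json.loads(spec_json)
    base = spec.get("servers", [{}])[0].get("url", "")
    global_sec = spec.get("security", [])
    records = []
    for path, item in sorted(spec.get("paths", {}).items()):
        shared = item.get("parameters", [])  # path-level parameters apply to every operation
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            # Operation-level "security" overrides the global list; [] means no auth required.
            sec = op.get("security", global_sec)
            params = [(p["name"], p["in"], p.get("schema", {}).get("type", "string"))
                      for p in shared + op.get("parameters", [])]
            records.append({"url": base + path, "method": method.upper(),
                            "params": params, "unauthenticated": len(sec) == 0})
    return records

def unauthenticated_operations(spec_json: str) -> List[Tuple[str, str]]:
    """Operations reachable without credentials: the first candidates for fuzzing and injection scans."""
    return [(r["method"], r["url"]) for r in inventory(spec_json) if r["unauthenticated"]]

if __name__ == "__main__":
    for rec in inventory(SAMPLE_SPEC):
        print(rec)
```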

Technology Stack

  • ThreatNG Context: ThreatNG identifies the underlying technologies powering an organization's infrastructure, categorizing them into groups like DevOps or E-commerce. It can pinpoint specific web servers (e.g., Nginx, Apache) and framework versions.

  • SoapUI Application: Knowing the exact technology stack allows SoapUI users to tailor their attack vectors. If ThreatNG reports that an API is running on an outdated version of PHP, SoapUI testers can focus their "Malicious Payload Injection" tests on known PHP vulnerabilities rather than wasting time on irrelevant .NET or Java exploits.

Intelligence Repositories (DarCache)

ThreatNG’s DarCache repositories enrich SoapUI findings with real-world threat intelligence.

  • Risk Prioritization: If SoapUI identifies a technical vulnerability, such as an SQL Injection flaw in a specific API endpoint, ThreatNG helps prioritize the fix. By cross-referencing the finding with Ransomware Groups and Dark Web repositories, ThreatNG can inform the team whether that specific SQLi vector is currently being leveraged by active ransomware gangs or whether the data behind that API is already appearing on dark web marketplaces.

Reporting and Continuous Monitoring

The cooperation between these solutions ensures that the security posture is monitored in near real-time.

  • Continuous Loop: ThreatNG provides Continuous Monitoring of the external attack surface. When it detects a significant change—such as a new API gateway coming online or a change in a subdomain's IP address—it can alert security teams to initiate a focused SoapUI scan. This ensures that new assets are tested immediately upon deployment.

  • Unified Reporting: ThreatNG’s reporting capabilities, which include Security Ratings and mappings to frameworks like PCI DSS and GDPR, are bolstered by SoapUI’s technical evidence. A ThreatNG report might highlight a "High Risk" due to exposed infrastructure, while the attached SoapUI data provides a "Proof of Concept" demonstrating exactly how that exposure can be compromised.

Cooperation with Complementary Solutions

ThreatNG and SoapUI often work in tandem as part of a broader "Detection and Validation" architecture within a DevSecOps pipeline.

  • CI/CD Pipeline Integration: In a continuous integration environment, ThreatNG acts as the "Scope Definer." It periodically scans the perimeter to ensure the asset inventory is up to date. This inventory is then used to update the CI/CD pipeline configuration, ensuring that the automated SoapUI tests running in the build process always target the correct, most current list of assets.

  • Defensive Tuning (WAFs): ThreatNG identifies the presence of Web Application Firewalls (WAFs) and determines if they are properly covering all subdomains. SoapUI then tests the effectiveness of these WAFs by launching simulated attacks. If SoapUI's attacks penetrate the WAF, the data is fed back to the engineering team to tune the WAF rules, closing the gap identified by the combined testing.

FAQ: ThreatNG and SoapUI Cooperation

How does ThreatNG improve SoapUI scans?

ThreatNG provides the target list. Without ThreatNG, SoapUI can only test known APIs. ThreatNG discovers the unknown and "Shadow" APIs, ensuring SoapUI scans the entire attack surface.

Can ThreatNG detect if an API is vulnerable?

ThreatNG detects susceptibility (e.g., missing headers, exposed keys). SoapUI confirms exploitability (e.g., by successfully injecting code).

Do they share data directly?

They function as complementary layers. ThreatNG’s output (asset lists, leaked keys, technology data) serves as the input for SoapUI’s test configurations, creating a workflow where intelligence drives action.
