🔒 OWASP API Security Training

SoapUI - SOAP & REST API Testing Tool

Introduction to SoapUI

SoapUI is a specialized tool designed for testing SOAP and REST web services. While it may not be everyone's preferred tool, it provides robust capabilities for interacting with SOAP services that require XML-based communication. SoapUI offers a comprehensive environment for API testing, assertions, and validation.

Important Note: SoapUI excels at handling SOAP services with XML requests. While similar tools like Postman exist, SoapUI remains a specialized solution for SOAP protocol testing and is sometimes required in enterprise environments.

SOAP vs REST: Quick Comparison

Feature       | SOAP                             | REST
Protocol      | XML-based protocol               | Architectural style
Data Format   | XML only                         | JSON, XML, HTML, plain text
Communication | Requires WSDL                    | Uses standard HTTP methods
Complexity    | More complex, stricter standards | Simpler, more flexible
Performance   | Slower due to XML parsing        | Faster, lightweight

SoapUI Key Features

🔄 WSDL Import

Automatically import WSDL files to generate service definitions and operations instantly.

📝 XML Request Builder

Built-in tools for creating and editing complex XML SOAP requests with validation.

✅ Assertions

Create automated assertions to validate response data, status codes, and content.

🌐 REST Support

Not limited to SOAP - can also create and test RESTful API projects.

🔍 Service Testing

Comprehensive testing capabilities for functional, load, and security testing.

🎯 Mock Services

Create mock services to simulate API behavior during development and testing.

Installation & Setup

Installation Steps

Step 1: Download SoapUI from https://www.soapui.org/downloads/soapui/
Step 2: Run the installer executable (Windows/Mac/Linux)
Step 3: Follow the installation wizard to complete setup
Step 4: Launch SoapUI from your applications menu

Initial Configuration

Once installed, SoapUI provides a clean interface ready for project creation. The tool requires minimal configuration out of the box, making it easy to start testing immediately.

Working with SoapUI

Creating a SOAP Project

Step 1: Launch SoapUI and click "File" → "New SOAP Project"
Step 2: Enter a project name
Step 3: Provide the WSDL URL or file path
Step 4: Click "OK" to import all services and operations
Step 5: Expand the service tree to view available operations

Creating a REST Project

Step 1: Click "File" → "New REST Project"
Step 2: Enter project name and base URI
Step 3: Add resources and methods (GET, POST, PUT, DELETE)
Step 4: Configure parameters, headers, and body content
Step 5: Execute requests and analyze responses

SOAP Request Example

Sample SOAP Request Structure

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <authentication>
      <username>testuser</username>
      <password>testpass</password>
    </authentication>
  </soap:Header>
  <soap:Body>
    <GetUserInfo xmlns="http://example.com/api">
      <userId>12345</userId>
    </GetUserInfo>
  </soap:Body>
</soap:Envelope>

Sending Requests in SoapUI

Step 1: Right-click on the operation → "Show Request Editor"
Step 2: Modify the XML request with your parameters
Step 3: Click the green "play" button to send the request
Step 4: View the response in the right panel

Working with Assertions

Types of Assertions

  • Contains Assertion: Verify that response contains specific text or values
  • Not Contains Assertion: Ensure response does not contain certain content
  • XPath Match: Use XPath expressions to validate XML structure
  • Response Time: Assert that response time is within acceptable limits
  • HTTP Status Code: Validate correct status codes (200, 404, 500, etc.)
  • Schema Compliance: Verify response matches expected XML schema

Adding Assertions

Step 1: Click on a request in your test case
Step 2: Click the "Assertions" button (+ icon) at the bottom
Step 3: Select assertion type from the dialog
Step 4: Configure assertion parameters
Step 5: Save and run the test to validate

SoapUI Workflow Diagram

SoapUI Testing Workflow

Workflow: START → Create SOAP/REST Project → Import WSDL or Define Endpoints → Build XML/JSON Request → Send Request to Service → Add Assertions (Optional) → Analyze Response & Results
Step notes from the diagram: SOAP Projects; REST Projects; Auto-generate operations; Edit XML/JSON; Set parameters; Execute request; View response

SoapUI vs Postman

Aspect           | SoapUI                             | Postman
Primary Focus    | SOAP & Enterprise Web Services     | REST APIs & Modern Web Services
Learning Curve   | Steeper, more complex interface    | Gentler, intuitive UI
WSDL Support     | Excellent, automatic import        | Limited, requires manual setup
Testing Features | Advanced functional & load testing | Basic to intermediate testing
User Interface   | Desktop-focused, feature-rich      | Modern, web-based option available
Best Use Case    | Enterprise SOAP services           | REST APIs & modern development

Practical Demonstration Commands

Basic Operations

File → New SOAP Project → Enter WSDL URL → OK
File → New REST Project → Enter Service Endpoint → OK
Right-click Operation → New Request → Name Request → OK
Edit XML Request → Click Green Play Button → View Response
Right-click Request → Add to TestCase → Select TestSuite → OK

Assertion Commands

Click Request → Click Assertions Tab → Add Assertion (+)
Select "Property Content" → "Contains" → Enter Expected Text → OK
Select "Compliance, Status, Standards" → "Valid HTTP Status Codes" → Configure → OK
Select "Script Assertion" → Write Groovy Script → Save
Run TestCase → View Assertion Results in Log
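
A Script Assertion of the kind named in the steps above, as an added example rather than code from this training page or from SoapUI itself. It combines the XPath Match, Not Contains and Response Time checks for the GetUserInfo request shown earlier; the `GetUserInfoResponse` element, the leak-marker list and the 2000 ms limit are assumptions, and a constructed sample response is used when the script runs outside SoapUI.

```groovy
import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.xpath.XPathFactory
import org.xml.sax.InputSource

// Constructed list of strings that suggest leaked backend error detail.
def leakMarkers = ['SQLException', 'ORA-', 'syntax error', 'at java.', 'Traceback']
def soapNs = 'http://schemas.xmlsoap.org/soap/envelope/'

// Returns a list of failure messages; an empty list means the response passed.
def checkResponse = { String xml, String expectedUserId, long tookMs, long maxMs ->
    def failures = []
    def dbf = DocumentBuilderFactory.newInstance()
    dbf.namespaceAware = true
    // Refuse DOCTYPE so the assertion's own parser is not exposed to XXE or entity expansion.
    dbf.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true)
    def doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))

    // XPath Match: the userId returned must be the one that was requested.
    // GetUserInfoResponse is a hypothetical element name (no WSDL on the page).
    def returnedId = XPathFactory.newInstance().newXPath().evaluate(
        "//*[local-name()='GetUserInfoResponse']/*[local-name()='userId']", doc)
    if (returnedId != expectedUserId) {
        failures << "userId mismatch: expected ${expectedUserId}, got '${returnedId}'"
    }
    // A SOAP Fault is a failure for this positive test.
    if (doc.getElementsByTagNameNS(soapNs, 'Fault').length > 0) { failures << 'SOAP Fault returned' }
    // Not Contains: no backend error text in the body.
    leakMarkers.findAll { xml.contains(it) }.each { failures << "response leaks '${it}'" }
    // Response Time: stay under the limit.
    if (tookMs > maxMs) { failures << "took ${tookMs} ms, limit is ${maxMs} ms" }
    return failures
}

// Constructed sample response, used only when the script runs outside SoapUI.
def sample = '''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUserInfoResponse xmlns="http://example.com/api">
      <userId>12345</userId>
    </GetUserInfoResponse>
  </soap:Body>
</soap:Envelope>'''

// SoapUI supplies messageExchange to a Script Assertion; fall back to the sample otherwise.
def inSoapUI = binding.hasVariable('messageExchange')
def body = inSoapUI ? messageExchange.responseContent : sample
def elapsed = inSoapUI ? messageExchange.timeTaken : 120L
def problems = checkResponse(body, '12345', elapsed, 2000L)
assert problems.isEmpty() : problems.join('; ')
```

The userId comparison is the check that catches a service returning a different user's record than the one requested, which a plain Contains assertion on the status text would miss.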

Advanced Features

Project → New TestSuite → Name TestSuite → OK
TestSuite → New TestCase → Name TestCase → OK
TestCase → Add Test Step → Select Type → Configure
Right-click TestCase → Load Test → Configure Parameters → Run
Tools → Preferences → Configure Proxy/Security Settings

Security Testing with SoapUI

Security Scan Types

SQL Injection

Test for SQL injection vulnerabilities in SOAP parameters and REST endpoints.

XSS Testing

Detect cross-site scripting vulnerabilities in API responses.

XML Bomb

Test how the service handles malicious XML, such as XML external entity (XXE) and billion laughs (entity expansion) payloads.

Boundary Scan

Test boundary values to find overflow and validation issues.

Running Security Scans

Right-click on Request → New Security Test → Name Test → OK
Select Test Steps → Add Security Scan → Choose Scan Type
Configure Scan Parameters → Apply Strategy
Click Run Button → Monitor Scan Progress
Review Results → Export Report for Documentation

Best Practices

Pro Tips:
  • Always validate WSDL files before importing to avoid errors
  • Use meaningful names for projects, test suites, and test cases
  • Leverage assertions to create automated validation tests
  • Save requests as templates for reusability
  • Document your test cases with descriptions and comments
  • Use environment variables for endpoint URLs to switch between dev/staging/prod
  • Regularly export project files as backups
  • Utilize mock services for development when real services are unavailable

⚠️ Common Pitfalls:
  • Not validating WSDL structure before use
  • Ignoring SSL/TLS certificate validation in production
  • Overlooking authentication requirements
  • Not setting appropriate timeouts for long-running operations
  • Failing to clean up test data after test execution

When to Use SoapUI

Ideal Scenarios

  • Legacy Enterprise Systems: When working with older SOAP-based enterprise services
  • WSDL-Based Services: When you need to import and test services defined by WSDL
  • Comprehensive Testing: When you need functional, load, and security testing in one tool
  • Corporate Requirements: When SoapUI is mandated by your organization
  • Advanced Assertions: When you need complex validation logic with Groovy scripting

Consider Alternatives When

  • Working primarily with modern REST APIs
  • You need a simpler, more intuitive interface
  • Collaborating with teams who prefer Postman
  • You want better documentation and collection sharing features
  • Mobile or web-based testing is preferred

Conclusion

SoapUI is a powerful tool for testing SOAP and REST web services, particularly in enterprise environments where SOAP services are prevalent. While it may have a steeper learning curve compared to tools like Postman, its specialized features for SOAP testing make it invaluable in certain scenarios.

The key is understanding when to use SoapUI versus other tools. For SOAP services with WSDL definitions, SoapUI excels. For modern REST APIs, you might find Postman more intuitive. Both tools have their place in an API security tester's toolkit.

Final Recommendation: While personal preference may lean toward Postman for REST APIs, it's essential to be familiar with SoapUI for enterprise SOAP services. Explore the tool through practical demonstrations and hands-on practice to build proficiency. The more you use it, the more comfortable you'll become with its interface and capabilities.