
Schema-Based Testing

Wallarm's Schema-Based Testing is designed to perform dynamic security testing of your applications and APIs to identify a wide range of vulnerabilities - including those outlined in both the OWASP Top 10 and the OWASP API Security Top 10 - through comprehensive, automated tests.

Schema-Based Testing capabilities:

  • Deep, dynamic analysis of API endpoints.

  • Detection of vulnerabilities in the application or API itself, as well as security misconfigurations in the underlying infrastructure or environment.

  • Visualization of found issues in the Wallarm Console's Security Issues section.

  • Lightweight execution via Docker container.

Schema-Based Testing - test runs

How it works

Use Schema-Based Testing by fulfilling the following steps:

  1. Create test policy: specify the target application, provide its OpenAPI specification or Postman collection together with the base URL, and select the tests to run.

  2. Copy Docker command: find your test policy on the Test policies tab, click it, and copy the provided Docker command.

  3. Run and monitor: start the agent with the command. Track progress and view results on the Test runs tab.

Schema-Based Testing - how it works

Test basis

Schema-Based Testing can base its tests on:

  • OpenAPI specification (OAS) - a precise, machine-readable blueprint of your API that allows an efficient and reliable test suite to be built for your application. OAS-based testing is focused on input validation, injection, and misconfiguration detection.

  • Postman collection - if you use the Postman API design platform, the functional tests from its collections can be reused to build security tests alongside them. See details. Postman collection-based testing is focused on complex business logic and access control vulnerabilities.

Test types

For OpenAPI specification-based tests, Schema-Based Testing uses three types of tests to detect security issues:

  • Environment misconfiguration tests check for vulnerabilities and misconfigurations in the environment or infrastructure the application and APIs run on, not in the API logic itself. Examples:

    • Exposed source code, backups, configuration files.
    • Accessible .git, .env, or system files.
    • Insecure web server settings (e.g., directory listing, weak TLS).

  • GraphQL vulnerability detection checks for the 10 most common GraphQL misconfigurations (OWASP API Security Top 10 categories API2 and API4).

  • Input parameter tests check each input point (parameters, headers, etc.) defined in the OpenAPI specification for application-level vulnerabilities. Covered vulnerabilities:

    • Command injection
    • CRLF injection
    • LFI / RFI
    • NoSQL injection
    • Open redirect
    • Path traversal
    • Remote code execution (RCE)
    • SQL injection
    • SSRF
    • SSTI
    • XSS
    • XXE
    • Infoleak

Enabling and setup

To start using Schema-Based Testing, enable and configure it as described in Schema-Based Testing Setup.