Pushing test for Persistent XSS in HTML (#455)
Pushing test for Persistent XSS in HTML

Co-authored-by: Dominik Knut <[email protected]>
Co-authored-by: Karan Preet Singh Sasan <[email protected]>
3 people authored Nov 29, 2023
1 parent cd5f33b commit 2916763
Showing 1 changed file with 379 additions and 0 deletions.
@@ -0,0 +1,379 @@
package org.sasanlabs.service.vulnerability.xss.reflected;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.mockito.Mockito.*;

import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentCaptor;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.sasanlabs.service.vulnerability.xss.persistent.PersistentXSSInHTMLTagVulnerability;
import org.sasanlabs.service.vulnerability.xss.persistent.Post;
import org.sasanlabs.service.vulnerability.xss.persistent.PostRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;

public class PersistentXSSInHTMLTagVulnerabilityTest {
@Mock private PostRepository postRepository;

private PersistentXSSInHTMLTagVulnerability vulnerability;

@BeforeEach
public void setup() {
MockitoAnnotations.initMocks(this);
vulnerability = new PersistentXSSInHTMLTagVulnerability(postRepository);
}

@Test
public void testGetVulnerablePayloadLevel1() {
// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<script>alert('XSS')</script>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel1(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the content of the post being saved
assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue() {
// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<a href='javascript:alert(1)'>Click me</a>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel1(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the content of the post being saved
assertEquals(
"<a href='javascript:alert(1)'>Click me</a>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel2() {
// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel2(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the content of the post being saved
assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel3() {
// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<script>alert('XSS')</script>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel3(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the modified content of the post being saved
assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel4() {
// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel4(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the modified content of the post being saved
assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel5() {
// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<script>alert('XSS')</script>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel5(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the modified content of the post being saved
assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel6() {
// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel6(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the modified content of the post being saved
assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel7() {
// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<script>alert('XSS')</script>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel7(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the modified content of the post being saved
assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel5WithNullByte() {
// Prepare test data with NullByte
Map<String, String> queryParams =
Collections.singletonMap("comment", "<script>\u0000alert('XSS')</script>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel5(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the modified content of the post being saved (assuming it's not modified)
assertEquals("<script>\u0000alert('XSS')</script>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel6WithNullByte() {
// Prepare test data with NullByte
Map<String, String> queryParams =
Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>\u0000");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel6(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the modified content of the post being saved (assuming it's not modified)
assertEquals("<img src='x' onerror='alert(1)'>\u0000", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(200, response.getStatusCodeValue());
}

@Test
public void testGetVulnerablePayloadLevel4WithResponseStatusAssertions() {
// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel4(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the modified content of the post being saved
assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());

// Assert on the HTTP response status code
assertEquals(HttpStatus.OK, response.getStatusCode());
}

@Test
public void testGetVulnerablePayloadLevel6WithHtmlEscaping() {
Post post = new Post();
post.setContent("<img src='x' onerror='alert(1)'>");

when(postRepository.findByLevelIdentifier("LEVEL_6")).thenReturn(Arrays.asList(post));

// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel6(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the content of the post being saved
assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());

// Assert on the modified content of the post being saved (HTML escaped)
assertEquals(
"<div id=\"comments\">&lt;img src='x' onerror='alert(1)'&gt;</div>",
response.getBody());

// Assert on the HTTP response status code
assertEquals(HttpStatus.OK, response.getStatusCode());
}

@Test
public void testGetVulnerablePayloadLevel2_WithPatternReplacement() {
Post post = new Post();
post.setContent("<img src='x' onerror='alert(1)'>");

when(postRepository.findByLevelIdentifier("LEVEL_2")).thenReturn(Arrays.asList(post));

// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel2(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the content of the post being saved
assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());

// Assert on the modified content of the post being saved (pattern replaced)
assertEquals("<div id=\"comments\"> src='x' onerror='alert(1)'></div>", response.getBody());

// Assert on the HTTP response status code
assertEquals(HttpStatus.OK, response.getStatusCode());
}

@Test
public void testGetVulnerablePayloadLevel3_WithResponseContentAssertions() {
Post post = new Post();
post.setContent("<script>alert('XSS')</script>");

when(postRepository.findByLevelIdentifier("LEVEL_3")).thenReturn(Arrays.asList(post));

// Prepare test data
Map<String, String> queryParams =
Collections.singletonMap("comment", "<script>alert('XSS')</script>");

// Perform the test
ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel3(queryParams);

// Verify that the save method is called once
verify(postRepository, times(1)).save(any());

// Capture the argument passed to the save method
ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
verify(postRepository).save(postCaptor.capture());

// Assert on the modified content of the post being saved
assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());

// Assert on the content of the response
assertEquals("<div id=\"comments\">>alert('XSS')</script></div>", response.getBody());

// Assert on the HTTP response status code
assertEquals(HttpStatus.OK, response.getStatusCode());
}
}
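Review bot: Most of these tests never inspect the rendered response: `testGetVulnerablePayloadLevel1`, `testGetVulnerablePayloadLevel4`, `testGetVulnerablePayloadLevel5`, `testGetVulnerablePayloadLevel7` and both null-byte tests assert only that the raw comment reaches `postRepository.save` and that the status is 200, so the per-level output handling, which is where a stored payload is either neutralised or left active, is not covered for levels 1, 4, 5 and 7. Only the last three tests stub `findByLevelIdentifier` and check `response.getBody()`; the others should follow the same pattern, e.g. `when(postRepository.findByLevelIdentifier(<level id>)).thenReturn(Arrays.asList(post));` followed by an `assertEquals` on `response.getBody()` with the markup that level is expected to emit. The comment `// Assert on the modified content of the post being saved` is misleading wherever the expected value is the unmodified input, and would read better as `// The comment is stored unmodified; any filtering happens at render time` if that is indeed the design. Separately, the class is declared in `org.sasanlabs.service.vulnerability.xss.reflected` while everything it exercises is imported from `...xss.persistent`; declaring `package org.sasanlabs.service.vulnerability.xss.persistent;` would match the code under test and make those three imports unnecessary.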
