diff --git a/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java new file mode 100644 index 00000000..6e034c8e --- /dev/null +++ b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java @@ -0,0 +1,379 @@ +package org.sasanlabs.service.vulnerability.xss.reflected; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.Mockito.*; + +import java.util.Arrays; +import java.util.Collections; +import java.util.Map; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.ArgumentCaptor; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; +import org.sasanlabs.service.vulnerability.xss.persistent.PersistentXSSInHTMLTagVulnerability; +import org.sasanlabs.service.vulnerability.xss.persistent.Post; +import org.sasanlabs.service.vulnerability.xss.persistent.PostRepository; +import org.springframework.http.HttpStatus; +import org.springframework.http.ResponseEntity; + +public class PersistentXSSInHTMLTagVulnerabilityTest { + @Mock private PostRepository postRepository; + + private PersistentXSSInHTMLTagVulnerability vulnerability; + + @BeforeEach + public void setup() { + MockitoAnnotations.initMocks(this); + vulnerability = new PersistentXSSInHTMLTagVulnerability(postRepository); + } + + @Test + public void testGetVulnerablePayloadLevel1() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", "Click me"); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals( + "Click me", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel2() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel3() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel4() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel5() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel6() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel7() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel7(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel5WithNullByte() { + // Prepare test data with NullByte + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved (assuming it's not modified) + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel6WithNullByte() { + // Prepare test data with NullByte + Map queryParams = + Collections.singletonMap("comment", "\u0000"); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved (assuming it's not modified) + assertEquals("\u0000", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel4WithResponseStatusAssertions() { + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + public void testGetVulnerablePayloadLevel6WithHtmlEscaping() { + Post post = new Post(); + post.setContent(""); + + when(postRepository.findByLevelIdentifier("LEVEL_6")).thenReturn(Arrays.asList(post)); + + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the modified content of the post being saved (HTML escaped) + assertEquals( + "
<img src='x' onerror='alert(1)'>
", + response.getBody()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + public void testGetVulnerablePayloadLevel2_WithPatternReplacement() { + Post post = new Post(); + post.setContent(""); + + when(postRepository.findByLevelIdentifier("LEVEL_2")).thenReturn(Arrays.asList(post)); + + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the modified content of the post being saved (pattern replaced) + assertEquals("
src='x' onerror='alert(1)'>
", response.getBody()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + public void testGetVulnerablePayloadLevel3_WithResponseContentAssertions() { + Post post = new Post(); + post.setContent(""); + + when(postRepository.findByLevelIdentifier("LEVEL_3")).thenReturn(Arrays.asList(post)); + + // Prepare test data + Map queryParams = + Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the content of the response + assertEquals("
>alert('XSS')
", response.getBody()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } +}