From f52eb86bf3cfa504a557e625eaa2852a5f27c79b Mon Sep 17 00:00:00 2001 From: Dominik Knut Date: Sat, 18 Nov 2023 15:42:00 +0100 Subject: [PATCH 1/4] Pushing test for Persistent XSS in HTML --- ...rsistentXSSInHTMLTagVulnerabilityTest.java | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java diff --git a/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java new file mode 100644 index 00000000..c8c7024e --- /dev/null +++ b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java 
@@ -0,0 +1,126 @@ +package org.sasanlabs.service.vulnerability.xss.reflected; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.Mock; +import org.mockito.MockitoAnnotations; + +import org.sasanlabs.service.vulnerability.xss.persistent.PersistentXSSInHTMLTagVulnerability; +import org.sasanlabs.service.vulnerability.xss.persistent.PostRepository; +import org.springframework.http.ResponseEntity; + +import java.util.HashMap; +import java.util.Map; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.Mockito.*; + + +public class PersistentXSSInHTMLTagVulnerabilityTest { + @Mock + private PostRepository postRepository; + + private PersistentXSSInHTMLTagVulnerability vulnerability; + + @BeforeEach + public void setup() { + MockitoAnnotations.initMocks(this); + vulnerability = new PersistentXSSInHTMLTagVulnerability(postRepository); + } + + @Test + public void testGetVulnerablePayloadLevel1() { + Map queryParams = new HashMap<>(); + queryParams.put("comment", ""); + + ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); + + verify(postRepository, times(1)).save(any()); + + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue() { + Map queryParams = new HashMap<>(); + queryParams.put("comment", "Click me"); + + ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); + + verify(postRepository, times(1)).save(any()); + + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel2() { + Map queryParams = new HashMap<>(); + queryParams.put("comment", ""); + + ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); + + verify(postRepository, times(1)).save(any()); + + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel3() { + Map 
queryParams = new HashMap<>(); + queryParams.put("comment", ""); + + ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); + + verify(postRepository, times(1)).save(any()); + + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel4() { + Map queryParams = new HashMap<>(); + queryParams.put("comment", ""); + + ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); + + verify(postRepository, times(1)).save(any()); + + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel5() { + Map queryParams = new HashMap<>(); + queryParams.put("comment", ""); + + ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); + + verify(postRepository, times(1)).save(any()); + + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel6() { + Map queryParams = new HashMap<>(); + queryParams.put("comment", ""); + + ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + + verify(postRepository, times(1)).save(any()); + + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel7() { + Map queryParams = new HashMap<>(); + queryParams.put("comment", ""); + + ResponseEntity response = vulnerability.getVulnerablePayloadLevel7(queryParams); + + verify(postRepository, times(1)).save(any()); + + assertEquals(200, response.getStatusCodeValue()); + } +} \ No newline at end of file From 9ab42e6751e5b853d3c63bf44b7b2bdabeccb58a Mon Sep 17 00:00:00 2001 From: Dominik Knut Date: Sun, 19 Nov 2023 16:18:35 +0100 Subject: [PATCH 2/4] changed to collections.singletonMap --- ...rsistentXSSInHTMLTagVulnerabilityTest.java | 26 +++++++------------ 1 file changed, 9 insertions(+), 17 deletions(-) 
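Review bot: Every test in this hunk asserts only that `save()` was called once and that the status is 200, so the per-level output of PersistentXSSInHTMLTagVulnerability is never checked and a regression in a level's escaping would still pass; each level test should also stub `postRepository.findByLevelIdentifier(...)` with a stored Post and pin `response.getBody()` to the expected escaped form, since that is the property these tests exist to protect. The file sits under `xss/reflected` but exercises a class from `xss.persistent`; placing it beside the class under test keeps the package aligned with the code. `MockitoAnnotations.initMocks(this)` in setup() is deprecated; `closeable = MockitoAnnotations.openMocks(this);` with `closeable.close()` in an `@AfterEach` is the current form. If the project is on Spring Framework 6, `getStatusCodeValue()` is deprecated as well and `assertEquals(HttpStatus.OK, response.getStatusCode())` works on both lines.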
diff --git a/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java index c8c7024e..8535ca2b 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java @@ -9,7 +9,7 @@ import org.sasanlabs.service.vulnerability.xss.persistent.PostRepository; import org.springframework.http.ResponseEntity; -import java.util.HashMap; +import java.util.Collections; import java.util.Map; import static org.junit.jupiter.api.Assertions.assertEquals; @@ -30,8 +30,7 @@ public void setup() { @Test public void testGetVulnerablePayloadLevel1() { - Map queryParams = new HashMap<>(); - queryParams.put("comment", ""); + Map queryParams = Collections.singletonMap("comment", ""); ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); @@ -42,8 +41,7 @@ public void testGetVulnerablePayloadLevel1() { @Test public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue() { - Map queryParams = new HashMap<>(); - queryParams.put("comment", "Click me"); + Map queryParams = Collections.singletonMap("comment", "Click me"); ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); @@ -54,8 +52,7 @@ public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue() { @Test public void testGetVulnerablePayloadLevel2() { - Map queryParams = new HashMap<>(); - queryParams.put("comment", ""); + Map queryParams = Collections.singletonMap("comment", ""); ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); 
@@ -66,8 +63,7 @@ public void testGetVulnerablePayloadLevel2() { @Test public void testGetVulnerablePayloadLevel3() { - Map queryParams = new HashMap<>(); - queryParams.put("comment", ""); + Map queryParams = Collections.singletonMap("comment", ""); ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); @@ -78,8 +74,7 @@ public void testGetVulnerablePayloadLevel3() { @Test public void testGetVulnerablePayloadLevel4() { - Map queryParams = new HashMap<>(); - queryParams.put("comment", ""); + Map queryParams = Collections.singletonMap("comment", ""); ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); @@ -90,8 +85,7 @@ public void testGetVulnerablePayloadLevel4() { @Test public void testGetVulnerablePayloadLevel5() { - Map queryParams = new HashMap<>(); - queryParams.put("comment", ""); + Map queryParams = Collections.singletonMap("comment", ""); ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); @@ -102,8 +96,7 @@ public void testGetVulnerablePayloadLevel5() { @Test public void testGetVulnerablePayloadLevel6() { - Map queryParams = new HashMap<>(); - queryParams.put("comment", ""); + Map queryParams = Collections.singletonMap("comment", ""); ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); @@ -114,8 +107,7 @@ public void testGetVulnerablePayloadLevel6() { @Test public void testGetVulnerablePayloadLevel7() { - Map queryParams = new HashMap<>(); - queryParams.put("comment", ""); + Map queryParams = Collections.singletonMap("comment", ""); ResponseEntity response = vulnerability.getVulnerablePayloadLevel7(queryParams); From ff020c69c2fa4e198787fa0a924b3ed000bbca11 Mon Sep 17 00:00:00 2001 From: Dominik Knut Date: Tue, 28 Nov 2023 00:17:29 +0100 Subject: [PATCH 3/4] changed and added some more tests --- ...rsistentXSSInHTMLTagVulnerabilityTest.java | 269 +++++++++++++++++- 1 file changed, 259 insertions(+), 10 deletions(-) 
diff --git a/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java index 8535ca2b..d4621fce 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java @@ -2,21 +2,25 @@ import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import org.mockito.ArgumentCaptor; import org.mockito.Mock; import org.mockito.MockitoAnnotations; import org.sasanlabs.service.vulnerability.xss.persistent.PersistentXSSInHTMLTagVulnerability; +import org.sasanlabs.service.vulnerability.xss.persistent.Post; import org.sasanlabs.service.vulnerability.xss.persistent.PostRepository; +import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; +import java.util.Arrays; import java.util.Collections; +import java.util.List; import java.util.Map; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.mockito.Mockito.*; - -public class PersistentXSSInHTMLTagVulnerabilityTest { +public class PersistentXSSInHTMLTagVulnerabilityTest{ @Mock private PostRepository postRepository; 
@@ -29,90 +33,335 @@ public void setup() { } @Test - public void testGetVulnerablePayloadLevel1() { + public void testGetVulnerablePayloadLevel1(){ + // Prepare test data Map queryParams = Collections.singletonMap("comment", ""); + // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); + // Verify that the save method is called once verify(postRepository, times(1)).save(any()); + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code assertEquals(200, response.getStatusCodeValue()); } @Test - public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue() { + public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue(){ + // Prepare test data Map queryParams = Collections.singletonMap("comment", "Click me"); + // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); + // Verify that the save method is called once verify(postRepository, times(1)).save(any()); + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("Click me", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code assertEquals(200, response.getStatusCodeValue()); } @Test - public void testGetVulnerablePayloadLevel2() { + public void testGetVulnerablePayloadLevel2(){ + // Prepare test data Map queryParams = Collections.singletonMap("comment", ""); + // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); + // Verify that the save method is called once verify(postRepository, 
times(1)).save(any()); + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code assertEquals(200, response.getStatusCodeValue()); } @Test - public void testGetVulnerablePayloadLevel3() { + public void testGetVulnerablePayloadLevel3(){ + // Prepare test data Map queryParams = Collections.singletonMap("comment", ""); + // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); + // Verify that the save method is called once verify(postRepository, times(1)).save(any()); + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code assertEquals(200, response.getStatusCodeValue()); } + @Test - public void testGetVulnerablePayloadLevel4() { + public void testGetVulnerablePayloadLevel4(){ + // Prepare test data Map queryParams = Collections.singletonMap("comment", ""); + // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); + // Verify that the save method is called once verify(postRepository, times(1)).save(any()); + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code assertEquals(200, response.getStatusCodeValue()); } @Test - public void testGetVulnerablePayloadLevel5() 
{ + public void testGetVulnerablePayloadLevel5(){ + // Prepare test data Map queryParams = Collections.singletonMap("comment", ""); + // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); + // Verify that the save method is called once verify(postRepository, times(1)).save(any()); + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code assertEquals(200, response.getStatusCodeValue()); } @Test - public void testGetVulnerablePayloadLevel6() { + public void testGetVulnerablePayloadLevel6(){ + // Prepare test data Map queryParams = Collections.singletonMap("comment", ""); + // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + // Verify that the save method is called once verify(postRepository, times(1)).save(any()); + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code assertEquals(200, response.getStatusCodeValue()); } @Test - public void testGetVulnerablePayloadLevel7() { + public void testGetVulnerablePayloadLevel7(){ + // Prepare test data Map queryParams = Collections.singletonMap("comment", ""); + // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel7(queryParams); + // Verify that the save method is called once verify(postRepository, times(1)).save(any()); + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + 
verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code assertEquals(200, response.getStatusCodeValue()); } + + @Test + public void testGetVulnerablePayloadLevel5WithNullByte(){ + // Prepare test data with NullByte + Map queryParams = Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved (assuming it's not modified) + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel6WithNullByte(){ + // Prepare test data with NullByte + Map queryParams = Collections.singletonMap("comment", "\u0000"); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved (assuming it's not modified) + assertEquals("\u0000", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(200, response.getStatusCodeValue()); + } + + @Test + public void testGetVulnerablePayloadLevel4WithResponseStatusAssertions(){ + // Prepare test data + Map 
queryParams = Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + public void testGetVulnerablePayloadLevel6WithHtmlEscaping(){ + Post post = new Post(); + post.setContent(""); + + when(postRepository.findByLevelIdentifier("LEVEL_6")).thenReturn(Arrays.asList(post)); + + // Prepare test data + Map queryParams = Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the modified content of the post being saved (HTML escaped) + assertEquals("
<img src='x' onerror='alert(1)'>
", response.getBody()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + public void testGetVulnerablePayloadLevel2_WithPatternReplacement(){ + Post post = new Post(); + post.setContent(""); + + when(postRepository.findByLevelIdentifier("LEVEL_2")).thenReturn(Arrays.asList(post)); + + // Prepare test data + Map queryParams = Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the modified content of the post being saved (pattern replaced) + assertEquals("
src='x' onerror='alert(1)'>
", response.getBody()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } + + @Test + public void testGetVulnerablePayloadLevel3_WithResponseContentAssertions(){ + Post post = new Post(); + post.setContent(""); + + when(postRepository.findByLevelIdentifier("LEVEL_3")).thenReturn(Arrays.asList(post)); + + // Prepare test data + Map queryParams = Collections.singletonMap("comment", ""); + + // Perform the test + ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); + + // Verify that the save method is called once + verify(postRepository, times(1)).save(any()); + + // Capture the argument passed to the save method + ArgumentCaptor postCaptor = ArgumentCaptor.forClass(Post.class); + verify(postRepository).save(postCaptor.capture()); + + // Assert on the modified content of the post being saved + assertEquals("", postCaptor.getValue().getContent()); + + // Assert on the content of the response + assertEquals("
>alert('XSS')
", response.getBody()); + + // Assert on the HTTP response status code + assertEquals(HttpStatus.OK, response.getStatusCode()); + } } \ No newline at end of file From 07a0cf8a57b1c1fba4c06f74ac25f3de6f6bd5bd Mon Sep 17 00:00:00 2001 From: Karan Preet Singh Sasan Date: Tue, 28 Nov 2023 23:01:28 -0800 Subject: [PATCH 4/4] SpotlessApply --- ...rsistentXSSInHTMLTagVulnerabilityTest.java | 100 ++++++++++-------- 1 file changed, 56 insertions(+), 44 deletions(-) diff --git a/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java index d4621fce..6e034c8e 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java 
@@ -1,28 +1,24 @@ package org.sasanlabs.service.vulnerability.xss.reflected; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.Mockito.*; + +import java.util.Arrays; +import java.util.Collections; +import java.util.Map; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.mockito.ArgumentCaptor; import org.mockito.Mock; import org.mockito.MockitoAnnotations; - import org.sasanlabs.service.vulnerability.xss.persistent.PersistentXSSInHTMLTagVulnerability; import org.sasanlabs.service.vulnerability.xss.persistent.Post; import org.sasanlabs.service.vulnerability.xss.persistent.PostRepository; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; -import java.util.Arrays; -import java.util.Collections; -import java.util.List; -import java.util.Map; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.mockito.Mockito.*; - -public class PersistentXSSInHTMLTagVulnerabilityTest{ - @Mock - private PostRepository postRepository; +public class PersistentXSSInHTMLTagVulnerabilityTest { + @Mock private PostRepository postRepository; private PersistentXSSInHTMLTagVulnerability vulnerability; @@ -33,9 +29,10 @@ public void setup() { } @Test - public void testGetVulnerablePayloadLevel1(){ + public void testGetVulnerablePayloadLevel1() { // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); 
@@ -55,9 +52,10 @@ public void testGetVulnerablePayloadLevel1(){ } @Test - public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue(){ + public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue() { // Prepare test data - Map queryParams = Collections.singletonMap("comment", "Click me"); + Map queryParams = + Collections.singletonMap("comment", "Click me"); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel1(queryParams); @@ -70,16 +68,18 @@ public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue(){ verify(postRepository).save(postCaptor.capture()); // Assert on the content of the post being saved - assertEquals("Click me", postCaptor.getValue().getContent()); + assertEquals( + "Click me", postCaptor.getValue().getContent()); // Assert on the HTTP response status code assertEquals(200, response.getStatusCodeValue()); } @Test - public void testGetVulnerablePayloadLevel2(){ + public void testGetVulnerablePayloadLevel2() { // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); @@ -99,9 +99,10 @@ public void testGetVulnerablePayloadLevel2(){ } @Test - public void testGetVulnerablePayloadLevel3(){ + public void testGetVulnerablePayloadLevel3() { // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); 
@@ -120,11 +121,11 @@ public void testGetVulnerablePayloadLevel3(){ assertEquals(200, response.getStatusCodeValue()); } - @Test - public void testGetVulnerablePayloadLevel4(){ + public void testGetVulnerablePayloadLevel4() { // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); @@ -144,9 +145,10 @@ public void testGetVulnerablePayloadLevel4(){ } @Test - public void testGetVulnerablePayloadLevel5(){ + public void testGetVulnerablePayloadLevel5() { // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); @@ -166,9 +168,10 @@ public void testGetVulnerablePayloadLevel5(){ } @Test - public void testGetVulnerablePayloadLevel6(){ + public void testGetVulnerablePayloadLevel6() { // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); @@ -188,9 +191,10 @@ public void testGetVulnerablePayloadLevel6(){ } @Test - public void testGetVulnerablePayloadLevel7(){ + public void testGetVulnerablePayloadLevel7() { // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel7(queryParams); 
@@ -210,9 +214,10 @@ public void testGetVulnerablePayloadLevel7(){ } @Test - public void testGetVulnerablePayloadLevel5WithNullByte(){ + public void testGetVulnerablePayloadLevel5WithNullByte() { // Prepare test data with NullByte - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel5(queryParams); @@ -232,9 +237,10 @@ public void testGetVulnerablePayloadLevel5WithNullByte(){ } @Test - public void testGetVulnerablePayloadLevel6WithNullByte(){ + public void testGetVulnerablePayloadLevel6WithNullByte() { // Prepare test data with NullByte - Map queryParams = Collections.singletonMap("comment", "\u0000"); + Map queryParams = + Collections.singletonMap("comment", "\u0000"); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); @@ -254,9 +260,10 @@ public void testGetVulnerablePayloadLevel6WithNullByte(){ } @Test - public void testGetVulnerablePayloadLevel4WithResponseStatusAssertions(){ + public void testGetVulnerablePayloadLevel4WithResponseStatusAssertions() { // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel4(queryParams); 
@@ -276,14 +283,15 @@ public void testGetVulnerablePayloadLevel4WithResponseStatusAssertions(){ } @Test - public void testGetVulnerablePayloadLevel6WithHtmlEscaping(){ + public void testGetVulnerablePayloadLevel6WithHtmlEscaping() { Post post = new Post(); post.setContent(""); when(postRepository.findByLevelIdentifier("LEVEL_6")).thenReturn(Arrays.asList(post)); // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel6(queryParams); @@ -299,21 +307,24 @@ public void testGetVulnerablePayloadLevel6WithHtmlEscaping(){ assertEquals("", postCaptor.getValue().getContent()); // Assert on the modified content of the post being saved (HTML escaped) - assertEquals("
<img src='x' onerror='alert(1)'>
", response.getBody()); + assertEquals( + "
<img src='x' onerror='alert(1)'>
", + response.getBody()); // Assert on the HTTP response status code assertEquals(HttpStatus.OK, response.getStatusCode()); } @Test - public void testGetVulnerablePayloadLevel2_WithPatternReplacement(){ + public void testGetVulnerablePayloadLevel2_WithPatternReplacement() { Post post = new Post(); post.setContent(""); when(postRepository.findByLevelIdentifier("LEVEL_2")).thenReturn(Arrays.asList(post)); // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel2(queryParams); @@ -336,14 +347,15 @@ public void testGetVulnerablePayloadLevel2_WithPatternReplacement(){ } @Test - public void testGetVulnerablePayloadLevel3_WithResponseContentAssertions(){ + public void testGetVulnerablePayloadLevel3_WithResponseContentAssertions() { Post post = new Post(); post.setContent(""); when(postRepository.findByLevelIdentifier("LEVEL_3")).thenReturn(Arrays.asList(post)); // Prepare test data - Map queryParams = Collections.singletonMap("comment", ""); + Map queryParams = + Collections.singletonMap("comment", ""); // Perform the test ResponseEntity response = vulnerability.getVulnerablePayloadLevel3(queryParams); @@ -364,4 +376,4 @@ public void testGetVulnerablePayloadLevel3_WithResponseContentAssertions(){ // Assert on the HTTP response status code assertEquals(HttpStatus.OK, response.getStatusCode()); } -} \ No newline at end of file +}