Forum Discussion
Hi nmrao
The payload that SoapUI generates during the test is fine.
The assertion executed after each request generated by SoapUI is the "problem" as the options provided are not applicable in my case
- nmrao, 6 years ago, Champion Level 3
Not sure if I understand.
What response do you get and what assertion would you like to perform? I'd appreciate it if you could add the details along with sample data explaining the problem.
- NikosG, 6 years ago, Occasional Contributor
Ok,
simple example
The PATCH operation is used on a resource that is "Phones"
The JSON body has a unique Id (int), the phone number (string) and a comment (string).
I set the XSS security test to execute PATCH requests in order to update the phone with id = 5 and target both strings in the body of the following request:
{
"PhoneUniqueId": 5,
"PhoneNumber": "123123123" ,
"PhoneComment": "this is a comment"
}
As SoapUI iterates through its list of XSS strings, replacing the target fields, it issues the following in sequence:
{
"PhoneUniqueId": 5,
"PhoneNumber": "<PLAINTEXT>" ,
"PhoneComment": "this is a comment"
}
{
"PhoneUniqueId": 5,
"PhoneNumber": "<SCRIPT>alert(1)</SCRIPT>" ,
"PhoneComment": "this is a comment"
}
...
{
"PhoneUniqueId": 5,
"PhoneNumber": "123123123" ,
"PhoneComment": "<PLAINTEXT>"
}
{
"PhoneUniqueId": 5,
"PhoneNumber": "123123123" ,
"PhoneComment": "<SCRIPT>alert(1)</SCRIPT>"
}
For the reasons I have mentioned already, the existing XSS assertion setup is not helpful. So unless I'm missing something with the XSS assertion config, I have to opt for a Custom Script Assertion.
The idea is this:
- Get the PhoneUniqueId from the PATCH request and the field that was used, let's say it was PhoneComment
- Issue a GET for the same PhoneUniqueId
- Check the GET response body and see if the PhoneComment value has an XSS string
Searching through the internet I came up with something very rough like this:
def testCase = messageExchange.modelItem.testCase
// Body of the most recent GET_Phones response
def ResponseMessage = testCase.testSteps["GET_Phones"].testRequest.response.contentAsString
// One XSS vector per line; blank lines are skipped because every string "contains" them
File file1 = new File("C:/XSS_Vectors")
List textLine = file1.readLines().findAll { it.trim() }
// Must be declared before the closure assigns to it, otherwise the final assert sees no variable
def res = true
try {
    textLine.each {
        if (ResponseMessage.contains(it)) {
            log.info 'XSS_Vector: ' + it + ' was found in message'
            res = false
            throw new Exception('XSS_Vector: ' + it + ' was found in message')
        }
    }
    assert res
} catch (Exception e) {
    log.error("Exception: ${e}")
    assert res
}
The XSS_Vectors file has the strings used by SoapUI and GET_Phones is a testcase that performs the GET operation on the "PhoneUniqueId": 5 (hardcoded value).
Two problems with that:
1. I do not know which field was used in the PATCH request so as to target the proper field only in my check. Let's say that the 2nd PATCH request from above goes through and the XSS string is stored as is. When I run the custom script for the 3rd and 4th one I will always get an indication even if "PhoneComment" was treated correctly, simply because the GET response will always have "PhoneNumber": "<SCRIPT>alert(1)</SCRIPT>".
2. I want to be able to use a similar approach for POST on the same resource that is used for inserting new entries. The body is the same as PATCH. The difference is that with POST I have to provide a unique PhoneUniqueId, something like this random generation:
{
"PhoneUniqueId": "${=(new java.util.Random()).nextInt(10000000)}",
"PhoneNumber": "69${=(new java.util.Random()).nextInt(10000000).toString()}" ,
"PhoneComment": "<SCRIPT>alert(1)</SCRIPT>"
}
As a result, I cannot use a GET request with a hardcoded "PhoneUniqueId" either.
Hope this helps,
Nikos
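As an added illustration of the three-step idea and of the two problems listed above (this is example code, not a script from the thread or from SmartBear): a Groovy check that works out which field the current PATCH or POST request injected, takes the PhoneUniqueId from that request body instead of hardcoding it, and then compares only that field in the GET response, so a vector left behind in PhoneNumber by an earlier request no longer triggers a false alarm. The JSON bodies and the vector list are constructed for the example; inside a SoapUI script assertion the request body is available as messageExchange.requestContent, the GET body would be read from the GET_Phones step's response as in the script above (how that step is triggered and given the id is assumed to be handled outside this snippet), the vectors would come from the XSS_Vectors file, and println would be log.info.

```groovy
import groovy.json.JsonSlurper

// Constructed sample: the PATCH body SoapUI sent, with the vector in PhoneComment.
def patchRequestBody = '''
{
  "PhoneUniqueId": 5,
  "PhoneNumber": "123123123",
  "PhoneComment": "<SCRIPT>alert(1)</SCRIPT>"
}'''

// Constructed sample GET response after that PATCH: PhoneComment was stored
// HTML-encoded (handled correctly), but PhoneNumber still holds the raw vector
// left behind by an earlier PATCH run that targeted PhoneNumber.
def getResponseBody = '''
{
  "PhoneUniqueId": 5,
  "PhoneNumber": "<SCRIPT>alert(1)</SCRIPT>",
  "PhoneComment": "&lt;SCRIPT&gt;alert(1)&lt;/SCRIPT&gt;"
}'''

// Constructed vector list; in SoapUI this is the XSS_Vectors file, one string per line.
def xssVectors = ['<PLAINTEXT>', '<SCRIPT>alert(1)</SCRIPT>']

// Names of the string fields in the request whose value is one of the injected
// vectors. A SoapUI XSS scan targets exactly one field per request.
List injectedFields(Map request, List vectors) {
    request.findAll { k, v -> v instanceof String && vectors.contains(v) }
           .collect { k, v -> k }
}

// Compare only the field that *this* request injected, after confirming the GET
// returned the id taken from the request body (works for a random POST id too).
Map checkInjectedField(Map request, Map response, List vectors) {
    def fields = injectedFields(request, vectors)
    assert fields.size() == 1 : "expected one injected field, found ${fields}"
    def field = fields[0]
    assert response.PhoneUniqueId == request.PhoneUniqueId : "GET returned id ${response.PhoneUniqueId}, expected ${request.PhoneUniqueId}"
    def sent = request[field]
    def stored = response[field]
    // Unsafe if the stored value still contains the vector verbatim.
    def storedRaw = stored instanceof String && stored.contains(sent)
    [field: field, sent: sent, stored: stored, storedRaw: storedRaw]
}

def slurper = new JsonSlurper()
def request = slurper.parseText(patchRequestBody)
def response = slurper.parseText(getResponseBody)

// The whole-body substring check from the rough script above flags this run,
// purely because PhoneNumber carries the raw vector from a previous request.
def wholeBodyHit = xssVectors.any { getResponseBody.contains(it) }
println "whole-body substring check flags the response: ${wholeBodyHit}"

def result = checkInjectedField(request, response, xssVectors)
println "field ${result.field}: sent ${result.sent}, stored ${result.stored}"

// This is the assertion that belongs in the script assertion: fail only when the
// field targeted by the current request came back unencoded.
assert !result.storedRaw : "XSS vector stored unencoded in ${result.field}"
```

The per-field check passes for this sample while the whole-body check does not, which is exactly the false positive described in problem 1. Note that the check only looks for the vector stored verbatim; a value that comes back in some other form is reported as the `stored` value for a human to judge rather than being classified automatically.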
- nmrao, 6 years ago, Champion Level 3
Thank you for the details.
Just one question: what does the response look like for the PATCH request?
I can see from the documentation that the user can write their own custom script for the assertion.
https://support.smartbear.com/readyapi/docs/testing/assertions/reference/security/xss.html
Since you would like to run a GET request after receiving the PATCH response, you can write code to make the GET call in the custom script. For that, use groovy wslite (check GitHub for the library and sample code).