Ok,
simple example
The PATCH operation is used on a resource that is "Phones"
The json body has a unique Id (int), the phone number (string) and a comment (string)
I set the XSS security test to execute PATCH requests in order to update the phone with id = 5 and target both strings in the body of the following request
{
"PhoneUniqueId": 5,
"PhoneNumber": "123123123" ,
"PhoneComment": "this is a comment"
}
As SoapUI iterates through its list of XSS strings and replacing the target fields it issues the following in sequence:
{
"PhoneUniqueId": 5,
"PhoneNumber": "<PLAINTEXT>" ,
"PhoneComment": "this is a comment"
}
{
"PhoneUniqueId": 5,
"PhoneNumber": "<SCRIPT>alert(1)</SCRIPT>" ,
"PhoneComment": "this is a comment"
}
...
{
"PhoneUniqueId": 5,
"PhoneNumber": "123123123" ,
"PhoneComment": "<PLAINTEXT>"
}
{
"PhoneUniqueId": 5,
"PhoneNumber": "123123123" ,
"PhoneComment": "<SCRIPT>alert(1)</SCRIPT>"
}
For the reasons I have mentioned already the existing XSS assertion setup is not helpful. So unless I'm missing something with the XSS assertion config, have to opt for a Custom Script Assertion.
The idea is this:
Checking through internet I came up with something very rough like this:
def testCase = messageExchange.modelItem.testCase
def ResponseMessage = testCase.testSteps["GET_Phones"].testRequest.response.contentAsString
File file1 = new File("C:/XSS_Vectors")
List textLine = file1.readLines()
try{
textLine.each{
if (ResponseMessage.contains(it)){
log.info 'XSS_Vector: ' + it +' was found in message'
res = false
throw new Exception('XSS_Vector: ' + it +' was found in message')
}
}
assert res
} catch(Exception e) {
log.error("Exception: ${e}")
assert res
}
The XSS_Vectors file has the strings used by SoapUI and GET_Phones is a testcase that performs the GET operation on the "PhoneUniqueId": 5 (hardcoded value)
Two problems with that:
1. I do not know which field was used in the PATCH request so as to target the proper field only in my check. Let's say that the 2nd PATCH request from above goes through and the XSS string is stored as is. When I run the custom script for the 3rd and 4th one I will always get an indication even if "PhoneComment" was treated correctly, simply because the GET response will always have "PhoneNumber": "<SCRIPT>alert(1)</SCRIPT>"
2. I want to be able to use a similar approach for POST on the same resource that is used for inserting new entries. The body is the same as PATCH. The difference is that with POST I have to provide a unique PhoneUniqueId, something like this random generation
{
"PhoneUniqueId": "${=(new java.util.Random()).nextInt(10000000)}",
"PhoneNumber": "69${=(new java.util.Random()).nextInt(10000000).toString()}" ,
"PhoneComment": "<SCRIPT>alert(1)</SCRIPT>"
}
As a result I cannot have a GET request to be used with a hardcoded "PhoneUniqueId" either
hope this helps
Nikos
Hi nmrao
In general the success response is a simple
HTTP/1.1 204 No Content
Server: Kestrel
Strict-Transport-Security: max-age=2592000
X-Powered-By: ASP.NET
Date: Tue, 10 Sep 2019 10:55:29 GMT
We also the typical error responses (Unauthorized, Bad Request...)
Responses that return error details return a body like this
{
"code": "string",
"target": "string",
"message": "string",
"errors": [
null
],
"innerDetails": {}
}
I'll check the library you indicated but on first glance don't see how this would allow me to grab the details of the PATCH request that SoapUI sends
Still I see here that property expansion could work for ReadyAPI
https://support.smartbear.com/readyapi/docs/testing/properties/expansion.html#scopes
But I cannot seem to get this to work
I have a structure something like
Test Suite: SecTest
=> Security Tests: SecTestCustPhones
=> TestSteps: CustPhones_Get
==> Security Scan: Fuzzing Scan
(I use a different method and secuirty scan for simplicity and because the Pro trial version has expired so I work with whatever the community edition has to offer on my previous setup)
def ResFile ="C:/Request.xml"
def request = context.expand('${#SecurityTest#SecTestCustPhones#Request}')
def j = new File(ResFile)
j.write(request, "UTF-8")
I add this in a script assertion just to see if it manages to grab the request but when I run the security test the resulting file is empty
Which means two things
