XSS scripting assertion on REST PATCH request via GET method
Hello to all
The subject may not make much sense, so here it goes.
I have a REST service and I'd like to check the Cross Site Scripting test options provided with SoapUI Pro (I have downloaded a trial version, even though it is the same with the community version if I'm not mistaken). The target of the test is one of the PATCH methods.
The problem is in setting up a proper assertion. I see that the default is performing the assertion on the actual response, which is not very helpful in my case, and there is no website whose URL I could provide.
Ideally I'd like when I send something like this in the json request body
{
    "id": "resourceID",
    "data": "<IMG src=\"javascript:alert('XSS');\">"
}
to be able to configure an assertion where I issue a GET request for the resource with the same id and detect any cross site scripting in the "data" element in the GET response
Has anyone else bumped into a similar problem?
Any comment would be highly appreciated
Hi @nmrao
In general the success response is a simple
HTTP/1.1 204 No Content
Server: Kestrel
Strict-Transport-Security: max-age=2592000
X-Powered-By: ASP.NET
Date: Tue, 10 Sep 2019 10:55:29 GMT
We also have the typical error responses (Unauthorized, Bad Request...).
Responses that return error details return a body like this
{
"code": "string",
"target": "string",
"message": "string",
"errors": [
null
],
"innerDetails": {}
}
I'll check the library you indicated but on first glance don't see how this would allow me to grab the details of the PATCH request that SoapUI sends
Still I see here that property expansion could work for ReadyAPI
https://support.smartbear.com/readyapi/docs/testing/properties/expansion.html#scopes
But I cannot seem to get this to work
I have a structure something like
Test Suite: SecTest
=> Security Tests: SecTestCustPhones
=> TestSteps: CustPhones_Get
==> Security Scan: Fuzzing Scan
(I use a different method and security scan for simplicity and because the Pro trial version has expired, so I work with whatever the community edition has to offer on my previous setup)
// Path of the file the expanded request is dumped to
def ResFile = "C:/Request.xml"
// Property expansion of the security test's Request property
def request = context.expand('${#SecurityTest#SecTestCustPhones#Request}')
def j = new File(ResFile)
j.write(request, "UTF-8")
I add this in a script assertion just to see if it manages to grab the request but when I run the security test the resulting file is empty
Which means two things
- My script is wrong ...most probably
- This is available only in SoapUI pro whose trial version has expired
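One way to build the assertion asked for in the opening post, and to get at the request that the property expansion above returned empty: a script assertion placed on the PATCH test step that reads the body SoapUI actually sent from messageExchange, issues a GET for the same id with plain Java, and fails when the injected markup comes back unescaped. This is example code written for this thread, not SmartBear's or the original poster's; it assumes a test-case property named baseUrl holding the resource URL prefix (hypothetical) and that the GET returns the resource as JSON with "id" and "data" fields.

```groovy
// Script assertion on the PATCH step (added example). Assumptions: a test-case
// property "baseUrl" such as https://host/api/customers/ and a GET that
// returns JSON with "id" and "data" fields.
import groovy.json.JsonSlurper

// 1. The request SoapUI really sent, including the scan's mutated "data" value
def sent = new JsonSlurper().parseText(messageExchange.requestContent)
def id = sent.id
def injected = sent.data as String

// 2. Re-read the same resource with a GET (no extra library needed)
def url = new URL(context.expand('${#TestCase#baseUrl}') + id)
def conn = (HttpURLConnection) url.openConnection()
conn.requestMethod = 'GET'
conn.setRequestProperty('Accept', 'application/json')
assert conn.responseCode == 200 : "GET ${url} returned ${conn.responseCode}"
def stored = new JsonSlurper().parseText(conn.inputStream.getText('UTF-8'))
def dataField = stored.data as String
log.info "PATCH sent data=${injected}; GET returned data=${dataField}"

// 3. Stored-XSS check on the "data" element of the GET response:
//    the value must not come back as live markup or a script URI/handler.
def tagPattern   = ~/(?i)<\s*(img|script|iframe|svg|a|body)\b/
def eventPattern = ~/(?i)javascript:|on\w+\s*=/
assert dataField != injected : "payload stored verbatim in 'data'"
assert !(dataField =~ tagPattern)   : "HTML tag stored unescaped in 'data'"
assert !(dataField =~ eventPattern) : "script URI or event handler stored in 'data'"
```

A value that comes back HTML-encoded (for example &lt;IMG ...&gt;) passes all three checks, which is the sanitised outcome the test is looking for.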
Then you can grab the response and write the script using the mentioned library to send the GET request dynamically.
Regards,
Rao.