Ask a Question

XSS scripting assertion on REST PATCH request via GET method

Occasional Contributor

XSS scripting assertion on REST PATCH request via GET method

Hello to all

The subject may not make much sence so here it goes


I have a REST service and i'd like to check the Cross Site Scripting test options provided with SoapUI Pro (i have downloaded a trial version, even though it is the same with the community version if I'm not mistaken). The target of the test is one of the PATCH methods.


The problem is in seting up a proper assertion. I see that the default is performing the assertion on the actual response which is not very helpful in my case and there is no website whose url I could provide.


Ideally I'd like when I send something like this in the json request body 

"id": "resourceID",
"data": <IMG src=\"javascript&colon;alert('XSS');\">"

to be able to configure an assertion where I issue a GET request for the resource with the same id and detect any cross site scripting in the "data" element in the GET response


Has anyone else bumped into a similar problem?

Any comment would be highly appreciated




Occasional Contributor

Hi @nmrao 


In general the success response is a simple 

HTTP/1.1 204 No Content
Server: Kestrel
Strict-Transport-Security: max-age=2592000
X-Powered-By: ASP.NET
Date: Tue, 10 Sep 2019 10:55:29 GMT


We also the typical error responses (Unauthorized, Bad Request...)

Responses that return error details return a body like this 

"code": "string",
"target": "string",
"message": "string",
"errors": [
"innerDetails": {}


I'll check the library you indicated but on first glance don't see how this would allow me to grab the details of the PATCH request that SoapUI sends


Still I see here that property expansion could work for ReadyAPI


But I cannot seem to get this to work

I have a structure something like 

Test Suite: SecTest

=> Security Tests: SecTestCustPhones

      => TestSteps: CustPhones_Get

             ==> Security Scan: Fuzzing Scan


(I use a different method and secuirty scan for simplicity and because the Pro trial version has expired so I work with whatever the community edition has to offer on my previous setup)


def ResFile ="C:/Request.xml"
def request = context.expand('${#SecurityTest#SecTestCustPhones#Request}')
def j = new File(ResFile)
j.write(request, "UTF-8")


I add this in a script assertion just to see if it manages to grab the request but when I run the security test the resulting file is empty 

Which means two things

  1. My script is wrong ...most probably
  2. This is available only in SoapUI pro whose trial version has expired
Champion Level 3

If that does not allow you to grab the response or some other hurdle to use security test, I would suggest to use normal test in data driven format and use different requests resembling as security test does.

Then you can grab the response and write the script using the mentioned library to send the GET request dynamically.

Showing results for 
Search instead for 
Did you mean: