15 years ago
getXmlHolder crashing groovy script
Hi,
I'm running a TestCase where I am injecting values into a Soap Request and then firing them at my service to test for certain vulnerabilities. The script currently breaks while trying to retrieve the response. I know why it's breaking, but I'm uncertain as to how to fix the issue. When I send the request, I'm getting a fault returned (as is expected), however it contains a piece of javascript code for error handling, which is what is tripping up the groovy script it seems.
The line that is causing the error:
The response that is crashing that line:
Error message:
So my question at this point is this: How do I escape those characters or otherwise sanitize them if I can't get it to even load the XmlHolder?
I'm running a TestCase where I am injecting values into a Soap Request and then firing them at my service to test for certain vulnerabilities. The script currently breaks while trying to retrieve the response. I know why it's breaking, but I'm uncertain as to how to fix the issue. When I send the request, I'm getting a fault returned (as is expected), however it contains a piece of javascript code for error handling, which is what is tripping up the groovy script it seems.
The line that is causing the error:
def response = groovyUtils.getXmlHolder( "SOAP Request#Response" )
The response that is crashing that line:
<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:xsd="http://www.w3.org/1999/XMLSchema">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Client</faultcode>
<faultstring>Invalid key: <IMG%20src='x-javascript:alert(document.cookie)'></faultstring>
<faultactor>/search/beta2</faultactor>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Error message:
org.apache.xmlbeans.XmlException: error: Unexpected character encountered (lex state 8): '%' error: Unexpected character encountered (lex state 8): '%'
So my question at this point is this: How do I escape those characters or otherwise sanitize them if I can't get it to even load the XmlHolder?