XSS scripting assertion on REST PATCH request via GET method

Occasional Contributor

Re: XSS scripting assertion on REST PATCH request via GET method

Hi @nmrao 

 

In general the success response is a simple 

HTTP/1.1 204 No Content
Server: Kestrel
Strict-Transport-Security: max-age=2592000
X-Powered-By: ASP.NET
Date: Tue, 10 Sep 2019 10:55:29 GMT

 

We also have the typical error responses (Unauthorized, Bad Request...).

Responses that return error details have a body like this:

{
  "code": "string",
  "target": "string",
  "message": "string",
  "errors": [
    null
  ],
  "innerDetails": {}
}

 

I'll check the library you indicated, but on first glance I don't see how this would allow me to grab the details of the PATCH request that SoapUI sends.

 

Still, I see here that property expansion could work for ReadyAPI:

https://support.smartbear.com/readyapi/docs/testing/properties/expansion.html#scopes

 

But I cannot seem to get this to work.

I have a structure something like:

Test Suite: SecTest

=> Security Tests: SecTestCustPhones

      => TestSteps: CustPhones_Get

             ==> Security Scan: Fuzzing Scan

 

(I use a different method and security scan for simplicity, and because the Pro trial version has expired I work with whatever the community edition has to offer on my previous setup.)

 

// Groovy script assertion: try to capture the request via property expansion
def ResFile = "C:/Request.xml"                                        // output file for the captured request
def request = context.expand('${#SecurityTest#SecTestCustPhones#Request}')  // expand the security test's Request property
def j = new File(ResFile)
j.write(request, "UTF-8")                                             // write whatever was expanded (empty string if the property did not resolve)

 

I add this in a script assertion just to see if it manages to grab the request, but when I run the security test the resulting file is empty.

Which means two things:

  1. My script is wrong ...most probably
  2. This is available only in SoapUI pro whose trial version has expired
Community Hero

Re: XSS scripting assertion on REST PATCH request via GET method

If that does not allow you to grab the response, or there is some other hurdle to using the security test, I would suggest using a normal test in data-driven format with different requests resembling what the security test does.

Then you can grab the response and write the script using the mentioned library to send the GET request dynamically.


Regards,
Rao.
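As an added example that is neither poster's code: a Groovy script assertion that reads the PATCH body SoapUI actually sent through the messageExchange object instead of through property expansion, replays a GET to the same resource with plain java.net rather than the library mentioned earlier in the thread, and fails when the injected value comes back verbatim. The JSON field name ("phone"), the Accept header and the assumption that the PATCH endpoint also answers GET are placeholders.

```groovy
// Script assertion on the PATCH test step (added example, not from this thread).
// Assumptions: the PATCH body is JSON with a "phone" field, and the same URL
// that received the PATCH returns the resource on GET.
import groovy.json.JsonSlurper

// 1. The raw request SoapUI sent for this exchange, fuzzed value included, is
//    exposed to a script assertion as messageExchange.requestContent, so no
//    property expansion is needed to capture it.
def sentRequest = messageExchange.requestContent
log.info "PATCH body sent: ${sentRequest}"

// 2. Pull the injected value out of the body (field name is an assumption).
def patched  = new JsonSlurper().parseText(sentRequest)
def injected = patched.phone as String

// 3. Replay a GET against the same resource with java.net only.
def conn = new URL(messageExchange.endpoint).openConnection()
conn.requestMethod = 'GET'
conn.setRequestProperty('Accept', 'application/json')
int status = conn.responseCode

// 4. Error responses carry the code/target/message body shown above; surface
//    it instead of silently passing on a 4xx/5xx.
if (status >= 400) {
    def err = new JsonSlurper().parseText(conn.errorStream.getText('UTF-8'))
    assert false : "GET returned ${status}: ${err.code} - ${err.message}"
}

// 5. A 204 from the PATCH has no body, so the GET response is the only place
//    to see what was stored. Fail when the injected value is echoed verbatim:
//    the API then stores it unsanitised and every HTML consumer of this field
//    must encode it on output.
def getBody = conn.inputStream.getText('UTF-8')
log.info "GET body: ${getBody}"
assert !getBody.contains(injected) : "Injected value stored and reflected verbatim: ${injected}"
```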