Re: TestComplete SDK equivalent for Web

Hi AlexKaras
Thanks for the resources, I'll check them out.

Re: TestComplete SDK equivalent for Web

Also I guess that this statement in the SDK help is outdated: "The SDK supports all .NET versions: 1.0, 1.1, 2.0, 3.0 and 3.5", because that's rather old and later versions of .NET and Visual Studio are supported.

Re: TestComplete SDK equivalent for Web

Hi AlexKaras
I was checking TestComplete and I saw that in our Angular-based web app I could only get clicks on coordinates. We are using Angular Material UI and Kendo, so for example on a mat-select I'd like to create something like webElement.Select("Value") instead. Anyway my trial version is over but I'd like to have the full picture in case we revisit this option.

TestComplete SDK equivalent for Web

Hi
I know that you can create addons for third party controls for desktop applications using the TestComplete SDK. Is there an equivalent for web controls?

Re: XSS scripting assertion on REST PATCH request via GET method

Hi nmrao
In general the success response is a simple

    HTTP/1.1 204 No Content
    Server: Kestrel
    Strict-Transport-Security: max-age=2592000
    X-Powered-By: ASP.NET
    Date: Tue, 10 Sep 2019 10:55:29 GMT

We also have the typical error responses (Unauthorized, Bad Request...).
Responses that return error details return a body like this:

    {
      "code": "string",
      "target": "string",
      "message": "string",
      "errors": [ null ],
      "innerDetails": {}
    }

I'll check the library you indicated but on first glance I don't see how this would allow me to grab the details of the PATCH request that SoapUI sends.

Still, I see here that property expansion could work for ReadyAPI: https://support.smartbear.com/readyapi/docs/testing/properties/expansion.html#scopes

But I cannot seem to get this to work. I have a structure something like:

Test Suite: SecTest => Security Tests: SecTestCustPhones => TestSteps: CustPhones_Get ==> Security Scan: Fuzzing Scan

(I use a different method and security scan for simplicity and because the Pro trial version has expired, so I work with whatever the community edition has to offer on my previous setup.)

    // Try to expand the security test's request and dump it to a file
    def ResFile = "C:/Request.xml"
    def request = context.expand('${#SecurityTest#SecTestCustPhones#Request}')
    def j = new File(ResFile)
    j.write(request, "UTF-8")

I add this in a script assertion just to see if it manages to grab the request, but when I run the security test the resulting file is empty. Which means two things:
- My script is wrong ...most probably
- This is available only in SoapUI Pro, whose trial version has expired

Re: XSS scripting assertion on REST PATCH request via GET method

Ok, simple example.

The PATCH operation is used on a resource that is "Phones". The JSON body has a unique Id (int), the phone number (string) and a comment (string).

I set the XSS security test to execute PATCH requests in order to update the phone with id = 5 and target both strings in the body of the following request:

    { "PhoneUniqueId": 5, "PhoneNumber": "123123123", "PhoneComment": "this is a comment" }

As SoapUI iterates through its list of XSS strings, replacing the target fields, it issues the following in sequence:

    { "PhoneUniqueId": 5, "PhoneNumber": "<PLAINTEXT>", "PhoneComment": "this is a comment" }
    { "PhoneUniqueId": 5, "PhoneNumber": "<SCRIPT>alert(1)</SCRIPT>", "PhoneComment": "this is a comment" }
    ...
    { "PhoneUniqueId": 5, "PhoneNumber": "123123123", "PhoneComment": "<PLAINTEXT>" }
    { "PhoneUniqueId": 5, "PhoneNumber": "123123123", "PhoneComment": "<SCRIPT>alert(1)</SCRIPT>" }

For the reasons I have mentioned already, the existing XSS assertion setup is not helpful. So unless I'm missing something with the XSS assertion config, I have to opt for a Custom Script Assertion. The idea is this:
- Get the PhoneUniqueId from the PATCH request and the field that was used, let's say it was PhoneComment
- Issue a GET for the same PhoneUniqueId
- Check the GET response body and see if the PhoneComment value has an XSS string

Checking through the internet I came up with something very rough like this:

    // Script assertion: look for any of SoapUI's XSS vectors in the GET step's last response
    def testCase = messageExchange.modelItem.testCase
    def ResponseMessage = testCase.testSteps["GET_Phones"].testRequest.response.contentAsString
    File file1 = new File("C:/XSS_Vectors")
    List textLine = file1.readLines()
    def res = true   // must be initialised, otherwise 'assert res' fails when no vector is found
    try {
        textLine.each {
            if (ResponseMessage.contains(it)) {
                log.info 'XSS_Vector: ' + it + ' was found in message'
                res = false
                throw new Exception('XSS_Vector: ' + it + ' was found in message')
            }
        }
        assert res
    } catch (Exception e) {
        log.error("Exception: ${e}")
        assert res
    }

The XSS_Vectors file has the strings used by SoapUI, and GET_Phones is a test step that performs the GET operation on the "PhoneUniqueId": 5 (hardcoded value).

Two problems with that:
1. I do not know which field was used in the PATCH request so as to target the proper field only in my check. Let's say that the 2nd PATCH request from above goes through and the XSS string is stored as is. When I run the custom script for the 3rd and 4th one I will always get an indication even if "PhoneComment" was treated correctly, simply because the GET response will always have "PhoneNumber": "<SCRIPT>alert(1)</SCRIPT>".
2. I want to be able to use a similar approach for POST on the same resource that is used for inserting new entries. The body is the same as PATCH.
The difference is that with POST I have to provide a unique PhoneUniqueId, something like this random generation:

    {
      "PhoneUniqueId": "${=(new java.util.Random()).nextInt(10000000)}",
      "PhoneNumber": "69${=(new java.util.Random()).nextInt(10000000).toString()}",
      "PhoneComment": "<SCRIPT>alert(1)</SCRIPT>"
    }

As a result I cannot have a GET request to be used with a hardcoded "PhoneUniqueId" either.

Hope this helps,
Nikos

Re: XSS scripting assertion on REST PATCH request via GET method

Hi nmrao
The payload that SoapUI generates during the test is fine. The assertion executed after each request generated by SoapUI is the "problem", as the options provided are not applicable in my case.

Re: XSS scripting assertion on REST PATCH request via GET method

Hi nmrao
Let me clarify a bit. As I said, I'm trying out the security tests on the trial version of SoapUI Pro.

I'm using the XSS security tests on a PATCH method that is used in our API in order to update a specific resource. Configuring the test I am able to issue PATCH requests for a specific resource id like so:

    { id: <uniqueId>, data: <string replaced by the preconfigured XSS strings> }

As I see, SoapUI iterates through a list of preconfigured XSS strings and applies them to each of the request body fields, one field at a time. The "problem" is when it is time to check if the XSS string has actually gone through. As it is, the application provides two options of doing that when you are setting up the Cross Site Scripting assertion:
- Check the immediate response
- Enter a custom script that returns a list of URLs to check for Cross Site Scripts

None of these are applicable in my case as:
- The immediate response can be a simple 204 (success) and I have no way of knowing if the XSS string has reached the backend as it was sent by SoapUI or some form of sanitation has taken place.
- I have no website that visualizes the data affected by the PATCH so as to scan a webpage for XSS (if this is what it is doing).

The only way to know if something like "data: <SCRIPT>alert("1")</SCRIPT>" has reached our database is by executing a GET on the resource with the same id and executing a check on the REST GET response; this way I can verify whether the input has been sanitized or not.

So in each iteration of the Cross Site Scripting Scan I need to:
a. get the request sent and extract the "id" from the request body of the PATCH request and the field that was targeted
b. execute a GET REST request with the same id
c. scan the response for the XSS strings on the field defined in (a)

Since my last post I tried going via the custom script assertion:
- Extract to a file all the SoapUI XSS strings
- Create a test step that performs a GET on a hardcoded "id" that is also used by PATCH
- Issue the GET request and get the response using something like testCase.testSteps["GET_testCase"].testRequest.response.contentAsString
- Iterate through the entries of the file to see if the response contains any of them

It seemed promising, but I still miss the way to isolate the exact field that was used in the PATCH request for the XSS test. So I have to scan the whole GET response. This way I may get a positive for a field that I have already checked in a previous iteration.

While working with a specific id may work in PATCH (used for updates), in a POST case (used for creating new entries), where the id has to be unique between each iteration, this will fail.

Hope this helps to clarify things on my case.

Re: Fuzzing Scan: manipulate REST body between iterations

Hi richie
Thanks for the hint, I played around a bit and it worked like a charm.
Regards,
Nikos

Fuzzing Scan: manipulate REST body between iterations

Hi
I wonder if during a fuzzing scan one could manipulate the values in the JSON request body between each request.
Let's suppose that the basic POST request is something like the following:

    { "id": id, "data": "actual data targeted by scan" }

The problem in my case is that the id has to be unique. I would like to be able to set the id part to a different value, something like <prefix>_<autoincrement value>, so that the ids in each POST sent during the fuzzing scan are unique. For example:

    { "id": "Prefix_1", "data": "fuzzing scan value 1" }, { "id": "Prefix_2", "data": "fuzzing scan value 2" }

and so on.
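A script assertion for the PATCH/POST step in the XSS thread above that isolates the injected field and reads the id from the request itself, so it also works with the randomly generated POST ids. This is an added example, not code from the original posts or from SmartBear; it assumes a sibling test step named GET_Phones whose resource path uses ${#TestCase#PhoneUniqueId}, the XSS_Vectors file described in the thread, and that messageExchange.requestContent carries the mutated request and context.testRunner can run a sibling step from inside a security scan.

```groovy
import groovy.json.JsonSlurper

// Assumption: the vector file is the one the thread describes (one SoapUI XSS string per line).
def vectors = new File("C:/XSS_Vectors").readLines().findAll { it.trim() }
def json = new JsonSlurper()

// The request SoapUI actually sent in this scan iteration (assumption: requestContent holds the mutated body).
def sent = json.parseText(messageExchange.requestContent)

// The targeted field is whichever string field currently carries one of SoapUI's vectors,
// so fields poisoned by earlier iterations are not re-checked here.
def targeted = sent.findAll { k, v -> v instanceof String && vectors.any { v.contains(it) } }
if (targeted.isEmpty()) {
    log.info "No XSS vector in this request (baseline iteration), nothing to verify"
    return
}

// Take the id from the request body, so a random PhoneUniqueId generated for POST works too,
// and hand it to the GET step through a test case property used in its resource path.
def testCase = messageExchange.modelItem.testCase
testCase.setPropertyValue("PhoneUniqueId", sent.PhoneUniqueId.toString())

// Assumption: GET_Phones is a REST request step whose path contains ${#TestCase#PhoneUniqueId}.
def getStep = testCase.testSteps["GET_Phones"]
getStep.run(context.testRunner, context)
def stored = json.parseText(getStep.testRequest.response.contentAsString)

// Compare only the field injected in this iteration, against the exact payload that was sent.
// A field whose stored value no longer contains the payload verbatim counts as sanitized.
def leaked = targeted.findAll { k, v -> stored[k]?.toString()?.contains(v) }
leaked.each { k, v -> log.error "Unsanitized payload stored in ${k} for id ${sent.PhoneUniqueId}: ${v}" }
assert leaked.isEmpty(), "Stored unsanitized XSS payload in field(s): ${leaked.keySet()}"
```

The verbatim comparison only catches payloads stored untouched; a backend that encodes part of the string will pass, so extend the check if partial encoding also matters to you.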