- package pl.garciapl.xss;
import static org.junit.Assert.assertEquals;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
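/**
 * Unit tests for {@code XSSRequestWrapper}, the request wrapper that strips
 * known cross-site-scripting payloads out of request parameter values.
 *
 * <p>Each test stores one payload under a clean, fixed parameter name, wraps
 * the mock request and asserts what {@code getParameter} hands back. The
 * expected values document the wrapper's actual behaviour, which is a
 * denylist: it removes the tags and URL scheme prefixes it knows about, but it
 * does not HTML-encode what remains (see {@link #testXSSFilterEscaping}) and it
 * returns an attribute-context payload untouched (see
 * {@link #testXSSFilterAlertFourth}). A denylist of this kind is bypassable by
 * construction, so output encoding in the view layer is still required; a
 * green run here must not be read as proof that a parameter is safe to render.
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = {"classpath:applicationContext-test.xml"})
public class XSSRequestWrapperTest {

    /**
     * Clean parameter name under which every test stores its payload. The
     * original tests used the payload itself as the parameter name, which
     * muddled what was being exercised; a fixed, harmless name keeps the lookup
     * key out of the picture. A fresh request is built per test, so the name
     * cannot collide across tests.
     */
    private static final String PARAM = "q";

    private MockHttpServletRequest request;

    /**
     * Builds a fresh mock request for each test and publishes it through
     * {@link RequestContextHolder}. No test below reads the cookie;
     * presumably the wrapper or the Spring test context expects it — confirm
     * before removing it.
     */
    @Before
    public void setUp() throws ServletException {
        request = new MockHttpServletRequest();
        request.setCookies(new Cookie("myJSESSIONID", "1"));
        RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
    }

    /**
     * Clears the thread-local request attributes installed by {@link #setUp()}
     * so they cannot leak into later tests that run on the same thread.
     */
    @After
    public void tearDown() {
        RequestContextHolder.resetRequestAttributes();
    }

    /**
     * Stores {@code dirty} as the value of {@link #PARAM}, wraps the current
     * request and returns the value the wrapper exposes for that parameter.
     *
     * @param dirty the raw parameter value to push through the wrapper
     * @return the value as seen through {@code XSSRequestWrapper#getParameter}
     */
    private String filtered(String dirty) {
        request.setParameter(PARAM, dirty);
        return new XSSRequestWrapper(request).getParameter(PARAM);
    }

    /** A script element is removed; the URL text around it is kept verbatim. */
    @Test
    public void testXSSFilterAlert() throws IOException, ServletException {
        String dirty = "Site.com/search.php?search=<script>alert(\"XSS\");</script>";
        assertEquals("Site.com/search.php?search=", filtered(dirty));
    }

    /** A script element in the middle of a query string is cut out; the rest survives. */
    @Test
    public void testXSSFilterAlertSecond() throws IOException, ServletException {
        String dirty = "http://example.com/index.php?user=<script>alert(123)</script>&p=123";
        assertEquals("http://example.com/index.php?user=&p=123", filtered(dirty));
    }

    /**
     * A multi-statement script body is removed. Note the payload ends with a
     * space that is absent from the expected value, so trailing whitespace is
     * dropped as well.
     */
    @Test
    public void testXSSFilterAlertThird() throws IOException, ServletException {
        String dirty = "http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName(\\\"a\\\"); AllLinks[0].href = \\\"http://badexample.com/malicious.exe\\\"; }</script> ";
        assertEquals("http://example.com/index.php?user=", filtered(dirty));
    }

    /**
     * Attribute-context injection. NOTE(review): this test asserts that the
     * payload comes back UNCHANGED — the wrapper does not neutralise a quote
     * that closes an attribute followed by an event-handler attribute. Any view
     * that places this parameter inside an HTML attribute must attribute-encode
     * it; the wrapper alone does not prevent XSS in that context.
     */
    @Test
    public void testXSSFilterAlertFourth() throws IOException, ServletException {
        String dirty = "\" onfocus=\"alert(document.cookie)";
        assertEquals("\" onfocus=\"alert(document.cookie)", filtered(dirty));
    }

    /** Tags carrying an event-handler attribute are removed; their text content is kept. */
    @Test
    public void testXSSFilterAlertFifth() throws IOException, ServletException {
        String dirty = "<b onmouseover=alert('Wufff!')>click me!</b>";
        assertEquals("click me!", filtered(dirty));
    }

    /** An unterminated iframe tag is removed entirely (trailing space included). */
    @Test
    public void testXSSFilterIFrame() throws IOException, ServletException {
        String dirty = "<iframe src=http://evil-site.com/evil.html ";
        assertEquals("", filtered(dirty));
    }

    /** A body tag with a javascript: background is removed entirely. */
    @Test
    public void testXSSFilterAlertBody() throws IOException, ServletException {
        String dirty = "<BODY BACKGROUND=\"javascript:alert('XSS')\"> ";
        assertEquals("", filtered(dirty));
    }

    /** A link tag with a javascript: href is removed entirely. */
    @Test
    public void testXSSFilterAlertLink() throws IOException, ServletException {
        String dirty = "<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">";
        assertEquals("", filtered(dirty));
    }

    /** A meta refresh pointing at a javascript: URL is removed entirely. */
    @Test
    public void testXSSFilterAlertMeta() throws IOException, ServletException {
        String dirty = "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">";
        assertEquals("", filtered(dirty));
    }

    /** An img tag with a vbscript: source is removed entirely. */
    @Test
    public void testXSSFilterAlertVBScript() throws IOException, ServletException {
        String dirty = "<IMG SRC='vbscript:msgbox(\"XSS\")'>";
        assertEquals("", filtered(dirty));
    }

    /** An img tag with a javascript: source is removed entirely. */
    @Test
    public void testXSSFilterAlertImage() throws IOException, ServletException {
        String dirty = "<img src=\"javascript:alert('XSS');\">";
        assertEquals("", filtered(dirty));
    }

    /** A plain inline script element is removed entirely. */
    @Test
    public void testXSSFilterAlertScript() throws IOException, ServletException {
        String dirty = "<script>alert('attack');</script>";
        assertEquals("", filtered(dirty));
    }

    /** Upper-case SCRIPT tags are matched as well as lower-case ones. */
    @Test
    public void testXSSFilterAlertScriptSecond() throws IOException, ServletException {
        String dirty = "<SCRIPT>x=/XSS/ alert(x.source)</SCRIPT>";
        assertEquals("", filtered(dirty));
    }

    /** An external script reference is removed entirely. */
    @Test
    public void testXSSFilterAlertScriptThird() throws IOException, ServletException {
        String dirty = "<SCRIPT SRC=http://evil-site.com/xss.js> </SCRIPT>";
        assertEquals("", filtered(dirty));
    }

    /**
     * Bare HTML-significant characters pass through untouched: the wrapper
     * strips known patterns, it does not encode. Output encoding remains the
     * responsibility of whatever renders the parameter.
     */
    @Test
    public void testXSSFilterEscaping() throws IOException, ServletException {
        String dirty = "&, <, >, , , /.";
        assertEquals("&, <, >, , , /.", filtered(dirty));
    }
}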