Pushing test for Persistent XSS in HTML

src/test/java/org/sasanlabs/service/vulnerability/xss/reflected/PersistentXSSInHTMLTagVulnerabilityTest.java

@@ -0,0 +1,367 @@
+package org.sasanlabs.service.vulnerability.xss.reflected;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+
+import org.sasanlabs.service.vulnerability.xss.persistent.PersistentXSSInHTMLTagVulnerability;
+import org.sasanlabs.service.vulnerability.xss.persistent.Post;
+import org.sasanlabs.service.vulnerability.xss.persistent.PostRepository;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.Mockito.*;
+
+public class PersistentXSSInHTMLTagVulnerabilityTest{
+    @Mock
+    private PostRepository postRepository;
+
+    private PersistentXSSInHTMLTagVulnerability vulnerability;
+
+    @BeforeEach
+    public void setup() {
+        MockitoAnnotations.initMocks(this);
+        vulnerability = new PersistentXSSInHTMLTagVulnerability(postRepository);
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel1(){
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<script>alert('XSS')</script>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel1(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the content of the post being saved
+        assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel1WithXSSInAttributeValue(){
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<a href='javascript:alert(1)'>Click me</a>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel1(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the content of the post being saved
+        assertEquals("<a href='javascript:alert(1)'>Click me</a>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel2(){
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel2(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the content of the post being saved
+        assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel3(){
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<script>alert('XSS')</script>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel3(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the modified content of the post being saved
+        assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+
+    @Test
+    public void testGetVulnerablePayloadLevel4(){
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel4(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the modified content of the post being saved
+        assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel5(){
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<script>alert('XSS')</script>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel5(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the modified content of the post being saved
+        assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel6(){
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel6(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the modified content of the post being saved
+        assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel7(){
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<script>alert('XSS')</script>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel7(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the modified content of the post being saved
+        assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel5WithNullByte(){
+        // Prepare test data with NullByte
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<script>\u0000alert('XSS')</script>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel5(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the modified content of the post being saved (assuming it's not modified)
+        assertEquals("<script>\u0000alert('XSS')</script>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel6WithNullByte(){
+        // Prepare test data with NullByte
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>\u0000");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel6(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the modified content of the post being saved (assuming it's not modified)
+        assertEquals("<img src='x' onerror='alert(1)'>\u0000", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(200, response.getStatusCodeValue());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel4WithResponseStatusAssertions(){
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel4(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the modified content of the post being saved
+        assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());
+
+        // Assert on the HTTP response status code
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel6WithHtmlEscaping(){
+        Post post = new Post();
+        post.setContent("<img src='x' onerror='alert(1)'>");
+
+        when(postRepository.findByLevelIdentifier("LEVEL_6")).thenReturn(Arrays.asList(post));
+
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel6(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the content of the post being saved
+        assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());
+
+        // Assert on the modified content of the post being saved (HTML escaped)
+        assertEquals("<div id=\"comments\">&lt;img src='x' onerror='alert(1)'&gt;</div>", response.getBody());
+
+        // Assert on the HTTP response status code
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel2_WithPatternReplacement(){
+        Post post = new Post();
+        post.setContent("<img src='x' onerror='alert(1)'>");
+
+        when(postRepository.findByLevelIdentifier("LEVEL_2")).thenReturn(Arrays.asList(post));
+
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<img src='x' onerror='alert(1)'>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel2(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the content of the post being saved
+        assertEquals("<img src='x' onerror='alert(1)'>", postCaptor.getValue().getContent());
+
+        // Assert on the modified content of the post being saved (pattern replaced)
+        assertEquals("<div id=\"comments\"> src='x' onerror='alert(1)'></div>", response.getBody());
+
+        // Assert on the HTTP response status code
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+
+    @Test
+    public void testGetVulnerablePayloadLevel3_WithResponseContentAssertions(){
+        Post post = new Post();
+        post.setContent("<script>alert('XSS')</script>");
+
+        when(postRepository.findByLevelIdentifier("LEVEL_3")).thenReturn(Arrays.asList(post));
+
+        // Prepare test data
+        Map<String, String> queryParams = Collections.singletonMap("comment", "<script>alert('XSS')</script>");
+
+        // Perform the test
+        ResponseEntity<String> response = vulnerability.getVulnerablePayloadLevel3(queryParams);
+
+        // Verify that the save method is called once
+        verify(postRepository, times(1)).save(any());
+
+        // Capture the argument passed to the save method
+        ArgumentCaptor<Post> postCaptor = ArgumentCaptor.forClass(Post.class);
+        verify(postRepository).save(postCaptor.capture());
+
+        // Assert on the modified content of the post being saved
+        assertEquals("<script>alert('XSS')</script>", postCaptor.getValue().getContent());
+
+        // Assert on the content of the response
+        assertEquals("<div id=\"comments\">>alert('XSS')</script></div>", response.getBody());
+
+        // Assert on the HTTP response status code
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+}