[英]How to test XSS vulnerability using Selenium WebDriver?
I am in the process of writing automated tests for my application. 我正在为我的应用程序编写自动化测试。 One of the tests I have thought of is to check for XSS vulnerabilities (specifically script/markup injection) in the application.
我想到的测试之一是检查应用程序中的XSS漏洞(特别是脚本/标记注入)。
Suppose I have a field that accepts a text input: 假设我有一个接受文本输入的字段:
<input id="messageInput" name="message" />
And assume it prints the input message else where as follows: 并假设它在其他地方打印输入消息,如下所示:
<p id="messageOutput">You entered ${message}</p>
The simplest of test cases would attempt to feed in markup such as <b>Hello</b>
instead of plain text. 最简单的测试用例将尝试提供诸如
<b>Hello</b>
标记,而不是纯文本。
How can I verify that the markup isn't actually rendered on the browser? 如何验证标记实际上未在浏览器上呈现? One dirty way I can think of is to go down to the element which displays the input.
我可以想到的一种肮脏的方法是转到显示输入的元素。
@FindBy(id = "messageOutput")
WebElement messageOutput;
public boolean isMarkupRendered() {
try {
messageOutput.findElement(By.tagName("b"));
return true;
} catch (NoSuchElementException e) {
return false;
}
}
However, this ties my method to the kind of test data that I may supply - it isn't generic enough to work with inputs such as 但是,这将我的方法与我可能提供的测试数据联系在一起-它的通用性不足以与诸如
<script>document.body.style.backgroundColor='red'</script>
Any suggestions here? 有什么建议吗? Does Selenium offer a cleaner way of doing this?
硒是否提供更清洁的方法?
Not so far I've come across with getting element css properties (in particular, color): 到目前为止,我还没有遇到过获取元素css属性(特别是颜色)的情况:
public String jsGetColor(String css){
JavascriptExecutor js = (JavascriptExecutor) driver;
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.append("var x=$(\'"+css+"\');");
stringBuilder.append("return x.css('color')");
String res= (String) js.executeScript(stringBuilder.toString());
return res;
}
So the idea is to manipulate with css properties of the element if you definitely know what kind of element it be: text , picture , etc. 因此,如果您确切知道元素的类型,那就是使用该元素的CSS属性进行操作:文本,图片等。
-How can I verify that the markup isn't actually rendered on the browser? -如何确认标记实际上未在浏览器上呈现? - there are a lot of ways for veryfying that somehing is present or absent with selenium:
-有很多方法可以证明硒中存在或不存在某种物质:
input.findElements(By.xpath("//xpath")).size() > 0
driver.findElement(By.cssSelector(html>blablabla....)).isDisplayed()
public bool IsElementPresent(By selector)
{
return driver.FindElements(selector).Any();
}
Hope this somehow helps you) 希望这可以对您有所帮助)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.