How to test XSS vulnerability using Selenium WebDriver?
Question
I am in the process of writing automated tests for my application. One of the tests I have thought of is to check for XSS vulnerabilities (specifically script/markup injection) in the application.
Suppose I have a field that accepts a text input:
<input id="messageInput" name="message" />
And assume it prints the input message else where as follows:
<p id="messageOutput">You entered ${message}</p>
The simplest of test cases would attempt to feed in markup such as <b>Hello</b> instead of plain text.
How can I verify that the markup isn't actually rendered on the browser? One dirty way I can think of is to go down to the element which displays the input.
@FindBy(id = "messageOutput")
WebElement messageOutput;
public boolean isMarkupRendered() {
try {
messageOutput.findElement(By.tagName("b"));
return true;
} catch (NoSuchElementException e) {
return false;
}
}
However, this ties my method to the kind of test data that I may supply - it isn't generic enough to work with inputs such as
<script>document.body.style.backgroundColor='red'</script>
Any suggestions here? Does Selenium offer a cleaner way of doing this?
1 answers
solution1
1 ACCPTED 2012-09-19 11:56:48
Not so far I've come across with getting element css properties (in particular, color):
public String jsGetColor(String css){
JavascriptExecutor js = (JavascriptExecutor) driver;
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.append("var x=$(\'"+css+"\');");
stringBuilder.append("return x.css('color')");
String res= (String) js.executeScript(stringBuilder.toString());
return res;
}
So the idea is to manipulate with css properties of the element if you definitely know what kind of element it be: text , picture , etc.
-How can I verify that the markup isn't actually rendered on the browser? - there are a lot of ways for veryfying that somehing is present or absent with selenium:
input.findElements(By.xpath("//xpath")).size() > 0
driver.findElement(By.cssSelector(html>blablabla....)).isDisplayed()
public bool IsElementPresent(By selector)
{
return driver.FindElements(selector).Any();
}
Hope this somehow helps you)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.