XSS by changing request parameters
Testing vulnerability by injecting malicious scripts in query parameters to bypass security measures and execute unauthorized code.
Cross-site scripting (XSS)
How this template works
The template uses API selection filters to specify the criteria for selecting the APIs to be tested. In this case, the filters include response code, method, response payload, and query parameters. For example, it selects APIs with a response code between 200 and 299, uses the "GET" method, and checks if the response payload contains the HTML doctype declaration.
The template defines a single request to be executed. It modifies the query parameter by injecting a malicious script that triggers an alert with the document's domain. This is done to test for XSS vulnerabilities in the targeted API.
The template specifies the expected response payload for validation. It checks if the response payload contains either the script that triggers the alert or the HTML doctype declaration. If the validation fails, it indicates that the API is vulnerable to XSS attacks.
Frequently asked questions
What is the purpose of this XSS test
What is the impact of an XSS vulnerability
What category and subcategory does this test fall under
What are the selection filters used for this test
What is the modification made to the query parameter in the execute phase
What is the validation criteria for a successful test