{ | |
"info": { | |
"name": "Gruyere Collection", | |
"_postman_id": "9efdd931-ac99-5996-8bcd-07c07652dcfa", | |
"description": "", | |
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" | |
}, | |
"item": [ | |
{ | |
"name": "Login Request", | |
"event": [ | |
{ | |
"listen": "test", | |
"script": { | |
"id": "1ffd2f0e-7e41-47ed-9d7e-70b2a42d4613", | |
"type": "text/javascript", | |
"exec": [ | |
"pm.test(\"Login is no longer done via GET request\", function () {", | |
" pm.response.to.have.status(405);", | |
"});", | |
"", | |
"const cookie = postman.getResponseHeader(\"Set-Cookie\");", | |
"pm.environment.set(\"cookie\", cookie);" | |
] | |
} | |
} | |
], | |
"request": { | |
"method": "GET", | |
"header": [], | |
"body": {}, | |
"url": { | |
"raw": "https://google-gruyere.appspot.com/574774670130385288196824622060987712038/login?uid={username}&pw={password}", | |
"protocol": "https", | |
"host": [ | |
"google-gruyere", | |
"appspot", | |
"com" | |
], | |
"path": [ | |
"574774670130385288196824622060987712038", | |
"login" | |
], | |
"query": [ | |
{ | |
"key": "uid", | |
"value": "{username}", | |
"equals": true | |
}, | |
{ | |
"key": "pw", | |
"value": "{password}", | |
"equals": true | |
} | |
] | |
}, | |
"description": "Logs in via GET with uid and pw passed as query-string parameters. The test expects 405 once login is no longer accepted over GET. Caveats: credentials in a query string are exposed to server, proxy and browser-history logs and to Referer headers, so the 405 is the desired outcome, not a failure to work around; the test script then stores the Set-Cookie header into the cookie environment variable, which will be empty when the request is rejected with 405, so the later requests that send {{cookie}} will be unauthenticated; and the uid/pw values use single braces ({username}, {password}), which Postman does not expand - double braces are required for variable substitution." | |
}, | |
"response": [] | |
}, | |
{ | |
"name": "XSS Submission", | |
"event": [ | |
{ | |
"listen": "test", | |
"script": { | |
"id": "73ce03de-0aa0-4191-863b-68f757fe9c5f", | |
"type": "text/javascript", | |
"exec": [ | |
"pm.test(\"Input validation flaw leading to XSS has been fixed\", function () {", | |
" pm.response.to.have.status(400);", | |
"});" | |
] | |
} | |
} | |
], | |
"request": { | |
"method": "GET", | |
"header": [ | |
{ | |
"key": "Cookie", | |
"value": "{{cookie}}" | |
} | |
], | |
"body": {}, | |
"url": { | |
"raw": "https://google-gruyere.appspot.com/574774670130385288196824622060987712038/newsnippet2?snippet=<a+href=\"javascript:alert(document.cookie);\">test</a>", | |
"protocol": "https", | |
"host": [ | |
"google-gruyere", | |
"appspot", | |
"com" | |
], | |
"path": [ | |
"574774670130385288196824622060987712038", | |
"newsnippet2" | |
], | |
"query": [ | |
{ | |
"key": "snippet", | |
"value": "<a+href=\"javascript:alert(document.cookie);\">test</a>", | |
"equals": true | |
} | |
] | |
}, | |
"description": "Submits a snippet containing an anchor with a javascript: URL and expects the server to reject it with 400. Requires the cookie variable set by the Login Request. A 400 here only shows that this particular payload is rejected on input; the snippets.gtl request below checks that stored content is actually escaped on output, which is the check that matters for XSS." | |
}, | |
"response": [] | |
}, | |
{ | |
"name": "XSS Payload Execution", | |
"event": [ | |
{ | |
"listen": "test", | |
"script": { | |
"id": "4d8b1fa7-bbba-4825-80fc-766e82c112ff", | |
"type": "text/javascript", | |
"exec": [ | |
"pm.test(\"User input is properly escaped when displayed.\", function () {", | |
" pm.expect(pm.response.text()).not.to.include('<a href=\"javascript:');", | |
"});" | |
] | |
} | |
} | |
], | |
"request": { | |
"method": "GET", | |
"header": [ | |
{ | |
"key": "Cookie", | |
"value": "{{cookie}}" | |
} | |
], | |
"body": {}, | |
"url": { | |
"raw": "https://google-gruyere.appspot.com/574774670130385288196824622060987712038/snippets.gtl", | |
"protocol": "https", | |
"host": [ | |
"google-gruyere", | |
"appspot", | |
"com" | |
], | |
"path": [ | |
"574774670130385288196824622060987712038", | |
"snippets.gtl" | |
] | |
}, | |
"description": "Fetches the snippets page (authenticated via the cookie variable) and asserts that the literal string <a href=\"javascript: does not appear in the response. The assertion is a plain substring check, so it only detects this exact, unencoded form of the payload; a variant with different whitespace, casing or attribute order would not be caught." | |
}, | |
"response": [] | |
} | |
] | |
} |