Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
{
"info": {
"name": "Gruyere Collection",
"_postman_id": "9efdd931-ac99-5996-8bcd-07c07652dcfa",
"description": "",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
},
"item": [
{
"name": "Login Request",
"event": [
{
"listen": "test",
"script": {
"id": "1ffd2f0e-7e41-47ed-9d7e-70b2a42d4613",
"type": "text/javascript",
"exec": [
"pm.test(\"Login is no longer done via GET request\", function () {",
" pm.response.to.have.status(405);",
"});",
"",
"const cookie = postman.getResponseHeader(\"Set-Cookie\");",
"pm.environment.set(\"cookie\", cookie);"
]
}
}
],
"request": {
"method": "GET",
"header": [],
"body": {},
"url": {
"raw": "https://google-gruyere.appspot.com/574774670130385288196824622060987712038/login?uid={username}&pw={password}",
"protocol": "https",
"host": [
"google-gruyere",
"appspot",
"com"
],
"path": [
"574774670130385288196824622060987712038",
"login"
],
"query": [
{
"key": "uid",
"value": "{username}",
"equals": true
},
{
"key": "pw",
"value": "{password}",
"equals": true
}
]
},
"description": ""
},
"response": []
},
{
"name": "XSS Submission",
"event": [
{
"listen": "test",
"script": {
"id": "73ce03de-0aa0-4191-863b-68f757fe9c5f",
"type": "text/javascript",
"exec": [
"pm.test(\"Input validation flaw leading to XSS has been fixed\", function () {",
" pm.response.to.have.status(400);",
"});"
]
}
}
],
"request": {
"method": "GET",
"header": [
{
"key": "Cookie",
"value": "{{cookie}}"
}
],
"body": {},
"url": {
"raw": "https://google-gruyere.appspot.com/574774670130385288196824622060987712038/newsnippet2?snippet=<a+href=\"javascript:alert(document.cookie);\">test</a>",
"protocol": "https",
"host": [
"google-gruyere",
"appspot",
"com"
],
"path": [
"574774670130385288196824622060987712038",
"newsnippet2"
],
"query": [
{
"key": "snippet",
"value": "<a+href=\"javascript:alert(document.cookie);\">test</a>",
"equals": true
}
]
},
"description": ""
},
"response": []
},
{
"name": "XSS Payload Execution",
"event": [
{
"listen": "test",
"script": {
"id": "4d8b1fa7-bbba-4825-80fc-766e82c112ff",
"type": "text/javascript",
"exec": [
"pm.test(\"User input is properly escaped when displayed.\", function () {",
" pm.expect(pm.response.text()).not.to.include('<a href=\"javascript:');",
"});"
]
}
}
],
"request": {
"method": "GET",
"header": [
{
"key": "Cookie",
"value": "{{cookie}}"
}
],
"body": {},
"url": {
"raw": "https://google-gruyere.appspot.com/574774670130385288196824622060987712038/snippets.gtl",
"protocol": "https",
"host": [
"google-gruyere",
"appspot",
"com"
],
"path": [
"574774670130385288196824622060987712038",
"snippets.gtl"
]
},
"description": ""
},
"response": []
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.