Testing Fundamentals (testing, ~10 mins)

XSS testing in Testing Fundamentals - Test Execution Trace

Test Overview

This test checks if a web application is vulnerable to Cross-Site Scripting (XSS) attacks by injecting a script payload into an input field and verifying that it does not execute.

Test Code - Selenium with Python unittest

```python
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import unittest

class TestXSS(unittest.TestCase):
    def setUp(self):
        # Fresh browser per test so state from one run cannot leak into the next
        self.driver = webdriver.Chrome()
        self.driver.get('http://example.com/comment')

    def test_xss_injection(self):
        driver = self.driver
        # Locate the comment input box
        comment_box = WebDriverWait(driver, 10).until(
            EC.presence_of_element_located((By.ID, 'comment'))
        )
        # Inject XSS payload
        xss_payload = '<script>alert("XSS")</script>'
        comment_box.clear()
        comment_box.send_keys(xss_payload)

        # Submit the comment
        submit_button = driver.find_element(By.ID, 'submit-comment')
        submit_button.click()

        # Wait for the comment to appear; the element itself is only used as a
        # synchronization point before the page source is read
        comment_display = WebDriverWait(driver, 10).until(
            EC.presence_of_element_located((By.ID, 'comment-display'))
        )

        # Verify that the script tag is not executed but escaped or removed.
        # page_source is the serialized DOM, so a raw (unescaped) <script>
        # element would appear verbatim while an escaped one becomes &lt;script&gt;
        page_source = driver.page_source
        self.assertNotIn('<script>alert("XSS")</script>', page_source,
                         'XSS script tag found in page source')

    def tearDown(self):
        self.driver.quit()

if __name__ == '__main__':
    unittest.main()
```
Execution Trace - 7 Steps

| Step | Action | System State | Assertion | Result |
|---|---|---|---|---|
| 1 | Test starts and browser opens | Browser window opens at http://example.com/comment page | - | PASS |
| 2 | Waits for comment input box to be present | Comment input box with id 'comment' is visible on the page | Presence of element located by ID 'comment' | PASS |
| 3 | Injects XSS payload '<script>alert("XSS")</script>' into comment box | Comment input box contains the XSS payload text | - | PASS |
| 4 | Clicks the submit button with id 'submit-comment' | Form is submitted, page reloads or updates to show the comment | - | PASS |
| 5 | Waits for the comment display area with id 'comment-display' to appear | Comment display area is visible showing submitted comments | Presence of element located by ID 'comment-display' | PASS |
| 6 | Checks page source to verify script tag is not present | Page source loaded after comment submission | Assert that '<script>alert("XSS")</script>' is NOT in page source | PASS |
| 7 | Test ends and browser closes | Browser window closes | - | PASS |
Failure Scenario
Failing Condition: The page source contains the injected script tag, indicating XSS vulnerability
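A raw substring check on page_source passes as long as the exact string is absent, so it also passes when the server reflects the tag with different case or whitespace. As an added example (not part of the original test or of any project), the helper below parses the rendered HTML and reports whether the injected payload would run, was escaped to visible text, or was removed; the three HTML fragments are constructed stand-ins for the comment page.

```python
from html.parser import HTMLParser

PAYLOAD = '<script>alert("XSS")</script>'
MARKER = 'alert("XSS")'

# Constructed responses standing in for three server behaviours (not real pages).
VULNERABLE = '<div id="comment-display"><SCRIPT>alert("XSS")</SCRIPT></div>'
ESCAPED = ('<div id="comment-display">'
           '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;</div>')
STRIPPED = '<div id="comment-display"></div>'


class _RenderInspector(HTMLParser):
    """Collects <script> bodies and ordinary text nodes (entities decoded)."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True decodes &lt; &quot; etc. in text
        self._in_script = False
        self.script_bodies = []
        self.text_nodes = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':          # HTMLParser lowercases tag names, so <SCRIPT> matches
            self._in_script = True
            self.script_bodies.append('')

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_bodies[-1] += data
        else:
            self.text_nodes.append(data)


def naive_check_passes(html):
    """The original test's assertion: exact payload string absent from the page."""
    return PAYLOAD not in html


def classify_render(html):
    """Return 'executed', 'escaped' or 'stripped' for the injected payload."""
    inspector = _RenderInspector()
    inspector.feed(html)
    inspector.close()
    if any(MARKER in body for body in inspector.script_bodies):
        return 'executed'   # a live script element: the browser would run it
    if any(PAYLOAD in text for text in inspector.text_nodes):
        return 'escaped'    # payload survives only as decoded, visible text
    return 'stripped'       # neither a script element nor the text remains
```

The test's failing condition is `classify_render(page_source) == 'executed'`, which catches the uppercase variant that `naive_check_passes` lets through.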
Execution Trace Quiz - 3 Questions

Test your understanding

Question: What does the test verify after submitting the comment with the XSS payload?

A. That the alert popup appears
B. That the script tag is not present in the page source
C. That the comment box is cleared
D. That the submit button is disabled
Key Result

Always verify that user input is properly sanitized or escaped to prevent XSS attacks, by checking that injected scripts neither appear unescaped in nor execute from the page output.