XSS Reflected and XXE Vulnerability Changes

src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSInImgTagAttribute.java

@@ -201,4 +201,63 @@ public ResponseEntity<String> getVulnerablePayloadLevelSecure(
             return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
         }
     }
+
+     // Escape all the input which provides eval expression in a payload
+    // and validate input.
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS,
+            description = "XSS_QUOTES_AND_WITH_HTML_ESCAPE_PLUS_FILTERING_EVAL_EXPRESSION_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG")
+    @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_8, htmlTemplate = "LEVEL_1/XSS")
+    public ResponseEntity<String> getVulnerablePayloadLevel8(
+            @RequestParam(PARAMETER_NAME) String imageLocation) {
+
+        String vulnerablePayloadWithPlaceHolder = "<img src=%s width=\"400\" height=\"300\"/>";
+
+        String payload =
+                String.format(
+                        vulnerablePayloadWithPlaceHolder,
+                        StringEscapeUtils.escapeHtml4(imageLocation));
+
+        return new ResponseEntity<>(payload, HttpStatus.OK);
+    }
+
+    // Escape all paranoid characters to their corresponding HTML tag
+    // and validate input.
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS,
+            description =
+                    "XSS_HTML_ESCAPE_ON_DIRECT_INPUT_AND_REMOVAL_OF_PARANOID_VALUES_WITH_SRC_ATTRIBUTE_IMG_TAG")
+    @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_9, htmlTemplate = "LEVEL_1/XSS")
+    public ResponseEntity<String> getVulnerablePayloadLevel9(
+            @RequestParam(PARAMETER_NAME) String imageLocation) {
+
+        String vulnerablePayloadWithPlaceHolder = "<img src=%s width=\"400\" height=\"300\"/>";
+
+        String payload =
+                String.format(
+                        vulnerablePayloadWithPlaceHolder,
+                        StringEscapeUtils.escapeHtml4(imageLocation));
+
+        return new ResponseEntity<>(payload, HttpStatus.OK);
+    }
+
+     // Checking for onload function which is passing into the html tag
+    // and validate input.'
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS,
+            description =
+                    "XSS_HTML_ESCAPE_ON_DIRECT_INPUT_AND_REMOVAL_OF_ONLOAD_FUNCTIONS_WITH_PARENTHESIS_SRC_ATTRIBUTE_IMG_TAG")
+    @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_10, htmlTemplate = "LEVEL_1/XSS")
+    public ResponseEntity<String> getVulnerablePayloadLevel10(
+            @RequestParam(PARAMETER_NAME) String imageLocation) {
+
+        String vulnerablePayloadWithPlaceHolder = "<img src=%s width=\"400\" height=\"300\"/>";
+
+        String payload =
+                String.format(
+                        vulnerablePayloadWithPlaceHolder,
+                        StringEscapeUtils.escapeHtml4(imageLocation));
+
+        return new ResponseEntity<>(payload, HttpStatus.OK);
+    }
 }

src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java

@@ -85,4 +85,70 @@ public ResponseEntity<String> getVulnerablePayloadLevel3(
         }
         return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
     }
+
+    // Just adding User defined input(Untrusted Data) into div tag if doesn't contains
+    // eval(...) expression which evaluates the string expression and returns its value.
+    // Can be broken by various ways
+
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS,
+            description = "XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_EVAL_EXPRESSION")
+    @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_8, htmlTemplate = "LEVEL_1/XSS")
+    public ResponseEntity<String> getVulnerablePayloadLevel8(
+            @RequestParam Map<String, String> queryParams) {
+        String vulnerablePayloadWithPlaceHolder = "<div>%s<div>";
+        StringBuilder payload = new StringBuilder();
+        Pattern pattern = Pattern.compile("eval\\((.*?)\\)");
+        for (Map.Entry<String, String> map : queryParams.entrySet()) {
+            Matcher matcher = pattern.matcher(map.getValue());
+            if (!matcher.find()) {
+                payload.append(String.format(vulnerablePayloadWithPlaceHolder, map.getValue()));
+            }
+        }
+        return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
+    }
+
+    // Just adding User defined input(Untrusted Data) into div tag if doesn't contains
+    // Paranoid regex.
+    // Can be broken by various ways
+
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS,
+            description = "XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_PARANOID")
+    @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_9, htmlTemplate = "LEVEL_1/XSS")
+    public ResponseEntity<String> getVulnerablePayloadLevel9(
+            @RequestParam Map<String, String> queryParams) {
+        String vulnerablePayloadWithPlaceHolder = "<div>%s<div>";
+        StringBuilder payload = new StringBuilder();
+        Pattern pattern = Pattern.compile("<script(.*?)[\r\n]*(.*?)/script>");
+        for (Map.Entry<String, String> map : queryParams.entrySet()) {
+            Matcher matcher = pattern.matcher(map.getValue());
+            if (!matcher.find()) {
+                payload.append(String.format(vulnerablePayloadWithPlaceHolder, map.getValue()));
+            }
+        }
+        return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
+    }
+
+    // Just adding User defined input(Untrusted Data) into div tag if contains
+    // onLoad expression which deals with the cookies.
+    // Can be broken by various ways
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS,
+            description =
+                    "XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ONLOAD_EXPRESSION")
+    @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_10, htmlTemplate = "LEVEL_1/XSS")
+    public ResponseEntity<String> getVulnerablePayloadLevel10(
+            @RequestParam Map<String, String> queryParams) {
+        String vulnerablePayloadWithPlaceHolder = "<div>%s<div>";
+        StringBuilder payload = new StringBuilder();
+        Pattern pattern = Pattern.compile("onload(.*?)=");
+        for (Map.Entry<String, String> map : queryParams.entrySet()) {
+            Matcher matcher = pattern.matcher(map.getValue());
+            if (!matcher.find()) {
+                payload.append(String.format(vulnerablePayloadWithPlaceHolder, map.getValue()));
+            }
+        }
+        return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
+    }
 }