Merge pull request #1395 from WebFuzzing/xss-option

arcuri82 · web-flow · commit f40c3d4a8cb4 · 2025-11-30T21:16:57.000+01:00
xss option
diff --git a/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/reflected/html/XSSReflectedEMTest.kt b/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/reflected/html/XSSReflectedEMTest.kt
@@ -29,6 +29,7 @@ class XSSReflectedEMTest : SpringTestBase() {
         ) { args: MutableList<String> ->
 
             setOption(args, "security", "true")
+            setOption(args, "xss", "true")
 
 
             val solution = initAndRun(args)
diff --git a/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/reflected/json/XSSReflectedJSONEMTest.kt b/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/reflected/json/XSSReflectedJSONEMTest.kt
@@ -29,6 +29,7 @@ class XSSReflectedJSONEMTest : SpringTestBase() {
         ) { args: MutableList<String> ->
 
             setOption(args, "security", "true")
+            setOption(args, "xss", "true")
 
 
             val solution = initAndRun(args)
diff --git a/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/stored/html/XSSStoredEMTest.kt b/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/stored/html/XSSStoredEMTest.kt
@@ -29,6 +29,7 @@ class XSSStoredEMTest : SpringTestBase() {
         ) { args: MutableList<String> ->
 
             setOption(args, "security", "true")
+            setOption(args, "xss", "true")
 
 
             val solution = initAndRun(args)
diff --git a/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/stored/json/XSSStoredJSONEMTest.kt b/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/xss/stored/json/XSSStoredJSONEMTest.kt
@@ -29,6 +29,7 @@ class XSSStoredJSONEMTest : SpringTestBase() {
         ) { args: MutableList<String> ->
 
             setOption(args, "security", "true")
+            setOption(args, "xss", "true")
 
 
             val solution = initAndRun(args)
diff --git a/core/src/main/kotlin/org/evomaster/core/EMConfig.kt b/core/src/main/kotlin/org/evomaster/core/EMConfig.kt
@@ -598,6 +598,10 @@ class EMConfig {
             throw ConfigProblemException("The use of 'ssrf' requires 'security'")
         }
 
+        if(!security && xss) {
+            throw ConfigProblemException("The use of 'xss' requires 'security'")
+        }
+
         if (ssrf &&
             vulnerableInputClassificationStrategy == VulnerableInputClassificationStrategy.LLM &&
             !languageModelConnector) {
@@ -2597,6 +2601,10 @@ class EMConfig {
     @Cfg("To apply SSRF detection as part of security testing.")
     var ssrf = false
 
+    @Experimental
+    @Cfg("To apply XSS detection as part of security testing.")
+    var xss = false
+
     @Regex(faultCodeRegex)
     @Cfg("Disable oracles. Provide a comma-separated list of codes to disable. " +
                 "By default, all oracles are enabled."
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt
@@ -285,7 +285,7 @@ class SecurityRest {
             handleNotRecognizedAuthenticated()
         }
 
-        if (!config.isEnabledFaultCategory(DefinedFaultCategory.XSS)) {
+        if (!config.xss || !config.isEnabledFaultCategory(DefinedFaultCategory.XSS)) {
             LoggingUtil.uniqueUserInfo("Skipping security test for XSS as disabled in configuration")
         } else {
             handleXSSCheck()
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt
@@ -1345,7 +1345,7 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
         actionResults: List<ActionResult>,
         fv: FitnessValue
     ) {
-        if (!config.isEnabledFaultCategory(DefinedFaultCategory.XSS)) {
+        if(!config.xss || !config.isEnabledFaultCategory(DefinedFaultCategory.XSS)){
             return
         }
 
diff --git a/docs/options.md b/docs/options.md
@@ -323,3 +323,4 @@ There are 3 types of options:
 |`vulnerableInputClassificationStrategy`| __Enum__. Strategy to classify inputs for potential vulnerability classes related to an REST endpoint. *Valid values*: `MANUAL, LLM`. *Default value*: `MANUAL`.|
 |`wbProbabilityUseDataPool`| __Double__. Specify the probability of using the data pool when sampling test cases. This is for white-box (wb) mode. *Constraints*: `probability 0.0-1.0`. *Default value*: `0.2`.|
 |`writeSnapshotTestsIntervalInSeconds`| __Int__. The size (in seconds) of the interval that the snapshots will be printed, if enabled. *Default value*: `3600`.|
+|`xss`| __Boolean__. To apply XSS detection as part of security testing. *Default value*: `false`.|

Original file line number	Diff line number	Diff line change
`@@ -285,7 +285,7 @@ class SecurityRest {`
`285`	`285`	`handleNotRecognizedAuthenticated()`
`286`	`286`	`}`
`287`	`287`
`288`		`- if (!config.isEnabledFaultCategory(DefinedFaultCategory.XSS)) {`
	`288`	`+ if (!config.xss \|\| !config.isEnabledFaultCategory(DefinedFaultCategory.XSS)) {`
`289`	`289`	`LoggingUtil.uniqueUserInfo("Skipping security test for XSS as disabled in configuration")`
`290`	`290`	`} else {`
`291`	`291`	`handleXSSCheck()`
Original file line number	Diff line number	Diff line change
`@@ -1345,7 +1345,7 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {`
`1345`	`1345`	`actionResults: List<ActionResult>,`
`1346`	`1346`	`fv: FitnessValue`
`1347`	`1347`	`) {`
`1348`		`- if (!config.isEnabledFaultCategory(DefinedFaultCategory.XSS)) {`
	`1348`	`+ if(!config.xss \|\| !config.isEnabledFaultCategory(DefinedFaultCategory.XSS)){`
`1349`	`1349`	`return`
`1350`	`1350`	`}`
`1351`	`1351`