Fixed XSS vulns in deserialization testfiles #6

Open
Mike-Ki wants to merge 2 commits into OWASP-Benchmark:main from Mike-Ki:main

Mike-Ki commented May 7, 2026

Summary

This PR contains two commits addressing XSS issues in the deserialization test suite.

Commit 1: Fix XSS vulns in deserialization testfiles

Fixes 11 reflected XSS vulnerabilities in deserialization test cases where
user-controlled input was rendered unescaped in the response.

Commit 2: Escape non-vuln cases to prevent false XSS hits

The remaining non-vulnerable deserialization test cases were escaping output
to ensure they are not incorrectly flagged as XSS vulnerabilities. These
cases are intended for deserialization coverage only.


PoCs

BenchmarkTest00079.py

    POST /benchmark/deserialization-00/BenchmarkTest00079 HTTP/1.1
    Host: 127.0.0.1:5000
    Cookie: BenchmarkTest00079=text%3A+%3Cscript%3Ealert(1)%3C%2Fscript%3E

BenchmarkTest00269.py

    POST /benchmark/deserialization-00/BenchmarkTest00269 HTTP/1.1
    Host: 127.0.0.1:5000
    Content-Type: application/x-www-form-urlencoded

    BenchmarkTest00269=text%3A+%3Cscript%3Ealert(1)%3C%2Fscript%3E

BenchmarkTest00270.py

    POST /benchmark/deserialization-00/BenchmarkTest00270 HTTP/1.1
    Host: 127.0.0.1:5000
    Content-Type: application/x-www-form-urlencoded

    BenchmarkTest00270=text%3A+%3Cscript%3Ealert(1)%3C%2Fscript%3E

BenchmarkTest00271.py

    POST /benchmark/deserialization-00/BenchmarkTest00271 HTTP/1.1
    Host: 127.0.0.1:5000
    Content-Type: application/x-www-form-urlencoded

    BenchmarkTest00271=text%3A+%3Cscript%3Ealert(1)%3C%2Fscript%3E

BenchmarkTest00434.py

    POST /benchmark/deserialization-00/BenchmarkTest00433 HTTP/1.1
    Host: 127.0.0.1:5000
    Content-Type: application/x-www-form-urlencoded

    text%3A+%3Cscript%3Ealert(1)%3C%2Fscript%3E=BenchmarkTest00433

BenchmarkTest00435.py

    POST /benchmark/deserialization-00/BenchmarkTest00435 HTTP/1.1
    Host: 127.0.0.1:5000
    Content-Type: application/x-www-form-urlencoded

    %7B%22text%22%3A%22%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%7D=BenchmarkTest00435

BenchmarkTest00827.py

    GET /benchmark/deserialization-00/BenchmarkTest00827?BenchmarkTest00827=text%3A+%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1
    Host: 127.0.0.1:5000

BenchmarkTest00828.py

    POST /benchmark/deserialization-00/BenchmarkTest00828?BenchmarkTest00828=%7B%22text%22%3A%22%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%7D HTTP/1.1
    Host: 127.0.0.1:5000

BenchmarkTest00904.py

    POST /benchmark/deserialization-00/BenchmarkTest00904?BenchmarkTest00904=%7B%22text%22%3A%22%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%7D HTTP/1.1
    Host: 127.0.0.1:5000

BenchmarkTest00994.py

    POST /benchmark/deserialization-00/BenchmarkTest00994?BenchmarkTest00994=text%3A+%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1
    Host: 127.0.0.1:5000

BenchmarkTest00998.py

    POST /benchmark/deserialization-00/BenchmarkTest00998?BenchmarkTest00998=%7B%22text%22%3A%22%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%7D HTTP/1.1
    Host: 127.0.0.1:5000

Mike-Ki added 2 commits May 7, 2026 17:21
These test cases are intended for deserialization coverage, not XSS.
Escaping prevents them from being potentially incorrectly flagged as
XSS vulns.
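
A regression check for the behaviour this PR changes, as an added example that is not code from the PR or from the benchmark project: it deserializes the JSON-form PoC value, renders it the unescaped way and the escaped way, and reports whether any deserialized string containing HTML metacharacters comes back verbatim. The function names are hypothetical, and `json` stands in for whatever deserializer the test cases actually use.

```python
import html
import json
from urllib.parse import unquote_plus

# Constructed sample: the JSON-form parameter value that appears in the PoCs above.
POC_PARAM = "%7B%22text%22%3A%22%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%7D"
HTML_META = "<>\"'&"


def deserialize(raw_param: str):
    """URL-decode the parameter and parse it (assumption: JSON as the stand-in format)."""
    return json.loads(unquote_plus(raw_param))


def render_before(obj) -> str:
    """Behaviour the PR describes as vulnerable: deserialized data echoed unescaped."""
    return f"<p>Deserialized: {obj}</p>"


def render_after(obj) -> str:
    """Behaviour after the fix: the string form is HTML-escaped before output."""
    return f"<p>Deserialized: {html.escape(str(obj), quote=True)}</p>"


def reflects_markup(body: str, obj) -> bool:
    """True if any string key or value holding HTML metacharacters is in body verbatim."""
    if isinstance(obj, dict):
        # Keys matter too: two of the PoCs carry the payload in the parameter name.
        return any(reflects_markup(body, x) for x in [*obj.keys(), *obj.values()])
    if isinstance(obj, (list, tuple)):
        return any(reflects_markup(body, x) for x in obj)
    return (
        isinstance(obj, str)
        and any(c in obj for c in HTML_META)
        and obj in body
    )


if __name__ == "__main__":
    data = deserialize(POC_PARAM)
    print("before fix reflects markup:", reflects_markup(render_before(data), data))
    print("after fix reflects markup: ", reflects_markup(render_after(data), data))
```

The same `reflects_markup` check can be run against the real response body of each test case to confirm that the non-vulnerable deserialization cases no longer echo markup.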