# XSS Injection in String Fields Fuzzer

| Item | Description |
|---|---|
| Full Fuzzer Name | `XssInjectionInStringFieldsFuzzer` |
| Log Key | `XSS` |
| Description | This fuzzer sends XSS (Cross-Site Scripting) payloads into string fields to test input validation and resilience against storing or transporting dangerous markup. For APIs, the goal is not HTML output encoding (that is a front-end responsibility), but ensuring that constrained fields do not accept clearly dangerous payloads that could be abused in secondary contexts (emails, PDFs, admin UIs, logs) or in downstream consumers that fail to encode output properly. |
| Enabled by default? | Yes |
| Target field types | OpenAPI type `string` |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value does not match field pattern | 4XX |

**Fuzzing logic**

Iteratively replaces each string field with XSS payloads and sends the request to the API:

1. By default, uses a curated top list of payloads to keep execution time low.
2. If the `--includeAllInjectionPayloads` flag is enabled, uses an expanded payload set including script tags, event handlers, `javascript:` URLs, template injections, data URIs, and iframe/object/embed variants.
3. Injects one payload at a time into one field at a time while keeping the rest of the request unchanged.
4. Requests are expected to be rejected with 4XX.

**Conditions when this fuzzer will be skipped**

When the request payload is empty OR no string fields are present in the request payload (base behavior inherited from `BaseSecurityInjectionFuzzer`).

**HTTP methods that will be skipped**

HEAD, TRACE (inherited from `BaseSecurityInjectionFuzzer`)

**Injection evidence detection**

Flags a likely validation issue when dangerous XSS markers are reflected back in the response body, such as:

- `<script>` tags
- `<img ... onerror=...>`
- `<svg ... onload=...>`
- `<iframe ... javascript:...>`
- inline event handlers like `onmouseover=` or `onfocus=`

Reflection is treated as a warning-level security signal (because APIs may legitimately return raw stored data), but it strongly suggests missing validation and potential downstream XSS risk.

**Reporting**

Reports `warn` if:

1. Dangerous XSS payload patterns are reflected in the response body (missing validation; downstream consumers may be vulnerable).

Reports `info` if:

1. The API rejects the payload with 4XX (proper validation for constrained fields).

Reports `error` if:

1. Server returns 5XX while processing XSS payloads (possible unsafe handling).
2. Any unexpected response code is returned for the injected payload.
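The evidence-detection and reporting rules above, worked as an added Python example (this is illustrative code written for this page, not CATS's own implementation); the regexes, function names and the constructed sample responses are assumptions chosen to match the markers listed in the table:

```python
import re

# Markers listed under "Injection evidence detection" (patterns are assumed,
# written to match the documented examples rather than copied from CATS).
XSS_MARKERS = [
    re.compile(r"<\s*script\b", re.I),                     # <script> tags
    re.compile(r"<\s*img\b[^>]*\bonerror\s*=", re.I),      # <img ... onerror=...>
    re.compile(r"<\s*svg\b[^>]*\bonload\s*=", re.I),       # <svg ... onload=...>
    re.compile(r"<\s*iframe\b[^>]*javascript\s*:", re.I),  # <iframe ... javascript:...>
    re.compile(r"\bon(mouseover|focus|load|error|click)\s*=", re.I),  # inline handlers
]


def reflected_markers(body: str) -> list[str]:
    """Return the patterns of every XSS marker reflected in a response body."""
    return [m.pattern for m in XSS_MARKERS if m.search(body)]


def report_level(status: int, body: str) -> str:
    """Map one fuzzed response to the documented report level.

    4XX  -> info  (payload rejected: proper validation for constrained fields)
    5XX  -> error (possible unsafe handling of the payload)
    else -> warn if a marker is reflected (missing validation), otherwise
            error, because any non-4XX code is unexpected for this fuzzer.
    """
    if 400 <= status < 500:
        return "info"
    if status >= 500:
        return "error"
    return "warn" if reflected_markers(body) else "error"


# Constructed sample responses, one per documented outcome.
SAMPLE_RESPONSES = {
    "rejected": (400, '{"error":"name contains invalid characters"}'),
    "crashed": (500, "Internal Server Error"),
    "reflected": (200, '{"id":7,"name":"<img src=x onerror=alert(1)>"}'),
    "stored_silently": (201, '{"id":8,"name":"hello"}'),
}


def classify_samples() -> dict[str, str]:
    """Run every constructed sample through report_level."""
    return {k: report_level(code, body) for k, (code, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, level in classify_samples().items():
        print(f"{name:16s} -> {level}")
```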