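WebTestCase('Change Details with XSS attack'); }

    /**
     * Logs in as fixture user '1', submits the "Change Details" form with
     * every field taken from that fixture, reloads the account page and
     * asserts that the XSS marker is no longer present in the rendered page.
     *
     * Reads the global $user fixture, index '1': username, password,
     * details.{fname,mname,lname,suffix}, dob.{day,month,year},
     * lostpw.questions.1..5 and lostpw.answers.1..5.
     */
    function testChangeDetails_XSS()
    {
        global $user;
        $profile = $user['1'];

        // Open the site and reach the password login form.
        $this->get('http://' . BASE_URL);
        $this->assertText('Login');
        $this->clickLink('Normal Login');
        // Password Login
        $this->assertText('Pass Phrase:');

        // NOTE(review): the login step runs over plain http:// while the
        // account page below is fetched over https://, so the pass phrase
        // crosses the wire unencrypted during this test run. If BASE_URL is
        // served over TLS, use https:// here as well — confirm with the
        // deployment.
        $this->setField('email', $profile['username']);
        $this->setField('pword', $profile['password']);
        $this->clickSubmit('Login');
        $this->assertText('Logout', "Login failed - don't see logout button");

        // Open Change Details page directly. "Edit" might be ambiguous.
        // NOTE(review): account id 13 is hard-coded; presumably it is the id
        // of fixture user '1' — verify against the fixture.
        $this->get('https://' . BASE_URL . '/account.php?id=13');

        // Form field name => fixture value, in the order the form submits them.
        $fields = [
            'fname'  => $profile['details']['fname'],
            'mname'  => $profile['details']['mname'],
            'lname'  => $profile['details']['lname'],
            'suffix' => $profile['details']['suffix'],
            'day'    => $profile['dob']['day'],
            'month'  => $profile['dob']['month'],
            'year'   => $profile['dob']['year'],
        ];
        for ($i = 1; $i <= 5; $i++) {
            $fields['Q' . $i] = $profile['lostpw']['questions'][$i];
            $fields['A' . $i] = $profile['lostpw']['answers'][$i];
        }
        foreach ($fields as $name => $value) {
            // Cast to string so numeric fixture values (e.g. the date of
            // birth parts) are submitted the same way as the text fields.
            $this->setField($name, (string) $value);
        }
        $this->clickSubmit('Update');
        $this->assertText('Your details have been updated with the database.', "Changing details to test dataset failed");

        // Reload the account page and check the stored values are rendered
        // without the XSS marker.
        $this->get('https://' . BASE_URL . '/account.php?id=13');
        // NOTE(review): the pattern here is empty ('//'), which matches every
        // page, so this assertion can never pass as written; the marker it was
        // meant to look for appears to have been lost and should be restored —
        // preferably as a preg_quote()d value taken from the fixture rather
        // than a literal duplicated here.
        $this->assertNoPattern('//', "XSS possible! 
Our test string wasn't removed from one of the user fields");

        // logout again
        $this->clickLink('Logout');
        // Logout
        $this->assertText('Login', "Logout faild - don't see login button");
    }
}
?>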