I3:FeatureTest-RP Sanitization of Claims Containing HTML Entities

From OSIS Open Source Identity Systems

Feature Test: RP Sanitization of Claims Containing HTML Entities
Test Type: Claim Processing
Identifier: FTI3-irp-claimprocessing-1
Description: Tests that an RP HTML-encodes the claim values it displays, so that script carried inside a claim is not executed by the browser (script injection / cross-site scripting)
Role tested: Information Card Relying Party
Known Successful Reference Solution(s):
Success Criteria: No popups are displayed
Failure Criteria: One or more popups are displayed

Features Proven

Feature | Feature type | Solution role
RP Sanitizes Received Claims To Prevent Injection Attacks | Information Card Relying Party Features | condition

Instructions

  1. Open the result page for the Relying Party solution for this particular feature test.
  2. Download the HTML Entities Test Card.
  3. Install it in your selector.
  4. Navigate to the Relying Party site.
  5. Invoke the selector.
  6. Select the HTML Entities Card.
  7. Inspect the Relying Party's response, in particular the page on which it displays the claims received from the card.
  8. Set the outcome:
    1. If the RP does not pop up any window saying "hacked", set the outcome to Works.
    2. If one or more JavaScript alert windows pop up, set the outcome to Failed.
    3. If you saw specific issues, mark the outcome as "Issues" and describe them by commenting on the "Talk" tab of this page.
  9. Add either four tildes (~~~~) or a text name to the "testedby" parameter.
  10. Update the date tested, operating systems, and tested solutions parameters of the results page.
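The condition this test exercises is output encoding on the RP side. The test card's claim values arrive in the token as XML, where markup is entity-encoded (`&lt;script&gt;`); XML parsing decodes those entities, so by the time the RP has a claim string in hand it again contains raw `<` and `>`. An RP that concatenates that string into its page executes the attacker's script; an RP that HTML-encodes every claim value at the point of output renders it as inert text. The following Python is an added illustration of both patterns plus the check a tester would apply to the rendered page; it is not OSIS code and not the code of any reference solution. The claim XML fragment, the claim names and the payload values are constructed for the example and are only modelled on what a test card of this kind carries.

```python
"""Added example: vulnerable vs. sanitized rendering of Information Card
claims, with a parser-based check for injected markup.  Illustrative code,
not OSIS's or any reference solution's; all data below is constructed."""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed fragment shaped like the claims section of a received token.
# The values carry markup, entity-encoded as XML requires.
SAMPLE_CLAIMS_XML = """<Claims>
  <Claim name="givenname">&lt;script&gt;alert('hacked')&lt;/script&gt;</Claim>
  <Claim name="surname">"&gt;&lt;img src=x onerror=alert('hacked')&gt;</Claim>
  <Claim name="email">user@example.com</Claim>
</Claims>"""


def parse_claims(xml_text):
    """XML parsing decodes the entities: after this step the values hold raw
    '<' and '>' again, which is why the RP must re-encode them on output."""
    root = ET.fromstring(xml_text)
    return {c.get("name"): (c.text or "") for c in root.findall("Claim")}


def render_vulnerable(claims):
    """Pattern that fails this test: claim text concatenated straight into HTML."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in claims.items())
    return f"<table>{rows}</table>"


def render_sanitized(claims):
    """Pattern that passes: every claim value HTML-escaped at output time.
    quote=True also escapes quotes, so the value is inert inside attributes."""
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in claims.items())
    return f"<table>{rows}</table>"


class _TagCollector(HTMLParser):
    """Records every start tag and every on* event-handler attribute the
    browser would see; escaped text such as '&lt;script&gt;' is data, not a tag."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


# Tags the RP's own template is allowed to emit (the table above).
ALLOWED_TAGS = {"table", "tr", "td"}


def injected_markup(page):
    """Return the unexpected tags plus any on* handlers found in the page.
    An empty list means the claim values were rendered as inert text, which is
    the condition under which no 'hacked' popup can appear."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    unexpected = [t for t in collector.tags if t not in ALLOWED_TAGS]
    return unexpected + collector.event_handlers


if __name__ == "__main__":
    claims = parse_claims(SAMPLE_CLAIMS_XML)
    print("vulnerable :", injected_markup(render_vulnerable(claims)))
    print("sanitized  :", injected_markup(render_sanitized(claims)))
```

The check deliberately parses the rendered page rather than grepping for `alert(`: the sanitized output still contains the literal characters `onerror=alert(...)` as text, and only a parser distinguishes text from a live attribute. Escaping at the output point, not at the input point, is the design choice that matters here; a value that is "cleaned" when stored can still be re-injected by a later code path that decodes it.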