All Tests  /  Test 2042

Test Id

Test 2042

Test Trace Id

fbf3d6f5-1c71-4bdf-a266-01a6c9c462dd

Timestamp

Tue, 23 Jun 2026 21:28:45 GMT

Scenario

Send XSS injection payload in field [density]: [<img src=x onerror=alert('XSS')>]

Expected Result

Should return 4XX

Result

Result Details

The following keywords were detected in the response which might suggest an error details leak: [forbidden]

Contract Path

/api/account/preferences

Fuzzer

XssInjectionInStringFields

Full Request Path

https://qa-api.puk3p.online/api/account/preferences

Http Method

put
Request Details
Payload
{
  "theme": "GAMDDCYSHUMV",
  "density": "<img src=x onerror=alert('XSS')>",
  "autoRefresh": false,
  "landingPage": "SEAOLVOUIXZMBQZMSYD",
  "timeFormat": "IUYYLQRBNU"
}
Request Details
Headers
[
  {
    "key": "Accept",
    "value": "application/json"
  },
  {
    "key": "Content-Type",
    "value": "application/json"
  },
  {
    "key": "User-Agent",
    "value": "cats/13.8.1-SNAPSHOT (Test 2042 - XssInjectionInStringFields)"
  },
  {
    "key": "X-Cats-Trace-Id",
    "value": "fbf3d6f5-1c71-4bdf-a266-01a6c9c462dd"
  }
]
Request Details
cURL
curl  -X PUT \
     -H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "User-Agent: cats/13.8.1-SNAPSHOT (Test 2042 - XssInjectionInStringFields)" \
-H "X-Cats-Trace-Id: fbf3d6f5-1c71-4bdf-a266-01a6c9c462dd" \
 \
      -d '{"theme":"GAMDDCYSHUMV","density":"<img src=x onerror=alert('XSS')>","autoRefresh":false,"landingPage":"SEAOLVOUIXZMBQZMSYD","timeFormat":"IUYYLQRBNU"}' \
      https://qa-api.puk3p.online/api/account/preferences
Response
{
  "responseCode": 403,
  "httpMethod": "PUT",
  "responseTimeInMs": "129",
  "numberOfWordsInResponse": "1",
  "numberOfLinesInResponse": "1",
  "contentLengthInBytes": "107",
  "jsonBody": {
    "timestamp": "2026-06-23T21:28:45.120Z",
    "status": 403,
    "error": "Forbidden",
    "path": "/api/account/preferences"
  },
  "headers": [
    {
      "key": "cache-control",
      "value": "no-cache, no-store, max-age=0, must-revalidate"
    },
    {
      "key": "content-type",
      "value": "application/json"
    },
    {
      "key": "date",
      "value": "Tue, 23 Jun 2026 21:28:45 GMT"
    },
    {
      "key": "expires",
      "value": "0"
    },
    {
      "key": "pragma",
      "value": "no-cache"
    },
    {
      "key": "server",
      "value": "nginx/1.24.0 (Ubuntu)"
    },
    {
      "key": "strict-transport-security",
      "value": "max-age=31536000 ; includeSubDomains"
    },
    {
      "key": "vary",
      "value": "Origin"
    },
    {
      "key": "x-content-type-options",
      "value": "nosniff"
    },
    {
      "key": "x-frame-options",
      "value": "DENY"
    },
    {
      "key": "x-xss-protection",
      "value": "0"
    }
  ],
  "responseContentType": "application/json"
}
CATS Replay
cats replay Test2042