Bug in XSS ajax tests?

[iosebyte]

I'm using Benchmark suite to test an XSS vulnerability detector.
In ajax tests (e.g. BenchmarkTest00036, BenchmarkTest00541 ...) I have found an issue. The ajax request is not setting the 'Content-Type' header, so XMLHttpRequest uses the default value 'text/plain;charset=UTF-8' instead of 'application/x-www-form-urlencoded', which is not valid to parse the parameters from the server side, and the response is always empty. Is this an actual bug or just an extra issue to bypass?

[davewichers]

I've been researching for the past hour and this appears to be a bug. Working on a fix now.

[davewichers]

OK. There are three types of UIs in Benchmark for different parameter types that submit AJAX requests like this. Both of the test cases specifically pointed out here are related to one of them. I updated that one UI template to set the Content-Type as requested and then regenerated all those UIs. Can you let me know if the commit referenced above fixes ALL of the instances of this problem that you can detect or if there are still more that need to be fixed? I haven't had time to research the other 2 template types yet to see if they need to be fixed too but wanted to push out this change to at least make some progress on this issue. This change might possibly fix all instances of this issue.

[davewichers]

@iosebyte - someone else did some testing and they believe all instances of this issue are now fixed. Can you confirm?

[iosebyte]

Yes, it works!
Thanks for the fix and the effort on this project

[davewichers]

Thanks for confirming the fix. Closing this issue.

If you run into any other issues, please let us know as we want every test case to work properly!