
I have a Java web app. I'm using OWASP Java Encoder to encode for HTML, JavaScript and URL components to mitigate reflected XSS. I'm new to this, so I'm not sure how to test my web app for the following scenarios where there's no direct user input. So I have the following questions with examples. The Java variable, testVarFromJava, is retrieved from backend code that does not rely on user input directly.

Questions:

  1. How to test the encoded title of a webpage?

    <title> <%= Encode.forHtml(testVarFromJava) %> </title>

  2. How to test an encoded JavaScript variable?

    var testVar = '<%= Encode.forJavaScript(testVarFromJava) %>';
    if (testVar == "Y") { alert("testVar is Y"); }

  3. How to test an encoded component in a URL path?

    <frame src="testApp/main.jsp?param=<%= Encode.forUriComponent(testVarFromJava) %>">


    For DOM-based vulnerabilities (the first part of your question), here is a payload that, if sent by the server as a reflected XSS, will produce an alert when the page loads. If you give this value to your testVarFromJava and refresh, an alert will show up if the encoding does not handle XSS properly.

    #jaVasCript:/*-/*`/*\\`/*\'/*\"/**/(/* */onCliCk=alert('BOOM') ' ')//%0D%0A%0d%0a//</sTyle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()>\\x3e"> 

    For URL components, you are testing the server, so you first need to see whether the above payload is reflected back unchanged. If so, the page is vulnerable if it's fed into any part of it unhandled.

    • Thanks for your answer. May I ask how do I give this value to the testVarFromJava (which is a Java variable) if my web app server is running? Also I forgot to mention that the webpages are JSP. @postoronnim (Commented Dec 23, 2021 at 5:51)
    • Copy and paste the payload in var's place (Commented Dec 27, 2021 at 4:00)
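As an added example (not part of the question or the answer above), here is a JUnit 5 test that mirrors the three JSP snippets, substitutes a constructed hostile string for testVarFromJava, and asserts that each encoder kept the value inside its intended context. It assumes the OWASP Java Encoder and JUnit 5 are on the classpath; the class, method and fixture names are mine.

```java
import static org.junit.jupiter.api.Assertions.*;
import org.junit.jupiter.api.Test;
import org.owasp.encoder.Encode;

class EncoderContextTest {
    // Constructed fixture: would close <title>, end a JS string literal and inject CRLF into a query if unencoded.
    static final String HOSTILE = "</title><script>x</script>'\" & <\r\n>";

    // Mirrors: <title> <%= Encode.forHtml(testVarFromJava) %> </title>
    static String renderTitle(String v) {
        return "<title> " + Encode.forHtml(v) + " </title>";
    }

    // Mirrors: var testVar = '<%= Encode.forJavaScript(testVarFromJava) %>';
    static String renderScript(String v) {
        return "var testVar = '" + Encode.forJavaScript(v) + "';";
    }

    // Mirrors: <frame src="testApp/main.jsp?param=<%= Encode.forUriComponent(testVarFromJava) %>">
    static String renderFrame(String v) {
        return "<frame src=\"testApp/main.jsp?param=" + Encode.forUriComponent(v) + "\">";
    }

    @Test
    void titleCannotBeClosedEarly() {
        String html = renderTitle(HOSTILE);
        String inner = html.substring("<title> ".length(), html.length() - " </title>".length());
        // Every < and > from the fixture must have become an entity, so only our own </title> remains.
        assertFalse(inner.contains("<") || inner.contains(">"), inner);
        assertEquals(html.indexOf("</title>"), html.lastIndexOf("</title>"));
    }

    @Test
    void scriptValueStaysInsideLiteral() {
        String js = renderScript(HOSTILE);
        String inner = js.substring("var testVar = '".length(), js.length() - "';".length());
        // No raw quote, tag delimiter or line terminator may survive inside the literal.
        for (String bad : new String[] {"'", "\"", "<", ">", "\r", "\n"}) {
            assertFalse(inner.contains(bad), "raw " + bad + " leaked: " + inner);
        }
    }

    @Test
    void queryValueIsPercentEncoded() {
        String frame = renderFrame(HOSTILE);
        String value = frame.substring(frame.indexOf("param=") + 6, frame.length() - 2);
        // Only RFC 3986 unreserved characters and %XX escapes may appear in the query value.
        assertTrue(value.matches("(?:[A-Za-z0-9._~-]|%[0-9A-Fa-f]{2})*"), value);
    }
}
```

Because the tests assert on the rendered fragments rather than on exact escape sequences, they keep working if a later encoder version changes how a character is escaped, and they fail the moment a context delimiter leaks through.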
