public void GivenUnknownCharacterWhenChallengingEncodingThenSecurityThreatDiagnosticsMustConvertToKnownCharacterSetEncoding()
        {
            string unknownCharacters = "ዩኒኮድ ወረጘ የጝ00F800F8يونِكودö'>>B$ôI#€%&/()?@∂öيونِكود";

            validation.Payload = unknownCharacters;
            Assert.DoesNotThrow(() => SecurityThreatDiagnostics.ChallengeCharacterSetEncoding(validation.Payload, options));
        }
        public void GivenUrlInjectionInURIFormatWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToFoundSQLInjection()
        {
            string unsecureUrl = "select * from Customers;`insert into";

            validation.Payload    = unsecureUrl;
            options.MaxIterations = 2;
            Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None));
        }
        public void GivenXSScriptAttackScriptAsAnAttributeWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedValue()
        {
            string invalidXml = "function xss() { alert('injection'); } xss();";

            validation.Payload    = invalidXml;
            options.MaxIterations = 2;
            Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None));
        }
        public void GivenDoubleEncodedUrlInjectionInURIFormatWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToDoubleEncodedURI()
        {
            string unsecureUrl = "http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\";";

            validation.Payload    = unsecureUrl;
            options.MaxIterations = 2;
            Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeUrlEncoding(validation, options, CancellationToken.None));
        }
        public void GivenXXEInjectedXMLWhenChallengingValidationOfTheXMLThenSecurityThreatDiagnosticsMustNotRaiseException()
        {
            string validXml = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>";

            validation.Payload    = validXml;
            options.MaxIterations = 2;
            Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None));
        }
        public void GivenScriptInjectedXMLWithDoubleQuatesWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedXML()
        {
            string invalidXml = "<xml><entity><script>function xss() { alert(\"injection\"); } xss();</script></entity></xml>";

            validation.Payload    = invalidXml;
            options.MaxIterations = 2;
            Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None));
        }
        public void GivenInjectedHeaderInWhenChallengingHeadersForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedHeaderValue()
        {
            WhiteListedHeaders whiteListedHeaders = new WhiteListedHeaders();

            whiteListedHeaders.AllowedHttpHeaders = new [] { "Authorization" };
            whiteListedHeaders.CurrentHttpHeaders = new Dictionary <string, string>();
            whiteListedHeaders.CurrentHttpHeaders.Add("Authorization: ", "Bearer <script>function attack(){ alert(\"i created XSS\"); } attack();</script>");
            Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeSecurityHeaders(whiteListedHeaders, options, CancellationToken.None));
        }
        public void GivenValidTextWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToFoundInjection()
        {
            string validXml = "This is a valid content.";

            validation.Payload    = validXml;
            options.MaxIterations = 2;
            SecurityThreatDiagnosticsResult result = SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None);

            Assert.IsTrue(result.IsValid);
        }
        public void GivenInvalidAttributesWhenChallengingPayloadAttributesForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedAttributss()
        {
            string invalidAttribute1 = "<script>function xss() { alert('injection'); } xss();</script>";
            string invalidAttribute2 = "<script>function xss() { alert('injection'); } xss();</script>";

            string[] attributes = { invalidAttribute1, invalidAttribute2 };
            validationAttributes.Attribute = attributes;

            Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats(validationAttributes, options, CancellationToken.None));
        }
        public void GivenStandardHeaderInWhenChallengingHeadersForValidationThenSecurityThreatDiagnosticsMustByPassRelevantHeaders()
        {
            WhiteListedHeaders whiteListedHeaders = new WhiteListedHeaders();

            whiteListedHeaders.AllowedHttpHeaders = new [] { StaticHeader };
            whiteListedHeaders.CurrentHttpHeaders = new Dictionary <string, string>();
            whiteListedHeaders.CurrentHttpHeaders.Add("Authorization: ", "Bearer hashme");
            SecurityThreatDiagnosticsResult result = SecurityThreatDiagnostics.ChallengeSecurityHeaders(whiteListedHeaders, options, CancellationToken.None);

            Assert.IsTrue(result.IsValid);
        }
        public void GivenAttackVectorWithCharacterEscapedAttributesWhenChallengingPayloadAttributesForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInvalidException()
        {
            string invalidAttribute1 = "{payload : {Name" + ":" + "PHNjcmlwdD5mdW5jdGlvbiBhdHRhY2sgKCkge2FsZXJ0KCd4c3MnKTt9YXR0YWNrKCk7PC9zY3JpcHQ+";
            string invalidAttribute2 = "Address : test";
            string invalidAttribute3 = "Mobile +358123456789 }}' >> mysqldump --all-databases > dump.sql";
            string parallel          = invalidAttribute1 + invalidAttribute2 + invalidAttribute3;

            string[] attributes = { invalidAttribute1, invalidAttribute2, invalidAttribute3, parallel };
            validationAttributes.Attribute = attributes;
            options.Base64Decode           = true;
            Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats(validationAttributes, options, CancellationToken.None));
        }
        public void GivenAttackVectorWithMultipleAttributesWhenChallengingPayloadAttributesForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToFoundAttackPattern()
        {
            string invalidAttribute1 = "{ payload : {Name" + ":" + "%27 %3E%3E";
            string invalidAttribute2 = "Address" + ":" + "%3Cscript%3E function attack() %7B alert(%27xss%27)%3B %7D";
            string invalidAttribute3 = "Mobile" + ":" + "attack()%3B %3C%2Fscript%3E}}";
            string parallel          = invalidAttribute1 + invalidAttribute2 + invalidAttribute3;

            string[] attributes = { invalidAttribute1, invalidAttribute2, invalidAttribute3, parallel };
            validationAttributes.Attribute = attributes;

            Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats(validationAttributes, options, CancellationToken.None));
        }
        public void GivenAllowedIPAddressWhenChallengingIPForValidationThenSecurityThreatDiagnosticsMustNotRaiseExceptionDueToAllowedIPs()
        {
            AllowedIPAddresses allowedIpAddresses = new AllowedIPAddresses();

            //IPV4 and IPV6
            string[] allowedIPAddressesRegex =
            {
                "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
            };

            string[] denyBroadcastIPAddressesRegex =
            {
                "255.255.255.255"
            };

            allowedIpAddresses.WhiteListedIpAddress   = allowedIPAddressesRegex;
            allowedIpAddresses.BlackListedIpAddresses = denyBroadcastIPAddressesRegex;
            allowedIpAddresses.Host = "127.0.0.1";
            Assert.DoesNotThrow(() => SecurityThreatDiagnostics.ChallengeIPAddresses(allowedIpAddresses, CancellationToken.None));
        }