/// <summary>
/// Challenges character encoding of the given data.
/// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics
/// Throws application exception if diagnostics find that character is not part of the encoding set.
/// </summary>
/// <param name="validation">Known data to be bypassed into the validation.</param>
/// <param name="options">Configuration parameters</param>
/// <param name="cancellationToken"></param>
/// <returns>{SecurityThreatDiagnosticsResult.IsValid challenge}</returns>
public static SecurityThreatDiagnosticsResult ChallengeUrlEncoding
(
[PropertyTab] Validation validation,
[PropertyTab] Options options,
CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
try
{
validation.Payload = Decode(validation.Payload, options);
ChallengeAgainstSecurityThreats(validation, options, cancellationToken);
}
catch (Exception exception)
{
StringBuilder builder = new StringBuilder("Invalid URL encoding in character set [");
builder
.Append(validation.Payload)
.Append("]");
ArgumentException argumentException = new ArgumentException("Invalid URL encoding information " + exception.ToString(), exception);
throw new ApplicationException(builder.ToString(), argumentException);
}
SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult();
securityThreatDiagnosticsResult.IsValid = true;
return(securityThreatDiagnosticsResult);
}
private static SecurityThreatDiagnosticsResult BuildResponseMessage()
{
SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult();
securityThreatDiagnosticsResult.IsValid = true;
return(securityThreatDiagnosticsResult);
}
/// <summary>
/// This is task which validates the common attack patterns against the underlying system from payload attributes.
/// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics
/// Throws application exception if diagnostics find vulnerability from the payload challenge.
/// </summary>
public static SecurityThreatDiagnosticsResult ChallengeAttributesAgainstSecurityThreats(
[PropertyTab] ValidationAttributes validationAttributes,
[PropertyTab] Options options,
CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
var invalidAttributes = new Dictionary <string, ArgumentException>();
ConcurrentDictionary <string, SecurityRuleFilter> securityRuleFilters = SecurityFilterReader.Instance;
foreach (var attribute in validationAttributes.Attribute)
{
foreach (SecurityRuleFilter securityRuleFilter in securityRuleFilters.Values)
{
Validation validation = new Validation();
validation.Payload = attribute;
try
{
ChallengeAgainstSecurityThreats(validation, options, cancellationToken);
}
catch (ArgumentException argumentException)
{
invalidAttributes.Add(attribute, argumentException);
}
}
}
if (invalidAttributes.Count > 0)
{
StringBuilder argumentExceptions = new StringBuilder(
"Security Threat Diagnostics vulnerability report for attributes contains the following invalid messages:");
StringBuilder applicationExceptions =
new StringBuilder("Security Threat Diagnostics deep scanned the following attack vectors: ");
try
{
foreach (var securityRuleFilter in invalidAttributes)
{
argumentExceptions.Append(securityRuleFilter.Value.Message).Append("\n");
applicationExceptions.Append(securityRuleFilter.Value.InnerException.Message).Append("\n");
}
ApplicationException applicationException = new ApplicationException(argumentExceptions.ToString());
ArgumentException argumentException = new ArgumentException(applicationExceptions.ToString());
throw new ApplicationException(applicationException.ToString(), argumentException);
}
finally
{
if (applicationExceptions != null)
{
argumentExceptions.Clear();
applicationExceptions.Clear();
}
}
}
SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult();
securityThreatDiagnosticsResult.IsValid = true;
return(securityThreatDiagnosticsResult);
}
/// <summary>
/// This is a task which challenges the payload attributes from client side character set encoding to target system character set encoding.
/// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics
/// Throws application exception if diagnostics find vulnerability from the payload challenge.
/// </summary>
public static SecurityThreatDiagnosticsResult ChallengeCharacterSetEncoding(string payload, Options options)
{
string data = null;
{
try
{
data = ChangeCharacterEncoding(payload, options);
}
catch (Exception exception)
{
StringBuilder argumentExceptions =
new StringBuilder("Security Threat Diagnostics vulnerability report invalid character encoding:");
StringBuilder applicationExceptions =
new StringBuilder("Security Threat Diagnostics deep scanned the following attack vectors: ");
try
{
argumentExceptions.Append(exception.Message.ToString()).Append("\n");
applicationExceptions.Append("Contains illegal characters: ").Append(payload).Append("\n");
ApplicationException applicationException =
new ApplicationException(argumentExceptions.ToString());
ArgumentException argumentException = new ArgumentException(applicationExceptions.ToString());
throw new ApplicationException(applicationException.ToString(), argumentException);
}
finally
{
if (applicationExceptions != null)
{
argumentExceptions.Clear();
applicationExceptions.Clear();
}
}
}
SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult();
securityThreatDiagnosticsResult.IsValid = true;
//securityThreatDiagnosticsResult.Data.Add("data", data);
return(securityThreatDiagnosticsResult);
}
}
/// <summary>
/// Verifies that the IP is in given whitelist of known IP addresses.
/// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics
/// Throws application exception if diagnostics find that IP address is not valid.
/// </summary>
/// <param name="allowedIpAddresses">Define IP addresses which can bypass the validation.</param>
/// <param name="cancellationToken"></param>
/// <returns>{SecurityThreatDiagnosticsResult.IsValid challenge}</returns>
public static SecurityThreatDiagnosticsResult ChallengeIPAddresses(
[PropertyTab] AllowedIPAddresses allowedIpAddresses,
CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
List <string> invalidIPAddresses = new List <string>();
allowedIpAddresses.WhiteListedIpAddress?.ToList().ForEach(
entry =>
{
Regex allowedInboundTrafficRule = new Regex(entry);
if (!allowedInboundTrafficRule.IsMatch(allowedIpAddresses.Host))
{
invalidIPAddresses.Add(entry);
}
});
allowedIpAddresses.BlackListedIpAddresses?.ToList().ForEach(
entry =>
{
Regex allowedInboundTrafficRule = new Regex(entry);
if (allowedInboundTrafficRule.IsMatch(allowedIpAddresses.Host))
{
invalidIPAddresses.Add(entry);
}
});
if (invalidIPAddresses.Count > 0)
{
throw new ApplicationException("Invalid IP Address or range [" + allowedIpAddresses.Host + "]");
}
SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult();
securityThreatDiagnosticsResult.IsValid = true;
return(securityThreatDiagnosticsResult);
}
/// <summary>
/// This is task which validates data
/// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics
/// Throws application exception if diagnostics find vulnerability from the payload challenge.
/// </summary>
/// <param name="validation">Runtime element to be diagnosted.</param>
/// <param name="options">Options for the runtime validation.</param>
/// <param name="cancellationToken"></param>
/// <returns>{bool challenges for validation} </returns>
public static SecurityThreatDiagnosticsResult ChallengeAgainstSecurityThreats(
[PropertyTab] Validation validation,
[PropertyTab] Options options,
CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
Dictionary <string, string> dictionary = new Dictionary <string, string>();
StringBuilder validationChallengeMessage = new StringBuilder();
validationChallengeMessage
.Append("Payload challenged for input validation [")
.Append(validation.Payload)
.Append("] \n\n");
StringBuilder innerExceptionMessage = new StringBuilder();
innerExceptionMessage
.Append("Payload challenged for input validation [")
.Append(validation.Payload)
.Append("] \n\n");
ConcurrentDictionary <string, SecurityRuleFilter> ruleDictionary = SecurityFilterReader.Instance;
foreach (var entry in ruleDictionary)
{
ChallengeCharacterSetEncoding(validation.Payload, options);
string base64DecodedPayload = DecodeBase64Encoding(validation.Payload);
if (entry.Value.Rule.IsMatch(validation.Payload) ||
entry.Value.Rule.IsMatch(base64DecodedPayload) &&
options.Base64Decode)
{
validationChallengeMessage
.Append("id [")
.Append(entry.Key)
.Append("]")
.Append(" contains vulnerability [")
.Append(entry.Value.Description)
.Append("], ")
.Append("encoded value [")
.Append(base64DecodedPayload)
.Append("]");
dictionary.Add(entry.Key, validationChallengeMessage.ToString());
innerExceptionMessage
.Append("id [")
.Append(entry.Key)
.Append("] ")
.Append("Validation pattern [")
.Append(entry.Value.Rule.ToString())
.Append("], ")
.Append("encoded value [")
.Append(base64DecodedPayload)
.Append("]");
}
}
if (dictionary.Count > 0)
{
ArgumentException argumentException = new ArgumentException("Invalid argument information " + innerExceptionMessage.ToString());
ApplicationException applicationException = new ApplicationException(validationChallengeMessage.ToString(), argumentException);
throw applicationException;
}
SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult();
securityThreatDiagnosticsResult.IsValid = true;
return(securityThreatDiagnosticsResult);
}
