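        /// <summary>
        /// Builds the single-line log entry written when a request part matched the XSS detection regex.
        /// </summary>
        /// <param name="ip">IP information as resolved from the incoming request (see <c>LogXssWarning</c>);
        /// line breaks are stripped so a client cannot split the entry into several log lines.</param>
        /// <param name="validateRequestResult">The validation result; its <c>DiseasedRequestPart</c> names the part that matched.</param>
        /// <returns>The message: a UTC timestamp, the IP information and the affected request part.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="validateRequestResult"/> is null.</exception>
        private string BuildLogMessage(string ip, ValidateRequestResult validateRequestResult)
        {
            if (validateRequestResult == null)
            {
                throw new ArgumentNullException(nameof(validateRequestResult));
            }

            // UTC in round-trip ("O") format so entries from different hosts and time zones correlate;
            // the previous local-time stamp carried no zone information.
            string timestamp = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture);

            // The IP information is derived from the request; CR/LF in it would forge extra log lines.
            string safeIp = (ip ?? string.Empty).Replace("\r", " ").Replace("\n", " ");

            return string.Format(
                CultureInfo.InvariantCulture,
                "Detected xss vulnerability. Time: {0}, IP:{1}, Request Part: {2}",
                timestamp,
                safeIp,
                validateRequestResult.DiseasedRequestPart);
        }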
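        /// <summary>
        /// Checks the query string and, for POST requests, the form values of <paramref name="request"/>
        /// against the XSS detection regex.
        /// </summary>
        /// <param name="request">The request to inspect; null yields a valid result.</param>
        /// <returns>
        /// A result whose <c>IsValid</c> is false when a part matched. <c>DiseasedRequestPart</c> names the
        /// last matching part, so a form match overrides a query-string match when both occur.
        /// </returns>
        /// <exception cref="Exception">Rethrown when reading <c>Request.Form</c> fails; the failure is logged first when logging is enabled.</exception>
        public ValidateRequestResult HasVulnerability(HttpRequest request)
        {
            // Rebuilt on every call, as before; if this path is hot, caching the regex keyed by the
            // configured pattern would avoid repeated construction.
            _xssDetectionRegex = ResolveDetectionRegex();

            ValidateRequestResult result = new ValidateRequestResult
            {
                IsValid = true,
                DiseasedRequestPart = DiseasedRequestPart.None
            };

            if (request == null)
            {
                return result;
            }

            string queryString = request.QueryString.ToString();
            if (!string.IsNullOrEmpty(queryString) && _regexHelper.ExecFor(_xssDetectionRegex, queryString))
            {
                result.IsValid = false;
                result.DiseasedRequestPart = DiseasedRequestPart.QueryString;
            }

            // "POST" is ASCII; an ordinal comparison avoids culture-dependent casing and is null-safe.
            if (string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            {
                string formPostValues = ReadFormValues(request);
                if (!string.IsNullOrEmpty(formPostValues) && _regexHelper.ExecFor(_xssDetectionRegex, formPostValues))
                {
                    result.IsValid = false;
                    result.DiseasedRequestPart = DiseasedRequestPart.Form;
                }
            }

            return result;
        }

        /// <summary>
        /// Builds the detection regex: the HTML-decoded configured <c>ControlRegex</c> when it is set and
        /// parses, otherwise the built-in pattern from <c>_regexHelper</c>.
        /// </summary>
        /// <returns>A case-insensitive <see cref="Regex"/>.</returns>
        private Regex ResolveDetectionRegex()
        {
            if (string.IsNullOrWhiteSpace(_configuration.ControlRegex))
            {
                return new Regex(_regexHelper.XssPattern, RegexOptions.IgnoreCase);
            }

            try
            {
                // NOTE(review): the pattern comes from configuration and no match timeout is set; a
                // catastrophically backtracking pattern would stall request processing (ReDoS).
                return new Regex(HttpUtility.HtmlDecode(_configuration.ControlRegex), RegexOptions.IgnoreCase);
            }
            catch (ArgumentException)
            {
                // An unparsable configured pattern must not disable detection: fall back to the default.
                return new Regex(_regexHelper.XssPattern, RegexOptions.IgnoreCase);
            }
        }

        /// <summary>
        /// Reads the form values of <paramref name="request"/>; when the getter throws, the error is
        /// logged (if <c>_configuration.Log</c> is "True") and rethrown unchanged.
        /// </summary>
        /// <param name="request">The POST request whose form is read.</param>
        /// <returns>The form collection rendered as a string.</returns>
        private string ReadFormValues(HttpRequest request)
        {
            try
            {
                return request.Form.ToString();
            }
            catch (Exception ex)
            {
                // string.Equals is null-safe; the comparison stays ordinal, matching "True" only, as before.
                if (string.Equals(_configuration.Log, bool.TrueString, StringComparison.Ordinal))
                {
                    // nameof keeps the logged method name identical to the original reflection lookup.
                    string message = $@"Request.Form getter called, Method :{nameof(HasVulnerability)}, Requested Page: {request.Url}";
                    _logger.Error(message, ex);
                }

                throw;
            }
        }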
 /// <summary>
 /// Writes the XSS warning for a detected request, tagged with the IP information resolved from it.
 /// </summary>
 /// <param name="request">The request that triggered the detection.</param>
 /// <param name="validateRequestResult">The validation result naming the affected request part.</param>
 private void LogXssWarning(HttpRequest request, ValidateRequestResult validateRequestResult)
 {
     // The IP helper turns the request into the string the log-line builder expects.
     _logger.Warn(
         BuildLogMessage(_ipAdressHelper.GetIpInformation(request), validateRequestResult));
 }