public void ValidateInput_XSS_Unicode ()
{
string problem = "http://server.com/attack2.aspx?test=%uff1cscript%uff1ealert('vulnerability')%uff1c/script%uff1e";
string decoded = HttpUtility.UrlDecode (problem);
int n = decoded.IndexOf ('?');
HttpRequest request = new HttpRequest (null, decoded.Substring (0,n), decoded.Substring (n+1));
request.ValidateInput ();
// the next statement throws
Assert.AreEqual ("\xff1cscript\xff1ealert('vulnerability')\xff1c/script\xff1e", request.QueryString ["test"], "QueryString");
}
public void ValidateInput_XSS_Null ()
{
string problem = "http://secunia.com/?test=<%00SCRIPT>alert(document.cookie)</SCRIPT>";
string decoded = HttpUtility.UrlDecode (problem);
int n = decoded.IndexOf ('?');
HttpRequest request = new HttpRequest (null, decoded.Substring (0,n), decoded.Substring (n+1));
request.ValidateInput ();
// the next statement throws
Assert.AreEqual ("<SCRIPT>alert(document.cookie)</SCRIPT>", request.QueryString ["test"], "QueryString");
}
public override void ValidateInput()
{
w.ValidateInput();
}
public override void ValidateInput()
{
_httpRequest.ValidateInput();
}
void IHttpHandler.ProcessRequest(HttpContext context) {
// VSWhidbey 448844: Disable handler if retail is set to true
if (DeploymentSection.RetailInternal ||
(!context.Request.IsLocal && HttpRuntime.Profile.LocalOnly)) {
HttpException e = new HttpException(403, null);
e.SetFormatter(new TraceHandlerErrorFormatter(!DeploymentSection.RetailInternal));
throw e;
}
_context = context;
_response = _context.Response;
_request = _context.Request;
_writer = Page.CreateHtmlTextWriterInternal(_response.Output, _request);
// if we're in integrated mode, we need to set the content type explicitly
if (context.WorkerRequest is IIS7WorkerRequest) {
_response.ContentType = _request.Browser.PreferredRenderingMime;
}
if (_writer == null) {
// Can't create a writer, horked at this point, just return
return;
}
_context.Trace.IsEnabled = false;
// Validate the input to prevent XSS attacks.
_request.ValidateInput();
_writer.Write("<html>\r\n");
_writer.Write("<head>\r\n");
_writer.Write(StyleSheet);
_writer.Write("</head>\r\n");
_writer.Write("<body>\r\n");
_writer.Write("<span class=\"tracecontent\">\r\n");
if (!HttpRuntime.Profile.IsConfigEnabled) {
HttpException e = new HttpException();
e.SetFormatter(new TraceHandlerErrorFormatter(false));
throw e;
}
IList datasets = HttpRuntime.Profile.GetData();
// first check if we should clear data
if (_request.QueryString["clear"] != null) {
HttpRuntime.Profile.Reset();
string url = _request.RawUrl;
_response.Redirect(url.Substring(0, url.IndexOf("?", StringComparison.Ordinal)));
}
// then check if we are drilling down
string strid = _request.QueryString["id"];
if (strid != null) {
int index = Int32.Parse(strid, CultureInfo.InvariantCulture);
if (index >=0 && index < datasets.Count) {
ShowDetails((DataSet) datasets[index]);
ShowVersionDetails();
_writer.Write("</span>\r\n</body>\r\n</html>\r\n");
return;
}
}
// if we get here, its just generic request
ShowRequests(datasets);
ShowVersionDetails();
_writer.Write("</span>\r\n</body>\r\n</html>\r\n");
}