/// <summary>
/// Per-test setup: drops any ESAPI state cached by a previous test so each test
/// starts from a clean security configuration and with no current user.
/// Without this, an authenticator, config value or logged-in user left behind by
/// one test would silently leak into the next one.
/// </summary>
public void InitializeTests()
 {
     // Reset cached data
     Esapi.Reset();
     EsapiConfig.Reset();
     // Clear the user set by an earlier test (presumably the test base's
     // current-user holder; its exact scope is not visible here).
     SetCurrentUser(null);
 }
        /// <summary>
        /// Per-test setup: resets the cached ESAPI components and configuration and
        /// clears the surrogate default encoder, so an encoder installed by one test
        /// cannot influence the encoding/escaping checks of the next test.
        /// </summary>
        public void InitializeTest()
        {
            Esapi.Reset();
            EsapiConfig.Reset();

            // Force the default encoder back to "none" so a test that swapped it in
            // does not leave a stale encoder behind.
            SurrogateEncoder.DefaultEncoder = null;
        }
        /// <summary>
        /// Per-test setup: resets the cached ESAPI components and configuration and
        /// clears the surrogate default validator, so a validator installed by one
        /// test cannot affect the input-validation results of the next test.
        /// </summary>
        public void InitializeTest()
        {
            Esapi.Reset();
            EsapiConfig.Reset();

            // Force the default validator back to "none" so a test that swapped it in
            // does not leave a stale validator behind.
            SurrogateValidator.DefaultValidator = null;
        }
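        /// <summary>
        /// ESAPI request filter, run at the start of every request. It attaches the
        /// current HttpContext to the ESAPI authenticator and attempts a login, logs the
        /// request (parameters named in <c>ignore</c> are obfuscated), enforces URL-level
        /// access control and baseline request validation, and sets no-cache headers.
        /// A request that fails the access or validation check is transferred to
        /// login.aspx with an explanation in <c>context.Items["message"]</c>.
        /// Any other failure inside the filter is logged and the request is completed
        /// with a generic error heading, so a broken security filter fails closed rather
        /// than letting the request reach its handler.
        /// </summary>
        /// <param name="source">The HttpApplication raising the event (unused).</param>
        /// <param name="e">Event arguments (unused).</param>
        private void Application_BeginRequest(Object source, EventArgs e)
        {
            HttpContext  context  = HttpContext.Current;
            HttpRequest  request  = (HttpRequest)context.Request;
            HttpResponse response = (HttpResponse)context.Response;

            try
            {
                // Figure out who the current user is. A failed login leaves the request
                // anonymous (the authenticator is logged out); the access-control check
                // below is what actually denies anonymous access to protected URLs.
                try
                {
                    ((Authenticator)Esapi.Authenticator()).Context = WebContext.Cast(HttpContext.Current);
                    Esapi.Authenticator().Login();
                }
                catch (AuthenticationException)
                {
                    ((Authenticator)Esapi.Authenticator()).Logout();
                    // FIXME: use safeforward!
                    // FIXME: make configurable with config
                    // int position = request.Url.ToString().LastIndexOf('/') + 1;
                    // string page = request.Url.ToString().Substring(position, request.Url.ToString().Length - position);
                    // if (!page.ToLower().Equals("default.aspx"))
                    // {
                    //    response.Redirect("default.aspx");
                    // }
                    // return;
                }

                // Log this request, obfuscating any parameter listed in `ignore` (e.g. password).
                logger.LogHttpRequest(new ArrayList(ignore));

                // Check access to this URL. Server.Transfer is expected to end the current
                // request; the explicit return is defense in depth so that, whatever
                // Transfer does, a denied request never reaches the code below.
                if (!Esapi.AccessController().IsAuthorizedForUrl(request.RawUrl.ToString()))
                {
                    context.Items["message"] = "Unauthorized";
                    context.Server.Transfer("login.aspx");
                    return;
                }

                // Verify that this request meets the baseline input requirements.
                if (!Esapi.Validator().IsValidHttpRequest(WebContext.Cast(request)))
                {
                    context.Items["message"] = "Validation error";
                    context.Server.Transfer("login.aspx");
                    return;
                }

                // Set appropriate caching headers. NOTE(review): the CSRF token check is
                // still commented out, so this filter does not protect against CSRF.
                IHttpUtilities utils = Esapi.HttpUtilities();
                // utils.checkCSRFToken();
                utils.SetNoCacheHeaders();
                //utils.SafeSetContentType();

                // Fall through: the request continues down the ASP.NET pipeline.
            }
            catch (System.Threading.ThreadAbortException)
            {
                // Server.Transfer / Response.End terminate the request by aborting the
                // thread. That is the normal exit for a denied request, not a security
                // error, so re-throw instead of logging it and writing the error page.
                throw;
            }
            catch (Exception ex)
            {
                // Log the failure and replace the page with a generic error that carries
                // no exception detail to the client, then end the request so that a
                // broken filter cannot let the request through to its handler.
                logger.LogSpecial("Security error in ESAPI Filter", ex);
                response.Output.WriteLine("<H1>Security Error</H1>");
                context.ApplicationInstance.CompleteRequest();
            }
        }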
 /// <summary>
 /// Creates a new EnterpriseSecurityException carrying two distinct messages: a
 /// sanitized one for the user and a detailed one for the log. The new instance is
 /// registered with the ESAPI IntrusionDetector so that intrusion quotas can be
 /// checked simply by throwing this exception type. The original documentation also
 /// states that the exception is automatically logged; that does not happen in this
 /// constructor body and is presumably done by the base class or the detector.
 /// </summary>
 /// <param name="userMessage">Message safe to show to the user; passed to the base exception.</param>
 /// <param name="logMessage">Detailed message intended for the security log only.</param>
 public EnterpriseSecurityException(string userMessage, string logMessage)
     : base(userMessage)
 {
     _logMessage = logMessage;

     // Register after the log message is stored, in case the detector reads it.
     var detector = Esapi.IntrusionDetector();
     detector.AddException(this);
 }
 /// <summary>
 /// Per-test setup: resets the cached ESAPI components and configuration so that
 /// no security state (authenticator, access controller, config values) carries
 /// over from a previous test.
 /// </summary>
 public void InitializeTest()
 {
     Esapi.Reset();
     EsapiConfig.Reset();
 }