Example #1
0
        private void IterateCleanUp(EncoderType encoderType, NameValueCollection collection, int index)
        {
            switch (encoderType)
            {
            case EncoderType.Javascript:
            {
                collection[collection.Keys[index]] = Encoder.JavaScriptEncode(collection[index]);
                break;
            }

            case EncoderType.HtmlFragment:
            {
                collection[collection.Keys[index]] = _regexHelper.IsNumber(collection[index])
                                                             ? collection[index]
                                                             : Sanitizer.GetSafeHtmlFragment(collection[index]);
                break;
            }

            case EncoderType.Html:
            {
                collection[collection.Keys[index]] = Encoder.HtmlEncode(collection[index]);
            }
            break;

            case EncoderType.HtmlAttribute:
            {
                collection[collection.Keys[index]] = Encoder.HtmlAttributeEncode(collection[index]);
            }
            break;

            case EncoderType.AutoDetect:
            {
                if (_regexHelper.ExecFor(_xssDetectRegex, collection[index]))
                {
                    collection[collection.Keys[index]] = Encoder.JavaScriptEncode(collection[index]);
                }
                break;
            }
            }
        }
Example #2
0
        public ValidateRequestResult HasVulnerability(HttpRequest request)
        {
            if (string.IsNullOrWhiteSpace(_configuration.ControlRegex))
            {
                _xssDetectionRegex = new Regex(_regexHelper.XssPattern, RegexOptions.IgnoreCase);
            }
            else
            {
                try
                {
                    _xssDetectionRegex = new Regex(HttpUtility.HtmlDecode(_configuration.ControlRegex), RegexOptions.IgnoreCase);
                }
                catch
                {
                    _xssDetectionRegex = new Regex(_regexHelper.XssPattern, RegexOptions.IgnoreCase);
                }
            }

            ValidateRequestResult result = new ValidateRequestResult
            {
                IsValid             = true,
                DiseasedRequestPart = DiseasedRequestPart.None
            };

            if (request != null)
            {
                string queryString = request.QueryString.ToString();

                if (!string.IsNullOrEmpty(queryString) && _regexHelper.ExecFor(_xssDetectionRegex, queryString))
                {
                    result.IsValid             = false;
                    result.DiseasedRequestPart = DiseasedRequestPart.QueryString;
                }

                if (request.HttpMethod.Equals("POST", StringComparison.InvariantCultureIgnoreCase))
                {
                    string formPostValues;

                    try
                    {
                        formPostValues = request.Form.ToString();
                    }
                    catch (Exception ex)
                    {
                        if (_configuration.Log.Equals(bool.TrueString))
                        {
                            string message = $@"Request.Form getter called, Method :{MethodBase.GetCurrentMethod().Name}, Requested Page: {request.Url}";
                            _logger.Error(message, ex);
                        }

                        throw;
                    }


                    if (!string.IsNullOrEmpty(formPostValues) && _regexHelper.ExecFor(_xssDetectionRegex, formPostValues))
                    {
                        result.IsValid             = false;
                        result.DiseasedRequestPart = DiseasedRequestPart.Form;
                    }
                }
            }

            return(result);
        }