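        /// <summary>
        ///     Validate if the user has attempted to over or under supply fields to the application.
        ///     The set of form keys actually posted is compared with <paramref name="expectedFormKeys"/>;
        ///     extra keys raise an AppSensor RE5 event and missing keys an RE6 event. For a POST to
        ///     Account/LogOn the detection point is escalated to AE10 / AE11 respectively.
        ///     Only the key set is inspected here; form values are not examined.
        /// </summary>
        /// <param name="controller">The controller handling the current request; its Request.Form and path are read.</param>
        /// <param name="expectedFormKeys">The form keys the action expects. The list is copied and never modified.</param>
        public void ValidateFormData(Controller controller, List<string> expectedFormKeys)
        {
            var keysSent   = controller.Request.Form.AllKeys.ToList();
            var httpMethod = controller.Request.HttpMethod;

            // "~/Controller/Action/..." -> ["Controller", "Action", ...]. Split always yields at least one
            // element, but the action segment can be absent, so guard it instead of indexing blindly.
            var pathSegments   = controller.Request.CurrentExecutionFilePath.Trim('~').Trim('/').Split('/');
            var controllerName = pathSegments[0];
            var methodName     = pathSegments.Length > 1 ? pathSegments[1] : string.Empty;
            var isLogOnPost    = controllerName == "Account" && methodName == "LogOn" && httpMethod == "POST";

            // Work on a copy so the caller's list is not mutated when the anti-forgery field is added.
            var expectedKeys = new List<string>(expectedFormKeys);
            if ((httpMethod == "POST" || httpMethod == "PUT") && !expectedKeys.Contains("__RequestVerificationToken"))
            {
                // The anti-forgery token field is always part of a legitimate state-changing form submission.
                expectedKeys.Add("__RequestVerificationToken");
            }

            // Check if any additional fields have been provided
            var additionalKeys = keysSent.Except(expectedKeys).ToList();

            if (additionalKeys.Count > 0)
            {
                var requester = _userIdentity.GetRequester(controller, AppSensorDetectionPointKind.Re5);
                if (isLogOnPost)
                {
                    requester.AppSensorDetectionPoint = AppSensorDetectionPointKind.Ae10;
                }
                var additionalFormKeys = string.Join(",", additionalKeys);
                Log.Information(
                    "AppSensor {@controllerName} {@methodName} {@httpMethod} additional form keys {additionalFormKeys} sent by requester {@requester}",
                    controllerName, methodName, httpMethod, additionalFormKeys, requester);
            }

            // Check if any fields are missing from request
            var missingKeys = expectedKeys.Except(keysSent).ToList();

            if (missingKeys.Count > 0)
            {
                var requester = _userIdentity.GetRequester(controller, AppSensorDetectionPointKind.Re6);
                if (isLogOnPost)
                {
                    requester.AppSensorDetectionPoint = AppSensorDetectionPointKind.Ae11;
                }
                var missingFormKeys = string.Join(",", missingKeys);
                Log.Information(
                    "AppSensor {@controllerName} {@methodName} {@httpMethod} missing form keys {missingFormKeys} sent by requester {@requester}",
                    controllerName, methodName, httpMethod, missingFormKeys, requester);
            }
        }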
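        /// <summary>
        ///     Exception filter hook. An <see cref="HttpRequestValidationException"/> (ASP.NET request validation
        ///     rejected potentially dangerous input) is recorded as an AppSensor AE1 event. Any other unhandled
        ///     exception is logged as an error together with the exception itself and, outside DEBUG builds,
        ///     marked handled and redirected to the error page so no exception detail reaches the client.
        /// </summary>
        /// <param name="filterContext">The MVC exception context for the failing action.</param>
        public void OnException(ExceptionContext filterContext)
        {
            if (filterContext.ExceptionHandled)
            {
                return;
            }

            var action     = RouteValueText(filterContext.RouteData.Values["action"]);
            var controller = RouteValueText(filterContext.RouteData.Values["controller"]);
            var requester  = _userIdentity.GetRequester(filterContext.Controller as Controller);

            if (filterContext.Exception is HttpRequestValidationException)
            {
                // SECURE: Log XSS Attempt. The requester is part of the event so the AE1 detection point
                // set here is actually visible in the log rather than only on the local object.
                requester.AppSensorDetectionPoint = AppSensorDetectionPointKind.Ae1;
                Log.Logger.Information("Failed XSS attempt on controller {controller} and action {action} by requester {@requester}",
                                       controller, action, requester);
            }
            else
            {
                // Not an input-validation failure: log it as an unhandled error (with the exception) instead of
                // mislabelling every server-side fault as an XSS attempt.
                Log.Logger.Error(filterContext.Exception,
                    "Unhandled exception on controller {controller} and action {action} by requester {@requester}",
                    controller, action, requester);
#if !DEBUG
                // Release builds: suppress the default error page and send the client to the generic error view.
                filterContext.Result           = new RedirectResult("/Error/Index/");
                filterContext.ExceptionHandled = true;
                filterContext.HttpContext.ClearError();
#endif
            }
        }

        /// <summary>
        ///     Returns the route value as text, or an empty string when the value is absent, so a missing
        ///     "action"/"controller" entry cannot throw from inside the exception filter.
        /// </summary>
        /// <param name="value">A route value, possibly null.</param>
        /// <returns>The value's string form, or <see cref="string.Empty"/>.</returns>
        private static string RouteValueText(object value)
        {
            return value == null ? string.Empty : value.ToString();
        }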
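        /// <summary>
        ///     Called when authorization for the action has failed. Logs an AppSensor event describing the
        ///     failure, then defers to the base behaviour for unauthenticated users (challenge / log-on redirect),
        ///     or renders the Unauthorized view for authenticated users who hold none of the required roles.
        /// </summary>
        /// <param name="filterContext">The authorization context for the rejected request.</param>
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            string    action     = filterContext.ActionDescriptor.ActionName;
            string    controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
            Requester requester  = _userIdentity.GetRequester(filterContext.Controller as Controller, null);

            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // The user is not authenticated
                Log.Logger.Information("Failed access attempt on controller {controller} and action {action} which required authorization by requester {@requester}", controller, action, requester);
                base.HandleUnauthorizedRequest(filterContext);
                return;
            }

            // Roles is a comma-separated list that may be null or contain whitespace around names
            // ("Admin, User"). Trim entries and drop empty ones so the membership test matches the
            // way AuthorizeAttribute itself interprets the list.
            var requiredRoles = (this.Roles ?? string.Empty)
                .Split(',')
                .Select(role => role.Trim())
                .Where(role => role.Length > 0)
                .ToList();

            if (!requiredRoles.Any(filterContext.HttpContext.User.IsInRole))
            {
                // The user is not in any of the listed roles then log and show the unauthorized view
                Log.Logger.Information("Failed access attempt on controller {controller} and action {action} which required roles {roles} by requester {@requester}", controller, action, this.Roles, requester);
                filterContext.Result = new ViewResult
                {
                    ViewName = "~/Views/Error/Unauthorized.cshtml"
                };
            }
            else
            {
                // Authenticated and in a listed role, yet still unauthorized (e.g. a Users restriction): let the base class respond.
                base.HandleUnauthorizedRequest(filterContext);
            }
        }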
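 /// <summary>
 ///     Exception filter hook: records an AppSensor AE1 event when ASP.NET request validation rejected
 ///     potentially dangerous input (<see cref="HttpRequestValidationException"/>). Any other exception,
 ///     or one already marked handled, is left untouched for the remaining filters.
 /// </summary>
 /// <param name="filterContext">The MVC exception context for the failing action.</param>
 public void OnException(ExceptionContext filterContext)
 {
     if (filterContext.ExceptionHandled || !(filterContext.Exception is HttpRequestValidationException))
     {
         return;
     }

     // SECURE: Log XSS Attempt
     string    action     = RouteValueText(filterContext.RouteData.Values["action"]);
     string    controller = RouteValueText(filterContext.RouteData.Values["controller"]);
     Requester requester  = _userIdentity.GetRequester(filterContext.Controller as Controller, Constants.AppSensorDetectionPointKind.AE1);
     Log.Logger.Information("Failed XSS attempt on controller {controller} and action {action} by requester {@requester}", controller, action, requester);
 }

 /// <summary>
 ///     Returns the route value as text, or an empty string when the value is absent, so a missing
 ///     "action"/"controller" entry cannot throw from inside the exception filter.
 /// </summary>
 /// <param name="value">A route value, possibly null.</param>
 /// <returns>The value's string form, or <see cref="string.Empty"/>.</returns>
 private static string RouteValueText(object value)
 {
     return value == null ? string.Empty : value.ToString();
 }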