/// <summary>
/// A submitted header whose value carries a script payload must be refused:
/// SecurityThreatDiagnostics.ChallengeSecurityHeaders is expected to throw an
/// ApplicationException instead of returning a result.
/// </summary>
/// <remarks>
/// NOTE(review): the whitelist entry is "Authorization" while the submitted key is
/// "Authorization: " (trailing colon and space). Confirm that the throw is caused by
/// the injected value and not merely by the unrecognised header name; otherwise this
/// test does not prove what its name claims. The fixture's <c>options</c> field is
/// declared outside this method.
/// </remarks>
public void GivenInjectedHeaderInWhenChallengingHeadersForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedHeaderValue()
{
    // Arrange: a single allowed header name and one submitted header carrying a <script> tag in its value.
    const string injectedValue = "Bearer <script>function attack(){ alert(\"i created XSS\"); } attack();</script>";
    var headers = new WhiteListedHeaders
    {
        AllowedHttpHeaders = new[] { "Authorization" },
        CurrentHttpHeaders = new Dictionary<string, string> { { "Authorization: ", injectedValue } },
    };

    // Act + Assert: the diagnostics must reject the request outright rather than return a result.
    Assert.Throws<ApplicationException>(
        () => SecurityThreatDiagnostics.ChallengeSecurityHeaders(headers, options, CancellationToken.None));
}
/// <summary>
/// A submitted header with an ordinary bearer value must pass the challenge:
/// SecurityThreatDiagnostics.ChallengeSecurityHeaders is expected to return a
/// result flagged as valid.
/// </summary>
/// <remarks>
/// NOTE(review): <c>StaticHeader</c> and <c>options</c> are declared elsewhere in the
/// fixture. The submitted key is "Authorization: " (trailing colon and space), so the
/// test presumably relies on StaticHeader matching that exact spelling or on the
/// diagnostics normalising header names — confirm against the fixture/implementation.
/// </remarks>
public void GivenStandardHeaderInWhenChallengingHeadersForValidationThenSecurityThreatDiagnosticsMustByPassRelevantHeaders()
{
    // Arrange: whitelist the fixture's static header and submit a benign bearer token under the expected key.
    const string benignValue = "Bearer hashme";
    var headers = new WhiteListedHeaders
    {
        AllowedHttpHeaders = new[] { StaticHeader },
        CurrentHttpHeaders = new Dictionary<string, string> { { "Authorization: ", benignValue } },
    };

    // Act: run the challenge without cancellation.
    var outcome = SecurityThreatDiagnostics.ChallengeSecurityHeaders(headers, options, CancellationToken.None);

    // Assert: a benign header must not be reported as a threat.
    Assert.IsTrue(outcome.IsValid);
}