public void GivenInjectedHeaderInWhenChallengingHeadersForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedHeaderValue()
{
WhiteListedHeaders whiteListedHeaders = new WhiteListedHeaders();
whiteListedHeaders.AllowedHttpHeaders = new [] { "Authorization" };
whiteListedHeaders.CurrentHttpHeaders = new Dictionary <string, string>();
whiteListedHeaders.CurrentHttpHeaders.Add("Authorization: ", "Bearer <script>function attack(){ alert(\"i created XSS\"); } attack();</script>");
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeSecurityHeaders(whiteListedHeaders, options, CancellationToken.None));
}
public void GivenStandardHeaderInWhenChallengingHeadersForValidationThenSecurityThreatDiagnosticsMustByPassRelevantHeaders()
{
WhiteListedHeaders whiteListedHeaders = new WhiteListedHeaders();
whiteListedHeaders.AllowedHttpHeaders = new [] { StaticHeader };
whiteListedHeaders.CurrentHttpHeaders = new Dictionary <string, string>();
whiteListedHeaders.CurrentHttpHeaders.Add("Authorization: ", "Bearer hashme");
SecurityThreatDiagnosticsResult result = SecurityThreatDiagnostics.ChallengeSecurityHeaders(whiteListedHeaders, options, CancellationToken.None);
Assert.IsTrue(result.IsValid);
}
