private bool ShowReport(Report report)
{
if (report == null) return false;
if (report.Events.Count > 0)
{
string output = "";
//Found a malicious string
foreach (Event ev in report.Events)
{
output += "<div class=\"result\"><h3>found injection: <br/>";
if (ev.Name.Length >= 60)
{
output += "param: " + Server.HtmlEncode(ev.Name.Substring(0, 60)) + "...<br/>";
}
else
{
output += "param: " + Server.HtmlEncode(ev.Name) + "<br/>";
}
if (ev.Value.Length >= 60)
{
output += "value: " + Server.HtmlEncode(ev.Value.Substring(0, 60)) + "...</h3></div>";
}
else
{
output += "value: " + Server.HtmlEncode(ev.Value) + "</h3></div>";
}
int impact = 0;
foreach (Filter f in ev.Filters)
{
impact += f.Impact;
if (f.Rule.Length > 60)
{
output += "<div class=\"result\">rule: " + Server.HtmlEncode(f.Rule.Substring(0, 60)) + "...<br />rule-description: <i>" + Server.HtmlEncode(f.Description) + "</i><br />impact: " + f.Impact + "</div>";
}
else
{
output += "<div class=\"result\">rule: " + Server.HtmlEncode(f.Rule) + "<br />rule-description: <i>" + Server.HtmlEncode(f.Description) + "</i><br />impact: " + f.Impact + "</div>";
}
}
output += "<div class=\"result\"><h3>Overall impact: <strong style=\"color:red;\">" + ev.Impact + "</strong></h3></div>";
}
Literal foundblock = new Literal();
foundblock.Text = output;
idsoutput.Controls.Add(foundblock);
return true;
}
return false;
}
public void IDSEventHandler(Report report, IScanRunner Sender)
{
switch (report.RequestType)
{
case RequestType.Get:
if (!ShowReport(report))
{
WriteAllClearGet(report);
}
else
{
_found = true;
}
break;
case RequestType.Post:
if (!ShowReport(report))
{
WriteAllClearPost(report);
}
else
{
_found = true;
}
break;
case RequestType.Cookie:
if (!ShowReport(report))
{
WriteAllClearCookie(report);
}
else
{
_found = true;
}
break;
case RequestType.Header:
if (!ShowReport(report))
{
WriteAllClearHeader(report);
}
else
{
_found = true;
}
if (!_found)
{
//NOW WRITE THE SPACE FOR THE OUTPUT PARAMETER
Literal outputspace = new Literal();
outputspace.Text = WriteAllClearFragmented();
_replace = outputspace.Text;
idsoutput.Controls.Add(outputspace);
}
else
{
//NOW WRITE THE SPACE FOR THE OUTPUT PARAMETER
Literal outputspace = new Literal();
outputspace.Text = "<h3 class=\"clean\">Fragmented input not written because non-fragmented events were detected.</h3><br/>";
_replace = outputspace.Text;
idsoutput.Controls.Add(outputspace);
}
break;
case RequestType.Output:
if (report.Events.Count == 0)
{
//Write new output with concaternated strings
Sender.WriteResponse();
}
else
{
if (!_found)
{
WriteFragmented(report, Sender);
}
else
{
Sender.WriteResponse();
}
}
break;
}
}
private void WriteFragmented(Report report, IScanRunner Sender)
{
if (report.Events.Count > 0)
{
string output = "";
//Found a malicious string
foreach (Event ev in report.Events)
{
output += "<div class=\"result\"><h3>found fragmented injection: </h3></div>";
//output += "<div class=\"value\">value: " + Server.HtmlEncode(ev.Value) + "</div>";
int impact = 0;
foreach (Filter f in ev.Filters)
{
impact += f.Impact;
if (f.Rule.Length > 60)
{
output += "<div class=\"result\">rule: " + Server.HtmlEncode(f.Rule.Substring(0, 60)) + "...<br />rule-description: <i>" + Server.HtmlEncode(f.Description) + "</i><br />impact: " + f.Impact + "</div>";
}
else
{
output += "<div class=\"result\">rule: " + Server.HtmlEncode(f.Rule) + "<br />rule-description: <i>" + Server.HtmlEncode(f.Description) + "</i><br />impact: " + f.Impact + "</div>";
}
}
output += "<div class=\"result\"><h3>Overall impact: <strong style=\"color:red;\">" + ev.Impact + "</strong></h3></div>";
}
if (_replace != string.Empty)
{
string newoutput = PageHTML.Replace(_replace, output);
Sender.WriteResponse(newoutput);
}
else
{
Sender.WriteResponse();
}
}
}
private void WriteAllClearPost(Report report)
{
foreach (string s in Request.Form.AllKeys)
{
if (!report.Exclusions.Contains(s))
{
values.Add(Request.Form[s]);
Literal clean = new Literal();
clean.Text = "<h3 class=\"clean\">Clean POST parameter: " + s + "</h3><table class=\"clean\"><tr><td><strong>HTML injection</strong></td><td>" + Request.Form[s] + "</td></tr><tr><td><strong>a href doublequoted</strong></td><td><a href=\"SmokeTest.aspx?test=" + Request.Form[s] + "\">click</a></td></tr><tr><td><strong>a href singlequoted</strong></td><td><a href='SmokeTest.aspx?test=" + Request.Form[s] + "'>click</a></td></tr><tr><td><strong>a href no quotes</strong></td><td><a href=SmokeTest.aspx?test=" + Request.Form[s] + ">click</a></td></tr></table>";
idsoutput.Controls.Add(clean);
}
}
}
/// <summary>
/// Initialise the IDS to scan cookies using the same filters as an already existing IDS object
/// </summary>
/// <param name="cookies">The cookie collection to detect intrusions within</param>
/// <param name="ids">The IDS containing the preloaded filters</param>
public IDS(System.Web.HttpCookieCollection cookies, IDS ids)
{
_store = ids._store;
_cookies = cookies;
_report = new Report(RequestType.Cookie);
IsCookie = true;
}
/// <summary>
/// Initialise the IDS to scan cookies
/// </summary>
/// <param name="cookies">The cookie collection to detect intrusions within</param>
/// <param name="xmlPath">The path to the filters file</param>
public IDS(System.Web.HttpCookieCollection cookies, string xmlPath)
{
XmlDocument xd = new XmlDocument();
xd.Load(xmlPath);
_store = new Storage(xd, typeof(RegexFilter));
_cookies = cookies;
_report = new Report(RequestType.Cookie);
IsCookie = true;
}
/// <summary>
/// Initialise the IDS to scan a GET, POST or other request
/// </summary>
/// <param name="request">The Name-Value collection to detect intrusions within</param>
/// <param name="xmlPath">The path to the filters file</param>
/// <param name="requestType">Indicates What type of request this is and therefore whether to exclude certain parameters.</param>
public IDS(NameValueCollection request, string xmlPath, RequestType requestType)
{
XmlDocument xd = new XmlDocument();
xd.Load(xmlPath);
_store = new Storage(xd, typeof(RegexFilter));
_request = request;
_report = new Report(requestType);
switch (requestType)
{
case RequestType.Cookie:
IsCookie = true;
break;
case RequestType.Post:
IsForm = true;
break;
case RequestType.Header:
IsHeader = true;
break;
}
}
/// <summary>
/// Initialise the IDS to scan a GET, POST or other request using the same filters as an already existing IDS object
/// </summary>
/// <param name="request">The Name-Value collection to detect intrusions within</param>
/// <param name="ids">The IDS containing the preloaded filters</param>
/// <param name="requestType">Indicates What type of request this is and therefore whether to exclude certain parameters.</param>
public IDS(NameValueCollection request, IDS ids, RequestType requestType)
{
_store = ids._store;
_request = request;
_report = new Report(requestType);
switch (requestType)
{
case RequestType.Cookie:
IsCookie = true;
break;
case RequestType.Post:
IsForm = true;
break;
case RequestType.Header:
IsHeader = true;
break;
}
}
/// <summary>
/// Initialise the IDS to scan a GET, POST or other request
/// </summary>
/// <param name="request">The Name-Value collection to detect intrusions within</param>
/// <param name="requestType">Indicates What type of request this is and therefore whether to exclude certain parameters.</param>
public IDS(NameValueCollection request, RequestType requestType)
{
XmlDocument xd = new XmlDocument();
xd.Load(this.GetType().Assembly.GetManifestResourceStream("IDS.default_filter.xml"));
_store = new Storage(xd, typeof(RegexFilter));
_request = request;
_report = new Report(requestType);
switch (requestType)
{
case RequestType.Cookie:
IsCookie = true;
break;
case RequestType.Post:
IsForm = true;
break;
case RequestType.Header:
IsHeader = true;
break;
}
}
/// <summary>
/// Initialise the IDS to scan a GET request using the same filters as an already existing IDS object
/// </summary>
/// <param name="request">The Name-Value collection to detect intrusions within</param>
/// <param name="ids">The IDS containing the preloaded filters</param>
public IDS(NameValueCollection request, IDS ids)
{
_store = ids._store;
_request = request;
_report = new Report(RequestType.Get);
}
/// <summary>
/// Initialise the IDS to scan a GET request
/// </summary>
/// <param name="request">The Name-Value collection to detect intrusions within</param>
/// <param name="xmlPath">The path to the filters file</param>
public IDS(NameValueCollection request, string xmlPath)
{
XmlDocument xd = new XmlDocument();
xd.Load(xmlPath);
_store = new Storage(xd, typeof(RegexFilter));
_request = request;
_report = new Report(RequestType.Get);
}
/// <summary>
/// Initialise the IDS to scan a GET request
/// </summary>
/// <param name="request">The Name-Value collection to detect intrusions within</param>
public IDS(NameValueCollection request)
{
XmlDocument xd = new XmlDocument();
xd.Load(this.GetType().Assembly.GetManifestResourceStream("IDS.default_filter.xml"));
_store = new Storage(xd, typeof(RegexFilter));
_request = request;
_report = new Report(RequestType.Get);
}
/// <summary>
/// Initialise the IDS to scan output
/// </summary>
/// <param name="oF">An OutputFilter</param>
internal IDS(OutputFilter oF)
{
_store = oF._store;
_pageOutput = oF.Output;
_page = oF.Page;
_report = new Report(RequestType.Output);
_isRaw = true;
_oF = oF;
}
