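/// <summary>
/// Formats the warning entry written when a request part matched the XSS detection pattern.
/// </summary>
/// <param name="ip">
/// Client IP information as produced by the IP address helper. It is derived from the request,
/// so CR/LF are stripped before it is embedded, keeping one log entry per line (log forging).
/// </param>
/// <param name="validateRequestResult">Result whose <c>DiseasedRequestPart</c> names the offending part.</param>
/// <returns>A single-line message carrying a UTC, round-trip ("O") timestamp.</returns>
private string BuildLogMessage(string ip, ValidateRequestResult validateRequestResult)
{
    // UTC in ISO 8601 round-trip form so entries can be correlated across hosts and time zones;
    // the previous message used local time without any zone marker.
    string timestamp = DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture);

    // A null ip rendered as empty before (AppendFormat semantics); keep that, minus line breaks.
    string safeIp = (ip ?? string.Empty).Replace("\r", string.Empty).Replace("\n", string.Empty);

    return $"Detected xss vulnerability. Time: {timestamp}, IP:{safeIp}, Request Part: {validateRequestResult.DiseasedRequestPart}";
}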
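// Upper bound for a single regex evaluation. The pattern runs against attacker-controlled input
// (query string, form body), so an unbounded match is a denial-of-service vector. Value constructed
// here as a starting point; tune to the deployment's latency budget.
private static readonly TimeSpan s_xssRegexMatchTimeout = TimeSpan.FromSeconds(2);

/// <summary>
/// Checks the query string and, for POST requests, the form body of <paramref name="request"/>
/// against the configured XSS detection regex.
/// </summary>
/// <param name="request">The incoming request; <c>null</c> yields a valid result.</param>
/// <returns>
/// A <see cref="ValidateRequestResult"/> with <c>IsValid</c> set to <c>false</c> and
/// <c>DiseasedRequestPart</c> naming the offending part when the pattern matches. A form match
/// overrides an earlier query-string match, as in the original logic.
/// </returns>
/// <exception cref="Exception">
/// Rethrown when reading <c>request.Form</c> throws (logged first when logging is enabled).
/// A <see cref="RegexMatchTimeoutException"/> surfaces from the matcher if the timeout elapses and
/// <c>_regexHelper.ExecFor</c> does not handle it.
/// </exception>
public ValidateRequestResult HasVulnerability(HttpRequest request)
{
    // Rebuilt on every call so a changed ControlRegex takes effect without a restart. The field is
    // still updated for any other reader, but matching uses the local copy so a concurrent call
    // cannot swap the instance between assignment and use.
    Regex regex = ResolveDetectionRegex();
    _xssDetectionRegex = regex;

    ValidateRequestResult result = new ValidateRequestResult
    {
        IsValid = true,
        DiseasedRequestPart = DiseasedRequestPart.None,
    };

    if (request == null)
    {
        return result;
    }

    // NOTE(review): on System.Web, QueryString.ToString() yields the url-encoded serialization, so
    // the pattern is applied to encoded text — confirm that is what XssPattern / ControlRegex expect.
    if (Matches(regex, request.QueryString.ToString()))
    {
        result.IsValid = false;
        result.DiseasedRequestPart = DiseasedRequestPart.QueryString;
    }

    // Method names are ASCII tokens; ordinal comparison is the correct (and cheaper) choice.
    if (string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
    {
        string formPostValues = ReadFormValues(request);
        if (Matches(regex, formPostValues))
        {
            result.IsValid = false;
            result.DiseasedRequestPart = DiseasedRequestPart.Form;
        }
    }

    return result;
}

/// <summary>
/// Builds the detection regex: the operator-supplied <c>ControlRegex</c> (HTML-decoded, as it was
/// before) when present and well-formed, otherwise the built-in <c>XssPattern</c>.
/// </summary>
private Regex ResolveDetectionRegex()
{
    string controlRegex = _configuration.ControlRegex;
    if (!string.IsNullOrWhiteSpace(controlRegex))
    {
        try
        {
            return new Regex(HttpUtility.HtmlDecode(controlRegex), RegexOptions.IgnoreCase, s_xssRegexMatchTimeout);
        }
        catch (ArgumentException ex)
        {
            // Only a malformed pattern is expected here (the bare catch it replaces also hid
            // programming errors). Fall back to the built-in pattern rather than disabling
            // detection, and tell the operator when logging is on so the fallback is visible.
            if (IsLoggingEnabled())
            {
                _logger.Warn($"Configured ControlRegex is not a valid regular expression ({ex.Message}); falling back to the built-in XSS pattern.");
            }
        }
    }

    return new Regex(_regexHelper.XssPattern, RegexOptions.IgnoreCase, s_xssRegexMatchTimeout);
}

/// <summary>
/// Reads the posted form as a single string. The <c>request.Form</c> getter may throw (request
/// validation is one known cause); the failure is logged when logging is enabled and rethrown unchanged.
/// </summary>
private string ReadFormValues(HttpRequest request)
{
    try
    {
        return request.Form.ToString();
    }
    catch (Exception ex)
    {
        if (IsLoggingEnabled())
        {
            // nameof keeps the logged method name identical to what MethodBase.GetCurrentMethod().Name
            // produced when this code lived inline in HasVulnerability.
            string message = $@"Request.Form getter called, Method :{nameof(HasVulnerability)}, Requested Page: {request.Url}";
            _logger.Error(message, ex);
        }
        throw;
    }
}

/// <summary>True when the request part is non-empty and the detection regex matches it.</summary>
private bool Matches(Regex regex, string requestPart)
{
    return !string.IsNullOrEmpty(requestPart) && _regexHelper.ExecFor(regex, requestPart);
}

/// <summary>
/// Whether diagnostic logging is switched on. The setting is stored as text; "true" is accepted in
/// any casing (the previous check matched only <c>bool.TrueString</c> exactly and threw on null).
/// </summary>
private bool IsLoggingEnabled()
{
    return string.Equals(_configuration.Log, bool.TrueString, StringComparison.OrdinalIgnoreCase);
}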
/// <summary>
/// Emits a warning for a request that failed XSS validation, tagged with the client's IP information
/// as resolved by the IP address helper.
/// </summary>
/// <param name="request">The request that was flagged.</param>
/// <param name="validateRequestResult">The validation outcome naming the offending request part.</param>
private void LogXssWarning(HttpRequest request, ValidateRequestResult validateRequestResult)
    => _logger.Warn(BuildLogMessage(_ipAdressHelper.GetIpInformation(request), validateRequestResult));