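/// <summary>
/// AppSensor request-exception check: compares the form keys the client actually sent with the
/// keys this action expects and logs over-supply (RE5, or AE10 on the login POST) and
/// under-supply (RE6, or AE11 on the login POST). Only key names are logged, never values.
/// </summary>
/// <param name="controller">Controller handling the current request; its Request is inspected.</param>
/// <param name="expectedFormKeys">Form keys the action expects. The list is copied, not modified.</param>
public void ValidateFormData(Controller controller, List<string> expectedFormKeys)
{
    var keysSent = controller.Request.Form.AllKeys.ToList();
    var httpMethod = controller.Request.HttpMethod;

    // "~/Controller/Action[/id]" -> ["Controller", "Action", ...]. Guard both indexes: a path
    // carrying only the controller segment (default action) or an empty path would otherwise
    // throw IndexOutOfRangeException and turn a detection point into a request failure.
    var pathSegments = controller.Request.CurrentExecutionFilePath.Trim('~').Trim('/').Split('/');
    var controllerName = pathSegments.Length > 0 ? pathSegments[0] : string.Empty;
    var methodName = pathSegments.Length > 1 ? pathSegments[1] : string.Empty;

    // Work on a private copy so the caller's list (typically a shared definition of an action's
    // fields) is not mutated by the anti-forgery token being appended here.
    var expectedKeys = new List<string>(expectedFormKeys);
    var isStateChanging = httpMethod == "POST" || httpMethod == "PUT";
    if (isStateChanging && !expectedKeys.Contains("__RequestVerificationToken"))
    {
        // NOTE(review): only POST and PUT are treated as needing the anti-forgery token; DELETE and
        // PATCH are not covered — confirm against where [ValidateAntiForgeryToken] is applied.
        expectedKeys.Add("__RequestVerificationToken");
    }

    var isLoginPost = controllerName == "Account" && methodName == "LogOn" && httpMethod == "POST";

    // Over-supply: keys the client sent that the action does not expect. Comparison is ordinal and
    // case-sensitive, so a case variant of an expected key shows up as both additional and missing.
    // Key names are attacker-controlled text; they go into a structured log property, not the template.
    var additionalKeys = keysSent.Except(expectedKeys).ToList();
    if (additionalKeys.Count > 0)
    {
        var requester = _userIdentity.GetRequester(controller, AppSensorDetectionPointKind.Re5);
        if (isLoginPost)
        {
            // Extra fields on the login form are an authentication-specific signal (AE10).
            requester.AppSensorDetectionPoint = AppSensorDetectionPointKind.Ae10;
        }

        var additionalFormKeys = string.Join(",", additionalKeys);
        Log.Information(
            "AppSensor {@controllerName} {@methodName} {@httpMethod} additional form keys {additionalFormKeys} sent by requester {@requester}",
            controllerName, methodName, httpMethod, additionalFormKeys, requester);
    }

    // Under-supply: expected keys (including the anti-forgery token on POST/PUT) the client omitted.
    var missingKeys = expectedKeys.Except(keysSent).ToList();
    if (missingKeys.Count > 0)
    {
        var requester = _userIdentity.GetRequester(controller, AppSensorDetectionPointKind.Re6);
        if (isLoginPost)
        {
            // Missing fields on the login form are an authentication-specific signal (AE11).
            requester.AppSensorDetectionPoint = AppSensorDetectionPointKind.Ae11;
        }

        var missingFormKeys = string.Join(",", missingKeys);
        Log.Information(
            "AppSensor {@controllerName} {@methodName} {@httpMethod} missing form keys {missingFormKeys} sent by requester {@requester}",
            controllerName, methodName, httpMethod, missingFormKeys, requester);
    }

    // NOTE(review): a disabled (commented-out) regex heuristic that scanned form values for SQL
    // comment sequences (CIE1) was removed from this method. If it is reinstated, keep the raw
    // submitted values out of the log message; this method deliberately logs key names only.
}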
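/// <summary>
/// Global exception filter. A <see cref="HttpRequestValidationException"/> (request validation
/// rejected potentially dangerous markup) is recorded as an AppSensor AE1 event attributed to the
/// requester; every other exception is logged as an application error with its stack trace and,
/// in release builds, replaced by a redirect to the generic error page so no detail reaches the client.
/// </summary>
/// <param name="filterContext">The exception context supplied by the MVC pipeline.</param>
public void OnException(ExceptionContext filterContext)
{
    if (filterContext.ExceptionHandled)
    {
        return;
    }

    // Route values can be absent (e.g. the exception was raised before routing completed); the
    // filter must not throw a NullReferenceException of its own while reporting another error.
    var actionValue = filterContext.RouteData.Values["action"];
    var controllerValue = filterContext.RouteData.Values["controller"];
    var action = actionValue == null ? string.Empty : actionValue.ToString();
    var controller = controllerValue == null ? string.Empty : controllerValue.ToString();
    var requester = _userIdentity.GetRequester(filterContext.Controller as Controller);

    if (filterContext.Exception is HttpRequestValidationException)
    {
        // SECURE: Log XSS Attempt, attributed to the requester so it can be correlated with other events.
        requester.AppSensorDetectionPoint = AppSensorDetectionPointKind.Ae1;
        Log.Logger.Information(
            "Failed XSS attempt on controller {controller} and action {action} by requester {@requester}",
            controller, action, requester);

        // NOTE(review): the validation exception is left unhandled here, so what the client sees
        // depends on <customErrors>; confirm it is enabled in production, or handle it as below.
        return;
    }

    // Any other exception is an application fault, not an XSS attempt (the original message
    // mislabelled every unhandled exception as one). Keep the exception object so the stack
    // trace lands in the log rather than being lost when the response is replaced below.
    Log.Logger.Error(
        filterContext.Exception,
        "Unhandled exception on controller {controller} and action {action} by requester {@requester}",
        controller, action, requester);
#if !DEBUG
    // Release: mark the exception handled and send the user to the generic error page so no
    // stack trace or framework detail is disclosed. In DEBUG it propagates for diagnosis.
    filterContext.Result = new RedirectResult("/Error/Index/");
    filterContext.ExceptionHandled = true;
    filterContext.HttpContext.ClearError();
#endif
}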
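/// <summary>
/// Logs every failed authorization and distinguishes an anonymous caller (defer to the base
/// attribute's 401, which forms authentication turns into a login redirect) from an authenticated
/// caller that is denied (render the Unauthorized view, never a 401, since a 401 to an already
/// authenticated user would bounce them back to the login page).
/// </summary>
/// <param name="filterContext">The authorization context supplied by the MVC pipeline.</param>
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    string action = filterContext.ActionDescriptor.ActionName;
    string controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
    Requester requester = _userIdentity.GetRequester(filterContext.Controller as Controller, null);
    var user = filterContext.HttpContext.User;

    if (!user.Identity.IsAuthenticated)
    {
        // Anonymous caller: log, then let the base attribute produce the 401 / login redirect.
        Log.Logger.Information("Failed access attempt on controller {controller} and action {action} which required authorization by requester {@requester}", controller, action, requester);
        base.HandleUnauthorizedRequest(filterContext);
        return;
    }

    // Parse Roles the way AuthorizeAttribute itself does: comma-separated, trimmed, empty entries
    // ignored. A bare Split(',') treated " User" as a different role from "User" and "" as a role,
    // so any role list written with spaces was always reported as a role failure.
    var requiredRoles = (this.Roles ?? string.Empty)
        .Split(',')
        .Select(r => r.Trim())
        .Where(r => r.Length > 0)
        .ToList();

    if (requiredRoles.Count > 0 && !requiredRoles.Any(user.IsInRole))
    {
        // Authenticated but not in any listed role: log the roles that were required.
        Log.Logger.Information("Failed access attempt on controller {controller} and action {action} which required roles {roles} by requester {@requester}", controller, action, this.Roles, requester);
    }
    else
    {
        // Authenticated and either no role list or in a listed role, yet still denied (e.g. a Users
        // restriction). Log it generically; the denial itself is handled the same way below.
        Log.Logger.Information("Failed access attempt on controller {controller} and action {action} by authenticated requester {@requester}", controller, action, requester);
    }

    // An authenticated caller gets the Unauthorized view rather than base's 401: with forms
    // authentication a 401 redirects to the login page, which sends the logged-in user straight back.
    filterContext.Result = new ViewResult { ViewName = "~/Views/Error/Unauthorized.cshtml" };
}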
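/// <summary>
/// Exception filter that records a <see cref="HttpRequestValidationException"/> (request
/// validation rejected potentially dangerous markup) as an AppSensor AE1 event attributed to
/// the requester. Other exceptions are ignored by this filter and left for the pipeline.
/// </summary>
/// <param name="filterContext">The exception context supplied by the MVC pipeline.</param>
public void OnException(ExceptionContext filterContext)
{
    if (filterContext.ExceptionHandled || !(filterContext.Exception is HttpRequestValidationException))
    {
        return;
    }

    // SECURE: Log XSS Attempt. Route values can be absent when the exception predates routing;
    // don't let the filter throw a NullReferenceException while reporting the attempt.
    var actionValue = filterContext.RouteData.Values["action"];
    var controllerValue = filterContext.RouteData.Values["controller"];
    string action = actionValue == null ? string.Empty : actionValue.ToString();
    string controller = controllerValue == null ? string.Empty : controllerValue.ToString();
    Requester requester = _userIdentity.GetRequester(filterContext.Controller as Controller, Constants.AppSensorDetectionPointKind.AE1);
    Log.Logger.Information("Failed XSS attempt on controller {controller} and action {action} by requester {@requester}", controller, action, requester);

    // NOTE(review): the exception is not marked handled here, so the response the client sees is
    // decided by <customErrors> or a later filter; confirm no default error page reaches production users.
}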