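/// <summary>
/// Renders every event in <paramref name="report"/> as HTML and appends the result
/// to the <c>idsoutput</c> control.
/// </summary>
/// <param name="report">The scan report to render; <c>null</c> is treated as "nothing found".</param>
/// <returns><c>true</c> when at least one event was rendered, otherwise <c>false</c>.</returns>
private bool ShowReport(Report report)
{
    if (report == null || report.Events.Count == 0)
    {
        return false;
    }

    // Names, values and rules longer than this are clipped and marked with "...".
    const int MaxShownLength = 60;

    System.Text.StringBuilder output = new System.Text.StringBuilder();
    foreach (Event ev in report.Events)
    {
        // Clip before encoding: the appended "..." contains nothing HtmlEncode would alter,
        // and the marker is only added when something was actually cut off.
        string name = ev.Name.Length > MaxShownLength ? ev.Name.Substring(0, MaxShownLength) + "..." : ev.Name;
        string value = ev.Value.Length > MaxShownLength ? ev.Value.Substring(0, MaxShownLength) + "..." : ev.Value;

        // Everything taken from the request goes through HtmlEncode before it reaches the page.
        output.Append("<div class=\"result\"><h3>found injection: <br/>");
        output.Append("param: ").Append(Server.HtmlEncode(name)).Append("<br/>");
        output.Append("value: ").Append(Server.HtmlEncode(value)).Append("</h3></div>");

        foreach (Filter f in ev.Filters)
        {
            string rule = f.Rule.Length > MaxShownLength ? f.Rule.Substring(0, MaxShownLength) + "..." : f.Rule;
            output.Append("<div class=\"result\">rule: ").Append(Server.HtmlEncode(rule));
            output.Append("<br />rule-description: <i>").Append(Server.HtmlEncode(f.Description)).Append("</i>");
            output.Append("<br />impact: ").Append(f.Impact).Append("</div>");
        }

        // The event carries its own overall impact; summing f.Impact here was dead code.
        output.Append("<div class=\"result\"><h3>Overall impact: <strong style=\"color:red;\">").Append(ev.Impact).Append("</strong></h3></div>");
    }

    Literal foundblock = new Literal();
    foundblock.Text = output.ToString();
    idsoutput.Controls.Add(foundblock);
    return true;
}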
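/// <summary>
/// Receives the report for one scan phase and writes the matching section of the page.
/// Input phases (GET, POST, cookie, header) either render their findings or an "all clear"
/// block; the output phase decides what response the runner finally writes.
/// </summary>
/// <param name="report">The report for the phase that just completed.</param>
/// <param name="Sender">The runner that owns the response; only used in the output phase.</param>
/// <exception cref="System.ArgumentNullException"><paramref name="report"/> is <c>null</c>.</exception>
public void IDSEventHandler(Report report, IScanRunner Sender)
{
    if (report == null)
    {
        throw new System.ArgumentNullException("report");
    }

    switch (report.RequestType)
    {
        case RequestType.Get:
            if (ShowReport(report)) { _found = true; } else { WriteAllClearGet(report); }
            break;

        case RequestType.Post:
            if (ShowReport(report)) { _found = true; } else { WriteAllClearPost(report); }
            break;

        case RequestType.Cookie:
            if (ShowReport(report)) { _found = true; } else { WriteAllClearCookie(report); }
            break;

        case RequestType.Header:
            if (ShowReport(report)) { _found = true; } else { WriteAllClearHeader(report); }

            // The header phase is the last input phase, so this is where the placeholder
            // for the fragmented (output) scan is written; WriteFragmented later replaces it.
            Literal outputspace = new Literal();
            outputspace.Text = _found
                ? "<h3 class=\"clean\">Fragmented input not written because non-fragmented events were detected.</h3><br/>"
                : WriteAllClearFragmented();
            _replace = outputspace.Text;
            idsoutput.Controls.Add(outputspace);
            break;

        case RequestType.Output:
            // Once any input phase found an injection the response is written unchanged;
            // otherwise a fragmented finding is spliced into the placeholder from the header phase.
            if (report.Events.Count == 0 || _found)
            {
                Sender.WriteResponse();
            }
            else
            {
                WriteFragmented(report, Sender);
            }
            break;
    }
}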
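/// <summary>
/// Renders the events of an output-phase (fragmented) scan and writes the response with
/// that HTML spliced into the placeholder recorded in <c>_replace</c>.
/// </summary>
/// <param name="report">The output-phase report; nothing is written when it has no events.</param>
/// <param name="Sender">The runner that writes the final response.</param>
private void WriteFragmented(Report report, IScanRunner Sender)
{
    if (report.Events.Count == 0)
    {
        return;
    }

    // Rules longer than this are clipped and marked with "...".
    const int MaxShownLength = 60;

    System.Text.StringBuilder output = new System.Text.StringBuilder();
    foreach (Event ev in report.Events)
    {
        // The matched fragment itself is deliberately not echoed back into the page.
        output.Append("<div class=\"result\"><h3>found fragmented injection: </h3></div>");

        foreach (Filter f in ev.Filters)
        {
            string rule = f.Rule.Length > MaxShownLength ? f.Rule.Substring(0, MaxShownLength) + "..." : f.Rule;
            output.Append("<div class=\"result\">rule: ").Append(Server.HtmlEncode(rule));
            output.Append("<br />rule-description: <i>").Append(Server.HtmlEncode(f.Description)).Append("</i>");
            output.Append("<br />impact: ").Append(f.Impact).Append("</div>");
        }

        // The event carries its own overall impact; summing f.Impact here was dead code.
        output.Append("<div class=\"result\"><h3>Overall impact: <strong style=\"color:red;\">").Append(ev.Impact).Append("</strong></h3></div>");
    }

    // A null placeholder (header phase never ran) is treated like an empty one instead of
    // being passed to String.Replace, which would throw.
    if (!string.IsNullOrEmpty(_replace))
    {
        string newoutput = PageHTML.Replace(_replace, output.ToString());
        Sender.WriteResponse(newoutput);
    }
    else
    {
        Sender.WriteResponse();
    }
}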
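/// <summary>
/// Writes every POST parameter the scanner did not flag, reflecting its value into several
/// HTML contexts (text node, double-quoted, single-quoted and unquoted attribute) so the
/// smoke test page shows whether a value that passed the filters can still break out of them.
/// </summary>
/// <param name="report">The POST-phase report; parameters listed in its <c>Exclusions</c> are skipped.</param>
/// <remarks>
/// The parameter value is inserted without encoding on purpose: this is the probe the smoke
/// test exists to run, and it is what makes the page unsafe to reuse as a pattern anywhere else.
/// Only the parameter name, which is not part of the probe, is encoded.
/// </remarks>
private void WriteAllClearPost(Report report)
{
    foreach (string s in Request.Form.AllKeys)
    {
        if (report.Exclusions.Contains(s))
        {
            continue;
        }

        // Read the parameter once instead of four indexer lookups per row.
        string value = Request.Form[s];
        values.Add(value);

        System.Text.StringBuilder html = new System.Text.StringBuilder();
        html.Append("<h3 class=\"clean\">Clean POST parameter: ").Append(Server.HtmlEncode(s)).Append("</h3>");
        html.Append("<table class=\"clean\">");
        html.Append("<tr><td><strong>HTML injection</strong></td><td>").Append(value).Append("</td></tr>");
        html.Append("<tr><td><strong>a href doublequoted</strong></td><td><a href=\"SmokeTest.aspx?test=").Append(value).Append("\">click</a></td></tr>");
        html.Append("<tr><td><strong>a href singlequoted</strong></td><td><a href='SmokeTest.aspx?test=").Append(value).Append("'>click</a></td></tr>");
        html.Append("<tr><td><strong>a href no quotes</strong></td><td><a href=SmokeTest.aspx?test=").Append(value).Append(">click</a></td></tr>");
        html.Append("</table>");

        Literal clean = new Literal();
        clean.Text = html.ToString();
        idsoutput.Controls.Add(clean);
    }
}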
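/// <summary>
/// Initialise the IDS to scan cookies using the same filters as an already existing IDS object
/// </summary>
/// <param name="cookies">The cookie collection to detect intrusions within</param>
/// <param name="ids">The IDS containing the preloaded filters</param>
/// <exception cref="System.ArgumentNullException"><paramref name="ids"/> is <c>null</c>.</exception>
public IDS(System.Web.HttpCookieCollection cookies, IDS ids)
{
    if (ids == null)
    {
        throw new System.ArgumentNullException("ids");
    }

    // Reuse the filter store already built by the other instance.
    _store = ids._store;
    _cookies = cookies;
    _report = new Report(RequestType.Cookie);
    IsCookie = true;
}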
/// <summary> /// Initialise the IDS to scan cookies /// </summary> /// <param name="cookies">The cookie collection to detect intrusions within</param> /// <param name="xmlPath">The path to the filters file</param> public IDS(System.Web.HttpCookieCollection cookies, string xmlPath) { XmlDocument xd = new XmlDocument(); xd.Load(xmlPath); _store = new Storage(xd, typeof(RegexFilter)); _cookies = cookies; _report = new Report(RequestType.Cookie); IsCookie = true; }
/// <summary> /// Initialise the IDS to scan a GET, POST or other request /// </summary> /// <param name="request">The Name-Value collection to detect intrusions within</param> /// <param name="xmlPath">The path to the filters file</param> /// <param name="requestType">Indicates What type of request this is and therefore whether to exclude certain parameters.</param> public IDS(NameValueCollection request, string xmlPath, RequestType requestType) { XmlDocument xd = new XmlDocument(); xd.Load(xmlPath); _store = new Storage(xd, typeof(RegexFilter)); _request = request; _report = new Report(requestType); switch (requestType) { case RequestType.Cookie: IsCookie = true; break; case RequestType.Post: IsForm = true; break; case RequestType.Header: IsHeader = true; break; } }
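/// <summary>
/// Initialise the IDS to scan a GET, POST or other request using the same filters as an already existing IDS object
/// </summary>
/// <param name="request">The Name-Value collection to detect intrusions within</param>
/// <param name="ids">The IDS containing the preloaded filters</param>
/// <param name="requestType">Indicates what type of request this is and therefore whether to exclude certain parameters.</param>
/// <exception cref="System.ArgumentNullException"><paramref name="ids"/> is <c>null</c>.</exception>
public IDS(NameValueCollection request, IDS ids, RequestType requestType)
{
    if (ids == null)
    {
        throw new System.ArgumentNullException("ids");
    }

    // Reuse the filter store already built by the other instance.
    _store = ids._store;
    _request = request;
    _report = new Report(requestType);

    // Flag the request kind so the scan can apply the exclusions that belong to it;
    // GET (and any other value) sets none of the flags.
    switch (requestType)
    {
        case RequestType.Cookie:
            IsCookie = true;
            break;
        case RequestType.Post:
            IsForm = true;
            break;
        case RequestType.Header:
            IsHeader = true;
            break;
    }
}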
/// <summary> /// Initialise the IDS to scan a GET, POST or other request /// </summary> /// <param name="request">The Name-Value collection to detect intrusions within</param> /// <param name="requestType">Indicates What type of request this is and therefore whether to exclude certain parameters.</param> public IDS(NameValueCollection request, RequestType requestType) { XmlDocument xd = new XmlDocument(); xd.Load(this.GetType().Assembly.GetManifestResourceStream("IDS.default_filter.xml")); _store = new Storage(xd, typeof(RegexFilter)); _request = request; _report = new Report(requestType); switch (requestType) { case RequestType.Cookie: IsCookie = true; break; case RequestType.Post: IsForm = true; break; case RequestType.Header: IsHeader = true; break; } }
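/// <summary>
/// Initialise the IDS to scan a GET request using the same filters as an already existing IDS object
/// </summary>
/// <param name="request">The Name-Value collection to detect intrusions within</param>
/// <param name="ids">The IDS containing the preloaded filters</param>
/// <exception cref="System.ArgumentNullException"><paramref name="ids"/> is <c>null</c>.</exception>
public IDS(NameValueCollection request, IDS ids)
{
    if (ids == null)
    {
        throw new System.ArgumentNullException("ids");
    }

    // Reuse the filter store already built by the other instance.
    _store = ids._store;
    _request = request;
    _report = new Report(RequestType.Get);
}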
/// <summary> /// Initialise the IDS to scan a GET request /// </summary> /// <param name="request">The Name-Value collection to detect intrusions within</param> /// <param name="xmlPath">The path to the filters file</param> public IDS(NameValueCollection request, string xmlPath) { XmlDocument xd = new XmlDocument(); xd.Load(xmlPath); _store = new Storage(xd, typeof(RegexFilter)); _request = request; _report = new Report(RequestType.Get); }
/// <summary> /// Initialise the IDS to scan a GET request /// </summary> /// <param name="request">The Name-Value collection to detect intrusions within</param> public IDS(NameValueCollection request) { XmlDocument xd = new XmlDocument(); xd.Load(this.GetType().Assembly.GetManifestResourceStream("IDS.default_filter.xml")); _store = new Storage(xd, typeof(RegexFilter)); _request = request; _report = new Report(RequestType.Get); }
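/// <summary>
/// Initialise the IDS to scan output
/// </summary>
/// <param name="oF">An OutputFilter</param>
/// <exception cref="System.ArgumentNullException"><paramref name="oF"/> is <c>null</c>.</exception>
internal IDS(OutputFilter oF)
{
    if (oF == null)
    {
        throw new System.ArgumentNullException("oF");
    }

    // Share the output filter's store and take the page text it captured.
    _store = oF._store;
    _pageOutput = oF.Output;
    _page = oF.Page;
    _report = new Report(RequestType.Output);
    // Only the output constructor sets this; presumably it marks the raw-page scan mode - confirm where _isRaw is read.
    _isRaw = true;
    _oF = oF;
}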