/// <summary>
/// A request for the repository metadata file <c>/.git/HEAD</c> must be answered
/// with 403 Forbidden rather than served or passed through to the application.
/// </summary>
public async Task GetGitFolder()
{
    const string gitHeadPath = "/.git/HEAD";

    using var factory = new TestWebApplicationFactory();
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync(gitHeadPath);

    Assert.AreEqual(expected: HttpStatusCode.Forbidden, actual: response.StatusCode);
}
/// <summary>
/// A request for a path with a <c>.sql</c> extension must be refused with 403 Forbidden;
/// such files should never be reachable over HTTP.
/// </summary>
public async Task GetSqlExtension()
{
    const string sqlPath = "/x.sql";

    using var factory = new TestWebApplicationFactory();
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync(sqlPath);

    Assert.AreEqual(expected: HttpStatusCode.Forbidden, actual: response.StatusCode);
}
/// <summary>
/// A request using an unknown HTTP method token (<c>GETS</c>) must be rejected with 403 Forbidden
/// instead of being treated as a regular GET.
/// </summary>
public async Task HttpMethodGETS()
{
    using var factory = new TestWebApplicationFactory();
    using var http = factory.CreateDefaultClient();

    // Build the request by hand: HttpClient has no shortcut for a non-standard verb.
    var unknownVerb = new HttpMethod("GETS");
    using var message = new HttpRequestMessage(unknownVerb, "/");

    using var response = await http.SendAsync(message);

    Assert.AreEqual(expected: HttpStatusCode.Forbidden, actual: response.StatusCode);
}
/// <summary>
/// A request whose <c>User-Agent</c> header carries a value the server treats as a
/// scanner signature must be refused with 403 Forbidden.
/// </summary>
public async Task UserAgentHeader()
{
    using var factory = new TestWebApplicationFactory();
    using var http = factory.CreateDefaultClient();

    using var request = new HttpRequestMessage(HttpMethod.Get, "/");
    // TryAddWithoutValidation so the header reaches the server exactly as written.
    request.Headers.TryAddWithoutValidation("User-Agent", "acunetix");

    using var response = await http.SendAsync(request);

    Assert.AreEqual(expected: HttpStatusCode.Forbidden, actual: response.StatusCode);
}
/// <summary>
/// The test handler copies the unvalidated query value <c>p</c> straight into a
/// <c>Set-Cookie</c> header. The response is expected to be replaced by 403 Forbidden,
/// presumably because a request-supplied value is reflected into the response — confirm
/// against the middleware implementation.
/// </summary>
public async Task InjectXssFromParameter_ShouldBlock()
{
    const string reflectedToken = "ZP1hBzeiqjdPFiPRf2JH";

    using var factory = new TestWebApplicationFactory(async context =>
    {
        var tainted = context.Request.Query["p"];
        context.Response.Cookies.Append("Session", tainted);
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/?p=" + reflectedToken);

    Assert.AreEqual(expected: HttpStatusCode.Forbidden, actual: response.StatusCode);
}
/// <summary>
/// Control case for the reflection check: the handler sets the <c>Session</c> cookie to a
/// constant that does not come from the request, so the 204 No Content response must pass
/// through unchanged even though a query parameter is present.
/// </summary>
public async Task InjectSimpleFromParameter_ShouldAccept()
{
    using var factory = new TestWebApplicationFactory(async context =>
    {
        // Constant value, independent of anything the client sent.
        context.Response.Cookies.Append("Session", "ZP1hBzeiqjdPFiPRf2JH");
        context.Response.StatusCode = 204;
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/?p=asd");

    Assert.AreEqual(expected: HttpStatusCode.NoContent, actual: response.StatusCode);
}
/// <summary>
/// HTML comments are stripped from a <c>text/html</c> response body, except Knockout
/// binding comments (<c>&lt;!-- ko ... --&gt;</c> / <c>&lt;!-- /ko --&gt;</c>), which are
/// part of the page's behaviour and must survive.
/// </summary>
public async Task RemoveCommentsExceptKnockout()
{
    const string original = "<!DOCTYPE html><html><body><!-- ko if: true -->Hello world!<!-- /ko --><!-- secret comment --></body></html>";
    const string expected = "<!DOCTYPE html><html><body><!-- ko if: true -->Hello world!<!-- /ko --></body></html>";

    using var factory = new TestWebApplicationFactory(async context =>
    {
        await context.Response.SetBodyFromStringAsync(original, "text/html");
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/");
    var body = await response.Content.ReadAsStringAsync();

    Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
    Assert.AreEqual(expected, body);
}
/// <summary>
/// A <c>&lt;meta name="generator"&gt;</c> tag, which discloses the framework that produced
/// the page, is removed from a <c>text/html</c> response body; the rest of the document is
/// left intact.
/// </summary>
public async Task RemoveGeneratorHtmlTag()
{
    const string original = "<!DOCTYPE html><html><head><meta name=\"generator\" value=\"test\" /></head><body>Hello world!</body></html>";
    const string expected = "<!DOCTYPE html><html><head></head><body>Hello world!</body></html>";

    using var factory = new TestWebApplicationFactory(async context =>
    {
        await context.Response.SetBodyFromStringAsync(original, "text/html");
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/");
    var body = await response.Content.ReadAsStringAsync();

    Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
    Assert.AreEqual(expected, body);
}
/// <summary>
/// The http→https rewrite applies to resource references (here the <c>href</c> of a
/// <c>&lt;link&gt;</c>) but must leave the <c>xmlns</c> namespace URI alone: that attribute is
/// an identifier, not a fetchable URL, and changing it would alter the document's meaning.
/// </summary>
public async Task DoesNotRewriteXmlns()
{
    const string original = "<!DOCTYPE html><html xmlns=\"http://www.w3.org/TR/html4/\"><head><link type=\"text/css\" rel=\"stylesheet\" href=\"http://example.org\" /></head></html>";
    const string expected = "<!DOCTYPE html><html xmlns=\"http://www.w3.org/TR/html4/\"><head><link type=\"text/css\" rel=\"stylesheet\" href=\"https://example.org\" /></head></html>";

    using var factory = new TestWebApplicationFactory(async context =>
    {
        await context.Response.SetBodyFromStringAsync(original, "text/html");
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/");
    var body = await response.Content.ReadAsStringAsync();

    Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
    Assert.AreEqual(expected, body);
}
/// <summary>
/// A <c>&lt;script src="http://..."&gt;</c> reference in a <c>text/html</c> body is rewritten
/// to <c>https</c>, so the page does not load active content over plaintext (mixed content).
/// </summary>
public async Task RewriteScriptTag()
{
    const string original = "<!DOCTYPE html><html><head><script src=\"http://example.org\"></script></head></html>";
    const string expected = "<!DOCTYPE html><html><head><script src=\"https://example.org\"></script></head></html>";

    using var factory = new TestWebApplicationFactory(async context =>
    {
        await context.Response.SetBodyFromStringAsync(original, "text/html");
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/");
    var body = await response.Content.ReadAsStringAsync();

    Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
    Assert.AreEqual(expected, body);
}
/// <summary>
/// Control case for reflected-input blocking: the handler echoes the query value <c>p</c>
/// into the HTML body only after passing it through <see cref="HtmlEncoder"/>. Because the
/// markup characters are encoded, the response must be allowed through with 200 OK.
/// </summary>
public async Task InjectXssFromParameterEncoded_ShouldAccept()
{
    using var factory = new TestWebApplicationFactory(async context =>
    {
        var untrusted = context.Request.Query["p"];
        var safeFragment = HtmlEncoder.Default.Encode(untrusted);
        await context.Response.SetBodyFromStringAsync($"<div>{safeFragment}</div>", "text/html");
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/?p=<script>");

    Assert.AreEqual(expected: HttpStatusCode.OK, actual: response.StatusCode);
}
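/// <summary>
/// Server-identifying response headers are stripped. The handler deliberately sets
/// <c>X-Powered-By</c>; the client must see neither that header nor a <c>Server</c> header,
/// while the 204 No Content status is preserved.
/// </summary>
/// <remarks>
/// The original assertion only checked <c>Server</c>, so the header this test is named
/// after was never verified; the <c>X-Powered-By</c> check below closes that gap.
/// </remarks>
public async Task RemoveXPoweredByHeader()
{
    using var factory = new TestWebApplicationFactory(async context =>
    {
        context.Response.Headers["X-Powered-By"] = "Test";
        context.Response.StatusCode = 204;
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/");

    Assert.AreEqual(HttpStatusCode.NoContent, response.StatusCode);
    // Header names are compared case-insensitively by HttpHeaders.Contains.
    Assert.IsFalse(response.Headers.Contains("X-Powered-By"), "X-Powered-By header leaked to the client");
    Assert.IsFalse(response.Headers.Contains("Server"), "Server header leaked to the client");
}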
/// <summary>
/// A 302 redirect whose <c>Location</c> points at <c>http://</c> is rewritten to
/// <c>https://</c>, so clients are never redirected back onto a plaintext URL.
/// </summary>
public async Task RewriteLocationHeader()
{
    const string plaintextTarget = "http://example.org/";
    const string secureTarget = "https://example.org/";

    using var factory = new TestWebApplicationFactory(async context =>
    {
        context.Response.StatusCode = 302;
        context.Response.Headers["Location"] = plaintextTarget;
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/");

    Assert.AreEqual(HttpStatusCode.Redirect, response.StatusCode);
    Assert.AreEqual(secureTarget, response.Headers.Location.ToString());
}
/// <summary>
/// Baseline pass-through: a plain text body written by the handler reaches the client
/// unmodified with 200 OK, i.e. the filtering leaves non-HTML content alone.
/// </summary>
/// <remarks>
/// NOTE(review): a method with this same name appears earlier in this listing. If both live
/// in the same test class this will not compile; a name such as <c>PlainTextBodyPassesThrough</c>
/// would also describe what is actually asserted here.
/// </remarks>
public async Task HttpMethodGETS()
{
    var expectedBody = "Hello world!";

    using var factory = new TestWebApplicationFactory(async context =>
    {
        await context.Response.SetBodyFromStringAsync(expectedBody);
    });
    using var http = factory.CreateDefaultClient();

    using var response = await http.GetAsync("/");
    var actualBody = await response.Content.ReadAsStringAsync();

    Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
    Assert.AreEqual(expectedBody, actualBody);
}