internal ArrayList validateAndHandleMaliciousInput(XmlElement objXmlElementWithFormMappings, Hashtable hashtableWithValidator_FormRules) { ArrayList listOfRulesProcessed = new ArrayList(); try { foreach (XmlNode objXmlControls in objXmlElementWithFormMappings) { if (objXmlControls.ChildNodes.Count > 0) //i.e. there are rules in the Form's Control { string fieldToAnalyse = objXmlControls.Attributes["ControlId"].InnerText; if (null == HttpRequestToAnalyse.Form[fieldToAnalyse]) // this occours when we are dealing with a asp.net control (which for example looks like this _ctl3:txtPassword) { foreach (string sFormKey in HttpRequestToAnalyse.Form.AllKeys) { string[] sSplittedFormItem = sFormKey.Split(':'); if (sSplittedFormItem.Length > 1) { if (sSplittedFormItem[1] == fieldToAnalyse) { fieldToAnalyse = sFormKey; break; } } } } string dataToAnalyse = HttpRequestToAnalyse.Form[fieldToAnalyse]; string FormsProcessed = "Applying to Field <b>'" + fieldToAnalyse + "'</b> (containing '" + dataToAnalyse + "') :"; foreach (XmlNode objXmlRules in objXmlControls) { string validatorRuleName = objXmlRules.Attributes["name"].InnerText; string RulesProcessed = " the Rule <b>'" + validatorRuleName + "'</b> which contains the classes: "; XmlElement objRuleInformation = (XmlElement)hashtableWithValidator_FormRules[validatorRuleName]; foreach (XmlNode objXmlRulesClass in objRuleInformation) { string validatorClassName = objXmlRulesClass.Attributes["name"].InnerText; RulesProcessed += " <b>'" + validatorClassName + "</b>"; switch (validatorClassName) { case "RequiredFieldValidator": { if (ValidatorFunctions.RuleClass_RequiredFieldValidator(dataToAnalyse)) { RulesProcessed += htmlGreen(" [OK] , "); } else { RulesProcessed += htmlRed(" [FAILED] , "); } break; } case "RegExValidator": { string regularExpersionString = objXmlRulesClass.Attributes["ValidationExpression"].InnerText; if (ValidatorFunctions.RuleClass_RegExValidator(dataToAnalyse, regularExpersionString)) { RulesProcessed += htmlGreen(" [OK] , "); } else { HttpRequestToAnalyse.Form[fieldToAnalyse] = ""; // this cleans the value of the offending form field RulesProcessed += htmlRed(" [FAILED] , "); } break; } case "RangeValidator": { if (ValidatorFunctions.RuleClass_RangeValidator(dataToAnalyse)) { RulesProcessed += htmlOrange(" [Not Implemented yet] , "); } else { HttpRequestToAnalyse.Form[fieldToAnalyse] = ""; // this cleans the value of the offending form field RulesProcessed += htmlRed(" [FAILED] , "); } break; } case "CustomValidator": { if (ValidatorFunctions.RuleClass_CustomValidator(dataToAnalyse)) { RulesProcessed += htmlOrange("[Not Implemented yet] , "); } else { HttpRequestToAnalyse.Form[fieldToAnalyse] = ""; // this cleans the value of the offending form field RulesProcessed += htmlRed(" [FAILED] , "); } break; } case "ValidationSummary": { if (ValidatorFunctions.RuleClass_ValidationSummary(dataToAnalyse)) { RulesProcessed += htmlOrange(" [Not Implemented yet] , "); } else { HttpRequestToAnalyse.Form[fieldToAnalyse] = ""; // this cleans the value of the offending form field RulesProcessed += htmlRed(" [FAILED] , "); } break; } } } // // This final rule is Hard coded (i.e. will always be executed (as long as there is 1 rule)) // if (ValidatorFunctions.RuleClass_SQLInjectionDetector(dataToAnalyse)) // { // // don't show message when no attack is detected // // RulesProcessed += "SQLInjectionDetector" + htmlGreen(" [OK] , "); // } // else // { // HttpRequestToAnalyse.Form[fieldToAnalyse] = HttpRequestToAnalyse.Form[fieldToAnalyse].Replace("'",""); // RulesProcessed += "<b>SQLInjectionDetector</b> " + htmlRed(" [FAILED: SQL INJECTION ATTACK DETECTED (and mitigated)] , "); // } listOfRulesProcessed.Add(FormsProcessed + RulesProcessed); } } } } catch (Exception objEx) { listOfRulesProcessed.Add(htmlRed("Exception in 'validateAndHandleMaliciousInput' method")); listOfRulesProcessed.Add(htmlRed(objEx.GetType().ToString())); listOfRulesProcessed.Add(htmlRed(objEx.Message)); listOfRulesProcessed.Add(htmlRed(objEx.StackTrace)); } return(listOfRulesProcessed); }