/// <summary> /// Challenges character encoding of the given data. /// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics /// Throws application exception if diagnostics find that character is not part of the encoding set. /// </summary> /// <param name="validation">Known data to be bypassed into the validation.</param> /// <param name="options">Configuration parameters</param> /// <param name="cancellationToken"></param> /// <returns>{SecurityThreatDiagnosticsResult.IsValid challenge}</returns> public static SecurityThreatDiagnosticsResult ChallengeUrlEncoding ( [PropertyTab] Validation validation, [PropertyTab] Options options, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); try { validation.Payload = Decode(validation.Payload, options); ChallengeAgainstSecurityThreats(validation, options, cancellationToken); } catch (Exception exception) { StringBuilder builder = new StringBuilder("Invalid URL encoding in character set ["); builder .Append(validation.Payload) .Append("]"); ArgumentException argumentException = new ArgumentException("Invalid URL encoding information " + exception.ToString(), exception); throw new ApplicationException(builder.ToString(), argumentException); } SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult(); securityThreatDiagnosticsResult.IsValid = true; return(securityThreatDiagnosticsResult); }
private static SecurityThreatDiagnosticsResult BuildResponseMessage() { SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult(); securityThreatDiagnosticsResult.IsValid = true; return(securityThreatDiagnosticsResult); }
/// <summary> /// This is task which validates the common attack patterns against the underlying system from payload attributes. /// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics /// Throws application exception if diagnostics find vulnerability from the payload challenge. /// </summary> public static SecurityThreatDiagnosticsResult ChallengeAttributesAgainstSecurityThreats( [PropertyTab] ValidationAttributes validationAttributes, [PropertyTab] Options options, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); var invalidAttributes = new Dictionary <string, ArgumentException>(); ConcurrentDictionary <string, SecurityRuleFilter> securityRuleFilters = SecurityFilterReader.Instance; foreach (var attribute in validationAttributes.Attribute) { foreach (SecurityRuleFilter securityRuleFilter in securityRuleFilters.Values) { Validation validation = new Validation(); validation.Payload = attribute; try { ChallengeAgainstSecurityThreats(validation, options, cancellationToken); } catch (ArgumentException argumentException) { invalidAttributes.Add(attribute, argumentException); } } } if (invalidAttributes.Count > 0) { StringBuilder argumentExceptions = new StringBuilder( "Security Threat Diagnostics vulnerability report for attributes contains the following invalid messages:"); StringBuilder applicationExceptions = new StringBuilder("Security Threat Diagnostics deep scanned the following attack vectors: "); try { foreach (var securityRuleFilter in invalidAttributes) { argumentExceptions.Append(securityRuleFilter.Value.Message).Append("\n"); applicationExceptions.Append(securityRuleFilter.Value.InnerException.Message).Append("\n"); } ApplicationException applicationException = new ApplicationException(argumentExceptions.ToString()); ArgumentException argumentException = new ArgumentException(applicationExceptions.ToString()); throw new ApplicationException(applicationException.ToString(), argumentException); } finally { if (applicationExceptions != null) { argumentExceptions.Clear(); applicationExceptions.Clear(); } } } SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult(); securityThreatDiagnosticsResult.IsValid = true; return(securityThreatDiagnosticsResult); }
/// <summary> /// This is a task which challenges the payload attributes from client side character set encoding to target system character set encoding. /// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics /// Throws application exception if diagnostics find vulnerability from the payload challenge. /// </summary> public static SecurityThreatDiagnosticsResult ChallengeCharacterSetEncoding(string payload, Options options) { string data = null; { try { data = ChangeCharacterEncoding(payload, options); } catch (Exception exception) { StringBuilder argumentExceptions = new StringBuilder("Security Threat Diagnostics vulnerability report invalid character encoding:"); StringBuilder applicationExceptions = new StringBuilder("Security Threat Diagnostics deep scanned the following attack vectors: "); try { argumentExceptions.Append(exception.Message.ToString()).Append("\n"); applicationExceptions.Append("Contains illegal characters: ").Append(payload).Append("\n"); ApplicationException applicationException = new ApplicationException(argumentExceptions.ToString()); ArgumentException argumentException = new ArgumentException(applicationExceptions.ToString()); throw new ApplicationException(applicationException.ToString(), argumentException); } finally { if (applicationExceptions != null) { argumentExceptions.Clear(); applicationExceptions.Clear(); } } } SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult(); securityThreatDiagnosticsResult.IsValid = true; //securityThreatDiagnosticsResult.Data.Add("data", data); return(securityThreatDiagnosticsResult); } }
/// <summary> /// Verifies that the IP is in given whitelist of known IP addresses. /// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics /// Throws application exception if diagnostics find that IP address is not valid. /// </summary> /// <param name="allowedIpAddresses">Define IP addresses which can bypass the validation.</param> /// <param name="cancellationToken"></param> /// <returns>{SecurityThreatDiagnosticsResult.IsValid challenge}</returns> public static SecurityThreatDiagnosticsResult ChallengeIPAddresses( [PropertyTab] AllowedIPAddresses allowedIpAddresses, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); List <string> invalidIPAddresses = new List <string>(); allowedIpAddresses.WhiteListedIpAddress?.ToList().ForEach( entry => { Regex allowedInboundTrafficRule = new Regex(entry); if (!allowedInboundTrafficRule.IsMatch(allowedIpAddresses.Host)) { invalidIPAddresses.Add(entry); } }); allowedIpAddresses.BlackListedIpAddresses?.ToList().ForEach( entry => { Regex allowedInboundTrafficRule = new Regex(entry); if (allowedInboundTrafficRule.IsMatch(allowedIpAddresses.Host)) { invalidIPAddresses.Add(entry); } }); if (invalidIPAddresses.Count > 0) { throw new ApplicationException("Invalid IP Address or range [" + allowedIpAddresses.Host + "]"); } SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult(); securityThreatDiagnosticsResult.IsValid = true; return(securityThreatDiagnosticsResult); }
/// <summary> /// This is task which validates data /// Documentation: https://github.com/CommunityHiQ/Frends.Community.SecurityThreatDiagnostics /// Throws application exception if diagnostics find vulnerability from the payload challenge. /// </summary> /// <param name="validation">Runtime element to be diagnosted.</param> /// <param name="options">Options for the runtime validation.</param> /// <param name="cancellationToken"></param> /// <returns>{bool challenges for validation} </returns> public static SecurityThreatDiagnosticsResult ChallengeAgainstSecurityThreats( [PropertyTab] Validation validation, [PropertyTab] Options options, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); Dictionary <string, string> dictionary = new Dictionary <string, string>(); StringBuilder validationChallengeMessage = new StringBuilder(); validationChallengeMessage .Append("Payload challenged for input validation [") .Append(validation.Payload) .Append("] \n\n"); StringBuilder innerExceptionMessage = new StringBuilder(); innerExceptionMessage .Append("Payload challenged for input validation [") .Append(validation.Payload) .Append("] \n\n"); ConcurrentDictionary <string, SecurityRuleFilter> ruleDictionary = SecurityFilterReader.Instance; foreach (var entry in ruleDictionary) { ChallengeCharacterSetEncoding(validation.Payload, options); string base64DecodedPayload = DecodeBase64Encoding(validation.Payload); if (entry.Value.Rule.IsMatch(validation.Payload) || entry.Value.Rule.IsMatch(base64DecodedPayload) && options.Base64Decode) { validationChallengeMessage .Append("id [") .Append(entry.Key) .Append("]") .Append(" contains vulnerability [") .Append(entry.Value.Description) .Append("], ") .Append("encoded value [") .Append(base64DecodedPayload) .Append("]"); dictionary.Add(entry.Key, validationChallengeMessage.ToString()); innerExceptionMessage .Append("id [") .Append(entry.Key) .Append("] ") .Append("Validation pattern [") .Append(entry.Value.Rule.ToString()) .Append("], ") .Append("encoded value [") .Append(base64DecodedPayload) .Append("]"); } } if (dictionary.Count > 0) { ArgumentException argumentException = new ArgumentException("Invalid argument information " + innerExceptionMessage.ToString()); ApplicationException applicationException = new ApplicationException(validationChallengeMessage.ToString(), argumentException); throw applicationException; } SecurityThreatDiagnosticsResult securityThreatDiagnosticsResult = new SecurityThreatDiagnosticsResult(); securityThreatDiagnosticsResult.IsValid = true; return(securityThreatDiagnosticsResult); }