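private void Application_BeginRequest(Object source, EventArgs e)
        {
            // Per-request ESAPI filter: authenticate, log the request, authorize the
            // URL, validate the request, then set the protective response headers.
            // Each security failure is meant to stop the request here so that the
            // application never handles an unauthorized or malformed request.
            HttpContext  context  = HttpContext.Current;
            HttpRequest  request  = context.Request;
            HttpResponse response = context.Response;

            try
            {
                // figure out who the current user is
                try
                {
                    ((Authenticator)Esapi.Authenticator()).Context = WebContext.Cast(context);
                    Esapi.Authenticator().Login();
                }
                catch (AuthenticationException)
                {
                    // Clear any partial login state; the request then continues
                    // anonymously and the URL authorization check below decides
                    // whether it may proceed.
                    ((Authenticator)Esapi.Authenticator()).Logout();
                    // FIXME: use safeforward!
                    // FIXME: make configurable with config
                    // int position = request.Url.ToString().LastIndexOf('/') + 1;
                    // string page = request.Url.ToString().Substring(position, request.Url.ToString().Length - position);
                    // if (!page.ToLower().Equals("default.aspx"))
                    // {
                    //    response.Redirect("default.aspx");
                    // }
                    // return;
                }

                // log this request, obfuscating any parameter named password
                logger.LogHttpRequest(new ArrayList(ignore));

                // check access to this URL
                if (!Esapi.AccessController().IsAuthorizedForUrl(request.RawUrl))
                {
                    context.Items["message"] = "Unauthorized";
                    context.Server.Transfer("login.aspx");
                    // Transfer ends the request; the explicit return keeps the
                    // fail-closed intent visible and holds if that ever changes.
                    return;
                }

                // verify if this request meets the baseline input requirements
                if (!Esapi.Validator().IsValidHttpRequest(WebContext.Cast(request)))
                {
                    context.Items["message"] = "Validation error";
                    context.Server.Transfer("login.aspx");
                    return;
                }

                // check for CSRF attacks and set appropriate caching headers
                IHttpUtilities utils = Esapi.HttpUtilities();
                // utils.checkCSRFToken();
                utils.SetNoCacheHeaders();
                //utils.SafeSetContentType();

                // forward this request on to the web application
            }
            catch (System.Threading.ThreadAbortException)
            {
                // Server.Transfer ends the request by aborting the worker thread.
                // Let that propagate instead of letting the generic handler below
                // log every transfer as a "Security error" and write to an ended response.
                throw;
            }
            catch (Exception ex)
            {
                logger.LogSpecial("Security error in ESAPI Filter", ex);
                response.Output.WriteLine("<H1>Security Error</H1>");
                // Fail closed: skip the remaining pipeline stages so the application
                // never handles a request that failed a security check.
                context.ApplicationInstance.CompleteRequest();
            }
        }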
 /// <summary>
 ///      The HTTP utilities accessor.
 /// </summary>
 /// <remarks>
 ///      Creates the default <c>HttpUtilities</c> on first use and caches it in
 ///      <c>Esapi.httpUtilities</c>. The check-then-create is not synchronized, so
 ///      concurrent first calls could each construct an instance
 ///      (NOTE(review): confirm the first call happens before requests are served).
 /// </remarks>
 /// <returns> The HTTP utilities implementation.
 /// </returns>
 public static IHttpUtilities HttpUtilities()
 {
     if (Esapi.httpUtilities != null)
     {
         return Esapi.httpUtilities;
     }

     Esapi.httpUtilities = new HttpUtilities();
     return Esapi.httpUtilities;
 }
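        public void Test_LoadCustom()
        {
            // Arrange: configure a test double so the accessor must honour the
            // configured type instead of falling back to the default implementation.
            // NOTE(review): the configured type is not restored afterwards — confirm
            // that a fixture resets EsapiConfig.Instance between tests.
            EsapiConfig.Instance.HttpUtilities.Type = typeof(SurrogateHttpUtilities).AssemblyQualifiedName;

            // Act
            IHttpUtilities utilities = Esapi.HttpUtilities;

            // Assert: expected value first so a failure message reads correctly.
            Assert.AreEqual(typeof(SurrogateHttpUtilities), utilities.GetType());
        }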
 /// <summary>
 ///      Returns the shared HTTP utilities instance, creating the default
 ///      implementation on first use.
 /// </summary>
 /// <returns> The cached <c>IHttpUtilities</c> implementation. </returns>
 public static IHttpUtilities HttpUtilities()
 {
     IHttpUtilities cached = Owasp.Esapi.Esapi.httpUtilities;
     if (cached == null)
     {
         // Unsynchronised lazy initialisation: a concurrent first call may
         // construct a second instance (NOTE(review): confirm this is acceptable).
         cached = (IHttpUtilities) new HttpUtilities();
         Owasp.Esapi.Esapi.httpUtilities = cached;
     }
     return cached;
 }
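        private void Application_BeginRequest(object source, EventArgs e)
        {
            // Per-request ESAPI filter: check the CSRF token, then set the
            // protective response headers before the application runs.
            HttpContext  current  = HttpContext.Current;
            HttpResponse response = current.Response;

            try
            {
                IHttpUtilities httpUtilities = Owasp.Esapi.Esapi.HttpUtilities();
                httpUtilities.checkCSRFToken();
                httpUtilities.SetNoCacheHeaders();
                httpUtilities.SafeSetContentType();
            }
            catch (Exception ex)
            {
                EsapiFilter.logger.LogSpecial("Security error in ESAPI Filter", ex);
                response.Output.WriteLine("<H1>Security Error</H1>");
                // Fail closed: without this the banner is written but the request
                // still reaches the application (including after a rejected CSRF
                // token, if checkCSRFToken reports failure by throwing).
                current.ApplicationInstance.CompleteRequest();
            }
        }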
 /// <summary>
 ///      Creates the controller with the collaborators supplied by the container.
 /// </summary>
 /// <param name="httpUtilities"> Stored in <c>_httpUtilities</c>. </param>
 /// <param name="mapper"> Stored in <c>_mapper</c>. </param>
 public ContactsController(IHttpUtilities <ContactsController> httpUtilities, IMapper mapper)
 {
     this._mapper        = mapper;
     this._httpUtilities = httpUtilities;
 }
 /// <summary>
 ///      The HTTP utilities accessor.
 /// </summary>
 /// <remarks>
 ///      The default <c>HttpUtilities</c> is created on the first call and cached
 ///      in <c>Esapi.httpUtilities</c>; the initialisation is not synchronized.
 /// </remarks>
 /// <returns> The HTTP utilities implementation.
 /// </returns>
 public static IHttpUtilities HttpUtilities()
 {
     return Esapi.httpUtilities ?? (Esapi.httpUtilities = new HttpUtilities());
 }
 /// <summary>
 ///      Creates the controller with its HTTP utilities dependency.
 /// </summary>
 /// <param name="httpUtilities"> Stored in <c>_httpUtilities</c>. </param>
 public HomeController(IHttpUtilities httpUtilities)
 {
     this._httpUtilities = httpUtilities;
 }