示例#1
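        /// <summary>
        /// Adds <paramref name="url"/> to the filtered-URL set unless an entry with the same URL string already exists.
        /// </summary>
        /// <param name="url">URL to add. It is compared and stored exactly as supplied; no normalisation happens here.</param>
        /// <returns>
        /// The <c>Id</c> of the new entry (long case) on success; otherwise a message (string case) saying that the URL
        /// already exists or could not be added.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the duplicate check is an exact string match, so variants of one address (letter case,
        /// trailing slash, percent-encoding) are stored as separate entries. If this list is used to enforce
        /// filtering, callers should canonicalise the URL before calling - confirm against the consumer.
        /// NOTE(review): the check and the insert are separate steps, so two concurrent calls can both insert the
        /// same URL unless the store enforces uniqueness (not visible here).
        /// </remarks>
        public Either <string, long> AddUrl(string url)
        {
            // A null or blank URL is never a meaningful filter entry; reject it before touching the store
            // instead of persisting an empty row.
            if (string.IsNullOrWhiteSpace(url))
            {
                _logger.LogError("Can't add new URL: {0} to be filtered - {1}", url, "URL is null or blank");
                return(string.Format("Can't add URL: {0} to filtered sites", url));
            }

            try
            {
                var existingUrlHolder = _dbContext.FilteredUrls.Find(filteredUrl => filteredUrl.Url.Equals(url));

                if (existingUrlHolder.IsSome)
                {
                    _logger.LogInformation("URL: {0} already exists in filtered url set", url);
                    return(string.Format("URL: {0} already exists in filtered url set", url));
                }

                _logger.LogInformation("Adding URL: {0} to filtered sites", url);
                var filteredUrl = new FilteredUrl()
                {
                    Url = url
                };

                _dbContext.FilteredUrls.Add(filteredUrl);
                _dbContext.SaveChanges();

                return(filteredUrl.Id);
            }
            catch (Exception ex)
            {
                // Deliberately best-effort: any failure is reported to the caller as a message rather than thrown.
                // NOTE(review): only ex.Message is logged, so the stack trace and inner exceptions are lost.
                _logger.LogError("Can't add new URL: {0} to be filtered - {1}", url, ex.Message);
                return(string.Format("Can't add URL: {0} to filtered sites", url));
            }
        }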
        /// <summary>
        /// Fixture setup: creates a mocked time provider whose <c>Now()</c> returns a fixed date and
        /// builds the <c>FilteredUrl</c> under test on top of it.
        /// </summary>
        public FilteredUrlTest()
        {
            // Fixed "current" date so the tests do not depend on the wall clock.
            var fixedNow = new DateTime(2017, 02, 21);

            _timeProvider = new Mock <ITimeProvider>();
            _timeProvider.Setup(clock => clock.Now()).Returns(fixedNow);

            _filteredUrl = new FilteredUrl(_timeProvider.Object);
        }
        /// <summary>
        /// Checks that <c>FilteredUrl</c> splits sample URLs into host, path, page, query parameters,
        /// fragment and the flat word list.
        /// </summary>
        /// <remarks>
        /// NOTE(review): only well-formed http URLs are exercised. Malformed input, explicit ports, userinfo
        /// and percent-encoded characters are not covered by this test.
        /// </remarks>
        public void parseUrls()
        {
            // Case 1: host only.
            var hostOnly = new FilteredUrl("http://aa");
            Assert.IsTrue(hostOnly.host == "aa", "test1");

            // Case 2: host plus page.
            var hostAndPage = new FilteredUrl("http://aa/page.aspx");
            Assert.IsTrue(hostAndPage.page == "page.aspx", "test2");

            // Case 3: dotted host plus fragment (the fragment keeps its leading '#').
            var withFragment = new FilteredUrl("http://aa.bb.cc/page.aspx#tag");
            Assert.IsTrue(withFragment.host == "aa.bb.cc", "test3");
            Assert.IsTrue(withFragment.fragement == "#tag", "test3");

            // Case 4: path, page and a single query parameter.
            var singleParam = new FilteredUrl("http://aa.bb.cc/path/page.aspx?param1=aaa");
            Assert.IsTrue(singleParam.path == "/path/", "test4");
            Assert.IsTrue(singleParam.page == "page.aspx", "test4");
            Assert.IsTrue(singleParam.parametersRaw == "param1=aaa", "test4");
            Assert.IsTrue(singleParam.parameters[0].name == "param1", "test4");
            Assert.IsTrue(singleParam.parameters[0].value == "aaa", "test4");

            // Case 5: nested path, a repeated parameter name and a fragment.
            var fullUrl = new FilteredUrl(
                "http://aa.bb.cc/path1/path2/page.aspx?param1=aaa&param1=bbb&param3=ccc#fragment1");
            Assert.IsTrue(fullUrl.path == "/path1/path2/", "test5");
            Assert.IsTrue(fullUrl.wordsInPath[0] == "path1", "test5");
            Assert.IsTrue(fullUrl.wordsInPath[1] == "path2", "test5");
            Assert.IsTrue(fullUrl.wordsInPathAndPage[2] == "page.aspx", "test5");
            Assert.IsTrue(fullUrl.parameters[1].name == "param1", "test5");
            Assert.IsTrue(fullUrl.parameters[2].name == "param3", "test5");
            Assert.IsTrue(fullUrl.parameters[2].value == "ccc", "test5");

            // The flat word list is checked position by position, in the order the URL is written.
            string[] expectedWords =
            {
                "http:", "aa.bb.cc", "path1", "path2", "page.aspx", "param1",
                "aaa", "param1", "bbb", "param3", "ccc", "fragment1"
            };
            for (int position = 0; position < expectedWords.Length; position++)
            {
                Assert.IsTrue(fullUrl.words[position] == expectedWords[position], "test 5 words");
            }
        }
示例#4
        // ------------------------------------------------------------------------------------------

        /// <summary>
        /// Maps a stored <c>FilteredUrl</c> onto the view model returned to callers.
        /// </summary>
        /// <param name="filteredUrl">Entity to map; its <c>Id</c> and <c>Url</c> are copied unchanged.</param>
        /// <returns>A new <c>FilteredUrlView</c> carrying the same <c>Id</c> and <c>Url</c>.</returns>
        private FilteredUrlView BuildFilteredUrlView(FilteredUrl filteredUrl)
        {
            var view = new FilteredUrlView();

            // The URL is copied verbatim; any output encoding is left to whatever renders the view.
            view.Id = filteredUrl.Id;
            view.Url = filteredUrl.Url;

            return(view);
        }
        /// <summary>
        /// A <c>FilteredUrl</c> built with only the time provider (no URL supplied) must return an empty
        /// result from <c>WithoutTagFilter()</c>.
        /// </summary>
        public void ShouldReturnEmptyIfHasNullQueryUrlForWithoutTagFilter()
        {
            // Arrange
            var subject = new FilteredUrl(_timeProvider.Object);

            // Act and assert
            subject.WithoutTagFilter().Should().BeEmpty();
        }
        /// <summary>
        /// A <c>FilteredUrl</c> built with only the time provider (no URL supplied) must report
        /// <c>false</c> from <c>HasNoDateFilter()</c>.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the method name says "ShouldReturnEmpty" but the assertion is on a boolean.
        /// </remarks>
        public void ShouldReturnEmptyIfHasNullQueryUrlForHasNoDateFilter()
        {
            // Arrange
            var subject = new FilteredUrl(_timeProvider.Object);

            // Act and assert
            subject.HasNoDateFilter().Should().BeFalse();
        }
        /// <summary>
        /// A <c>FilteredUrl</c> built with only the time provider (no URL supplied) must return an empty
        /// result from <c>AddCategoryFilter</c>, whatever category is requested.
        /// </summary>
        public void ShouldReturnEmptyIfHasNullQueryUrlForAddCategoryFilter()
        {
            // Arrange
            var subject = new FilteredUrl(_timeProvider.Object);

            // Act and assert
            subject.AddCategoryFilter("test").Should().BeEmpty();
        }
        /// <summary>
        /// A <c>FilteredUrl</c> built with only the time provider (no URL supplied) must return an empty
        /// result from <c>AddMonthFilter</c>.
        /// </summary>
        public void ShouldReturnEmptyIfHasNullQueryUrlForAddMonthFilter()
        {
            // Arrange
            var subject = new FilteredUrl(_timeProvider.Object);
            var requestedMonth = new DateTime(2017, 01, 01);

            // Act and assert
            subject.AddMonthFilter(requestedMonth).Should().BeEmpty();
        }
示例#9
        /// <summary>
        /// Builds the known-sink trace for a single WebInspect finding.
        /// </summary>
        /// <param name="webInspectFinding">Finding whose <c>fullUrl</c>, <c>payload</c> and <c>param</c> are read.</param>
        /// <returns>
        /// A <c>Known_Sink</c> trace whose signature is "WebInspect:   " followed by the URL's path, page and
        /// parameters, with the payload as context and the parameter name as method.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the URL, payload and parameter name come from scanner output and are copied as-is;
        /// presumably any viewer or report that renders the trace has to treat them as untrusted text - confirm.
        /// </remarks>
        public static IO2Trace createSink(WebInspectFinding webInspectFinding)
        {
            var parsedUrl = new FilteredUrl(webInspectFinding.fullUrl);
            var signature = "WebInspect:   " + parsedUrl.pathAndPageAndParameters;

            var sinkTrace = new O2Trace(signature, TraceType.Known_Sink);
            sinkTrace.context = webInspectFinding.payload;
            sinkTrace.method = webInspectFinding.param;

            return(sinkTrace);
        }
示例#10
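        /// <summary>
        /// Loads a WebInspect results XML file and converts its SQL-injection sessions into O2 findings.
        /// </summary>
        /// <param name="webInspectResultsFile">Path of the WebInspect results XML file to load.</param>
        /// <returns>
        /// One finding per word of each affected session's URL. Each finding holds a single
        /// "WebInspect -> Ounce Mapping (Sql Injection)" trace with one known-sink child, uses the attack
        /// payload as context and is named "&lt;word&gt;_&lt;attack parameter&gt;".
        /// </returns>
        /// <remarks>
        /// The results file holds data captured from the scanned application, so it is parsed as untrusted XML:
        /// the resolver is cleared before loading so that external DTDs and entities are not fetched.
        /// NOTE(review): a DOCTYPE inside the file is still processed; if result files never carry one, loading
        /// through an XmlReader that prohibits DTDs would be stricter.
        /// A session node lacking VulnerableSessionID, AttackParamDescriptor, AttackDescriptor or FullURL
        /// raises a NullReferenceException, as the ReSharper suppression below acknowledges.
        /// </remarks>
        public static List <IO2Finding> loadWebInspectResultsAndReturnO2FindingsFor_SqlInjection_PoC2(
            string webInspectResultsFile)
        {
            var results           = new List <IO2Finding>();
            var webInspectResults = new XmlDocument();

            // Do not resolve external entities or DTDs referenced by the results file (XXE hardening).
            webInspectResults.XmlResolver = null;
            webInspectResults.Load(webInspectResultsFile);
            List <XmlNode> sessionsCheckFoundWithEngineId = getSessionsCheckFoundWithEngineId(webInspectResults,
                                                                                              sqlInjectionEngineId);

            foreach (XmlNode sessionCheckFound in sessionsCheckFoundWithEngineId)
            {
                // ReSharper disable PossibleNullReferenceException
                string sessionId = sessionCheckFound["VulnerableSessionID"].InnerText;

                List <XmlNode> sessionsFoundWithSessionId = getSessionsWithSessionID(webInspectResults, sessionId);
                foreach (XmlNode session in sessionsFoundWithSessionId)
                {
                    string attackParam = session["AttackParamDescriptor"].InnerText;
                    // Hack to handle crl#: form parameter names in ASP.NET
                    // (keeps only the segment after the first ':'; the IndexOf check guarantees it exists)
                    if (attackParam.IndexOf(':') > -1)
                    {
                        attackParam = attackParam.Split(new[] { ':' })[1];
                    }
                    string attackPayload = session["AttackDescriptor"].InnerText;

                    var filteredUrl = new FilteredUrl(session["FullURL"].InnerText);
                    foreach (var word in filteredUrl.words)
                    {
                        // Every finding gets its own sink and root trace so findings never share trace objects.
                        var sink = new O2Trace("WebInspect:   " + filteredUrl.pathAndPageAndParameters,
                                               TraceType.Known_Sink)
                        {
                            context = attackPayload,
                            method  = attackParam
                        };
                        var o2Trace = new O2Trace("WebInspect -> Ounce Mapping (Sql Injection)");
                        o2Trace.childTraces.Add(sink);

                        // word, attackParam and attackPayload are copied from the results file unmodified.
                        var o2Finding = new O2Finding
                        {
                            o2Traces = new List <IO2Trace> {
                                o2Trace
                            },
                            context  = attackPayload,
                            vulnName = word + "_" + attackParam,
                            vulnType = "Sql Injection (from WebInspect)"
                        };
                        results.Add(o2Finding);
                    }
                }
                // ReSharper restore PossibleNullReferenceException
            }
            return(results);
        }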