public void GivenUnknownCharacterWhenChallengingEncodingThenSecurityThreatDiagnosticsMustConvertToKnownCharacterSetEncoding()
{
string unknownCharacters = "ዩኒኮድ ወረጘ የጝ00F800F8يونِكودö'>>B$ôI#€%&/()?@∂öيونِكود";
validation.Payload = unknownCharacters;
Assert.DoesNotThrow(() => SecurityThreatDiagnostics.ChallengeCharacterSetEncoding(validation.Payload, options));
}
public void GivenUrlInjectionInURIFormatWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToFoundSQLInjection()
{
string unsecureUrl = "select * from Customers;`insert into";
validation.Payload = unsecureUrl;
options.MaxIterations = 2;
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None));
}
public void GivenXSScriptAttackScriptAsAnAttributeWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedValue()
{
string invalidXml = "function xss() { alert('injection'); } xss();";
validation.Payload = invalidXml;
options.MaxIterations = 2;
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None));
}
public void GivenDoubleEncodedUrlInjectionInURIFormatWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToDoubleEncodedURI()
{
string unsecureUrl = "http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\";";
validation.Payload = unsecureUrl;
options.MaxIterations = 2;
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeUrlEncoding(validation, options, CancellationToken.None));
}
public void GivenXXEInjectedXMLWhenChallengingValidationOfTheXMLThenSecurityThreatDiagnosticsMustNotRaiseException()
{
string validXml = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>";
validation.Payload = validXml;
options.MaxIterations = 2;
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None));
}
public void GivenScriptInjectedXMLWithDoubleQuatesWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedXML()
{
string invalidXml = "<xml><entity><script>function xss() { alert(\"injection\"); } xss();</script></entity></xml>";
validation.Payload = invalidXml;
options.MaxIterations = 2;
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None));
}
public void GivenInjectedHeaderInWhenChallengingHeadersForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedHeaderValue()
{
WhiteListedHeaders whiteListedHeaders = new WhiteListedHeaders();
whiteListedHeaders.AllowedHttpHeaders = new [] { "Authorization" };
whiteListedHeaders.CurrentHttpHeaders = new Dictionary <string, string>();
whiteListedHeaders.CurrentHttpHeaders.Add("Authorization: ", "Bearer <script>function attack(){ alert(\"i created XSS\"); } attack();</script>");
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeSecurityHeaders(whiteListedHeaders, options, CancellationToken.None));
}
public void GivenValidTextWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToFoundInjection()
{
string validXml = "This is a valid content.";
validation.Payload = validXml;
options.MaxIterations = 2;
SecurityThreatDiagnosticsResult result = SecurityThreatDiagnostics.ChallengeAgainstSecurityThreats(validation, options, CancellationToken.None);
Assert.IsTrue(result.IsValid);
}
public void GivenInvalidAttributesWhenChallengingPayloadAttributesForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedAttributss()
{
string invalidAttribute1 = "<script>function xss() { alert('injection'); } xss();</script>";
string invalidAttribute2 = "<script>function xss() { alert('injection'); } xss();</script>";
string[] attributes = { invalidAttribute1, invalidAttribute2 };
validationAttributes.Attribute = attributes;
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats(validationAttributes, options, CancellationToken.None));
}
public void GivenStandardHeaderInWhenChallengingHeadersForValidationThenSecurityThreatDiagnosticsMustByPassRelevantHeaders()
{
WhiteListedHeaders whiteListedHeaders = new WhiteListedHeaders();
whiteListedHeaders.AllowedHttpHeaders = new [] { StaticHeader };
whiteListedHeaders.CurrentHttpHeaders = new Dictionary <string, string>();
whiteListedHeaders.CurrentHttpHeaders.Add("Authorization: ", "Bearer hashme");
SecurityThreatDiagnosticsResult result = SecurityThreatDiagnostics.ChallengeSecurityHeaders(whiteListedHeaders, options, CancellationToken.None);
Assert.IsTrue(result.IsValid);
}
public void GivenAttackVectorWithCharacterEscapedAttributesWhenChallengingPayloadAttributesForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInvalidException()
{
string invalidAttribute1 = "{payload : {Name" + ":" + "PHNjcmlwdD5mdW5jdGlvbiBhdHRhY2sgKCkge2FsZXJ0KCd4c3MnKTt9YXR0YWNrKCk7PC9zY3JpcHQ+";
string invalidAttribute2 = "Address : test";
string invalidAttribute3 = "Mobile +358123456789 }}' >> mysqldump --all-databases > dump.sql";
string parallel = invalidAttribute1 + invalidAttribute2 + invalidAttribute3;
string[] attributes = { invalidAttribute1, invalidAttribute2, invalidAttribute3, parallel };
validationAttributes.Attribute = attributes;
options.Base64Decode = true;
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats(validationAttributes, options, CancellationToken.None));
}
public void GivenAttackVectorWithMultipleAttributesWhenChallengingPayloadAttributesForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToFoundAttackPattern()
{
string invalidAttribute1 = "{ payload : {Name" + ":" + "%27 %3E%3E";
string invalidAttribute2 = "Address" + ":" + "%3Cscript%3E function attack() %7B alert(%27xss%27)%3B %7D";
string invalidAttribute3 = "Mobile" + ":" + "attack()%3B %3C%2Fscript%3E}}";
string parallel = invalidAttribute1 + invalidAttribute2 + invalidAttribute3;
string[] attributes = { invalidAttribute1, invalidAttribute2, invalidAttribute3, parallel };
validationAttributes.Attribute = attributes;
Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats(validationAttributes, options, CancellationToken.None));
}
public void GivenAllowedIPAddressWhenChallengingIPForValidationThenSecurityThreatDiagnosticsMustNotRaiseExceptionDueToAllowedIPs()
{
AllowedIPAddresses allowedIpAddresses = new AllowedIPAddresses();
//IPV4 and IPV6
string[] allowedIPAddressesRegex =
{
"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
};
string[] denyBroadcastIPAddressesRegex =
{
"255.255.255.255"
};
allowedIpAddresses.WhiteListedIpAddress = allowedIPAddressesRegex;
allowedIpAddresses.BlackListedIpAddresses = denyBroadcastIPAddressesRegex;
allowedIpAddresses.Host = "127.0.0.1";
Assert.DoesNotThrow(() => SecurityThreatDiagnostics.ChallengeIPAddresses(allowedIpAddresses, CancellationToken.None));
}
