/// <summary>
/// Checks that attributes holding a literal, unencoded <c>&lt;script&gt;</c> block are rejected:
/// <c>SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats</c> is expected to throw
/// <see cref="ApplicationException"/>.
/// </summary>
/// <remarks>
/// NOTE(review): the method name ends in "Attributss", which looks like a typo for "Attributes".
/// It is left unchanged here because the name is the test's identity.
/// </remarks>
public void GivenInvalidAttributesWhenChallengingPayloadAttributesForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInjectedAttributss()
{
    // Baseline case: a plain script-tag payload with no encoding or obfuscation.
    const string scriptTagPayload = "<script>function xss() { alert('injection'); } xss();</script>";

    // Both slots carry the same value, so this exercises one pattern twice rather than two patterns.
    string[] injectedAttributes = { scriptTagPayload, scriptTagPayload };
    validationAttributes.Attribute = injectedAttributes;

    // NOTE(review): only the exception type is asserted. An ApplicationException raised for an
    // unrelated reason would also satisfy this check; asserting on the message or a more specific
    // exception type would tie the result to the script-tag detection itself.
    Assert.Throws<ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats(validationAttributes, options, CancellationToken.None));
}
/// <summary>
/// Checks that a payload whose script block is hidden behind Base64 encoding is rejected once
/// <c>options.Base64Decode</c> is switched on:
/// <c>SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats</c> is expected to throw
/// <see cref="ApplicationException"/>.
/// </summary>
/// <remarks>
/// Four values are submitted: the Base64-carrying fragment, a benign address fragment, a fragment
/// with unencoded shell redirection, and the concatenation of all three.
/// </remarks>
public void GivenAttackVectorWithCharacterEscapedAttributesWhenChallengingPayloadAttributesForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToInvalidException()
{
    // The trailing literal is the Base64 form of a <script>...</script> block. It is prefixed with
    // JSON-like text, so the attribute as a whole is not valid Base64.
    // NOTE(review): how the validator isolates the encoded portion is not visible here - confirm.
    string encodedNameFragment = "{payload : {Name" + ":" + "PHNjcmlwdD5mdW5jdGlvbiBhdHRhY2sgKCkge2FsZXJ0KCd4c3MnKTt9YXR0YWNrKCk7PC9zY3JpcHQ+";

    // Harmless on its own; present only as part of the combined payload.
    string addressFragment = "Address : test";

    // Unencoded quote, ">>" and ">" redirection around a database dump command.
    string shellRedirectFragment = "Mobile +358123456789 }}' >> mysqldump --all-databases > dump.sql";

    string combinedPayload = encodedNameFragment + addressFragment + shellRedirectFragment;

    string[] submittedAttributes = { encodedNameFragment, addressFragment, shellRedirectFragment, combinedPayload };
    validationAttributes.Attribute = submittedAttributes;

    // NOTE(review): this mutates the `options` object declared outside this method. If that
    // instance is shared between tests rather than re-created per test, the flag leaks into
    // later tests - confirm against the fixture setup.
    options.Base64Decode = true;

    // NOTE(review): shellRedirectFragment is not encoded, so the exception may come from it alone
    // and the test would still pass with Base64 decoding broken. A separate assertion that
    // submits only encodedNameFragment would isolate the decoding path.
    Assert.Throws<ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats(validationAttributes, options, CancellationToken.None));
}
/// <summary>
/// Checks that a percent-encoded script block split across several attributes is rejected:
/// <c>SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats</c> is expected to throw
/// <see cref="ApplicationException"/>.
/// </summary>
/// <remarks>
/// The three fragments and their concatenation are all submitted together. The opening
/// <c>&lt;script&gt;</c> tag sits in the second fragment and the closing tag in the third, so only
/// the concatenated value contains the complete block.
/// </remarks>
public void GivenAttackVectorWithMultipleAttributesWhenChallengingPayloadAttributesForValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToFoundAttackPattern()
{
    // %27 is a single quote and %3E%3E is ">>".
    string nameFragment = "{ payload : {Name" + ":" + "%27 %3E%3E";

    // %3Cscript%3E is "<script>"; %7B, %7D and %3B are "{", "}" and ";".
    string addressFragment = "Address" + ":" + "%3Cscript%3E function attack() %7B alert(%27xss%27)%3B %7D";

    // %3C%2Fscript%3E is "</script>".
    string mobileFragment = "Mobile" + ":" + "attack()%3B %3C%2Fscript%3E}}";

    string combinedPayload = nameFragment + addressFragment + mobileFragment;

    string[] submittedAttributes = { nameFragment, addressFragment, mobileFragment, combinedPayload };
    validationAttributes.Attribute = submittedAttributes;

    // NOTE(review): the fragments and the combined value are validated in one call, so a passing
    // test does not show which of them triggered the exception. Whether the validator
    // percent-decodes before matching is also not visible here - confirm.
    Assert.Throws<ApplicationException>(() => SecurityThreatDiagnostics.ChallengeAttributesAgainstSecurityThreats(validationAttributes, options, CancellationToken.None));
}