public void GivenDoubleEncodedUrlInjectionInURIFormatWhenChallengingValidationThenSecurityThreatDiagnosticsMustRaiseExceptionDueToDoubleEncodedURI() { string unsecureUrl = "http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\";"; validation.Payload = unsecureUrl; options.MaxIterations = 2; Assert.Throws <ApplicationException>(() => SecurityThreatDiagnostics.ChallengeUrlEncoding(validation, options, CancellationToken.None)); }