Friday, February 15, 2013

Test exceptions.

I need a way to pull all of the TextBox types from a web form and then check their contents for questionable items which could be used in cross-site scripting attacks:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.UI.WebControls;

public static class SanityChecker
{
   // Throws if any text box contains (case-insensitively) a blacklisted fragment.
   // The blacklist is loaded from the database by UseSelectStoredProcedure (not shown here).
   public static void FailIfDangerous(List<TextBox> textBoxes, string connectionString)
   {
      List<string> textBoxValues = (from textBox in textBoxes
                                    where textBox.Text != null
                                    select textBox.Text).ToList();
      Dictionary<int, string> blacklist = UseSelectStoredProcedure(connectionString);
      // Refuse the first value that contains any blacklisted fragment.
      foreach (string offending in from blacklistItem in blacklist
                                   from value in textBoxValues
                                   where value.ToLower().Contains(blacklistItem.Value.ToLower())
                                   select value)
      {
         throw new InvalidOperationException("Cannot pass " + offending +
            " as it has content that falls inside of the blacklisted content for prevention of" +
            " cross-site scripting attacks.");
      }
   }
}


I wrote the code snippet above and I am testing it like so (connectionString is a field of the test class, not shown):

[TestMethod]
public void happy_pass_test_passes()
{
   //Arrange
   TextBox foo = new TextBox() { Text = "foo" };
   TextBox bar = new TextBox() { Text = "bar" };
   TextBox baz = new TextBox() { Text = "baz" };
   TextBox qux = new TextBox();
   List<TextBox> textBoxes = new List<TextBox>() { foo, bar, baz, qux };
   string exception = null;

   //Act
   try { SanityChecker.FailIfDangerous(textBoxes, connectionString); }
   catch (InvalidOperationException e) { exception = e.Message; }

   //Assert
   Assert.IsNull(exception);
}

[TestMethod]
public void happy_fail_test_passes()
{
   //Arrange
   TextBox foo = new TextBox() { Text = "foo" };
   TextBox bar = new TextBox() { Text = "bar" };
   TextBox baz = new TextBox() { Text = "baz" };
   TextBox qux = new TextBox() { Text = "ascii" };
   List<TextBox> textBoxes = new List<TextBox>() { foo, bar, baz, qux };
   string exception = null;

   //Act
   try { SanityChecker.FailIfDangerous(textBoxes, connectionString); }
   catch (InvalidOperationException e) { exception = e.Message; }

   //Assert
   Assert.AreEqual("Cannot pass ascii as it has content that falls inside of the" +
      " blacklisted content for prevention of cross-site scripting attacks.", exception);
}


HP Fortify was reporting some security findings to do with passing values in forms and with Response.Redirect implementations, for which there was little cure. Our security consultant suggested that the bugs could go unfixed if we used a blacklisting approach to make sure values usable in cross-site scripting attacks were not passed in form fields, and a whitelisting approach to make sure that Response.Redirect only sent users to legitimate URLs with legitimate query string variables. In the case of the inbound form values causing Fortify findings, many such errors may be curtailed by rewriting direct SQL as stored procedures with parameterized inputs. However, when data comes back out of the database and binds to a GridView, there is the opportunity for HTML pushed in through user inputs to be malicious.
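The whitelisting half of the consultant's suggestion, the Response.Redirect check, is not shown in the post, so here is an added example of it (my code, not the project's). It accepts only same-site relative paths and absolute http(s) URLs whose host is on an allow-list; AllowedHosts and the sample targets are constructed for illustration, and System.Web is deliberately not referenced so the check is a plain function the redirecting page can call.

```csharp
using System;
using System.Collections.Generic;

public static class RedirectChecker
{
    // Constructed allow-list; a real one would come from configuration.
    public static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.example.com", "intranet.example.com" };

    // Returns true only when it is safe to pass target to Response.Redirect.
    public static bool IsAllowedRedirectTarget(string target)
    {
        if (string.IsNullOrWhiteSpace(target)) return false;
        string t = target.Trim();

        // Same-site relative path: a single leading "/" is fine, but "//" and "/\"
        // are treated by browsers as protocol-relative links to another host.
        if (t.StartsWith("/"))
        {
            return t.Length == 1 || (t[1] != '/' && t[1] != '\\');
        }

        // Anything else must parse as an absolute http(s) URL to an allow-listed host.
        // Uri.Host already strips userinfo, so "user@other.example" cannot spoof the host.
        Uri uri;
        if (!Uri.TryCreate(t, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        return AllowedHosts.Contains(uri.Host);
    }

    public static void Main()
    {
        // Constructed sample targets: the first and fourth should pass, the rest be rejected.
        string[] samples = { "/Account/Home.aspx?id=7", "//other.example/x", "/\\other.example",
                             "https://www.example.com/a", "http://other.example/",
                             "https://www.example.com@other.example/", "javascript:void(0)", "" };
        foreach (string s in samples)
            Console.WriteLine("{0,-42} -> {1}", s, IsAllowedRedirectTarget(s) ? "redirect" : "reject");
    }
}
```

Note that a path without a leading slash is rejected too; resolve it against the application root before calling the check if such paths are expected. This allow-list only protects the redirect; the GridView output problem in the paragraph above is addressed by HTML-encoding bound values on output, which a blacklist on input does not guarantee.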