@DinisCruz
Created June 3, 2016 08:36
Testing ASP.NET Controls for default xss

As can be seen in this blog post from Microsoft and this mapping of ASP.NET control encodings, there are a large number of ASP.NET built-in controls that don't escape the values provided.

This is one of the root causes of a large number of XSS issues.

Here is a test that proves that the ASP.NET HtmlTitle, Literal and LinkButton controls do not escape the .Text value.

namespace Tests.XSS_Tests
{
/// <summary>
/// Helpers for checking whether a Web Forms control HTML-encodes its Text property when rendered.
/// <see cref="assert_Text_Render{T}"/> passes only when the text comes out of the renderer verbatim,
/// so a green assertion documents a control that does NOT encode; any untrusted value assigned to such a
/// control's Text must be encoded by the caller first.
/// </summary>
public static class HtmlControls_ExtensionMethods
{
    /// <summary>
    /// Renders <paramref name="control"/> through an <see cref="HtmlTextWriter"/> and returns the markup it emitted.
    /// </summary>
    /// <param name="control">Control to render.</param>
    /// <returns>The output of <see cref="Control.RenderControl(HtmlTextWriter)"/> as a string.</returns>
    public static string render_Control(this Control control)
    {
        var output = new StringBuilder();
        using (var textWriter = new StringWriter(output))
        {
            using (var htmlWriter = new HtmlTextWriter(textWriter))
            {
                control.RenderControl(htmlWriter);
            }
        }
        // Both writers are disposed (and flushed) before the buffer is read.
        // str() is the ToString() extension from the file's helper library (its using lives outside this listing).
        return output.str();
    }

    /// <summary>
    /// Assigns <paramref name="text"/> to the control's Text property and returns the rendered markup.
    /// </summary>
    /// <param name="control">Control exposing a Text property.</param>
    /// <param name="text">Value to assign before rendering.</param>
    /// <returns>The rendered HTML.</returns>
    public static string set_Text_and_Render_Control<T>(this T control, string text) where T : Control
    {
        // Control itself has no Text property and the tested controls share no common interface for it,
        // so the setter is reached by its compiler-generated name ("set_Text") via the invoke reflection
        // extension; this keeps HtmlTitle, Literal and LinkButton on one code path.
        control.invoke("set_Text", text);
        var rendered = control.render_Control();
        return rendered;
    }

    /// <summary>
    /// Asserts that rendering the control with <paramref name="text"/> yields exactly
    /// <c>html_Before + text + html_After</c>, i.e. that the text is emitted unencoded.
    /// </summary>
    /// <param name="control">Control under test.</param>
    /// <param name="html_Before">Markup the control emits before the text.</param>
    /// <param name="html_After">Markup the control emits after the text.</param>
    /// <param name="text">Value assigned to Text; expected to appear verbatim in the output.</param>
    /// <returns>The same control, so calls can be chained.</returns>
    public static T assert_Text_Render<T>(this T control, string html_Before, string html_After, string text) where T : Control
    {
        // The expectation deliberately contains the raw text: a match proves the control did not HTML-encode it.
        var expected = html_Before + text + html_After;
        var actual = control.set_Text_and_Render_Control(text);
        actual.assert_Is(expected);
        return control;
    }
}
/// <summary>
/// Shows that HtmlTitle, Literal and LinkButton render their Text property without HTML-encoding it.
/// Each test passes only when the payload appears in the output byte-for-byte, so these tests are
/// evidence that the caller, not the control, is responsible for encoding untrusted input.
/// </summary>
[TestFixture]
class XSS_Web_Controls
{
    // Inputs a rendering control should encode: attribute/tag breaking characters, a script element,
    // and a value that closes the surrounding title/head elements.
    string payload_1 = "aa '\"> bb <b1> cc ";
    string payload_2 = "<script>alert(42)</script>";
    string payload_3 = "aaa</title></head><body><img src=xxx onerror=alert(42) />";

    // Runs every payload through the control and asserts each one comes out unchanged
    // between the control's fixed before/after markup.
    void assert_All_Payloads_Unencoded<T>(T control, string before, string after) where T : Control
    {
        foreach (var payload in new[] { payload_1, payload_2, payload_3 })
        {
            control.assert_Text_Render(before, after, payload);
        }
    }

    /// <summary>HtmlTitle wraps Text in a title element (CRLF and tab before the value, CRLF after) with no encoding.</summary>
    [Test]
    public void HtmlTitle()
    {
        assert_All_Payloads_Unencoded(new HtmlTitle(), "<title>\r\n\t", "\r\n</title>");
    }

    /// <summary>
    /// Literal emits Text with nothing around it and no encoding in the default Mode used here;
    /// encoding is opt-in via LiteralMode.Encode.
    /// </summary>
    [Test]
    public void Literal()
    {
        assert_All_Payloads_Unencoded(new Literal(), "", "");
    }

    /// <summary>LinkButton wraps Text in a bare anchor element with no encoding.</summary>
    [Test]
    public void LinkButton()
    {
        assert_All_Payloads_Unencoded(new LinkButton(), "<a>", "</a>");
    }
}
}