├── .gitignore ├── DeployWebAppDotNet451.bat ├── DeployWebAppDotNet452.bat ├── DeployWebAppDotNet46.bat ├── DotNET Tests and Results.xlsx ├── DotNetUnitTests.sln ├── DotNetUnitTests ├── App_Data │ ├── Sample.mdf │ ├── Sample_log.ldf │ ├── dbo.Student.data.sql │ └── dbo.Student.sql ├── DotNetUnitTests.csproj ├── Mappings │ └── Student.hbm.xml ├── Properties │ ├── AssemblyInfo.cs │ └── PublishProfiles │ │ └── LocalWeb.pubxml ├── Student.cs ├── TestCases │ ├── HQLTestCases │ │ ├── DeleteSafeParam.aspx │ │ ├── DeleteSafeParam.aspx.cs │ │ ├── DeleteSafeParam.aspx.designer.cs │ │ ├── DeleteUnsafe.aspx │ │ ├── DeleteUnsafe.aspx.cs │ │ ├── DeleteUnsafe.aspx.designer.cs │ │ ├── DeleteUnsafeStringPlace.aspx │ │ ├── DeleteUnsafeStringPlace.aspx.cs │ │ ├── DeleteUnsafeStringPlace.aspx.designer.cs │ │ ├── HQLTestCasePage.cs │ │ ├── SafeDefault.aspx │ │ ├── SafeDefault.aspx.cs │ │ ├── SafeDefault.aspx.designer.cs │ │ ├── SafeParam.aspx │ │ ├── SafeParam.aspx.cs │ │ ├── SafeParam.aspx.designer.cs │ │ ├── SafeParamSQL.aspx │ │ ├── SafeParamSQL.aspx.cs │ │ ├── SafeParamSQL.aspx.designer.cs │ │ ├── Unsafe.aspx │ │ ├── Unsafe.aspx.cs │ │ ├── Unsafe.aspx.designer.cs │ │ ├── UnsafeHQLStringPlace.aspx │ │ ├── UnsafeHQLStringPlace.aspx.cs │ │ ├── UnsafeHQLStringPlace.aspx.designer.cs │ │ ├── UnsafeSQL.aspx │ │ ├── UnsafeSQL.aspx.cs │ │ ├── UnsafeSQL.aspx.designer.cs │ │ ├── UnsafeSQLStringPlace.aspx │ │ ├── UnsafeSQLStringPlace.aspx.cs │ │ └── UnsafeSQLStringPlace.aspx.designer.cs │ ├── InvalidParameterException.cs │ ├── XPathTestCases │ │ ├── XPathSafeList.aspx │ │ ├── XPathSafeList.aspx.cs │ │ ├── XPathSafeList.aspx.designer.cs │ │ ├── XPathTestCasePage.cs │ │ ├── XPathUnsafeConcat.aspx │ │ ├── XPathUnsafeConcat.aspx.cs │ │ ├── XPathUnsafeConcat.aspx.designer.cs │ │ ├── XPathUnsafeEscape.aspx │ │ ├── XPathUnsafeEscape.aspx.cs │ │ ├── XPathUnsafeEscape.aspx.designer.cs │ │ ├── XPathUnsafePlaceholder.aspx │ │ ├── XPathUnsafePlaceholder.aspx.cs │ │ └── 
XPathUnsafePlaceholder.aspx.designer.cs │ ├── XQueryTestCases │ │ ├── XQuerySafeBind.aspx │ │ ├── XQuerySafeBind.aspx.cs │ │ ├── XQuerySafeBind.aspx.designer.cs │ │ ├── XQuerySafeEscape.aspx │ │ ├── XQuerySafeEscape.aspx.cs │ │ ├── XQuerySafeEscape.aspx.designer.cs │ │ ├── XQuerySafeList.aspx │ │ ├── XQuerySafeList.aspx.cs │ │ ├── XQuerySafeList.aspx.designer.cs │ │ ├── XQueryTestCasePage.cs │ │ ├── XQueryUnsafeConcat.aspx │ │ ├── XQueryUnsafeConcat.aspx.cs │ │ ├── XQueryUnsafeConcat.aspx.designer.cs │ │ ├── XQueryUnsafePlaceholder.aspx │ │ ├── XQueryUnsafePlaceholder.aspx.cs │ │ └── XQueryUnsafePlaceholder.aspx.designer.cs │ └── XXETestCases │ │ ├── LINQXDocumentSafe.aspx │ │ ├── LINQXDocumentSafe.aspx.cs │ │ ├── LINQXDocumentSafe.aspx.designer.cs │ │ ├── LINQXDocumentUnsafe.aspx │ │ ├── LINQXDocumentUnsafe.aspx.cs │ │ ├── LINQXDocumentUnsafe.aspx.designer.cs │ │ ├── LINQXElementSafe.aspx │ │ ├── LINQXElementSafe.aspx.cs │ │ ├── LINQXElementSafe.aspx.designer.cs │ │ ├── XPathNavigatorSafe.aspx │ │ ├── XPathNavigatorSafe.aspx.cs │ │ ├── XPathNavigatorSafe.aspx.designer.cs │ │ ├── XPathNavigatorSafe452.aspx │ │ ├── XPathNavigatorSafe452.aspx.cs │ │ ├── XPathNavigatorSafe452.aspx.designer.cs │ │ ├── XXETestCasePage.cs │ │ ├── XmlDictionaryReaderSafe.aspx │ │ ├── XmlDictionaryReaderSafe.aspx.cs │ │ ├── XmlDictionaryReaderSafe.aspx.designer.cs │ │ ├── XmlDictionaryReaderUnsafe.aspx │ │ ├── XmlDictionaryReaderUnsafe.aspx.cs │ │ ├── XmlDictionaryReaderUnsafe.aspx.designer.cs │ │ ├── XmlDocumentSafe.aspx │ │ ├── XmlDocumentSafe.aspx.cs │ │ ├── XmlDocumentSafe.aspx.designer.cs │ │ ├── XmlDocumentSafe452.aspx │ │ ├── XmlDocumentSafe452.aspx.cs │ │ ├── XmlDocumentSafe452.aspx.designer.cs │ │ ├── XmlDocumentUnsafe.aspx │ │ ├── XmlDocumentUnsafe.aspx.cs │ │ ├── XmlDocumentUnsafe.aspx.designer.cs │ │ ├── XmlNodeReaderSafe.aspx │ │ ├── XmlNodeReaderSafe.aspx.cs │ │ ├── XmlNodeReaderSafe.aspx.designer.cs │ │ ├── XmlNodeReaderSafeXmlReader.aspx │ │ ├── 
XmlNodeReaderSafeXmlReader.aspx.cs │ │ ├── XmlNodeReaderSafeXmlReader.aspx.designer.cs │ │ ├── XmlReaderSafe.aspx │ │ ├── XmlReaderSafe.aspx.cs │ │ ├── XmlReaderSafe.aspx.designer.cs │ │ ├── XmlReaderUnsafe.aspx │ │ ├── XmlReaderUnsafe.aspx.cs │ │ ├── XmlReaderUnsafe.aspx.designer.cs │ │ ├── XmlTextReaderSafe.aspx │ │ ├── XmlTextReaderSafe.aspx.cs │ │ ├── XmlTextReaderSafe.aspx.designer.cs │ │ ├── XmlTextReaderSafe452.aspx │ │ ├── XmlTextReaderSafe452.aspx.cs │ │ ├── XmlTextReaderSafe452.aspx.designer.cs │ │ ├── XmlTextReaderUnsafe.aspx │ │ ├── XmlTextReaderUnsafe.aspx.cs │ │ ├── XmlTextReaderUnsafe.aspx.designer.cs │ │ ├── XslCompiledTransformSafe.aspx │ │ ├── XslCompiledTransformSafe.aspx.cs │ │ ├── XslCompiledTransformSafe.aspx.designer.cs │ │ ├── XslCompiledTransformUnsafe.aspx │ │ ├── XslCompiledTransformUnsafe.aspx.cs │ │ └── XslCompiledTransformUnsafe.aspx.designer.cs ├── codeview.aspx ├── codeview.aspx.cs ├── codeview.aspx.designer.cs ├── hibernate.cfg.xml ├── hqlview.aspx ├── hqlview.aspx.cs ├── hqlview.aspx.designer.cs ├── index.aspx ├── index.aspx.cs ├── index.aspx.designer.cs ├── nhibernate.aspx ├── nhibernate.aspx.cs ├── nhibernate.aspx.designer.cs ├── packages.config ├── resources │ ├── students.xml │ ├── test.xsd │ ├── test.xsl │ ├── xxe_attack.txt │ └── xxetest.xml ├── webconfigs │ ├── Web.451.config │ ├── Web.452.config │ └── Web.46.config ├── xmlview.aspx ├── xmlview.aspx.cs ├── xmlview.aspx.designer.cs ├── xpath.aspx ├── xpath.aspx.cs ├── xpath.aspx.designer.cs ├── xpathview.aspx ├── xpathview.aspx.cs ├── xpathview.aspx.designer.cs ├── xquery.aspx ├── xquery.aspx.cs ├── xquery.aspx.designer.cs ├── xqueryview.aspx ├── xqueryview.aspx.cs └── xqueryview.aspx.designer.cs ├── INSTRUCTIONS.txt ├── LICENSE ├── README.md ├── RunAllTests.bat ├── WebTestCrawler.py └── packages ├── Iesi.Collections.4.0.0.4000 ├── Iesi.Collections.4.0.0.4000.nupkg └── lib │ └── net40 │ ├── Iesi.Collections.dll │ └── Iesi.Collections.xml ├── NHibernate.4.1.1.4000 ├── 
ConfigurationTemplates │ ├── FireBird.cfg.xml │ ├── MSSQL.cfg.xml │ ├── MySql.cfg.xml │ ├── Oracle.cfg.xml │ ├── PostgreSQL.cfg.xml │ ├── SQLite.cfg.xml │ ├── SybaseASE.cfg.xml │ └── SybaseSQLAnywhere.cfg.xml ├── NHibernate.4.1.1.4000.nupkg ├── NHibernate.license.txt ├── NHibernate.readme.html ├── NHibernate.releasenotes.txt ├── lib │ └── net40 │ │ ├── NHibernate.dll │ │ └── NHibernate.xml ├── nhibernate-configuration.xsd └── nhibernate-mapping.xsd └── SaxonPE9.8N ├── IKVM.OpenJDK.Core.dll ├── IKVM.OpenJDK.XML.API.dll └── saxon9pe.dll /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # Project-specific files 7 | DotNetUnitTests/App_Data/Sample.mdf 8 | DotNetUnitTests/App_Data/Sample_log.ldf 9 | DotNetUnitTests/Web.config 10 | DotNetUnitTests/resources/xxetestuser.xml 11 | chromedriver.exe 12 | 13 | # User-specific files 14 | *.suo 15 | *.user 16 | *.userosscache 17 | *.sln.docstates 18 | 19 | # User-specific files (MonoDevelop/Xamarin Studio) 20 | *.userprefs 21 | 22 | # Build results 23 | [Dd]ebug/ 24 | [Dd]ebugPublic/ 25 | [Rr]elease/ 26 | [Rr]eleases/ 27 | x64/ 28 | x86/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Ll]og/ 33 | 34 | # Visual Studio 2015 cache/options directory 35 | .vs/ 36 | # Uncomment if you have tasks that create the project's static files in wwwroot 37 | #wwwroot/ 38 | 39 | # MSTest test Results 40 | [Tt]est[Rr]esult*/ 41 | [Bb]uild[Ll]og.* 42 | 43 | # NUNIT 44 | *.VisualState.xml 45 | TestResult.xml 46 | 47 | # Build Results of an ATL Project 48 | [Dd]ebugPS/ 49 | [Rr]eleasePS/ 50 | dlldata.c 51 | 52 | # .NET Core 53 | project.lock.json 54 | project.fragment.lock.json 55 | artifacts/ 56 | **/Properties/launchSettings.json 57 | 58 | *_i.c 59 | *_p.c 60 | *_i.h 61 | *.ilk 62 | 
*.meta 63 | *.obj 64 | *.pch 65 | *.pdb 66 | *.pgc 67 | *.pgd 68 | *.rsp 69 | *.sbr 70 | *.tlb 71 | *.tli 72 | *.tlh 73 | *.tmp 74 | *.tmp_proj 75 | *.log 76 | *.vspscc 77 | *.vssscc 78 | .builds 79 | *.pidb 80 | *.svclog 81 | *.scc 82 | 83 | # Chutzpah Test files 84 | _Chutzpah* 85 | 86 | # Visual C++ cache files 87 | ipch/ 88 | *.aps 89 | *.ncb 90 | *.opendb 91 | *.opensdf 92 | *.sdf 93 | *.cachefile 94 | *.VC.db 95 | *.VC.VC.opendb 96 | 97 | # Visual Studio profiler 98 | *.psess 99 | *.vsp 100 | *.vspx 101 | *.sap 102 | 103 | # TFS 2012 Local Workspace 104 | $tf/ 105 | 106 | # Guidance Automation Toolkit 107 | *.gpState 108 | 109 | # ReSharper is a .NET coding add-in 110 | _ReSharper*/ 111 | *.[Rr]e[Ss]harper 112 | *.DotSettings.user 113 | 114 | # JustCode is a .NET coding add-in 115 | .JustCode 116 | 117 | # TeamCity is a build add-in 118 | _TeamCity* 119 | 120 | # DotCover is a Code Coverage Tool 121 | *.dotCover 122 | 123 | # Visual Studio code coverage results 124 | *.coverage 125 | *.coveragexml 126 | 127 | # NCrunch 128 | _NCrunch_* 129 | .*crunch*.local.xml 130 | nCrunchTemp_* 131 | 132 | # MightyMoose 133 | *.mm.* 134 | AutoTest.Net/ 135 | 136 | # Web workbench (sass) 137 | .sass-cache/ 138 | 139 | # Installshield output folder 140 | [Ee]xpress/ 141 | 142 | # DocProject is a documentation generator add-in 143 | DocProject/buildhelp/ 144 | DocProject/Help/*.HxT 145 | DocProject/Help/*.HxC 146 | DocProject/Help/*.hhc 147 | DocProject/Help/*.hhk 148 | DocProject/Help/*.hhp 149 | DocProject/Help/Html2 150 | DocProject/Help/html 151 | 152 | # Click-Once directory 153 | publish/ 154 | 155 | # Publish Web Output 156 | *.[Pp]ublish.xml 157 | *.azurePubxml 158 | # TODO: Comment the next line if you want to checkin your web deploy settings 159 | # but database connection strings (with potential passwords) will be unencrypted 160 | *.pubxml 161 | *.publishproj 162 | 163 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 164 | # checkin your Azure Web App publish settings, but sensitive information contained 165 | # in these scripts will be unencrypted 166 | PublishScripts/ 167 | 168 | # NuGet Packages 169 | *.nupkg 170 | # The packages folder can be ignored because of Package Restore 171 | **/packages/* 172 | # except build/, which is used as an MSBuild target. 173 | !**/packages/build/ 174 | # Uncomment if necessary however generally it will be regenerated when needed 175 | #!**/packages/repositories.config 176 | # NuGet v3's project.json files produces more ignorable files 177 | *.nuget.props 178 | *.nuget.targets 179 | 180 | # Microsoft Azure Build Output 181 | csx/ 182 | *.build.csdef 183 | 184 | # Microsoft Azure Emulator 185 | ecf/ 186 | rcf/ 187 | 188 | # Windows Store app package directories and files 189 | AppPackages/ 190 | BundleArtifacts/ 191 | Package.StoreAssociation.xml 192 | _pkginfo.txt 193 | 194 | # Visual Studio cache files 195 | # files ending in .cache can be ignored 196 | *.[Cc]ache 197 | # but keep track of directories ending in .cache 198 | !*.[Cc]ache/ 199 | 200 | # Others 201 | ClientBin/ 202 | ~$* 203 | *~ 204 | *.dbmdl 205 | *.dbproj.schemaview 206 | *.jfm 207 | *.pfx 208 | *.publishsettings 209 | orleans.codegen.cs 210 | 211 | # Since there are multiple workflows, uncomment next line to ignore bower_components 212 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 213 | #bower_components/ 214 | 215 | # RIA/Silverlight projects 216 | Generated_Code/ 217 | 218 | # Backup & report files from converting an old project file 219 | # to a newer Visual Studio version. 
Backup files are not needed, 220 | # because we have git ;-) 221 | _UpgradeReport_Files/ 222 | Backup*/ 223 | UpgradeLog*.XML 224 | UpgradeLog*.htm 225 | 226 | # SQL Server files 227 | *.mdf 228 | *.ldf 229 | *.ndf 230 | 231 | # Business Intelligence projects 232 | *.rdl.data 233 | *.bim.layout 234 | *.bim_*.settings 235 | 236 | # Microsoft Fakes 237 | FakesAssemblies/ 238 | 239 | # GhostDoc plugin setting file 240 | *.GhostDoc.xml 241 | 242 | # Node.js Tools for Visual Studio 243 | .ntvs_analysis.dat 244 | node_modules/ 245 | 246 | # Typescript v1 declaration files 247 | typings/ 248 | 249 | # Visual Studio 6 build log 250 | *.plg 251 | 252 | # Visual Studio 6 workspace options file 253 | *.opt 254 | 255 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 256 | *.vbw 257 | 258 | # Visual Studio LightSwitch build output 259 | **/*.HTMLClient/GeneratedArtifacts 260 | **/*.DesktopClient/GeneratedArtifacts 261 | **/*.DesktopClient/ModelManifest.xml 262 | **/*.Server/GeneratedArtifacts 263 | **/*.Server/ModelManifest.xml 264 | _Pvt_Extensions 265 | 266 | # Paket dependency manager 267 | .paket/paket.exe 268 | paket-files/ 269 | 270 | # FAKE - F# Make 271 | .fake/ 272 | 273 | # JetBrains Rider 274 | .idea/ 275 | *.sln.iml 276 | 277 | # CodeRush 278 | .cr/ 279 | 280 | # Python Tools for Visual Studio (PTVS) 281 | __pycache__/ 282 | *.pyc 283 | 284 | # Cake - Uncomment if you are using it 285 | # tools/** 286 | # !tools/packages.config 287 | 288 | # Telerik's JustMock configuration file 289 | *.jmconfig 290 | 291 | # BizTalk build output 292 | *.btp.cs 293 | *.btm.cs 294 | *.odx.cs 295 | *.xsd.cs 296 | -------------------------------------------------------------------------------- /DeployWebAppDotNet451.bat: -------------------------------------------------------------------------------- 1 | IF EXIST "%cd%\DotNetUnitTests\Web.config" ( 2 | DEL "%cd%\DotNetUnitTests\Web.config" 3 | ) 4 | COPY 
"%cd%\DotNetUnitTests\webconfigs\Web.451.config" "%cd%\DotNetUnitTests" 5 | REN "%cd%\DotNetUnitTests\Web.451.config" "Web.config" 6 | 7 | msbuild /m .\DotNetUnitTests.sln /p:Configuration=Release /p:DeployOnBuild=true /p:PublishProfile=LocalWeb /p:IncludeIisSettings=false /p:IncludeAppPool=false 8 | START "" http://localhost:8080 9 | START /d "C:\Program Files\IIS Express\" iisexpress.exe /path:"%cd%\DotNetUnitTests" /port:8080 10 | -------------------------------------------------------------------------------- /DeployWebAppDotNet452.bat: -------------------------------------------------------------------------------- 1 | IF EXIST "%cd%\DotNetUnitTests\Web.config" ( 2 | DEL "%cd%\DotNetUnitTests\Web.config" 3 | ) 4 | COPY "%cd%\DotNetUnitTests\webconfigs\Web.452.config" "%cd%\DotNetUnitTests" 5 | REN "%cd%\DotNetUnitTests\Web.452.config" "Web.config" 6 | 7 | msbuild /m .\DotNetUnitTests.sln /p:Configuration=Release /p:DeployOnBuild=true /p:PublishProfile=LocalWeb /p:IncludeIisSettings=false /p:IncludeAppPool=false 8 | START "" http://localhost:8080 9 | START /d "C:\Program Files\IIS Express\" iisexpress.exe /path:"%cd%\DotNetUnitTests" /port:8080 10 | -------------------------------------------------------------------------------- /DeployWebAppDotNet46.bat: -------------------------------------------------------------------------------- 1 | IF EXIST "%cd%\DotNetUnitTests\Web.config" ( 2 | DEL "%cd%\DotNetUnitTests\Web.config" 3 | ) 4 | COPY "%cd%\DotNetUnitTests\webconfigs\Web.46.config" "%cd%\DotNetUnitTests" 5 | REN "%cd%\DotNetUnitTests\Web.46.config" "Web.config" 6 | 7 | msbuild /m .\DotNetUnitTests.sln /p:Configuration=Release /p:DeployOnBuild=true /p:PublishProfile=LocalWeb /p:IncludeIisSettings=false /p:IncludeAppPool=false 8 | START "" http://localhost:8080 9 | START /d "C:\Program Files\IIS Express\" iisexpress.exe /path:"%cd%\DotNetUnitTests" /port:8080 10 | -------------------------------------------------------------------------------- /DotNET Tests 
and Results.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/DotNET Tests and Results.xlsx -------------------------------------------------------------------------------- /DotNetUnitTests.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DotNetUnitTests", "DotNetUnitTests\DotNetUnitTests.csproj", "{F42F0F80-3204-4C49-83DC-2B2E47E3D013}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {F42F0F80-3204-4C49-83DC-2B2E47E3D013}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {F42F0F80-3204-4C49-83DC-2B2E47E3D013}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {F42F0F80-3204-4C49-83DC-2B2E47E3D013}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {F42F0F80-3204-4C49-83DC-2B2E47E3D013}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /DotNetUnitTests/App_Data/Sample.mdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/DotNetUnitTests/App_Data/Sample.mdf -------------------------------------------------------------------------------- /DotNetUnitTests/App_Data/Sample_log.ldf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/DotNetUnitTests/App_Data/Sample_log.ldf -------------------------------------------------------------------------------- /DotNetUnitTests/App_Data/dbo.Student.data.sql: -------------------------------------------------------------------------------- 1 | INSERT INTO [dbo].[Student] ([LastName], [FirstName], [Username], [Password]) VALUES ('Tables', 'Bobby', 'btables', 'Tr0ub4dor&3') 2 | INSERT INTO [dbo].[Student] ([LastName], [FirstName], [Username], [Password]) VALUES ('Tables', 'Bobby'' OR ''a''=''a', 'btables2', 'correcthorsebatterystaple') 3 | INSERT INTO [dbo].[Student] ([LastName], [FirstName], [Username], [Password]) VALUES ('Skywalker', 'Anakin', 'sithlord', 'ihatesand1234') 4 | INSERT INTO [dbo].[Student] ([LastName], [FirstName], [Username], [Password]) VALUES ('Morrison', 'Jack', 'soldier76', 'Number1Dad') 5 | INSERT INTO [dbo].[Student] ([LastName], [FirstName], [Username], [Password]) VALUES ('Midoriya', 'Izuku', 'deku', 'OneForAll') -------------------------------------------------------------------------------- /DotNetUnitTests/App_Data/dbo.Student.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE [dbo].[Student] ( 2 | [ID] INT IDENTITY (1, 1) NOT NULL, 3 | [LastName] VARCHAR (MAX) NULL, 4 | [FirstName] VARCHAR (MAX) NULL, 5 | [Username] VARCHAR(MAX) NULL, 6 | [Password] VARCHAR(MAX) NULL, 7 | PRIMARY KEY CLUSTERED ([ID] ASC) 8 | ); 9 | 10 | -------------------------------------------------------------------------------- /DotNetUnitTests/Mappings/Student.hbm.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- 
/DotNetUnitTests/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.InteropServices; 3 | 4 | // General Information about an assembly is controlled through the following 5 | // set of attributes. Change these attribute values to modify the information 6 | // associated with an assembly. 7 | [assembly: AssemblyTitle("DotNetUnitTests")] 8 | [assembly: AssemblyDescription("")] 9 | [assembly: AssemblyConfiguration("")] 10 | [assembly: AssemblyCompany("")] 11 | [assembly: AssemblyProduct("DotNetUnitTests")] 12 | [assembly: AssemblyCopyright("Copyright © 2017")] 13 | [assembly: AssemblyTrademark("")] 14 | [assembly: AssemblyCulture("")] 15 | 16 | // Setting ComVisible to false makes the types in this assembly not visible 17 | // to COM components. If you need to access a type in this assembly from 18 | // COM, set the ComVisible attribute to true on that type. 19 | [assembly: ComVisible(false)] 20 | 21 | // The following GUID is for the ID of the typelib if this project is exposed to COM 22 | [assembly: Guid("f42f0f80-3204-4c49-83dc-2b2e47e3d013")] 23 | 24 | // Version information for an assembly consists of the following four values: 25 | // 26 | // Major Version 27 | // Minor Version 28 | // Build Number 29 | // Revision 30 | // 31 | // You can specify all the values or you can default the Revision and Build Numbers 32 | // by using the '*' as shown below: 33 | [assembly: AssemblyVersion("1.0.0.0")] 34 | [assembly: AssemblyFileVersion("1.0.0.0")] 35 | -------------------------------------------------------------------------------- /DotNetUnitTests/Properties/PublishProfiles/LocalWeb.pubxml: -------------------------------------------------------------------------------- 1 |  2 | 6 | 7 | 8 | MSDeploy 9 | False 10 | Release 11 | Any CPU 12 | http://localhost/DotNetUnitTests 13 | True 14 | False 15 | localhost 16 | Default Web Site/DotNetUnitTests 17 | 18 | 
False 19 | InProc 20 | False 21 | 22 | <_SavePWD>False 23 | 24 | -------------------------------------------------------------------------------- /DotNetUnitTests/Student.cs: --------------------------------------------------------------------------------
namespace DotNetUnitTests
{
    /// <summary>
    /// Entity backing the dbo.Student table (see App_Data/dbo.Student.sql); the
    /// NHibernate mapping lives in Mappings/Student.hbm.xml. Every member is
    /// virtual, presumably to satisfy NHibernate's proxy requirements.
    /// NOTE(review): Password is a plain string and the seed rows in
    /// App_Data/dbo.Student.data.sql hold cleartext values. That is acceptable for
    /// this deliberately vulnerable test fixture only - do not reuse the entity as-is.
    /// </summary>
    public class Student
    {
        /// <summary>Identity column; stays at its default (0) until the row is persisted.</summary>
        public virtual int ID { get; set; }
        public virtual string LastName { get; set; }
        public virtual string FirstName { get; set; }
        public virtual string Username { get; set; }
        public virtual string Password { get; set; }

        /// <summary>Parameterless constructor, presumably kept for NHibernate materialisation.</summary>
        public Student()
        {
        }

        /// <summary>Builds an unsaved student from its four string fields.</summary>
        public Student(string lastName, string firstName, string username, string password)
            : this()
        {
            this.LastName = lastName;
            this.FirstName = firstName;
            this.Username = username;
            this.Password = password;
        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/DeleteSafeParam.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="DeleteSafeParam.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.DeleteSafeParam" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |

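<<< back to tests 29 | 30 | 31 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/DeleteSafeParam.aspx.cs: --------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class DeleteSafeParam : HQLTestCasePage
    {
        /**
         * DELETE: Safe when Parameterizing Custom HQL Queries Example
         *
         * The user-supplied value is bound with IQuery.SetParameter instead of being
         * spliced into the HQL text. The query structure is fixed by the string
         * literal below and the input can only ever act as the compared value, which
         * blocks HQL injection. ISession.Delete(string) takes a raw HQL string and has
         * no parameter binding, so the delete is written as
         * CreateQuery(...).ExecuteUpdate() instead.
         *
         * hqlText (the request-controlled input) and TestResults(...) are inherited
         * from HQLTestCasePage, which is defined outside this file.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            // Positive case: the delete must remove only the student whose FirstName
            // exactly equals the submitted text.
            bool expectedSafe = true;

            // using-blocks release the session and factory even when the HQL query
            // throws; the plain Close() calls were skipped on any exception.
            using (ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory())
            using (ISession session = sessionFactory.OpenSession())
            {
                // seed two rows; a correct implementation deletes at most one of them
                Student test = new Student("User", "Test", "test", "deleteme");
                Student target = new Student("User", "Target", "target", "deleteme2");
                session.Save(test);
                session.Save(target);

                // delete the requested student: the value travels as a bind
                // parameter, never as part of the query text
                IQuery query = session.CreateQuery("DELETE FROM Student WHERE FirstName = :name");
                query.SetParameter("name", hqlText); // safe!
                query.ExecuteUpdate();

                // read the seeded rows back to see what the DELETE actually removed
                IQuery postQuery = session.CreateQuery("FROM Student WHERE FirstName = 'Test' OR FirstName = 'Target';");
                // NOTE(review): the page listing shows this as a non-generic IList/List();
                // with only System.Collections.Generic imported the generic form is the
                // one that compiles - confirm against the repository.
                IList<Student> students = postQuery.List<Student>();

                // the base class compares the surviving rows against the expectation
                TestResults(students, hqlText, expectedSafe);
            }
        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/DeleteSafeParam.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.HQLTestCases { 11 | 12 | 13 | public partial class DeleteSafeParam { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/DeleteUnsafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="DeleteUnsafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.DeleteUnsafe" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |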

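<<< back to tests 29 | 30 | 31 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/DeleteUnsafe.aspx.cs: --------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class DeleteUnsafe : HQLTestCasePage
    {
        /**
         * DELETE: Unsafe when Using String Concatenation on Custom HQL Queries Example
         *
         * INTENTIONALLY VULNERABLE test case - do not copy this pattern. The user
         * input is concatenated straight into the HQL handed to ISession.Delete(string).
         * A value containing a single quote closes the FirstName literal and the rest
         * of the value is parsed as HQL, so the WHERE predicate can be widened and rows
         * other than the intended one deleted (the seed data in
         * App_Data/dbo.Student.data.sql even contains such a FirstName). The safe
         * counterpart is DeleteSafeParam, which binds the value with SetParameter.
         *
         * hqlText (the request-controlled input) and TestResults(...) are inherited
         * from HQLTestCasePage, which is defined outside this file.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            // Negative case: the harness expects the injected input to delete more
            // than the single intended row.
            bool expectedSafe = false;

            // using-blocks release the session and factory even when the malformed
            // HQL throws; the plain Close() calls were skipped on any exception.
            using (ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory())
            using (ISession session = sessionFactory.OpenSession())
            {
                // seed two rows; a correct implementation would delete at most one
                Student test = new Student("User", "Test", "test", "deleteme");
                Student target = new Student("User", "Target", "target", "deleteme2");
                session.Save(test);
                session.Save(target);

                // UNSAFE (the behaviour under test): user input becomes query text
                session.Delete("FROM Student WHERE FirstName = '" + hqlText + "';");
                session.Flush();

                // read the seeded rows back to see what the DELETE actually removed
                IQuery query = session.CreateQuery("FROM Student WHERE FirstName = 'Test' OR FirstName = 'Target';");
                // NOTE(review): the page listing shows this as a non-generic IList/List();
                // with only System.Collections.Generic imported the generic form is the
                // one that compiles - confirm against the repository.
                IList<Student> students = query.List<Student>();

                // the base class compares the surviving rows against the expectation
                TestResults(students, hqlText, expectedSafe);
            }
        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/DeleteUnsafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 |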
//------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.HQLTestCases { 11 | 12 | 13 | public partial class DeleteUnsafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/DeleteUnsafeStringPlace.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="DeleteUnsafeStringPlace.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.DeleteUnsafeStringPlace" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/DeleteUnsafeStringPlace.aspx.cs:
--------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class DeleteUnsafeStringPlace : HQLTestCasePage
    {
        /**
         * DELETE: Unsafe when Using String Placeholders on Custom HQL Queries Example
         * By using string placeholders in the Delete method, the query is vulnerable to injection.
         *
         * Test fixture: the String.Format call on the Delete line is the pattern under test and is
         * deliberately left as written. String.Format performs textual substitution only, so the
         * outcome is identical to concatenation; a {0} placeholder is not a query parameter.
         * hqlText (inherited from HQLTestCasePage) is the untrusted input; expectedSafe = false.
         *
         * NOTE(review): generic type arguments (e.g. on IList / query.List) appear to have been
         * stripped from this copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            // creating the database session
            // (closed only on the normal path below; an exception from Delete/Flush/List leaves
            // both the session and the factory open)
            ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory();
            ISession session = sessionFactory.OpenSession();

            // inserting the User students that will (hopefully) be deleted
            Student test = new Student("User", "Test", "test", "deleteme");
            Student target = new Student("User", "Target", "target", "deleteme2");
            session.Save(test);
            session.Save(target);

            // delete the inputted user
            // unsafe: {0} is replaced textually, so a quote in hqlText ends the literal and the
            // rest of the input is interpreted as HQL
            session.Delete(String.Format("FROM Student WHERE FirstName = '{0}';", hqlText));
            session.Flush();

            // getting the User students to see what the results of the DELETE were
            IQuery query = session.CreateQuery("FROM Student WHERE FirstName = 'Test' OR FirstName = 'Target';");
            IList students = query.List();

            // testing the result
            TestResults(students, hqlText, expectedSafe);

            session.Close();
            sessionFactory.Close();
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/DeleteUnsafeStringPlace.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
//
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.HQLTestCases {


    public partial class DeleteUnsafeStringPlace {
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/HQLTestCasePage.cs:
--------------------------------------------------------------------------------
using System.Collections.Generic;
using System.Web;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    /**
     * Base page for the HQL/SQL injection test cases: exposes the request payload to the
     * derived pages and classifies/prints the outcome of their query.
     *
     * NOTE(review): generic type arguments (e.g. on IList) appear to have been stripped from
     * this copy of the file; confirm against the repository before building.
     */
    public class HQLTestCasePage : System.Web.UI.Page
    {
        // read from the "payload" query-string parameter at field initialization: untrusted,
        // unvalidated, and null when the parameter is absent
        private string _hqlText = HttpContext.Current.Request.QueryString["payload"];

        /**
         * The vulnerable HQL query
         * The raw "payload" query-string value that the derived pages feed into their queries.
         */
        protected string hqlText { get { return _hqlText; } set { _hqlText = value; } }

        /**
         * Tests the result of the query and changes the print type accordingly
         *
         * The verdict is chosen by inspecting the payload rather than only the data:
         *  - one of the two default injection payloads: the actuallySafe value passed to
         *    PrintResults is expectedSafe itself and students is not examined, so this branch
         *    reports the expectation, not a measurement;
         *  - any other payload containing ';' or an apostrophe: reported as unsafe / custom;
         *  - otherwise: unsafe when the query returned 0 or more than 1 rows and the "var"
         *    query-string parameter does not contain "Delete", safe otherwise.
         * The hqlText parameter shadows the hqlText property. Neither hqlText nor
         * Request.QueryString["var"] is null-checked before its methods are called.
         */
        protected void TestResults(IList students, string hqlText, bool expectedSafe)
        {
            // using the default injection
            if (hqlText.Equals("Bobby' OR 'a'='a") || hqlText.Equals("Test' OR FirstName='Target"))
            {
                // verdict mirrors the expectation for the canned payloads
                if (expectedSafe)
                    PrintResults(expectedSafe, true, false, students);
                else
                    PrintResults(expectedSafe, false, false, students);
            }

            // using a custom injection that uses a semicolon or apostrophe
            else if (hqlText.Contains(";") || hqlText.Contains("'"))
                PrintResults(expectedSafe, false, true, students);

            else
            {
                // using a custom injection in SELECT that returns extra rows or deletes entries
                if ((students.Count > 1 || students.Count == 0) && !Request.QueryString["var"].Contains("Delete"))
                    PrintResults(expectedSafe, false, true, students);

                // using a query thats safe
                else
                    PrintResults(expectedSafe, true, true, students);
            }
        }

        /**
         * Prints the results
         * Writes the expected/actual verdict and the given students straight into the response.
         * NOTE(review): the markup inside this method's string literals is not present in this
         * copy of the file; the body continues below.
         */
        protected void PrintResults(bool expectedSafe, bool actuallySafe, bool custom, IList students)
        {
            Response.Write("

"); 51 | Response.Write("Expected result: " + (expectedSafe ? "Safe" : "Unsafe") + "
"); 52 | Response.Write("Actual result: " + (actuallySafe ? "NHibernate is safe! 😊" : "Unsafe query was injected! 😭") + "
"); 53 | Response.Write("

"); 54 | if (!custom) 55 | { 56 | if (Request.QueryString["var"].Contains("Delete")) 57 | { 58 | if (actuallySafe) 59 | Response.Write("" + "Query Result (should contain both Test User and Target User):" + "" + "
"); 60 | else 61 | Response.Write("" + "Query Result (should be an empty table):" + "" + "
"); 62 | } 63 | else 64 | { 65 | if (actuallySafe) 66 | Response.Write("" + "Query Result (should contain the Student where the first name is Bobby' OR 'a'='a):" + "" + "
"); 67 | else 68 | Response.Write("" + "Query Result (should return all Student entries instead of just Bobby):" + "" + "
"); 69 | } 70 | } 71 | else 72 | Response.Write("" + "Result of your custom query:" + "" + "
"); 73 | 74 | // print table view 75 | Response.Write(""); 76 | Response.Write(""); 77 | foreach (Student student in students) 78 | { 79 | Response.Write(""); 80 | Response.Write(""); 81 | Response.Write(""); 82 | Response.Write(""); 83 | Response.Write(""); 84 | Response.Write(""); 85 | Response.Write(""); 86 | } 87 | Response.Write("
ID Last Name First Name Username Password
" + student.ID + "" + student.LastName + "" + student.FirstName + "" + student.Username + "" + student.Password + "
"); 88 | } 89 | } 90 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/SafeDefault.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="SafeDefault.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.SafeDefault" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/SafeDefault.aspx.cs:
--------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class SafeDefault : HQLTestCasePage
    {
        /**
         * SELECT: Safe when Using Built-in Functions Example
         * By using NHibernate's built-in functions that aim to make executing querys more object-oriented, the input query is inherently parameterized.
         *
         * Test fixture: the Criteria API call is the pattern under test and is deliberately left
         * as written. hqlText (inherited from HQLTestCasePage) is passed to Expression.Eq as a
         * value, never as query text, so it cannot change the structure of the query;
         * expectedSafe = true.
         *
         * NOTE(review): generic type arguments (e.g. on CreateCriteria / IList) appear to have
         * been stripped from this copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = true;

            // creating the database session
            // (closed only on the normal path below; an exception from List/TestResults leaves
            // both the session and the factory open)
            ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory();
            ISession session = sessionFactory.OpenSession();

            // creating and receiving the results of the HQL query
            ICriteria criteria = session.CreateCriteria();
            criteria.Add(NHibernate.Criterion.Expression.Eq("FirstName", hqlText)); // safe!
            IList students = criteria.List();

            // testing the result
            TestResults(students, hqlText, expectedSafe);

            session.Close();
            sessionFactory.Close();
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/SafeDefault.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.HQLTestCases { 11 | 12 | 13 | public partial class SafeDefault { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/SafeParam.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="SafeParam.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.SafeParam" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/SafeParam.aspx.cs:
--------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class SafeParam : HQLTestCasePage
    {
        /**
         * SELECT: Safe when Parameterizing Custom HQL Queries (CreateQuery) Example
         * By parameterizing the user input, we can succesfully block any HQL injection attempts.
         *
         * Test fixture: the named parameter (:name) plus SetParameter is the pattern under test
         * and is deliberately left as written. The query text is a constant; hqlText (inherited
         * from HQLTestCasePage) is bound as a value, so the input cannot change the query's
         * structure; expectedSafe = true.
         *
         * NOTE(review): generic type arguments (e.g. on IList / query.List) appear to have been
         * stripped from this copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = true;

            // creating the database session
            // (closed only on the normal path below; an exception from List/TestResults leaves
            // both the session and the factory open)
            ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory();
            ISession session = sessionFactory.OpenSession();

            // creating and receiving the results of the custom HQL query
            IQuery query = session.CreateQuery("FROM Student WHERE FirstName = :name");
            query.SetParameter("name", hqlText); // safe!
            IList students = query.List();

            // testing the result
            TestResults(students, hqlText, expectedSafe);

            session.Close();
            sessionFactory.Close();
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/SafeParam.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.HQLTestCases { 11 | 12 | 13 | public partial class SafeParam { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/SafeParamSQL.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="SafeParamSQL.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.SafeParamSQL" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/SafeParamSQL.aspx.cs:
--------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class SafeParamSQL : HQLTestCasePage
    {
        /**
         * SELECT: Safe when Parameterizing Custom SQL Queries (CreateSQLQuery) Example
         * By parameterizing the user input, we can succesfully block any SQL injection attempts.
         *
         * Test fixture: the native SQL query with a named parameter (:name) bound through
         * SetParameter is the pattern under test and is deliberately left as written. The SQL
         * text is a constant; hqlText (inherited from HQLTestCasePage) is bound as a value;
         * expectedSafe = true.
         *
         * NOTE(review): generic type arguments (e.g. on IList / query.List) appear to have been
         * stripped from this copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = true;

            // creating the database session
            // (closed only on the normal path below; an exception from List/TestResults leaves
            // both the session and the factory open)
            ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory();
            ISession session = sessionFactory.OpenSession();

            // creating and receiving the results of the custom SQL query
            ISQLQuery query = session.CreateSQLQuery("SELECT * FROM Student WHERE FirstName = :name");
            query.AddEntity(typeof(Student)); // map the result rows onto Student entities
            query.SetParameter("name", hqlText); // safe!

            IList students = query.List();

            // testing the result
            TestResults(students, hqlText, expectedSafe);

            session.Close();
            sessionFactory.Close();
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/SafeParamSQL.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.HQLTestCases { 11 | 12 | 13 | public partial class SafeParamSQL { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/Unsafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Unsafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.Unsafe" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/Unsafe.aspx.cs:
--------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class Unsafe : HQLTestCasePage
    {
        /**
         * SELECT: Unsafe when Using String Concatenation on Custom HQL Queries (CreateQuery) Example
         * By doing string concatenation in the CreateQuery method, the HQL query is just as vulnerable to injection as any unsafe SQL query.
         *
         * Test fixture: the concatenation on the CreateQuery line is the pattern under test and
         * is deliberately left as written. hqlText (inherited from HQLTestCasePage) is the
         * untrusted input; expectedSafe = false records that the injection is expected to succeed.
         *
         * NOTE(review): generic type arguments (e.g. on IList / query.List) appear to have been
         * stripped from this copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            // creating the database session
            // (closed only on the normal path below; an exception from List/TestResults leaves
            // both the session and the factory open)
            ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory();
            ISession session = sessionFactory.OpenSession();

            // creating and receiving the results of the custom HQL query
            // unsafe: hqlText is spliced into the HQL text, so a quote in the input ends the
            // literal and the remainder of the input is interpreted as part of the WHERE clause
            IQuery query = session.CreateQuery("FROM Student WHERE FirstName = '" + hqlText + "';"); // unsafe!
            IList students = query.List();

            // testing the result
            TestResults(students, hqlText, expectedSafe);

            session.Close();
            sessionFactory.Close();
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/Unsafe.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.HQLTestCases { 11 | 12 | 13 | public partial class Unsafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/UnsafeHQLStringPlace.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="UnsafeHQLStringPlace.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.UnsafeHQLStringPlace" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/UnsafeHQLStringPlace.aspx.cs:
--------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class UnsafeHQLStringPlace : HQLTestCasePage
    {
        /**
         * SELECT: Unsafe when Using String Placeholders on Custom HQL Queries (CreateQuery) Example
         * By using string placeholders in the CreateQuery method, the HQL query is just as vulnerable to injection as any unsafe SQL query.
         *
         * Test fixture: the String.Format call on the CreateQuery line is the pattern under test
         * and is deliberately left as written. String.Format performs textual substitution only,
         * so the result is identical to concatenation; a {0} placeholder is not a query parameter.
         * hqlText (inherited from HQLTestCasePage) is the untrusted input; expectedSafe = false.
         *
         * NOTE(review): generic type arguments (e.g. on IList / query.List) appear to have been
         * stripped from this copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            // creating the database session
            // (closed only on the normal path below; an exception from List/TestResults leaves
            // both the session and the factory open)
            ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory();
            ISession session = sessionFactory.OpenSession();

            // creating and receiving the results of the custom HQL query
            // unsafe: {0} is replaced textually before NHibernate ever sees the query
            IQuery query = session.CreateQuery(String.Format("FROM Student WHERE FirstName = '{0}';", hqlText)); // unsafe!
            IList students = query.List();

            // testing the result
            TestResults(students, hqlText, expectedSafe);

            session.Close();
            sessionFactory.Close();
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/UnsafeHQLStringPlace.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.HQLTestCases { 11 | 12 | 13 | public partial class UnsafeHQLStringPlace { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/UnsafeSQL.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="UnsafeSQL.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.UnsafeSQL" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/UnsafeSQL.aspx.cs:
--------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class UnsafeSQL : HQLTestCasePage
    {
        /**
         * SELECT: Unsafe when Using String Concatenation on Custom SQL Queries (CreateSQLQuery) Example
         * By doing string concatenation in the CreateSQLQuery method, the SQL query is vulnerable to injection.
         *
         * Test fixture: the concatenation on the CreateSQLQuery line is the pattern under test and
         * is deliberately left as written. This is native SQL, so the injected text reaches the
         * database driver directly. hqlText (inherited from HQLTestCasePage) is the untrusted
         * input; expectedSafe = false.
         *
         * NOTE(review): generic type arguments (e.g. on IList / query.List) appear to have been
         * stripped from this copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            // creating the database session
            // (closed only on the normal path below; an exception from List/TestResults leaves
            // both the session and the factory open)
            ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory();
            ISession session = sessionFactory.OpenSession();

            // creating and receiving the results of the custom SQL query
            // unsafe: hqlText is spliced into the SQL text; a quote in the input ends the literal
            ISQLQuery query = session.CreateSQLQuery("SELECT * FROM Student WHERE FirstName = '" + hqlText + "';"); // unsafe!
            query.AddEntity(typeof(Student)); // map the result rows onto Student entities

            IList students = query.List();

            // testing the result
            TestResults(students, hqlText, expectedSafe);

            session.Close();
            sessionFactory.Close();
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/UnsafeSQL.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.HQLTestCases { 11 | 12 | 13 | public partial class UnsafeSQL { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/HQLTestCases/UnsafeSQLStringPlace.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="UnsafeSQLStringPlace.aspx.cs" Inherits="DotNetUnitTests.TestCases.HQLTestCases.UnsafeSQLStringPlace" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 26 | 27 | 28 |

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/UnsafeSQLStringPlace.aspx.cs:
--------------------------------------------------------------------------------
using NHibernate;
using NHibernate.Cfg;
using System;
using System.Collections.Generic;

namespace DotNetUnitTests.TestCases.HQLTestCases
{
    public partial class UnsafeSQLStringPlace : HQLTestCasePage
    {
        /**
         * SELECT: Unsafe when Using String Placeholders on Custom SQL Queries (CreateSQLQuery) Example
         * By using string placeholders in the CreateSQLQuery method, the SQL query is vulnerable to injection.
         *
         * Test fixture: the String.Format call on the CreateSQLQuery line is the pattern under
         * test and is deliberately left as written. String.Format performs textual substitution
         * only, so the result is identical to concatenation; a {0} placeholder is not a bound
         * parameter. hqlText (inherited from HQLTestCasePage) is the untrusted input;
         * expectedSafe = false.
         *
         * NOTE(review): generic type arguments (e.g. on IList / query.List) appear to have been
         * stripped from this copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            // creating the database session
            // (closed only on the normal path below; an exception from List/TestResults leaves
            // both the session and the factory open)
            ISessionFactory sessionFactory = new Configuration().Configure().BuildSessionFactory();
            ISession session = sessionFactory.OpenSession();

            // creating and receiving the results of the custom SQL query
            // unsafe: {0} is replaced textually before the SQL reaches NHibernate or the driver
            ISQLQuery query = session.CreateSQLQuery(String.Format("SELECT * FROM Student WHERE FirstName = '{0}';", hqlText)); // unsafe!
            query.AddEntity(typeof(Student)); // map the result rows onto Student entities

            IList students = query.List();

            // testing the result
            TestResults(students, hqlText, expectedSafe);

            session.Close();
            sessionFactory.Close();
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/HQLTestCases/UnsafeSQLStringPlace.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
//
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.HQLTestCases {


    public partial class UnsafeSQLStringPlace {
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/InvalidParameterException.cs:
--------------------------------------------------------------------------------
using System;

namespace DotNetUnitTests.TestCases
{
    /**
     * Exception for whitelisting XPath and XQuery query parameters
     *
     * Thrown by the allow-listing test pages when a request parameter fails validation.
     * It carries only the caller-supplied message and adds no members of its own.
     */
    public class InvalidParameterException : Exception
    {
        /**
         * Creates the exception with the given message, which is passed through to Exception.
         */
        public InvalidParameterException(string message) : base(message) { }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathSafeList.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XPathSafeList.aspx.cs" Inherits="DotNetUnitTests.TestCases.XPathTestCases.XPathSafeList" %>
Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathSafeList.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Xml.XPath;

namespace DotNetUnitTests.TestCases.XPathTestCases
{
    public partial class XPathSafeList : XPathTestCasePage
    {
        /**
         * XPath: Safe when Whitelisting on XPath Expression Example
         * Proves that XPath is safe from injection when whitelisting the XPath expression
         *
         * Test fixture: the input check followed by String.Format is the pattern under test and
         * is deliberately left as written. The check rejects only the apostrophe; that is
         * sufficient here solely because the value is placed inside a single-quoted XPath
         * literal, which has no escape sequence, so the apostrophe is the only character that
         * can end it. The payload is read from Request.QueryString["payload"] directly rather
         * than through the inherited xPathText property; expectedSafe = true.
         *
         * NOTE(review): generic type arguments on List appear to have been stripped from this
         * copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = true;

            try
            {
                // parse the XML
                XPathDocument doc = new XPathDocument(appPath + "resources/students.xml");
                XPathNavigator nav = doc.CreateNavigator();

                // query the XML
                string query;
                if (Request.QueryString["payload"].Contains("'"))
                {
                    // rejected input: print an empty result, then abort via the exception below,
                    // which the catch block writes to the response
                    PrintResults(expectedSafe, new List());
                    throw new InvalidParameterException("First Name parameter must not contain apostrophes");
                }
                else
                {
                    query = String.Format("/Students/Student[FirstName/text()='{0}']", Request.QueryString["payload"]); // safe in here!
                }
                // NOTE(review): Current is read before MoveNext(); confirm that the navigator is
                // positioned on the selected Student and not on the context node, otherwise
                // SelectDescendants walks every text node in the document
                XPathNodeIterator iter = nav.Select(query).Current.SelectDescendants(XPathNodeType.Text, true);

                // interpret the result of the query
                // (assumes exactly four text nodes per Student, in the order last name, first
                // name, username, password — TODO confirm against resources/students.xml)
                List resultList = new List();
                while (iter.MoveNext())
                {
                    string student = "";
                    student += "Last Name:\t" + iter.Current.Value + "\n"; iter.MoveNext(); // last name
                    student += "First Name:\t" + iter.Current.Value + "\n"; iter.MoveNext(); // first name
                    student += "Username:\t" + iter.Current.Value + "\n"; iter.MoveNext(); // username
                    student += "Password:\t" + iter.Current.Value + "\n"; // password
                    resultList.Add(student);
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);

            }
            catch (Exception ex)
            {
                // writes the full exception, including the stack trace, to the response;
                // acceptable for a local test harness, not for anything reachable by others
                Response.Write(ex.ToString());
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathSafeList.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
//
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XPathTestCases {


    public partial class XPathSafeList {
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathTestCasePage.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Web;

namespace DotNetUnitTests.TestCases.XPathTestCases
{
    /**
     * Base page for the XPath injection test cases: exposes the request payload and the
     * application path to the derived pages and prints the outcome of their query.
     *
     * NOTE(review): generic type arguments on List appear to have been stripped from this
     * copy of the file; confirm against the repository before building.
     */
    public class XPathTestCasePage : System.Web.UI.Page
    {
        // read from the "payload" query-string parameter at field initialization: untrusted,
        // unvalidated, and null when the parameter is absent
        private string _xPathText = HttpContext.Current.Request.QueryString["payload"];

        /**
         * The vulnerable XPath query
         * The raw "payload" query-string value intended as input to the derived pages' queries.
         */
        protected string xPathText { get { return _xPathText; } set { _xPathText = value; } }

        /**
         * The path of the project files
         * The physical application root, used by the derived pages to locate resources/.
         */
        protected string appPath { get { return HttpContext.Current.Request.PhysicalApplicationPath; } }

        /**
         * Prints the results
         * Derives the verdict from the row count alone: more than one entry in resultList is
         * reported as an injected query, zero or one as safe. The list entries are written to
         * the response as-is.
         * NOTE(review): the markup inside this method's string literals is not present in this
         * copy of the file; the body continues below.
         */
        protected void PrintResults(bool expectedSafe, List resultList)
        {
            bool actuallySafe = true;
            if (resultList.Count > 1)
            {
                actuallySafe = false;
            }

            Response.Write("

"); 33 | Response.Write("Expected result: " + (expectedSafe ? "Safe" : "Unsafe") + "
"); 34 | Response.Write("Actual result: " + (actuallySafe ? "XPath query is safe! 😊" : "Unsafe query was injected! 😭") + "
"); 35 | Response.Write("

"); 36 | Response.Write(" Results of Query (" + (actuallySafe ? "Should be a thrown exception" : "Should be all Students") + "):
");
37 | 
38 |             // print Students
39 |             foreach (String student in resultList)
40 |             {
41 |                 Response.Write(student + "
"); 42 | } 43 | Response.Write("
"); 44 | } 45 | } 46 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XPathTestCases/XPathUnsafeConcat.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XPathUnsafeConcat.aspx.cs" Inherits="DotNetUnitTests.TestCases.XPathTestCases.XPathUnsafeConcat" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathUnsafeConcat.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Xml.XPath;

namespace DotNetUnitTests.TestCases.XPathTestCases
{
    public partial class XPathUnsafeConcat : XPathTestCasePage
    {
        /**
         * XPath: Unsafe when Using String Concatenation on XPath Expression Example
         * Proves that XPath is vulnerable to injection when using string concatenation on the XPath expression
         *
         * Test fixture: the concatenation on the query line is the pattern under test and is
         * deliberately left as written. The payload is read from Request.QueryString["payload"]
         * directly rather than through the inherited xPathText property, and is placed inside a
         * single-quoted XPath literal without any check; expectedSafe = false.
         *
         * NOTE(review): generic type arguments on List appear to have been stripped from this
         * copy of the file; confirm against the repository before building.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            try
            {
                // parse the XML
                XPathDocument doc = new XPathDocument(appPath + "resources/students.xml");
                XPathNavigator nav = doc.CreateNavigator();

                // query the XML
                // unsafe: an apostrophe in the payload ends the literal and the rest of the input
                // becomes part of the predicate
                string query = "/Students/Student[FirstName/text()='" + Request.QueryString["payload"] + "']"; // unsafe!
                // NOTE(review): Current is read before MoveNext(); confirm the navigator is
                // positioned on the selected Student rather than on the context node
                XPathNodeIterator iter = nav.Select(query).Current.SelectDescendants(XPathNodeType.Text, true);

                // interpret the result of the query
                // (assumes exactly four text nodes per Student, in the order last name, first
                // name, username, password — TODO confirm against resources/students.xml)
                List resultList = new List();
                while (iter.MoveNext())
                {
                    string student = "";
                    student += "Last Name: " + iter.Current.Value + "\n"; iter.MoveNext(); // last name
                    student += "First Name: " + iter.Current.Value + "\n"; iter.MoveNext(); // first name
                    student += "Username: " + iter.Current.Value + "\n"; iter.MoveNext(); // username
                    student += "Password: " + iter.Current.Value + "\n"; // password
                    resultList.Add(student);
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);

            }
            catch (Exception ex)
            {
                // writes the full exception, including the stack trace, to the response
                Response.Write(ex.ToString());
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathUnsafeConcat.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//
// This code was generated by a tool.
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
//
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XPathTestCases {


    public partial class XPathUnsafeConcat {
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathUnsafeEscape.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XPathUnsafeEscape.aspx.cs" Inherits="DotNetUnitTests.TestCases.XPathTestCases.XPathUnsafeEscape" %>
Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathUnsafeEscape.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Xml.XPath;

namespace DotNetUnitTests.TestCases.XPathTestCases
{
    public partial class XPathUnsafeEscape : XPathTestCasePage
    {
        /**
         * XPath: Unsafe when Escaping Apostrophes on XPath Expression Example
         * Proves that XPath is unsafe from injection when using string concatenation while escaping apostrophes on
         * the XPath expression
         *
         * Deliberately vulnerable fixture: the only mitigation is a single-character replacement applied to the
         * "payload" query-string value before it is concatenated into the quoted XPath predicate.
         * NOTE(review): generic type arguments (e.g. on List) were stripped when this page was extracted.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            try
            {
                // parse the XML
                XPathDocument doc = new XPathDocument(appPath + "resources/students.xml");
                XPathNavigator nav = doc.CreateNavigator();

                // query the XML
                // NOTE(review): as extracted this Replace is a no-op (both arguments read as an apostrophe); the
                // replacement text was presumably an entity or escaped form that the page rendering decoded —
                // confirm against the repository. Either way it does not make the concatenation below safe.
                string userInputFixed = Request.QueryString["payload"].Replace("'", "'");
                string query = "/Students/Student[FirstName/text()='" + userInputFixed + "']"; // unsafe!
                // NOTE(review): Current is read before any MoveNext() on the Select iterator — confirm positioning.
                XPathNodeIterator iter = nav.Select(query).Current.SelectDescendants(XPathNodeType.Text, true);

                // interpret the result of the query
                // Assumes four text nodes per Student (last name, first name, username, password), in that order.
                List resultList = new List();
                while (iter.MoveNext())
                {
                    string student = "";
                    student += "Last Name:\t" + iter.Current.Value + "\n"; iter.MoveNext(); // last name
                    student += "First Name:\t" + iter.Current.Value + "\n"; iter.MoveNext(); // first name
                    student += "Username:\t" + iter.Current.Value + "\n"; iter.MoveNext(); // username
                    student += "Password:\t" + iter.Current.Value + "\n"; // password
                    resultList.Add(student);
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);

            }
            catch (Exception ex)
            {
                // Writes the full exception, including stack trace, to the client response.
                Response.Write(ex.ToString());
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathUnsafeEscape.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XPathTestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class XPathUnsafeEscape {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathUnsafePlaceholder.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XPathUnsafePlaceholder.aspx.cs" Inherits="DotNetUnitTests.TestCases.XPathTestCases.XPathUnsafePlaceholder" %>

Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathUnsafePlaceholder.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Xml.XPath;

namespace DotNetUnitTests.TestCases.XPathTestCases
{
    public partial class XPathUnsafePlaceholder : XPathTestCasePage
    {
        /**
         * XPath: Unsafe when Using String Placeholders on XPath Expression Example
         * Proves that XPath is vulnerable to injection when using string placeholders on the XPath expression
         *
         * Deliberately vulnerable fixture: String.Format is plain text substitution, so the "{0}" placeholder
         * is no different from concatenation — the "payload" value still lands inside the quoted predicate.
         * NOTE(review): generic type arguments (e.g. on List) were stripped when this page was extracted.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            try
            {
                // parse the XML
                XPathDocument doc = new XPathDocument(appPath + "resources/students.xml");
                XPathNavigator nav = doc.CreateNavigator();

                // query the XML
                // Injection sink: the format placeholder performs no quoting or validation of the request value.
                string query = String.Format("/Students/Student[FirstName/text()='{0}']", Request.QueryString["payload"]); // unsafe!
                // NOTE(review): Current is read before any MoveNext() on the Select iterator — confirm positioning.
                XPathNodeIterator iter = nav.Select(query).Current.SelectDescendants(XPathNodeType.Text, true);

                // interpret the result of the query
                // Assumes four text nodes per Student (last name, first name, username, password), in that order.
                List resultList = new List();
                while (iter.MoveNext())
                {
                    string student = "";
                    student += "Last Name:\t" + iter.Current.Value + "\n"; iter.MoveNext(); // last name
                    student += "First Name:\t" + iter.Current.Value + "\n"; iter.MoveNext(); // first name
                    student += "Username:\t" + iter.Current.Value + "\n"; iter.MoveNext(); // username
                    student += "Password:\t" + iter.Current.Value + "\n"; // password
                    resultList.Add(student);
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);

            }
            catch (Exception ex)
            {
                // Writes the full exception, including stack trace, to the client response.
                Response.Write(ex.ToString());
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XPathTestCases/XPathUnsafePlaceholder.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XPathTestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class XPathUnsafePlaceholder {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQuerySafeBind.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XQuerySafeBind.aspx.cs" Inherits="DotNetUnitTests.TestCases.XQueryTestCases.XQuerySafeBind" %>

Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQuerySafeBind.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using net.sf.saxon.s9api;
using javax.xml.transform.stream;

namespace DotNetUnitTests.TestCases.XQueryTestCases
{
    public partial class XQuerySafeBind : XQueryTestCasePage
    {
        /**
         * Saxon: Safe when Using Bind Variables on XQuery Expression Example
         * Proves that Saxon is safe from injection when using bind variables on the XQuery expression
         *
         * Reference safe pattern for this suite: the query text is a constant that declares an external
         * variable, and the "payload" value is supplied separately as a typed XdmAtomicValue, so it is
         * never parsed as part of the expression. appPath and PrintResults come from XQueryTestCasePage.
         * NOTE(review): generic type arguments (e.g. on List) were stripped when this page was extracted.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = true;

            try
            {
                // parse the XML
                Processor processor = new Processor(false);
                DocumentBuilder doc = processor.newDocumentBuilder();
                XdmNode node = doc.build(new StreamSource(appPath + "/resources/students.xml"));

                // query the XML
                // The expression contains no user data; $name is bound after compilation.
                string query = "declare variable $name as xs:string external; " +
                               "for $s in //Students/Student " +
                               "where $s/FirstName = $name " +
                               "return $s"; // safe!
                XQueryCompiler xqComp = processor.newXQueryCompiler();
                XQueryExecutable xqExec = xqComp.compile(query);
                XQueryEvaluator xqEval = xqExec.load();
                xqEval.setContextItem(node);
                // Bind the untrusted value as data, not as query text.
                xqEval.setExternalVariable(new QName("name"), new XdmAtomicValue(Request.QueryString["payload"]));
                xqEval.evaluate();

                // interpret the result of the query
                // The evaluator is iterated directly; each item is rendered with ToString().
                List resultList = new List();
                foreach (XdmValue value in xqEval)
                {
                    resultList.Add(value.ToString());
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);

            }
            catch (Exception ex)
            {
                // Writes the full exception, including stack trace, to the client response.
                Response.Write(ex.ToString());
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQuerySafeBind.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XQueryTestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class XQuerySafeBind {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQuerySafeEscape.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XQuerySafeEscape.aspx.cs" Inherits="DotNetUnitTests.TestCases.XQueryTestCases.XQuerySafeEscape" %>

Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQuerySafeEscape.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using net.sf.saxon.s9api;
using javax.xml.transform.stream;

namespace DotNetUnitTests.TestCases.XQueryTestCases
{
    public partial class XQuerySafeEscape : XQueryTestCasePage
    {
        /**
         * Saxon: Safe when Escaping Quotation Marks and Semicolons on XQuery Expression Example
         * Proves that Saxon is safe from injection when using character escaping on the XQuery expression
         *
         * The "payload" value is still concatenated into the query text; the claimed protection is that the
         * two characters able to close the double-quoted literal or terminate a statement are rewritten first.
         * This is escaping, not parameterisation — compare XQuerySafeBind, which keeps user data out of the
         * expression entirely.
         * NOTE(review): generic type arguments (e.g. on List) were stripped when this page was extracted.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = true;

            try
            {
                // parse the XML
                Processor processor = new Processor(false);
                DocumentBuilder doc = processor.newDocumentBuilder();
                XdmNode node = doc.build(new StreamSource(appPath + "/resources/students.xml"));

                // query the XML
                // NOTE(review): as extracted the replacement strings are not what the source contained — the
                // first Replace reads as a no-op and the second is not valid C#. The replacement text was
                // presumably character/entity references that the page rendering decoded; confirm against the
                // repository before relying on this case.
                string newPayload = (Request.QueryString["payload"].Replace(";", ";")).Replace("\"", """);
                string query = "for $s in //Students/Student " +
                               "where $s/FirstName = \"" + newPayload + "\" " +
                               "return $s"; // safe!
                XQueryCompiler xqComp = processor.newXQueryCompiler();
                XQueryExecutable xqExec = xqComp.compile(query);
                XQueryEvaluator xqEval = xqExec.load();
                xqEval.setContextItem(node);
                xqEval.evaluate();

                // interpret the result of the query
                List resultList = new List();
                foreach (XdmValue value in xqEval)
                {
                    resultList.Add(value.ToString());
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);

            }
            catch (Exception ex)
            {
                // Writes the full exception, including stack trace, to the client response.
                Response.Write(ex.ToString());
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQuerySafeEscape.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XQueryTestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class XQuerySafeEscape {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQuerySafeList.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XQuerySafeList.aspx.cs" Inherits="DotNetUnitTests.TestCases.XQueryTestCases.XQuerySafeList" %>

Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQuerySafeList.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using net.sf.saxon.s9api;
using javax.xml.transform.stream;

namespace DotNetUnitTests.TestCases.XQueryTestCases
{
    public partial class XQuerySafeList : XQueryTestCasePage
    {
        /**
         * Saxon: Safe when Whitelisting on XQuery Expression Example
         * Proves that Saxon is safe from injection when whitelisting the XQuery expression
         *
         * Despite the name, the check below is a denylist of two characters (a double quote and a semicolon),
         * not an allowlist of permitted input; anything else is concatenated into the query text.
         * NOTE(review): expectedSafe is false here while the header and the file name claim a safe case —
         * every other "Safe" page in this suite sets it to true. Confirm which is intended.
         * NOTE(review): generic type arguments (e.g. on List) were stripped when this page was extracted.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            try
            {
                // parse the XML
                Processor processor = new Processor(false);
                DocumentBuilder doc = processor.newDocumentBuilder();
                XdmNode node = doc.build(new StreamSource(appPath + "/resources/students.xml"));

                // query the XML
                string query;
                // Reject input that could close the quoted literal or end the statement. Note the results block
                // is printed (with an empty list) before the exception is thrown; the catch below then appends
                // the exception dump to the same response.
                if (Request.QueryString["payload"].Contains("\"") || Request.QueryString["payload"].Contains(";"))
                {
                    PrintResults(expectedSafe, new List());
                    throw new InvalidParameterException("First Name parameter must not contain quotes or semicolons");
                }
                else
                {
                    // Still string concatenation; the filter above is the only protection.
                    query = "for $s in //Students/Student " +
                            "where $s/FirstName = \"" + Request.QueryString["payload"] + "\" " +
                            "return $s"; // safe in here!
                }
                XQueryCompiler xqComp = processor.newXQueryCompiler();
                XQueryExecutable xqExec = xqComp.compile(query);
                XQueryEvaluator xqEval = xqExec.load();
                xqEval.setContextItem(node);
                xqEval.evaluate();

                // interpret the result of the query
                List resultList = new List();
                foreach (XdmValue value in xqEval)
                {
                    resultList.Add(value.ToString());
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);

            }
            catch (Exception ex)
            {
                // Writes the full exception, including stack trace, to the client response.
                Response.Write(ex.ToString());
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQuerySafeList.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XQueryTestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class XQuerySafeList {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQueryTestCasePage.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Web;

namespace DotNetUnitTests.TestCases.XQueryTestCases
{
    /**
     * Base page for the XQuery injection test cases: exposes the untrusted request value, the physical
     * application path, and the shared result printer. HttpContext.Current is read in a field
     * initializer, i.e. when the page object is constructed.
     */
    public class XQueryTestCasePage : System.Web.UI.Page
    {
        // Raw "payload" query-string value; null when the parameter is absent.
        private string _xQueryText = HttpContext.Current.Request.QueryString["payload"];

        /**
         * The untrusted "payload" value that the XQuery test cases place into (or bind to) their query
         */
        protected string xQueryText { get { return _xQueryText; } set { _xQueryText = value; } }

        /**
         * The path of the project files (physical application root of the current request)
         */
        protected string appPath { get { return HttpContext.Current.Request.PhysicalApplicationPath; } }

        /**
         * Prints the results
         *
         * expectedSafe - what the calling test case claims about its query construction.
         * resultList   - the Students returned by the query. More than one result is taken as evidence
         *                that the first-name predicate was bypassed (actuallySafe = false); zero or one
         *                result counts as safe, as does an exception thrown before this method is reached.
         *
         * Everything is emitted with Response.Write and no HTML encoding, including the student strings
         * that originate from the XML document.
         * NOTE(review): the markup inside the string literals below was stripped when this page was
         * extracted; only the visible text of each literal survives here.
         */
        protected void PrintResults(bool expectedSafe, List resultList)
        {
            bool actuallySafe = true;
            if (resultList.Count > 1)
            {
                actuallySafe = false;
            }

            Response.Write("");
            Response.Write("Expected result: " + (expectedSafe ? "Safe" : "Unsafe") + "");
            Response.Write("Actual result: " + (actuallySafe ? "XQuery query is safe! 😊" : "Unsafe query was injected! 😭") + "");
            Response.Write("");
            Response.Write(" Results of Query (" + (actuallySafe ? "Should be a thrown exception, one Student, or empty result" : "Should be all Students") + "):");

            // print Students
            foreach (String student in resultList)
            {
                Response.Write(student + "");
            }
            Response.Write("");
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQueryUnsafeConcat.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XQueryUnsafeConcat.aspx.cs" Inherits="DotNetUnitTests.TestCases.XQueryTestCases.XQueryUnsafeConcat" %>

Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQueryUnsafeConcat.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using net.sf.saxon.s9api;
using javax.xml.transform.stream;

namespace DotNetUnitTests.TestCases.XQueryTestCases
{
    public partial class XQueryUnsafeConcat : XQueryTestCasePage
    {
        /**
         * Saxon: Unsafe when Using String Concatenation on XQuery Expression Example
         * Proves that Saxon is vulnerable to injection when using string concatenation on the XQuery expression
         *
         * Deliberately vulnerable fixture: the "payload" query-string value is concatenated into the
         * double-quoted literal of the where clause with no validation. Compare XQuerySafeBind for the
         * parameterised form. appPath and PrintResults come from XQueryTestCasePage.
         * NOTE(review): generic type arguments (e.g. on List) were stripped when this page was extracted.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            try
            {
                // parse the XML
                Processor processor = new Processor(false);
                DocumentBuilder doc = processor.newDocumentBuilder();
                XdmNode node = doc.build(new StreamSource(appPath + "/resources/students.xml"));

                // query the XML
                // Injection sink: untrusted input becomes part of the compiled query text.
                string query = "for $s in //Students/Student " +
                               "where $s/FirstName = \"" + Request.QueryString["payload"] + "\" " +
                               "return $s"; // unsafe!
                XQueryCompiler xqComp = processor.newXQueryCompiler();
                XQueryExecutable xqExec = xqComp.compile(query);
                XQueryEvaluator xqEval = xqExec.load();
                xqEval.setContextItem(node);
                xqEval.evaluate();

                // interpret the result of the query
                List resultList = new List();
                foreach (XdmValue value in xqEval)
                {
                    resultList.Add(value.ToString());
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);

            }
            catch (Exception ex)
            {
                // Writes the full exception, including stack trace, to the client response.
                Response.Write(ex.ToString());
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQueryUnsafeConcat.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XQueryTestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class XQueryUnsafeConcat {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQueryUnsafePlaceholder.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XQueryUnsafePlaceholder.aspx.cs" Inherits="DotNetUnitTests.TestCases.XQueryTestCases.XQueryUnsafePlaceholder" %>

Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQueryUnsafePlaceholder.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using net.sf.saxon.s9api;
using javax.xml.transform.stream;

namespace DotNetUnitTests.TestCases.XQueryTestCases
{
    public partial class XQueryUnsafePlaceholder : XQueryTestCasePage
    {
        /**
         * Saxon: Unsafe when Using String Placeholders on XQuery Expression Example
         * Proves that Saxon is vulnerable to injection when using string placeholders on the XQuery expression
         *
         * Deliberately vulnerable fixture: String.Format substitutes text before the query is compiled, so
         * "{0}" offers no more protection than concatenation; the bound-variable form in XQuerySafeBind is
         * the real parameterisation. appPath and PrintResults come from XQueryTestCasePage.
         * NOTE(review): generic type arguments (e.g. on List) were stripped when this page was extracted.
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            try
            {
                // parse the XML
                Processor processor = new Processor(false);
                DocumentBuilder doc = processor.newDocumentBuilder();
                XdmNode node = doc.build(new StreamSource(appPath + "/resources/students.xml"));

                // query the XML
                // Injection sink: the format placeholder performs no quoting or validation of the request value.
                string query = String.Format("for $s in //Students/Student " +
                                             "where $s/FirstName = \"{0}\" " +
                                             "return $s", Request.QueryString["payload"]); // unsafe!
                XQueryCompiler xqComp = processor.newXQueryCompiler();
                XQueryExecutable xqExec = xqComp.compile(query);
                XQueryEvaluator xqEval = xqExec.load();
                xqEval.setContextItem(node);
                xqEval.evaluate();

                // interpret the result of the query
                List resultList = new List();
                foreach (XdmValue value in xqEval)
                {
                    resultList.Add(value.ToString());
                }

                // print the results on the query
                PrintResults(expectedSafe, resultList);

            }
            catch (Exception ex)
            {
                // Writes the full exception, including stack trace, to the client response.
                Response.Write(ex.ToString());
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XQueryTestCases/XQueryUnsafePlaceholder.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XQueryTestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class XQueryUnsafePlaceholder {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/LINQXDocumentSafe.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="LINQXDocumentSafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.LINQXDocumentSafe" validateRequest="false" %>

Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/LINQXDocumentSafe.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.IO;
using System.Text;
using System.Xml.Linq;

namespace DotNetUnitTests.TestCases.XXETestCases
{
    public partial class LINQXDocumentSafe : XXETestCasePage
    {
        /**
         * LINQ: XDocument: Safe by Default Example
         * XDocument has DTDs disabled by default, making it not parse entities by default.
         * (Source: https://github.com/dotnet/docs/blob/master/docs/visual-basic/programming-guide/concepts/linq/linq-to-xml-security.md)
         *
         * xmlText (the request-supplied XML) and the three-argument PrintResults(expectedSafe, actuallySafe,
         * details) come from XXETestCasePage, which is not shown here. The page is declared with
         * validateRequest="false" so the raw XML reaches this code. An XXE attempt counts as successful when
         * the serialised elements contain the marker text "SUCCESSFUL".
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = true;

            // NOTE(review): this Load runs before the try block, so an exception raised by the parser here —
            // the outcome a DTD-prohibiting loader would produce on a DOCTYPE — is not caught and never reaches
            // the "safe: exception thrown" branch below; it surfaces as an unhandled page error instead.
            // ASCII encoding also drops any non-ASCII characters in xmlText before parsing.
            XDocument xdocument = XDocument.Load(new MemoryStream(Encoding.ASCII.GetBytes(xmlText)));
            //XDocument xdocument = XDocument.Load(appPath + "resources/xxetestuser.xml");

            try
            {
                // parsing the XML
                StringBuilder sb = new StringBuilder();
                foreach (var element in xdocument.Elements())
                {
                    sb.Append(element.ToString());
                }

                // testing the result
                if (sb.ToString().Contains("SUCCESSFUL"))
                    PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection
                else
                    PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML
            }
            catch (Exception ex)
            {
                PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/LINQXDocumentSafe.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XXETestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class LINQXDocumentSafe {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/LINQXDocumentUnsafe.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="LINQXDocumentUnsafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.LINQXDocumentUnsafe" validateRequest="false" %>

Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/LINQXDocumentUnsafe.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.IO;
using System.Text;
using System.Web;
using System.Xml;
using System.Xml.Linq;

namespace DotNetUnitTests.TestCases.XXETestCases
{
    public partial class LINQXDocumentUnsafe : XXETestCasePage
    {
        /**
         * LINQ: XDocument: Unsafe when Providing an Unsafe XML Parser Example
         * If you create your XDocument with an unsafe XML parser, it makes the XDocument unsafe as well.
         *
         * Deliberately vulnerable fixture. Two settings together make the reader unsafe: DtdProcessing.Parse
         * lets the DOCTYPE be processed, and an XmlUrlResolver lets external entities be fetched. The base
         * URI passed to XmlReader.Create points at the application's resources folder, which is where relative
         * entity references would be resolved. xmlText and PrintResults come from XXETestCasePage (not shown).
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            XmlReaderSettings settings = new XmlReaderSettings();
            settings.DtdProcessing = DtdProcessing.Parse; // unsafe!

            // forcing unsafe in .NET versions 4.5.2+
            // Presumably needed because those runtimes no longer supply a resolver by default; the Minor >= 6
            // test covers 4.6 and later, the string compare covers 4.5.2 itself.
            if (HttpRuntime.TargetFramework.Minor >= 6 || HttpRuntime.TargetFramework.ToString().Equals("4.5.2"))
            {
                XmlUrlResolver res = new XmlUrlResolver();
                //res.ResolveUri(new Uri(Environment.CurrentDirectory), "resources/xxetestuser.xml"); // works but not needed
                settings.XmlResolver = res;
            }
            XmlReader reader = XmlReader.Create(new MemoryStream(Encoding.ASCII.GetBytes(xmlText)), settings, appPath + "resources/");
            //XmlReader reader = XmlReader.Create(appPath + "resources/xxetestuser.xml", settings);
            // NOTE(review): the Load runs before the try/finally below, so if it throws the exception is not
            // reported through PrintResults and reader.Close() is never reached.
            XDocument xdocument = XDocument.Load(reader); // unsafe!

            try
            {
                // parsing the XML
                StringBuilder sb = new StringBuilder();
                foreach (var element in xdocument.Elements())
                {
                    sb.Append(element.ToString());
                }

                // testing the result
                if (sb.ToString().Contains("SUCCESSFUL"))
                    PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection
                else
                    PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML
            }
            catch (Exception ex)
            {
                PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML
            }
            finally
            {
                reader.Close();
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/LINQXDocumentUnsafe.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XXETestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class LINQXDocumentUnsafe {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/LINQXElementSafe.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="LINQXElementSafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.LINQXElementSafe" validateRequest="false" %>

Results

<<< back to tests
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/LINQXElementSafe.aspx.cs:
--------------------------------------------------------------------------------
using System;
using System.IO;
using System.Text;
using System.Xml.Linq;

namespace DotNetUnitTests.TestCases.XXETestCases
{
    public partial class LINQXElementSafe : XXETestCasePage
    {
        /**
         * LINQ: XElement: Safe by Default Example
         * XElement is always safe due to the fact that it ignores anything in the XML that isn't an element.
         *
         * Same harness as LINQXDocumentSafe: xmlText and the three-argument PrintResults come from
         * XXETestCasePage (not shown), and an XXE attempt counts as successful when the serialised child
         * elements contain the marker text "SUCCESSFUL".
         */
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = true;

            // NOTE(review): this Load runs before the try block, so a parser exception here is not caught
            // and never reaches the "safe: exception thrown" branch below.
            XElement xelement = XElement.Load(new MemoryStream(Encoding.ASCII.GetBytes(xmlText)));
            //XElement xelement = XElement.Load(appPath + "resources/xxetestuser.xml");

            try
            {
                // parsing the XML
                StringBuilder sb = new StringBuilder();
                foreach (var element in xelement.Elements())
                {
                    sb.Append(element.ToString());
                }

                // testing the result
                if (sb.ToString().Contains("SUCCESSFUL"))
                    PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection
                else
                    PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML
            }
            catch (Exception ex)
            {
                PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML
            }
        }
    }
}
--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/LINQXElementSafe.aspx.designer.cs:
--------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// 
// This code was generated by a tool.
// 
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 
//------------------------------------------------------------------------------

namespace DotNetUnitTests.TestCases.XXETestCases {
    
    
    // Designer half of the partial class; no controls are declared for this page.
    public partial class LINQXElementSafe {
    }
}

--------------------------------------------------------------------------------
/DotNetUnitTests/TestCases/XXETestCases/XPathNavigatorSafe.aspx:
--------------------------------------------------------------------------------
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XPathNavigatorSafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XPathNavigatorSafe" validateRequest="false" %>

Results

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XPathNavigatorSafe.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Text; 4 | using System.Xml; 5 | using System.Xml.XPath; 6 | 7 | namespace DotNetUnitTests.TestCases.XXETestCases 8 | { 9 | public partial class XPathNavigatorSafe : XXETestCasePage 10 | { 11 | /** 12 | * XPathNavigator: Safe when Providing a Safe XML Parser Example 13 | * By creating a XPathDocument from a safe XML parser, it makes the XPathNavigator safe as well. 14 | */ 15 | protected void Page_Load(object sender, EventArgs e) 16 | { 17 | bool expectedSafe = true; /* harness expectation: a default-settings XmlReader keeps the XPathDocument free of entity content */ 18 | 19 | XmlReader reader = XmlReader.Create(new MemoryStream(Encoding.ASCII.GetBytes(xmlText)), new XmlReaderSettings(), appPath + "resources/"); /* new XmlReaderSettings() keeps the defaults (DtdProcessing.Prohibit — see the XmlReaderSafe header); appPath + "resources/" is only the base URI a relative SYSTEM identifier would resolve against, which is irrelevant while DTDs are prohibited. Encoding.ASCII drops non-ASCII payload characters. */ 20 | 21 | try 22 | { 23 | // parsing the XML 24 | XPathDocument doc = new XPathDocument(reader); /* the reader consumes the input here, inside the try, so a DTD rejection (if the reader throws) is reported as "safe" via the catch below */ 25 | XPathNavigator nav = doc.CreateNavigator(); 26 | string xml = nav.InnerXml.ToString(); 27 | 28 | // testing the result 29 | if (xml.Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 30 | PrintResults(expectedSafe, false, xml); // unsafe: successful XXE injection 31 | else 32 | PrintResults(expectedSafe, true, xml); // safe: empty or unparsed XML 33 | 34 | } 35 | catch (Exception ex) 36 | { 37 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 38 | } 39 | finally 40 | { 41 | reader.Close(); 42 | } 43 | } 44 | } 45 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XPathNavigatorSafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 
4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XPathNavigatorSafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XPathNavigatorSafe452.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XPathNavigatorSafe452.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XPathNavigatorSafe452" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XPathNavigatorSafe452.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Text; 4 | using System.Web; 5 | using System.Xml.XPath; 6 | 7 | namespace DotNetUnitTests.TestCases.XXETestCases 8 | { 9 | public partial class XPathNavigatorSafe452 : XXETestCasePage 10 | { 11 | /** 12 | * XPathNavigator: Safe by Default in Current.NET Version (4.5.2 and above) Example / XPathNavigator: Unsafe by Default in Current.NET Version (4.5.1 and lower) Example 13 | * XPathNavigator is safe in .NET versions 4.5.2 and up, and unsafe in versions 4.5.1 and under, because it implements IXPathNavigable objects (such as XmlDocument). 14 | * This causes XPathNavigator to be just as safe as they are: parsing entities in any version before 4.5.2 only. 15 | * These objects are private to the class however, so XPathNavigator can not be forced to be unsafe in .NET versions 4.5.2 and later. 16 | */ 17 | protected void Page_Load(object sender, EventArgs e) 18 | { 19 | bool expectedSafe = false; 20 | 21 | if (HttpRuntime.TargetFramework.Minor >= 6 || HttpRuntime.TargetFramework.ToString().Equals("4.5.2")) /* framework gate shared by the *452 tests: 4.6+ (Minor >= 6) or exactly 4.5.2 is treated as "safe by default". NOTE(review): only Minor is compared, so a Major other than 4 would be misclassified */ 22 | expectedSafe = true; 23 | 24 | xmlText = FixXMLBaseURI(xmlText, appPath); // makes sure that the external entity gets referenced at the correct base URI /* FixXMLBaseURI inserts appPath + "resources/" right after SYSTEM " so the test entity file is addressed by absolute path (see XXETestCasePage) */ 25 | 26 | XPathDocument doc = new XPathDocument(new MemoryStream(Encoding.ASCII.GetBytes(xmlText))); /* NOTE(review): the XPathDocument — where the DTD would be parsed and the entity fetched — is built outside the try, so an exception during load is unhandled instead of being reported through PrintResults; compare XmlDocumentSafe452, whose LoadXml sits inside the try */ 27 | //XPathDocument doc = new XPathDocument(appPath + "resources/xxetestuser.xml"); 28 | XPathNavigator nav = doc.CreateNavigator(); // unsafe! 
29 | 30 | try 31 | { 32 | // parsing the XML 33 | string xml = nav.InnerXml.ToString(); 34 | 35 | // testing the result 36 | if (xml.Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 37 | PrintResults(expectedSafe, false, xml); // unsafe: successful XXE injection 38 | else 39 | PrintResults(expectedSafe, true, xml); // safe: empty or unparsed XML 40 | 41 | } 42 | catch (Exception ex) 43 | { 44 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 45 | } 46 | } 47 | } 48 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XPathNavigatorSafe452.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XPathNavigatorSafe452 { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XXETestCasePage.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Web; 3 | 4 | namespace DotNetUnitTests.TestCases.XXETestCases 5 | { 6 | public class XXETestCasePage : System.Web.UI.Page 7 | { 8 | private string _xmlText = HttpContext.Current.Request.QueryString["payload"]; /* the XML under test comes straight from the "payload" query-string parameter; the test .aspx pages set validateRequest="false" so ASP.NET request validation does not reject the markup before it reaches the parser under test */ 9 | 10 | /** 11 | * The vulnerable XML payload 12 | */ 13 | protected string xmlText { get { return _xmlText; } set { _xmlText = value; } } 14 | 15 | /** 16 | * The path of the project files 17 | */ 18 | protected string appPath { get { return HttpContext.Current.Request.PhysicalApplicationPath; } } 19 | 20 | /** 21 | 
Prints the results 22 | */ 23 | protected void PrintResults(bool expectedSafe, bool actuallySafe, string xmlContent) 24 | { 25 | Response.Write("

"); 26 | Response.Write("Expected result: " + (expectedSafe ? "Safe" : "Unsafe") + "
"); 27 | Response.Write("Actual result: " + (actuallySafe ? "XML Parser is safe! 😊" : "Unsafe! XXE was injected! 😭") + "
"); 28 | Response.Write("

"); 29 | if (!actuallySafe) 30 | Response.Write("" + "XML Content (Should contain \"INJECTION SUCCESSFUL\" or your custom XML Entity):" + "" + "
" + ""); 31 | else 32 | { 33 | if (xmlContent.Equals("") || String.IsNullOrWhiteSpace(xmlContent)) 34 | Response.Write("" + "XML Content:" + "" + "
" + "The XML file is blank" + "

"); 35 | else 36 | Response.Write("" + "XML Content:" + "" + "
" + "

"); 37 | } 38 | } 39 | 40 | /** 41 | * Prints the results if there is an exception 42 | */ 43 | protected void PrintResults(bool expectedSafe, bool actuallySafe, Exception ex) 44 | { 45 | PrintResults(expectedSafe, actuallySafe, "XML was not parsed due to a thrown exception"); 46 | Response.Write("" + "Stack Trace: " + "" + "
" + ex.ToString()); 47 | } 48 | 49 | /** 50 | * Makes sure that the base URI of the external entity file is correct so that it is referenced correctly 51 | */ 52 | protected string FixXMLBaseURI(string xmlText, string appPath) 53 | { 54 | int index = xmlText.IndexOf("SYSTEM \"") + "SYSTEM \"".Length; 55 | xmlText = xmlText.Insert(index, appPath + "resources/"); 56 | return xmlText; 57 | } 58 | } 59 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDictionaryReaderSafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlDictionaryReaderSafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlDictionaryReaderSafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDictionaryReaderSafe.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.Xml; 4 | 5 | namespace DotNetUnitTests.TestCases.XXETestCases 6 | { 7 | public partial class XmlDictionaryReaderSafe : XXETestCasePage 8 | { 9 | /** 10 | * XmlDictionaryReader: Safe by Default Example 11 | * When using a default XmlDictionaryReader, upon attempting to read the XML file it will throw an exception when it sees the DTD. 12 | */ 13 | protected void Page_Load(object sender, EventArgs e) 14 | { 15 | bool expectedSafe = true; /* harness expectation: the default text reader rejects the DTD before any entity is fetched */ 16 | 17 | xmlText = FixXMLBaseURI(xmlText, appPath); // makes sure that the external entity gets referenced at the correct base URI 18 | XmlDictionaryReader dict = XmlDictionaryReader.CreateTextReader(Encoding.ASCII.GetBytes(xmlText), XmlDictionaryReaderQuotas.Max); /* XmlDictionaryReaderQuotas.Max lifts every reader quota (nesting depth, string/array lengths, ...); acceptable for a harness, but those quotas are the reader's guard against oversized or expansion-heavy input, so production code keeps the defaults. Per the header comment the DTD is rejected when reading, i.e. at dict.Read() inside the try, which is what routes the result through the "safe" catch path. */ 19 | 20 | try 21 | { 22 | // parsing the XML 23 | StringBuilder sb = new StringBuilder(); 24 | while (dict.Read()) 25 | { 26 | sb.Append(dict.Value); 27 | } 28 | 29 | // testing the result 30 | if (sb.ToString().Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 31 | PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection 32 | else 33 | PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML 34 | } 35 | catch (Exception ex) 36 | { 37 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 38 | } 39 | finally 40 | { 41 | dict.Close(); 42 | } 43 | } 44 | } 45 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDictionaryReaderSafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // 
This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlDictionaryReaderSafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDictionaryReaderUnsafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlDictionaryReaderUnsafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlDictionaryReaderUnsafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDictionaryReaderUnsafe.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Text; 4 | using System.Web; 5 | using System.Xml; 6 | 7 | namespace DotNetUnitTests.TestCases.XXETestCases 8 | { 9 | public partial class XmlDictionaryReaderUnsafe : XXETestCasePage 10 | { 11 | /** 12 | * XmlDictionaryReader: Unsafe when Providing an Unsafe XML Parser Example 13 | * If you create your XmlDictionaryReader with an unsafe XML parser, it makes the XmlDictionaryReader unsafe as well. 14 | */ 15 | protected void Page_Load(object sender, EventArgs e) 16 | { 17 | bool expectedSafe = false; /* harness expectation: entity content is surfaced on every framework version */ 18 | 19 | XmlReaderSettings settings = new XmlReaderSettings(); 20 | settings.DtdProcessing = DtdProcessing.Parse; // unsafe! /* DtdProcessing.Parse alone re-enables DTD handling; on 4.5.2+ it is not sufficient without a resolver (see the XmlReaderUnsafe header), hence the branch below */ 21 | 22 | // forcing unsafe in .NET versions 4.5.2+ 23 | if (HttpRuntime.TargetFramework.Minor >= 6 || HttpRuntime.TargetFramework.ToString().Equals("4.5.2")) /* NOTE(review): only Minor is compared, so Major == 4 is assumed */ 24 | { 25 | XmlUrlResolver res = new XmlUrlResolver(); 26 | //res.ResolveUri(new Uri(Environment.CurrentDirectory), "resources/xxetestuser.xml"); // works but not needed 27 | settings.XmlResolver = res; /* a non-null XmlUrlResolver fetches external identifiers (file and http(s) URIs); together with Parse this is the unsafe configuration under test */ 28 | } 29 | 30 | XmlReader reader = XmlReader.Create(new MemoryStream(Encoding.ASCII.GetBytes(xmlText)), settings, appPath + "resources/"); /* appPath + "resources/" is the base URI a relative SYSTEM identifier resolves against; Encoding.ASCII drops non-ASCII payload characters */ 31 | XmlDictionaryReader dict = XmlDictionaryReader.CreateDictionaryReader(reader); /* the dictionary reader only wraps the XmlReader, so it is exactly as (un)safe as the reader it is given */ 32 | 33 | try 34 | { 35 | // parsing the XML 36 | StringBuilder sb = new StringBuilder(); 37 | while (dict.Read()) 38 | { 39 | sb.Append(dict.Value); 40 | } 41 | 42 | // testing the result 43 | if (sb.ToString().Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 44 | PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection 45 | else 46 | PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML 47 | } 48 | catch (Exception ex) 49 
| { 50 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 51 | } 52 | finally 53 | { 54 | dict.Close(); 55 | reader.Close(); 56 | } 57 | } 58 | } 59 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDictionaryReaderUnsafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlDictionaryReaderUnsafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDocumentSafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlDocumentSafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlDocumentSafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDocumentSafe.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Xml; 3 | 4 | namespace DotNetUnitTests.TestCases.XXETestCases 5 | { 6 | public partial class XmlDocumentSafe : XXETestCasePage 7 | { 8 | /** 9 | * XmlDocument: Safe when Setting the XmlResolver to null Example 10 | * By setting the XmlDocument's XmlResolver to null, it makes the XmlDoucment not parse entities in all .NET versions. 11 | */ 12 | protected void Page_Load(object sender, EventArgs e) 13 | { 14 | bool expectedSafe = true; /* harness expectation: with no resolver, no external entity content can appear */ 15 | 16 | try 17 | { 18 | // parsing the XML 19 | XmlDocument doc = new XmlDocument(); 20 | doc.XmlResolver = null; // safety measure /* the mitigation under test: with a null resolver the SYSTEM identifier is never fetched, on every framework version; it has to be set before LoadXml */ 21 | xmlText = FixXMLBaseURI(xmlText, appPath); // makes sure that the external entity gets referenced at the correct base URI 22 | doc.LoadXml(xmlText); /* inside the try, so a parse exception is reported as "safe" through the catch below */ 23 | string innerText = doc.InnerText; /* InnerText is the document's concatenated text content — where an expanded entity value would show up */ 24 | 25 | // testing the result 26 | if (innerText.Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 27 | PrintResults(expectedSafe, false, innerText); // unsafe: successful XXE injection 28 | else 29 | PrintResults(expectedSafe, true, innerText); // safe: empty or unparsed XML 30 | } 31 | catch (Exception ex) 32 | { 33 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 34 | } 35 | } 36 | } 37 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDocumentSafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlDocumentSafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDocumentSafe452.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlDocumentSafe452.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlDocumentSafe452" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDocumentSafe452.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Web; 3 | using System.Xml; 4 | 5 | namespace DotNetUnitTests.TestCases.XXETestCases 6 | { 7 | public partial class XmlDocumentSafe452 : XXETestCasePage 8 | { 9 | /** 10 | * XmlDocument: Safe by Default in Current .NET Version (4.5.2 and above) Example / XmlDocument: Unsafe by Default in Current .NET Version (4.5.1 and lower) Example 11 | * In .NET version 4.5.2, Microsoft made a change to parsers that implement an XmlResolver object that makes it null by default, making the parser ignore DTDs by default. 12 | * However, in all previous versions, these parsers are unsafe by default. 13 | */ 14 | protected void Page_Load(object sender, EventArgs e) 15 | { 16 | bool expectedSafe = false; /* the expected outcome depends on the framework the page runs under — this test asserts the platform default, not a code-level mitigation */ 17 | 18 | if (HttpRuntime.TargetFramework.Minor >= 6 || HttpRuntime.TargetFramework.ToString().Equals("4.5.2")) /* framework gate: 4.6+ (Minor >= 6) or exactly 4.5.2 is treated as "safe by default". NOTE(review): only Minor is compared, so Major == 4 is assumed */ 19 | expectedSafe = true; 20 | 21 | try 22 | { 23 | // parsing the XML 24 | XmlDocument doc = new XmlDocument(); /* no XmlResolver is assigned on purpose — the framework default is the property under test */ 25 | xmlText = FixXMLBaseURI(xmlText, appPath); // makes sure that the external entity gets referenced at the correct base URI 26 | doc.LoadXml(xmlText); // unsafe! 
(safe in .NET versions 4.5.2+) 27 | string innerText = doc.InnerText; /* InnerText is the document's concatenated text content — where an expanded entity value would show up */ 28 | 29 | // testing the result 30 | if (innerText.Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 31 | PrintResults(expectedSafe, false, innerText); // unsafe: successful XXE injection 32 | else 33 | PrintResults(expectedSafe, true, innerText); // safe: empty or unparsed XML 34 | } 35 | catch (Exception ex) 36 | { 37 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 38 | } 39 | } 40 | } 41 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDocumentSafe452.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlDocumentSafe452 { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDocumentUnsafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlDocumentUnsafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlDocumentUnsafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlDocumentUnsafe.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Web; 3 | using System.Xml; 4 | 5 | namespace DotNetUnitTests.TestCases.XXETestCases 6 | { 7 | public partial class XmlDocumentUnsafe : XXETestCasePage 8 | { 9 | /** 10 | * XmlDocument: Unsafe when Resolving Entities Manually Example 11 | * By creating your own nonnull XmlResolver object (in this case, an XmlUrlResolver) and giving it to the XmlDocument, the XmlDocument will parse the entities. 12 | */ 13 | protected void Page_Load(object sender, EventArgs e) 14 | { 15 | bool expectedSafe = false; /* harness expectation: entity content is surfaced on every framework version */ 16 | 17 | try 18 | { 19 | // parsing the XML 20 | XmlDocument doc = new XmlDocument(); 21 | 22 | // forcing unsafe in .NET versions 4.5.2+ 23 | if (HttpRuntime.TargetFramework.Minor >= 6 || HttpRuntime.TargetFramework.ToString().Equals("4.5.2")) /* below 4.5.2 nothing is assigned because, per the XmlDocumentSafe452 header, the default resolver is already non-null there. NOTE(review): only Minor is compared, so Major == 4 is assumed */ 24 | { 25 | XmlUrlResolver res = new XmlUrlResolver(); 26 | //res.ResolveUri(new Uri(Environment.CurrentDirectory), "resources/xxetestuser.xml"); // works but not needed 27 | doc.XmlResolver = res; /* a non-null XmlUrlResolver re-enables fetching of external identifiers (file and http(s) URIs); the defensive baseline is XmlResolver = null, as in XmlDocumentSafe */ 28 | } 29 | xmlText = FixXMLBaseURI(xmlText, appPath); // makes sure that the external entity gets referenced at the correct base URI 30 | doc.LoadXml(xmlText); /* inside the try, so a resolution or parse exception is reported through PrintResults rather than escaping the page */ 31 | string innerText = doc.InnerText; /* InnerText is the document's concatenated text content — where an expanded entity value would show up */ 32 | 33 | // testing the result 34 | if (innerText.Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 35 | PrintResults(expectedSafe, false, innerText); // unsafe: successful XXE injection 36 | else 37 | PrintResults(expectedSafe, true, innerText); // safe: empty or unparsed XML 38 | } 39 | catch (Exception ex) 40 | { 41 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 42 | } 43 | } 44 | } 45 | } -------------------------------------------------------------------------------- 
/DotNetUnitTests/TestCases/XXETestCases/XmlDocumentUnsafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlDocumentUnsafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlNodeReaderSafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlNodeReaderSafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlNodeReaderSafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlNodeReaderSafe.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.Web; 4 | using System.Xml; 5 | 6 | namespace DotNetUnitTests.TestCases.XXETestCases 7 | { 8 | public partial class XmlNodeReaderSafe : XXETestCasePage 9 | { 10 | /** 11 | * XmlNodeReader: Safe by Default Example 12 | * XmlNodeReader will ignore DTDs by default, even when created with an unsafe XmlDocument. 13 | */ 14 | protected void Page_Load(object sender, EventArgs e) 15 | { 16 | bool expectedSafe = true; /* harness expectation: the node reader does not surface entity content even though the source XmlDocument is configured to resolve entities */ 17 | 18 | XmlDocument doc = new XmlDocument(); 19 | 20 | // forcing unsafe in .NET versions 4.5.2+ 21 | if (HttpRuntime.TargetFramework.Minor >= 6 || HttpRuntime.TargetFramework.ToString().Equals("4.5.2")) /* NOTE(review): only Minor is compared, so Major == 4 is assumed */ 22 | { 23 | XmlUrlResolver res = new XmlUrlResolver(); 24 | //res.ResolveUri(new Uri(Environment.CurrentDirectory), "resources/xxetestuser.xml"); // works but not needed 25 | doc.XmlResolver = res; /* a non-null XmlUrlResolver fetches external identifiers (file and http(s) URIs) */ 26 | } 27 | xmlText = FixXMLBaseURI(xmlText, appPath); // makes sure that the external entity gets referenced at the correct base URI 28 | doc.LoadXml(xmlText); // unsafe! (safe in .NET versions 4.5.2+) /* NOTE(review): the "(safe in .NET versions 4.5.2+)" part of this comment is stale here — the branch above forces an XmlUrlResolver on those versions. This load also runs outside the try, so an exception while fetching the entity is unhandled rather than reported via PrintResults. */ 29 | 30 | XmlNodeReader reader = new XmlNodeReader(doc); // safe even though the XmlDocument is not! 
31 | 32 | try 33 | { 34 | // parsing the XML 35 | StringBuilder sb = new StringBuilder(); 36 | while (reader.Read()) /* what is measured is what XmlNodeReader reports through Value while walking the DOM, not the DOM's own text; the "safe" verdict is therefore about the reader's treatment of entity content — confirm against the recorded results rather than this code */ 37 | { 38 | sb.Append(reader.Value); 39 | } 40 | 41 | // testing the result 42 | if (sb.ToString().Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 43 | PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection 44 | else 45 | PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML 46 | } 47 | catch (Exception ex) 48 | { 49 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 50 | } 51 | finally 52 | { 53 | reader.Close(); 54 | } 55 | } 56 | } 57 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlNodeReaderSafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlNodeReaderSafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlNodeReaderSafeXmlReader.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlNodeReaderSafeXmlReader.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlNodeReaderSafeXmlReader" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlNodeReaderSafeXmlReader.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.Web; 4 | using System.Xml; 5 | 6 | namespace DotNetUnitTests.TestCases.XXETestCases 7 | { 8 | public partial class XmlNodeReaderSafeXmlReader : XXETestCasePage 9 | { 10 | /** 11 | * XmlNodeReader: Safe when Wrapping in an Unsafe XmlReader Example 12 | * XmlNodeReader will ignore DTDs even when created with an unsafe XmlDocument and wrapped in an unsafe XmlReader. 13 | */ 14 | protected void Page_Load(object sender, EventArgs e) 15 | { 16 | bool expectedSafe = true; /* harness expectation: neither the resolving XmlDocument nor the permissive wrapper settings make entity content visible through the node reader */ 17 | 18 | XmlDocument doc = new XmlDocument(); 19 | 20 | // forcing unsafe in .NET versions 4.5.2+ 21 | if (HttpRuntime.TargetFramework.Minor >= 6 || HttpRuntime.TargetFramework.ToString().Equals("4.5.2")) /* NOTE(review): only Minor is compared, so Major == 4 is assumed; the same gate is repeated below for the reader settings */ 22 | { 23 | XmlUrlResolver res = new XmlUrlResolver(); 24 | //res.ResolveUri(new Uri(Environment.CurrentDirectory), "resources/xxetestuser.xml"); // works but not needed 25 | doc.XmlResolver = res; 26 | } 27 | xmlText = FixXMLBaseURI(xmlText, appPath); // makes sure that the external entity gets referenced at the correct base URI 28 | doc.LoadXml(xmlText); // unsafe! (safe in .NET versions 4.5.2+) /* NOTE(review): the "(safe in .NET versions 4.5.2+)" part of this comment is stale here — the branch above forces an XmlUrlResolver on those versions. The load runs outside the try, so an exception while fetching the entity is unhandled rather than reported via PrintResults. */ 29 | 30 | XmlNodeReader reader = new XmlNodeReader(doc); // safe even though the XmlDocument is not! 31 | 32 | XmlReaderSettings settings = new XmlReaderSettings(); 33 | settings.DtdProcessing = DtdProcessing.Parse; // unsafe! 
34 | 35 | // forcing unsafe in .NET versions 4.5.2+ 36 | if (HttpRuntime.TargetFramework.Minor >= 6 || HttpRuntime.TargetFramework.ToString().Equals("4.5.2")) 37 | { 38 | XmlUrlResolver res = new XmlUrlResolver(); 39 | //res.ResolveUri(new Uri(Environment.CurrentDirectory), "resources/xxetestuser.xml"); // works but not needed 40 | settings.XmlResolver = res; 41 | } 42 | 43 | XmlReader xmlReader = XmlReader.Create(reader, settings); // safe even though XmlReaderSettings unsafe! /* XmlReader.Create(XmlReader, settings) wraps the already-built XmlNodeReader; DtdProcessing/XmlResolver govern parsing of raw markup, and no raw markup is parsed here — the DOM was produced by doc.LoadXml above. NOTE(review): the verdict therefore reflects XmlNodeReader's handling of entity content, not the wrapper's settings; confirm against the recorded results */ 44 | 45 | try 46 | { 47 | // parsing the XML 48 | StringBuilder sb = new StringBuilder(); 49 | while (xmlReader.Read()) 50 | { 51 | sb.Append(xmlReader.Value); 52 | } 53 | 54 | // testing the result 55 | if (sb.ToString().Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 56 | PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection 57 | else 58 | PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML 59 | } 60 | catch (Exception ex) 61 | { 62 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 63 | } 64 | finally 65 | { 66 | reader.Close(); 67 | xmlReader.Close(); 68 | } 69 | } 70 | } 71 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlNodeReaderSafeXmlReader.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlNodeReaderSafeXmlReader { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlReaderSafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlReaderSafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlReaderSafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlReaderSafe.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Text; 4 | using System.Xml; 5 | 6 | namespace DotNetUnitTests.TestCases.XXETestCases 7 | { 8 | public partial class XmlReaderSafe : XXETestCasePage 9 | { 10 | /** 11 | * XmlReader: Safe by Default Example 12 | * XmlReader has DtdProcessing set to Prohibit by default, throwing an exception when it reads a DTD. 13 | */ 14 | protected void Page_Load(object sender, EventArgs e) 15 | { 16 | bool expectedSafe = true; /* harness expectation: the default reader rejects the DTD before any entity is fetched */ 17 | 18 | XmlReader reader = XmlReader.Create(new MemoryStream(Encoding.ASCII.GetBytes(xmlText)), new XmlReaderSettings(), appPath + "resources/"); /* new XmlReaderSettings() means DtdProcessing.Prohibit (header comment); the base URI argument only matters once DTDs are processed. Create itself presumably does not consume the input, so the DTD rejection lands on the first reader.Read() inside the try and is reported as "safe". Contrast XmlReaderUnsafe, where DtdProcessing.Parse plus a non-null XmlResolver are both needed on 4.5.2+. Encoding.ASCII drops non-ASCII payload characters. */ 19 | //XmlReader reader = XmlReader.Create(appPath + "resources/xxetestuser.xml"); 20 | 21 | try 22 | { 23 | // parsing the XML 24 | StringBuilder sb = new StringBuilder(); 25 | while (reader.Read()) 26 | { 27 | sb.Append(reader.Value); 28 | } 29 | 30 | // testing the result 31 | if (sb.ToString().Contains("SUCCESSFUL")) /* detection marker: the test entity file is expected to carry "INJECTION SUCCESSFUL" (see XXETestCasePage.PrintResults) */ 32 | PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection 33 | else 34 | PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML 35 | } 36 | catch (Exception ex) 37 | { 38 | PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML 39 | } 40 | finally 41 | { 42 | reader.Close(); 43 | } 44 | } 45 | } 46 | } -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlReaderSafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 
4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlReaderSafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlReaderUnsafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlReaderUnsafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlReaderUnsafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

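<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlReaderUnsafe.aspx.cs: --------------------------------------------------------------------------------
using System;
using System.IO;
using System.Text;
using System.Web;
using System.Xml;

namespace DotNetUnitTests.TestCases.XXETestCases
{
    /// <summary>
    /// XmlReader: unsafe when resolving entities manually.
    /// DtdProcessing = Parse makes the reader process the DOCTYPE, but on .NET 4.5.2+ a new XmlReaderSettings
    /// carries a null XmlResolver, so external entities are still not fetched. Handing the settings a real
    /// resolver (an XmlUrlResolver here) removes that last guard: the SYSTEM entity in the test document is
    /// expanded and the XXE succeeds.
    /// </summary>
    public partial class XmlReaderUnsafe : XXETestCasePage
    {
        /// <summary>
        /// Parses the XXE test document (xmlText, provided by XXETestCasePage) with an XmlReader that is
        /// deliberately configured to resolve external entities, then reports the outcome via PrintResults.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            XmlReaderSettings settings = new XmlReaderSettings();
            settings.DtdProcessing = DtdProcessing.Parse; // unsafe!

            // forcing unsafe in .NET versions 4.5.2+
            // Compare Version objects: the former "Minor >= 6 || ToString() == "4.5.2"" check ignored Major
            // and matched 4.5.2 only by its exact string form.
            // NOTE(review): HttpRuntime.TargetFramework is the web.config targetFramework; the 4.5.2
            // null-resolver default is what this page documents as version-dependent — confirm that is the
            // value the runtime actually keys on.
            if (HttpRuntime.TargetFramework >= new Version(4, 5, 2))
            {
                // XmlUrlResolver fetches file:// and http(s):// URIs, so the entity's SYSTEM identifier is
                // read from disk (or the network) and its content lands in the parsed text.
                XmlUrlResolver res = new XmlUrlResolver();
                //res.ResolveUri(new Uri(Environment.CurrentDirectory), "resources/xxetestuser.xml"); // works but not needed
                settings.XmlResolver = res;
            }
            XmlReader reader = XmlReader.Create(new MemoryStream(Encoding.ASCII.GetBytes(xmlText)), settings, appPath + "resources/");
            //XmlReader reader = XmlReader.Create(appPath + "resources/xxetestuser.xml", settings);

            try
            {
                // parsing the XML: collect every node value the reader yields
                StringBuilder sb = new StringBuilder();
                while (reader.Read())
                {
                    sb.Append(reader.Value);
                }

                // testing the result: "SUCCESSFUL" is only present if the external entity was expanded
                if (sb.ToString().Contains("SUCCESSFUL"))
                    PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection
                else
                    PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML
            }
            catch (Exception ex)
            {
                PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML
            }
            finally
            {
                reader.Close();
            }
        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlReaderUnsafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 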
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlReaderUnsafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlTextReaderSafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlTextReaderSafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlTextReaderSafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlTextReaderSafe.aspx.cs: --------------------------------------------------------------------------------
using System;
using System.IO;
using System.Text;
using System.Xml;

namespace DotNetUnitTests.TestCases.XXETestCases
{
    /// <summary>
    /// XmlTextReader: safe when prohibiting DTDs.
    /// Unlike XmlReader.Create, an XmlTextReader does not default to DtdProcessing.Prohibit; setting it
    /// explicitly makes the reader throw on the DOCTYPE in every .NET version, so the entity is never resolved.
    /// </summary>
    public partial class XmlTextReaderSafe : XXETestCasePage
    {
        /// <summary>
        /// Parses the XXE test document (xmlText, from XXETestCasePage) with an XmlTextReader that has
        /// DtdProcessing forced to Prohibit, then reports the outcome through PrintResults.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            const bool expectedSafe = true;

            Stream input = new MemoryStream(Encoding.ASCII.GetBytes(xmlText));
            XmlTextReader reader = new XmlTextReader(appPath + "resources/", input); // unsafe! (safe in .NET version 4.5.2+)
            //XmlTextReader reader = new XmlTextReader(appPath + "resources/xxetestuser.xml");

            try
            {
                // safety measure: applied before the first Read(), so the DOCTYPE raises an exception
                reader.DtdProcessing = DtdProcessing.Prohibit;

                StringBuilder text = new StringBuilder();
                while (reader.Read())
                {
                    if (reader.NodeType != XmlNodeType.Element)
                        continue;
                    // ReadElementContentAsString also moves the reader past the element
                    text.Append(reader.ReadElementContentAsString());
                }

                // "SUCCESSFUL" only appears if the external entity was expanded
                string parsed = text.ToString();
                PrintResults(expectedSafe, !parsed.Contains("SUCCESSFUL"), parsed);
            }
            catch (Exception ex)
            {
                // expected path: exception thrown when the prohibited DTD is encountered
                PrintResults(expectedSafe, true, ex);
            }
            finally
            {
                reader.Close();
            }
        }
    }
}
-------------------------------------------------------------------------------- 
/DotNetUnitTests/TestCases/XXETestCases/XmlTextReaderSafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlTextReaderSafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlTextReaderSafe452.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlTextReaderSafe452.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlTextReaderSafe452" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

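<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlTextReaderSafe452.aspx.cs: --------------------------------------------------------------------------------
using System;
using System.IO;
using System.Text;
using System.Web;
using System.Xml;

namespace DotNetUnitTests.TestCases.XXETestCases
{
    /// <summary>
    /// XmlTextReader: safe by default on .NET 4.5.2 and above / unsafe by default on 4.5.1 and lower.
    /// From 4.5.2 the parsers that expose an XmlResolver get a null resolver by default, so DTD entities are
    /// ignored. On every earlier version the default resolver fetches them, and this page expects the XXE to
    /// succeed there.
    /// </summary>
    public partial class XmlTextReaderSafe452 : XXETestCasePage
    {
        /// <summary>
        /// Parses the XXE test document (xmlText, from XXETestCasePage) with an unconfigured XmlTextReader and
        /// reports through PrintResults; the expected outcome depends on the application's target framework.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            // Compare Version objects: the former "Minor >= 6 || ToString() == "4.5.2"" check ignored Major
            // and matched 4.5.2 only by its exact string form.
            // NOTE(review): this is the web.config targetFramework, not the installed runtime — confirm that
            // is what the 4.5.2 default-resolver change keys on.
            bool expectedSafe = HttpRuntime.TargetFramework >= new Version(4, 5, 2);

            XmlTextReader reader = new XmlTextReader(appPath + "resources/", new MemoryStream(Encoding.ASCII.GetBytes(xmlText))); // unsafe! (safe in .NET version 4.5.2+)
            //XmlTextReader reader = new XmlTextReader(appPath + "resources/xxetestuser.xml"); // unsafe! (safe in .NET version 4.5.2+)

            try
            {
                // parsing the XML: element text only (ReadElementContentAsString moves past each element)
                StringBuilder sb = new StringBuilder();
                while (reader.Read())
                {
                    if (reader.NodeType == XmlNodeType.Element)
                    {
                        sb.Append(reader.ReadElementContentAsString());
                    }
                }

                // testing the result: "SUCCESSFUL" is only present if the external entity was expanded
                if (sb.ToString().Contains("SUCCESSFUL"))
                    PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection
                else
                    PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML

            }
            catch (Exception ex)
            {
                PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML
            }
            finally
            {
                reader.Close();
            }
        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlTextReaderSafe452.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlTextReaderSafe452 { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlTextReaderUnsafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XmlTextReaderUnsafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XmlTextReaderUnsafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |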

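<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlTextReaderUnsafe.aspx.cs: --------------------------------------------------------------------------------
using System;
using System.IO;
using System.Text;
using System.Web;
using System.Xml;

namespace DotNetUnitTests.TestCases.XXETestCases
{
    /// <summary>
    /// XmlTextReader: unsafe when resolving entities manually.
    /// Assigning a non-null XmlResolver (an XmlUrlResolver here) makes the XmlTextReader fetch and expand
    /// external entities regardless of the 4.5.2+ null-resolver default, so the XXE succeeds on every version.
    /// </summary>
    public partial class XmlTextReaderUnsafe : XXETestCasePage
    {
        /// <summary>
        /// Parses the XXE test document (xmlText, from XXETestCasePage) with an XmlTextReader that is
        /// deliberately given an XmlUrlResolver, then reports the outcome through PrintResults.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            XmlTextReader reader = new XmlTextReader(appPath + "resources/", new MemoryStream(Encoding.ASCII.GetBytes(xmlText))); // unsafe! (safe in .NET version 4.5.2+)
            //XmlTextReader reader = new XmlTextReader(appPath + "resources/xxetestuser.xml"); // unsafe! (safe in .NET versions 4.5.2+)

            // forcing unsafe in .NET versions 4.5.2+
            // Compare Version objects: the former "Minor >= 6 || ToString() == "4.5.2"" check ignored Major
            // and matched 4.5.2 only by its exact string form.
            if (HttpRuntime.TargetFramework >= new Version(4, 5, 2))
            {
                // XmlUrlResolver fetches file:// and http(s):// URIs, so the entity's SYSTEM identifier is
                // read from disk (or the network) and its content lands in the parsed text.
                XmlUrlResolver res = new XmlUrlResolver();
                //res.ResolveUri(new Uri(Environment.CurrentDirectory), "resources/xxetestuser.xml"); // works but not needed
                reader.XmlResolver = res;
            }

            try
            {
                // parsing the XML: element text only (ReadElementContentAsString moves past each element)
                StringBuilder sb = new StringBuilder();
                while (reader.Read())
                {
                    if (reader.NodeType == XmlNodeType.Element)
                    {
                        sb.Append(reader.ReadElementContentAsString());
                    }
                }

                // testing the result: "SUCCESSFUL" is only present if the external entity was expanded
                if (sb.ToString().Contains("SUCCESSFUL"))
                    PrintResults(expectedSafe, false, sb.ToString()); // unsafe: successful XXE injection
                else
                    PrintResults(expectedSafe, true, sb.ToString()); // safe: empty or unparsed XML

            }
            catch (Exception ex)
            {
                PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML
            }
            finally
            {
                reader.Close();
            }
        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XmlTextReaderUnsafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 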
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XmlTextReaderUnsafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XslCompiledTransformSafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XslCompiledTransformSafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XslCompiledTransformSafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XslCompiledTransformSafe.aspx.cs: --------------------------------------------------------------------------------
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Xsl;

namespace DotNetUnitTests.TestCases.XXETestCases
{
    /// <summary>
    /// XslCompiledTransform: safe by default.
    /// The input document is read through XmlReader.Create with default settings (DtdProcessing.Prohibit),
    /// so the DOCTYPE in the test document is rejected before the transform ever sees the entity.
    /// (Source: http://www.dotnetframework.org/default.aspx/4@0/4@0/DEVDIV_TFS/Dev10/Releases/RTMRel/ndp/fx/src/Xml/System/Xml/Xslt/XslCompiledTransform@cs/1305376/XslCompiledTransform@cs)
    /// NOTE(review): only the *input* side is exercised here; Load(string) resolves the stylesheet itself
    /// with the framework's default resolver, which is fine for the local test.xsl but would be a separate
    /// concern for an attacker-supplied stylesheet.
    /// </summary>
    public partial class XslCompiledTransformSafe : XXETestCasePage
    {
        /// <summary>
        /// Transforms the XXE test document (xmlText, from XXETestCasePage) with resources/test.xsl using a
        /// default-settings XmlReader as input and reports the outcome through PrintResults.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            const bool expectedSafe = true;

            try
            {
                XslCompiledTransform transformer = new XslCompiledTransform();
                transformer.Load(appPath + "resources/test.xsl");

                // Input reader with default settings: DTDs prohibited, so the entity is never resolved.
                Stream input = new MemoryStream(Encoding.ASCII.GetBytes(xmlText));
                XmlReader source = XmlReader.Create(input, new XmlReaderSettings(), appPath + "resources/");

                StringWriter output = new StringWriter();
                transformer.Transform(source, new XsltArgumentList(), output);
                //transformer.Transform(appPath + "resources/xxetestuser.xml", new XsltArgumentList(), output);

                // "SUCCESSFUL" only reaches the output if the external entity was expanded.
                string result = output.ToString();
                PrintResults(expectedSafe, !result.Contains("SUCCESSFUL"), result);
            }
            catch (Exception ex)
            {
                // expected path: the prohibited DTD raises an exception while the input is read
                PrintResults(expectedSafe, true, ex);
            }
        }
    }
}
-------------------------------------------------------------------------------- 
/DotNetUnitTests/TestCases/XXETestCases/XslCompiledTransformSafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XslCompiledTransformSafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XslCompiledTransformUnsafe.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="XslCompiledTransformUnsafe.aspx.cs" Inherits="DotNetUnitTests.TestCases.XXETestCases.XslCompiledTransformUnsafe" validateRequest="false" %> 2 | 3 | 4 | 5 | 6 | 7 | Results 8 | 9 | 10 | 11 |

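<<< back to tests 12 | 13 | 14 | -------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XslCompiledTransformUnsafe.aspx.cs: --------------------------------------------------------------------------------
using System;
using System.IO;
using System.Text;
using System.Web;
using System.Xml;
using System.Xml.Xsl;

namespace DotNetUnitTests.TestCases.XXETestCases
{
    /// <summary>
    /// XslCompiledTransform: unsafe when given an unsafe XML parser as input.
    /// The transform is only as safe as the reader it consumes: an XmlTextReader with a non-null XmlResolver
    /// expands the external entity, and its content then flows straight into the transform output.
    /// </summary>
    public partial class XslCompiledTransformUnsafe : XXETestCasePage
    {
        /// <summary>
        /// Transforms the XXE test document (xmlText, from XXETestCasePage) with resources/test.xsl, feeding it
        /// through an XmlTextReader that is deliberately given an XmlUrlResolver, and reports via PrintResults.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            bool expectedSafe = false;

            XmlTextReader reader = new XmlTextReader(appPath + "resources/", new MemoryStream(Encoding.ASCII.GetBytes(xmlText))); // unsafe! (safe in .NET version 4.5.2+)

            // forcing unsafe in .NET versions 4.5.2+
            // Compare Version objects: the former "Minor >= 6 || ToString() == "4.5.2"" check ignored Major
            // and matched 4.5.2 only by its exact string form.
            if (HttpRuntime.TargetFramework >= new Version(4, 5, 2))
            {
                // XmlUrlResolver fetches file:// and http(s):// URIs, so the entity's SYSTEM identifier is
                // read from disk (or the network) and its content lands in the transform input.
                XmlUrlResolver res = new XmlUrlResolver();
                //res.ResolveUri(new Uri(Environment.CurrentDirectory), "resources/xxetestuser.xml"); // works but not needed
                reader.XmlResolver = res;
            }

            try
            {
                // parsing the XML
                XslCompiledTransform transformer = new XslCompiledTransform();
                transformer.Load(appPath + "resources/test.xsl");

                StringWriter output = new StringWriter();
                transformer.Transform(reader, new XsltArgumentList(), output);

                // testing the result: "SUCCESSFUL" only reaches the output if the external entity was expanded
                if (output.ToString().Contains("SUCCESSFUL"))
                    PrintResults(expectedSafe, false, output.ToString()); // unsafe: successful XXE injection
                else
                    PrintResults(expectedSafe, true, output.ToString()); // safe: empty or unparsed XML
            }
            catch (Exception ex)
            {
                PrintResults(expectedSafe, true, ex); // safe: exception thrown when parsing XML
            }
            finally
            {
                reader.Close();
            }
        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/TestCases/XXETestCases/XslCompiledTransformUnsafe.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 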
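7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests.TestCases.XXETestCases { 11 | 12 | 13 | public partial class XslCompiledTransformUnsafe { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/codeview.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="codeview.aspx.cs" Inherits="DotNetUnitTests.codeview" %> 2 | 3 | 4 | 5 | 6 | 7 | Code View 8 | 9 | 10 |
<%
    // Shows the code-behind (.aspx.cs) of one test case. Both query parameters are attacker-controlled.
    string appPath = Request.PhysicalApplicationPath;
    string type = Request.QueryString["type"];
    string name = Request.QueryString["var"];
    string[] code = null;

    // Map "type" onto a fixed folder; an unknown or missing type reads nothing.
    // ("xml".Equals(type) is null-safe, unlike type.Equals("xml").)
    string folder = null;
    if ("xml".Equals(type))
        folder = "XXETestCases";
    else if ("hql".Equals(type))
        folder = "HQLTestCases";
    else if ("xpath".Equals(type))
        folder = "XPathTestCases";
    else if ("xquery".Equals(type))
        folder = "XQueryTestCases";

    // "var" is spliced into a file-system path, so it must be a bare identifier (letters, digits, underscore).
    // Without this check a value such as ..\..\..\Other lets the caller read any *.aspx.cs the application
    // pool account can reach — path traversal / arbitrary file read driven by the query string.
    bool safeName = !string.IsNullOrEmpty(name)
        && System.Text.RegularExpressions.Regex.IsMatch(name, @"^[A-Za-z0-9_]+$");

    if (folder != null && safeName)
        code = System.IO.File.ReadAllLines(appPath + "/TestCases/" + folder + "/" + name + ".aspx.cs");

    if (code == null)
    {
        // Unknown type or rejected name: report it instead of failing with a NullReferenceException below.
        Response.Write("Unknown test case.");
    }
    else
    {
        // NOTE(review): the markup literals in these three writes were lost in this listing;
        // <pre> / <br> / </pre> is the evident intent — confirm against the original file.
        Response.Write("<pre>");
        foreach (string line in code)
        {
            // Source lines contain '<', '&' and quotes; encode them so they render literally and the page
            // cannot become an HTML-injection sink should the displayed file ever carry user-influenced text.
            Response.Write(Server.HtmlEncode(line) + "<br>");
        }
        Response.Write("</pre>");
    }
%> 30 | 31 |
 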
32 | <<< back to test 33 | 34 | 35 | -------------------------------------------------------------------------------- /DotNetUnitTests/codeview.aspx.cs: --------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace DotNetUnitTests
{
    /// <summary>
    /// Code-behind for codeview.aspx. All of the page's logic (reading the selected test case's .aspx.cs from
    /// the "type"/"var" query parameters) lives inline in the .aspx; nothing runs here.
    /// </summary>
    public partial class codeview : System.Web.UI.Page
    {
        /// <summary>Intentionally empty; see the inline server block in codeview.aspx.</summary>
        protected void Page_Load(object sender, EventArgs e)
        {

        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/codeview.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 
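7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests { 11 | 12 | 13 | public partial class codeview { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/hibernate.cfg.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | NHibernate.Connection.DriverConnectionProvider 5 | NHibernate.Dialect.MsSql2008Dialect 6 | NHibernate.Driver.SqlClientDriver 7 | Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\Sample.mdf;Integrated Security=True 8 | 9 | false 10 | 11 | 12 | -------------------------------------------------------------------------------- /DotNetUnitTests/hqlview.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="hqlview.aspx.cs" Inherits="DotNetUnitTests.hqlview" %> 2 | 3 | 4 | 5 | 6 | 7 | <%-- "title" is echoed from the query string: the colon form HTML-encodes it, so the page no longer relies on request validation alone against reflected XSS --%> <%: Request.QueryString["title"] %> 8 | 9 | 10 |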

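<%-- "test" is echoed from the query string: <%: HTML-encodes it (ASP.NET 4.0+), closing a reflected-XSS sink --%> <%: Request.QueryString["test"] %>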

11 | ">View code for this test 12 |

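13 | <%
    // DELETE statements help text
    // A missing "var" parameter is treated as "" so a bare request to this page does not throw a
    // NullReferenceException from .Contains on a null query-string value.
    if ((Request.QueryString["var"] ?? "").Contains("Delete"))
    {
        Response.Write("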

The Student table has the following rows: ID, LastName, FirstName, Username, and Password.

"); 18 | Response.Write("

This form performs a query that deletes a student named \"Test User\" that will be inserted beforehand.

"); 19 | Response.Write("

The injection given below will attempt to delete another user by adding ' OR 'FirstName'='Target to the end.

"); 20 | } 21 | 22 | // SELECT statements help text 23 | else 24 | { 25 | Response.Write("

The Student table has the following rows: ID, LastName, FirstName, Username, and Password.

"); 26 | Response.Write("

This form performs a HQL query that selects the row with the first name entered below.

"); 27 | Response.Write("

The injection given below will attempt to fetch all table rows instead of just the entered one by adding ' OR 'a'='a to the end.

"); 28 | } 29 | 30 | %> 31 | 32 | <% Response.Write("
"); %> 33 | " /> 34 | Enter first name: 35 | 36 |
37 |

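<<< back to tests 38 | 39 | 40 | -------------------------------------------------------------------------------- /DotNetUnitTests/hqlview.aspx.cs: --------------------------------------------------------------------------------
using System;

namespace DotNetUnitTests
{
    /// <summary>Code-behind for hqlview.aspx: picks the sample injection payload the page offers.</summary>
    public partial class hqlview : System.Web.UI.Page
    {
        /// <summary>Sample injection string rendered by hqlview.aspx; chosen from the "var" query parameter.</summary>
        protected string payloadValue;

        /// <summary>
        /// Selects the DELETE payload when the requested test-case name contains "Delete", otherwise the
        /// SELECT payload. A missing "var" parameter is treated as "" (SELECT payload) instead of throwing a
        /// NullReferenceException from .Contains on a null string.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            string testCase = Request.QueryString["var"] ?? string.Empty;
            if (testCase.Contains("Delete"))
                this.payloadValue = "Test' OR FirstName='Target"; // DELETE payload
            else
                this.payloadValue = "Bobby' OR 'a'='a"; // SELECT payload
        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/hqlview.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 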
7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests { 11 | 12 | 13 | public partial class hqlview { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/index.aspx.cs: --------------------------------------------------------------------------------
using System;

namespace DotNetUnitTests
{
    /// <summary>Code-behind for index.aspx (the test-suite landing page); no server-side logic.</summary>
    public partial class index : System.Web.UI.Page
    {
        /// <summary>Intentionally empty.</summary>
        protected void Page_Load(object sender, EventArgs e)
        {

        }
    }
}
-------------------------------------------------------------------------------- /DotNetUnitTests/index.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests { 11 | 12 | 13 | public partial class index { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/nhibernate.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="nhibernate.aspx.cs" Inherits="DotNetUnitTests.nhibernate" %> 2 | <%@ Import Namespace="Microsoft.Win32" %> 3 | 4 | 5 | 6 | 7 | 8 | .NET NHibernate Tests 9 | 10 | 11 | 12 |

NHibernate Injection Vulnerability Tests

13 | .NET XXE Injection Tests | NHibernate Injection Tests | XPath Injection Tests | XQuery Injection Tests 14 | <% Response.Write("

"); 15 | Response.Write("Current .NET Framework Version: " + HttpRuntime.TargetFramework.ToString()); 16 | Response.Write("
" + "Unsafe Tests: 6" + "
" + "Safe Tests: 4"); 17 | Response.Write("

"); 18 | %> 19 | 20 | <% int testCount = 20; %> 21 | 42 | 43 |

44 | References: 45 |
    46 |
  1. NHibernate Docs
  2. 47 |
  3. OWASP: Hibernate
  4. 48 |
  5. OWASP: SQL Injection
  6. 49 |
50 | 51 | 52 | -------------------------------------------------------------------------------- /DotNetUnitTests/nhibernate.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | 3 | namespace DotNetUnitTests 4 | { 5 | public partial class nhibernate : System.Web.UI.Page 6 | { 7 | protected void Page_Load(object sender, EventArgs e) 8 | { 9 | 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /DotNetUnitTests/nhibernate.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests { 11 | 12 | 13 | public partial class nhibernate { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/packages.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /DotNetUnitTests/resources/students.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | Tables 5 | Bobby 6 | btables 7 | Tr0ub4dor&3 8 | 9 | 10 | Tables 11 | Bobby' or 'a'='a 12 | btables2 13 | correcthorsebatterystaple 14 | 15 | 16 | Tables 17 | Bobby" or "a"="a 18 | btables3 19 | correcthorsebatterystaple 20 | 21 | 22 | Skywalker 23 | Anakin 24 | sithlord 25 | ihatesand1234 26 | 27 | -------------------------------------------------------------------------------- /DotNetUnitTests/resources/test.xsd: 
-------------------------------------------------------------------------------- 1 |  2 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /DotNetUnitTests/resources/test.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /DotNetUnitTests/resources/xxe_attack.txt: -------------------------------------------------------------------------------- 1 | INJECTION SUCCESSFUL -------------------------------------------------------------------------------- /DotNetUnitTests/resources/xxetest.xml: -------------------------------------------------------------------------------- 1 |  2 | 4 | ]> 5 | 6 | &xxetest; 7 | -------------------------------------------------------------------------------- /DotNetUnitTests/webconfigs/Web.451.config: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /DotNetUnitTests/webconfigs/Web.452.config: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /DotNetUnitTests/webconfigs/Web.46.config: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /DotNetUnitTests/xmlview.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="xmlview.aspx.cs" 
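Inherits="DotNetUnitTests.xmlview" %>
<%-- SECURITY: Request.QueryString["title"] is attacker-controlled and is emitted into the page title.
     The colon expression form HTML-encodes the value on output; the original equals form wrote it raw,
     which is a reflected-XSS sink. ASP.NET request validation blocks the obvious payloads by default,
     but it is not a substitute for output encoding, and this project's web.config settings are not
     visible in this listing. --%>
<%: Request.QueryString["title"] %>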

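<%-- SECURITY: Request.QueryString["test"] is attacker-controlled. The colon expression form
     HTML-encodes the value on output; the original equals form wrote it raw into the page body,
     a reflected-XSS sink. Request validation mitigates common payloads by default but is not a
     substitute for encoding, and the project's web.config content is not visible here. --%>
<%: Request.QueryString["test"] %>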

11 | ">View code for this test 12 |

13 |

Enter an XML file whose DOCTYPE declares an entity, e.g. resources/xxetest.xml, which references the xxetest entity. If the parser under test resolves that entity the test case is unsafe; a hardened parser must reject or ignore the declaration:

14 | 19 | 20 | <% Response.Write("
"); %> 21 | " /> 22 | 23 |
24 |

<<< back to tests 25 | 26 | 27 | -------------------------------------------------------------------------------- /DotNetUnitTests/xmlview.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | 3 | namespace DotNetUnitTests 4 | { 5 | public partial class xmlview : System.Web.UI.Page 6 | { 7 | protected void Page_Load(object sender, EventArgs e) 8 | { 9 | 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /DotNetUnitTests/xmlview.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests { 11 | 12 | 13 | public partial class xmlview { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/xpath.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="xpath.aspx.cs" Inherits="DotNetUnitTests.xpath" %> 2 | <%@ Import Namespace="Microsoft.Win32" %> 3 | 4 | 5 | 6 | 7 | 8 | .NET XPath Tests 9 | 10 | 11 | 12 |

XPath Injection Vulnerability Tests

13 | .NET XXE Injection Tests | NHibernate Injection Tests | XPath Injection Tests | XQuery Injection Tests 14 | <% Response.Write("

"); 15 | Response.Write("Current .NET Framework Version: " + HttpRuntime.TargetFramework.ToString()); 16 | Response.Write("
" + "Unsafe Tests: 3" + "
" + "Safe Tests: 1"); 17 | Response.Write("

"); 18 | %> 19 | 20 | <% int testCount = 30; %> 21 | 31 | 32 |

33 | References: 34 |
    35 |
  1. OWASP: XPath Injection
  2. 36 |
37 | 38 | 39 | -------------------------------------------------------------------------------- /DotNetUnitTests/xpath.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | 3 | namespace DotNetUnitTests 4 | { 5 | public partial class xpath : System.Web.UI.Page 6 | { 7 | protected void Page_Load(object sender, EventArgs e) 8 | { 9 | 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /DotNetUnitTests/xpath.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests { 11 | 12 | 13 | public partial class xpath { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/xpathview.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="xpathview.aspx.cs" Inherits="DotNetUnitTests.xpathview" %> 2 | 3 | 4 | 5 | 6 | 7 | <%= Request.QueryString["title"] %> 8 | 9 | 10 |

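<%-- SECURITY: Request.QueryString["test"] is attacker-controlled. The colon expression form
     HTML-encodes the value on output; the original equals form wrote it raw into the page body,
     a reflected-XSS sink. Request validation mitigates common payloads by default but is not a
     substitute for encoding, and the project's web.config content is not visible here. --%>
<%: Request.QueryString["test"] %>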

11 | ">View code for this test 12 |

13 |

The following is the XML file the query will be performed on:

14 | 19 | <% Response.Write("
"); %> 20 | " /> 21 |

The injection shown below appends ' or 'a'='a to the entered first name. When that value is spliced into the XPath predicate as text, the first single quote closes the string literal and 'a'='a is always true, so the query matches every <Student> node instead of only the one entered. A safe implementation must treat the quote as data (escape it or validate the input) so that only the literal name is matched.

22 | Enter first name: 23 | 24 |
25 |

<<< back to tests 26 | 27 | 28 | -------------------------------------------------------------------------------- /DotNetUnitTests/xpathview.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | 3 | namespace DotNetUnitTests 4 | { 5 | public partial class xpathview : System.Web.UI.Page 6 | { 7 | protected void Page_Load(object sender, EventArgs e) 8 | { 9 | 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /DotNetUnitTests/xpathview.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests { 11 | 12 | 13 | public partial class xpathview { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/xquery.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="xquery.aspx.cs" Inherits="DotNetUnitTests.xquery" %> 2 | <%@ Import Namespace="Microsoft.Win32" %> 3 | 4 | 5 | 6 | 7 | 8 | .NET XQuery Tests 9 | 10 | 11 | 12 |

XQuery Injection Vulnerability Tests

13 | .NET XXE Injection Tests | NHibernate Injection Tests | XPath Injection Tests | XQuery Injection Tests 14 | <% Response.Write("

"); 15 | Response.Write("Current .NET Framework Version: " + HttpRuntime.TargetFramework.ToString()); 16 | Response.Write("
" + "Unsafe Tests: 2" + "
" + "Safe Tests: 3"); 17 | Response.Write("

"); 18 | %> 19 | 20 | <% int testCount = 34; %> 21 | 32 | 33 |

34 | References: 35 |
    36 |
  1. Saxon API for .NET Guide
  2. 37 |
38 | 39 | 40 | -------------------------------------------------------------------------------- /DotNetUnitTests/xquery.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | 3 | namespace DotNetUnitTests 4 | { 5 | public partial class xquery : System.Web.UI.Page 6 | { 7 | protected void Page_Load(object sender, EventArgs e) 8 | { 9 | 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /DotNetUnitTests/xquery.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests { 11 | 12 | 13 | public partial class xquery { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /DotNetUnitTests/xqueryview.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="xqueryview.aspx.cs" Inherits="DotNetUnitTests.xqueryview" %> 2 | 3 | 4 | 5 | 6 | 7 | <%= Request.QueryString["title"] %> 8 | 9 | 10 |

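<%-- SECURITY: Request.QueryString["test"] is attacker-controlled. The colon expression form
     HTML-encodes the value on output; the original equals form wrote it raw into the page body,
     a reflected-XSS sink. Request validation mitigates common payloads by default but is not a
     substitute for encoding, and the project's web.config content is not visible here. --%>
<%: Request.QueryString["test"] %>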

11 | ">View code for this test 12 |

13 |

The following is the XML file the query will be performed on:

14 | 19 | <% Response.Write("
"); %> 20 | " /> 21 |

The injection shown below appends " or "a"="a to the entered first name. When that value is spliced into the XQuery predicate as text, the first double quote closes the string literal and "a"="a is always true, so the query matches every <Student> node instead of only the one entered. A safe implementation must bind the value as a query variable, or escape/validate it, so that only the literal name is matched.

22 | Enter first name: 23 | 24 |
25 |

<<< back to tests 26 | 27 | 28 | -------------------------------------------------------------------------------- /DotNetUnitTests/xqueryview.aspx.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | 3 | namespace DotNetUnitTests 4 | { 5 | public partial class xqueryview : System.Web.UI.Page 6 | { 7 | protected void Page_Load(object sender, EventArgs e) 8 | { 9 | 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /DotNetUnitTests/xqueryview.aspx.designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // 5 | // Changes to this file may cause incorrect behavior and will be lost if 6 | // the code is regenerated. 7 | // 8 | //------------------------------------------------------------------------------ 9 | 10 | namespace DotNetUnitTests { 11 | 12 | 13 | public partial class xqueryview { 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /INSTRUCTIONS.txt: -------------------------------------------------------------------------------- 1 | To deploy the web application: 2 | 3 | - Run the Visual Studio Developer Command Prompt as administrator 4 | - Navigate to the project folder (where this file is located) 5 | - Run either DeployWebAppDotNet451.bat to run in .NET 4.5.1 , DeployWebAppDotNet452.bat to run in .NET 4.5.2, or DeployWebAppDotNet46.bat to run in .NET 4.6 6 | (Note: The major fixes happen in 4.5.2, and there is no discernable difference between running in 4.5.2 and 4.6) 7 | - Press 'q' to close the server when finished 8 | 9 | To run all tests programmatically: 10 | 11 | Make sure you have Python installed and in your path! 
12 | 13 | - Download ChromeDriver at https://sites.google.com/a/chromium.org/chromedriver/downloads 14 | - Place the executable in the project base directory (or add it to your path manually) 15 | - Deploy the web app 16 | - Run RunAllTests.bat 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # .NET Security Unit Tests 2 | A web application containing deliberately safe and unsafe .NET code samples (XXE, HQL, XPath and XQuery injection) for exercising security testing tools 3 | 4 | (Based on the web application I added to [a Java console application with similar tests](https://github.com/aspectsecurity/security-unit-tests) by [Dave Wichers](https://github.com/davewichers)) 5 | 6 | ## Overview 7 | The purpose of this web app is to test the following vulnerabilities in .NET (click to view their respective code): 8 | - [XML External Entity (XXE) Injection](./DotNetUnitTests/TestCases/XXETestCases) 9 | - A summary of these tests can be found in the [OWASP XXE Prevention Cheat Sheet](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET) 10 | - [NHibernate Query Language (HQL) Injection](./DotNetUnitTests/TestCases/HQLTestCases) 11 | - [XPath Query Language Injection](./DotNetUnitTests/TestCases/XPathTestCases) 12 | - [XQuery Query Language Injection](./DotNetUnitTests/TestCases/XQueryTestCases) 13 | 14 | The code can be analyzed by static code tools or deployed as a web application and analyzed via dynamic tools. The underlying C# code can also be used as examples for how to make .NET code safe/unsafe. You can also find detailed comments in the code with each test explaining why it is safe/unsafe. **Warning:** the "unsafe" pages are intentionally exploitable (the XXE tests resolve entities from user-supplied XML, and the injection pages accept arbitrary query text). Deploy only on a local, isolated machine — the test crawler targets http://localhost:8080 — and never expose this application to an untrusted network. 15 | 16 | ## Installation 17 | Please see the [INSTRUCTIONS.txt](./INSTRUCTIONS.txt) file for information on deploying the web app, as well as instructions for running all the tests programmatically. 
18 | 19 | (Note: you will need Visual Studio installed) 20 | 21 | ## License 22 | ``` 23 | This program is free software: you can redistribute it and/or modify 24 | it under the terms of the GNU General Public License as published by 25 | the Free Software Foundation, either version 3 of the License, or 26 | (at your option) any later version. 27 | 28 | This program is distributed in the hope that it will be useful, 29 | but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | GNU General Public License for more details. 32 | 33 | You should have received a copy of the GNU General Public License 34 | along with this program. If not, see . 35 | ``` 36 | -------------------------------------------------------------------------------- /RunAllTests.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | pip install -U selenium 4 | 5 | if exist .\chromedriver.exe ( 6 | set PATH=%PATH%;%cd%\chromedriver.exe 7 | ) 8 | 9 | python WebTestCrawler.py 10 | -------------------------------------------------------------------------------- /WebTestCrawler.py: -------------------------------------------------------------------------------- 1 | ''' 2 | 3 | WebTestCrawler 4 | Clicks every link on the web app in order to run all tests programatically 5 | 6 | NOTE: Requires Selenium and ChromeDriver 7 | 8 | ''' 9 | 10 | from selenium import webdriver 11 | from selenium.common.exceptions import TimeoutException 12 | from selenium.webdriver.common.by import By 13 | from selenium.webdriver.support import expected_conditions as EC 14 | from selenium.webdriver.support.ui import WebDriverWait 15 | 16 | # clicks all the test links for the given test category 17 | def clickLinks(driver, testCount): 18 | categories = 4 19 | for i in range(0, (testCount + categories)): 20 | links = driver.find_elements_by_xpath("//a[not(starts-with(@href, 'http'))]") 21 | 22 | # clicks 
all links except for the category links 23 | if (i > (categories - 1)): 24 | waitForLoad(driver) 25 | links[i].click() 26 | clickLinksTestView(driver) 27 | 28 | 29 | # clicks the links on the test view page 30 | def clickLinksTestView(driver): 31 | 32 | # go through code view page 33 | waitForLoad(driver) 34 | driver.find_element_by_css_selector("a[href]").click() 35 | clickLinkCodeView(driver) 36 | 37 | # run test and return 38 | waitForLoad(driver) 39 | driver.find_element_by_css_selector("#theform > input[type='submit']").click() 40 | clickLinksResults(driver) 41 | 42 | 43 | # clicks the back button on the code view page 44 | def clickLinkCodeView(driver): 45 | waitForLoad(driver) 46 | driver.find_element_by_css_selector("a[href]").click() 47 | 48 | 49 | # clicks the back button on the results page 50 | def clickLinksResults(driver): 51 | waitForLoad(driver) 52 | driver.find_element_by_css_selector("a[href]").click() 53 | 54 | 55 | # waits for the page loads before clicking 56 | def waitForLoad(driver): 57 | timeoutTime = 15 58 | try: 59 | WebDriverWait(driver, timeoutTime).until(EC.presence_of_element_located((By.TAG_NAME, "html"))) 60 | except TimeoutException: 61 | print("Page \"" + driver.current_url +"\" took too long to load!") 62 | 63 | 64 | # starts the crawler 65 | driver = webdriver.Chrome() 66 | driver.get("http://localhost:8080/index.aspx") 67 | clickLinks(driver, 19) 68 | driver.get("http://localhost:8080/nhibernate.aspx") 69 | clickLinks(driver, 10) 70 | driver.get("http://localhost:8080/xpath.aspx") 71 | clickLinks(driver, 4) 72 | driver.get("http://localhost:8080/xquery.aspx") 73 | clickLinks(driver, 5) 74 | print("All tests have completed running") -------------------------------------------------------------------------------- /packages/Iesi.Collections.4.0.0.4000/Iesi.Collections.4.0.0.4000.nupkg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/packages/Iesi.Collections.4.0.0.4000/Iesi.Collections.4.0.0.4000.nupkg -------------------------------------------------------------------------------- /packages/Iesi.Collections.4.0.0.4000/lib/net40/Iesi.Collections.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/packages/Iesi.Collections.4.0.0.4000/lib/net40/Iesi.Collections.dll -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/ConfigurationTemplates/FireBird.cfg.xml: -------------------------------------------------------------------------------- 1 | 2 | 12 | 17 | 18 | 19 | NHibernate.Driver.FirebirdClientDriver 20 | 21 | Server=localhost; 22 | Database=C:\nhibernate.fdb; 23 | User=SYSDBA;Password=masterkey 24 | 25 | false 26 | NHibernate.Dialect.FirebirdDialect 27 | 60 28 | true 1, false 0, yes 1, no 0 29 | 30 | 31 | -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/ConfigurationTemplates/MSSQL.cfg.xml: -------------------------------------------------------------------------------- 1 |  2 | 7 | 8 | 9 | 10 | NHibernate.Driver.SqlClientDriver 11 | 12 | Server=(local);initial catalog=nhibernate;Integrated Security=SSPI 13 | 14 | NHibernate.Dialect.MsSql2008Dialect 15 | 16 | -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/ConfigurationTemplates/MySql.cfg.xml: -------------------------------------------------------------------------------- 1 |  2 | 7 | 8 | 9 | 10 | NHibernate.Driver.MySqlDataDriver 11 | 12 | Database=test;Data Source=someip;User Id=blah;Password=blah 13 | 14 | NHibernate.Dialect.MySQLDialect 15 | 16 | 
-------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/ConfigurationTemplates/Oracle.cfg.xml: -------------------------------------------------------------------------------- 1 |  2 | 7 | 8 | 9 | 10 | NHibernate.Driver.OracleClientDriver 11 | 12 | User ID=nhibernate;Password=nhibernate;Data Source=localhost 13 | 14 | false 15 | NHibernate.Dialect.OracleDialect 16 | true 1, false 0, yes 'Y', no 'N' 17 | 18 | -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/ConfigurationTemplates/PostgreSQL.cfg.xml: -------------------------------------------------------------------------------- 1 |  2 | 7 | 8 | 9 | NHibernate.Driver.NpgsqlDriver 10 | 11 | Server=localhost;Database=nhibernate;User ID=nhibernate;Password=nhibernate; 12 | 13 | NHibernate.Dialect.PostgreSQL82Dialect 14 | 15 | -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/ConfigurationTemplates/SQLite.cfg.xml: -------------------------------------------------------------------------------- 1 |  2 | 7 | 8 | 9 | NHibernate.Driver.SQLite20Driver 10 | 11 | Data Source=nhibernate.db 12 | 13 | NHibernate.Dialect.SQLiteDialect 14 | 15 | -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/ConfigurationTemplates/SybaseASE.cfg.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | NHibernate.Driver.SybaseAseClientDriver 10 | 11 | Data Source=10.0.0.1;Port=5000;Database=nhibernate;User ID=nhibernate;Password=password 12 | 13 | NHibernate.Dialect.SybaseASE15Dialect 14 | true=1;false=0 15 | 16 | -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/ConfigurationTemplates/SybaseSQLAnywhere.cfg.xml: -------------------------------------------------------------------------------- 1 | 
2 | 7 | 8 | 9 | NHibernate.Driver.SybaseSQLAnywhereDriver 10 | 11 | UID=DBA;PWD=sql;Server=localhost;DBN=nhibernate;DBF=c:\nhibernate.db;ASTOP=No 12 | 13 | NHibernate.Dialect.SybaseSQLAnywhere12Dialect 14 | true=1;false=0 15 | 16 | -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/NHibernate.4.1.1.4000.nupkg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/packages/NHibernate.4.1.1.4000/NHibernate.4.1.1.4000.nupkg -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/NHibernate.readme.html: -------------------------------------------------------------------------------- 1 |

Welcome to NHibernate

2 | 3 |

NHibernate is a mature, open source object-relational mapper for the .NET framework. It is actively developed, 4 | fully featured and used in thousands of successful projects.

5 | 6 |

The NHibernate community website - http://nhibernate.info - has a range of resources to help you get started, 7 | including howtos, blogs and reference documentation.

8 | 9 |

Latest Version

10 | 11 |

The quickest way to get the latest release of NHibernate is to add it to your project using 12 | NuGet (http://nuget.org/List/Packages/NHibernate).

13 | 14 |

Alternatively binaries are available from SourceForge at http://sourceforge.net/projects/nhibernate.

15 | 16 |

You are encouraged to review the release notes (releasenotes.txt), particularly when upgrading to a 17 | later version. The release notes will generally document any breaking changes.

18 | 19 |

Community Forums

20 | 21 |

There are two official NHibernate community forums:

22 | 23 | 27 | 28 |

Bug Reports

29 | 30 |

If you find any bugs, please report them using the JIRA bug tracker. A 31 | test-case that demonstrates the issue is usually required. Instructions on providing a test-case 32 | can be found here.

33 | 34 |

Licenses

35 | 36 |

This software is distributed under the terms of the Free Software Foundation Lesser GNU Public License (LGPL), version 2.1 (see lgpl.txt).

37 | 38 |

Credits

39 | 40 |

Many thanks to the following individuals, organisations and projects whose work is so important to the success 41 | of NHibernate (in no particular order):

42 | 43 | -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/NHibernate.releasenotes.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/packages/NHibernate.4.1.1.4000/NHibernate.releasenotes.txt -------------------------------------------------------------------------------- /packages/NHibernate.4.1.1.4000/lib/net40/NHibernate.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/packages/NHibernate.4.1.1.4000/lib/net40/NHibernate.dll -------------------------------------------------------------------------------- /packages/SaxonPE9.8N/IKVM.OpenJDK.Core.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/packages/SaxonPE9.8N/IKVM.OpenJDK.Core.dll -------------------------------------------------------------------------------- /packages/SaxonPE9.8N/IKVM.OpenJDK.XML.API.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/packages/SaxonPE9.8N/IKVM.OpenJDK.XML.API.dll -------------------------------------------------------------------------------- /packages/SaxonPE9.8N/saxon9pe.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/deanf1/dotnet-security-unit-tests/de8a7ac439b88ae5a42ba762c34fab22893c200b/packages/SaxonPE9.8N/saxon9pe.dll --------------------------------------------------------------------------------