csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings

Author
unknown
Top-level wildcard bindings such as $PREFIX leave your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider a subdomain wildcard binding instead. For example, you can use "*.asdf.gov" if you own all of "asdf.gov".

Definition

rules:
  - id: http-listener-wildcard-bindings
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-706: Use of Incorrectly-Resolved Name or Reference"
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0
      category: security
      technology:
        - .net
      confidence: MEDIUM
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    message: The top level wildcard bindings $PREFIX leaves your application open to
      security vulnerabilities and give attackers more control over where
      traffic is routed. If you must use wildcards, consider using subdomain
      wildcard binding. For example, you can use "*.asdf.gov" if you own all of
      "asdf.gov".
    patterns:
      - pattern-inside: |
          using System.Net;
          ...
      - pattern: $LISTENER.Prefixes.Add("$PREFIX")
      - metavariable-regex:
          metavariable: $PREFIX
          regex: (http|https)://(\*|\+)(.[a-zA-Z]{2,})?:[0-9]+

Examples

http-listener-wildcard-bindings.cs

using System;
using System.Net;

namespace HttpListenerWildcard {
    class MyBadHttpListener {
        public static void HttpListenerWildcard() {
            HttpListener listener = new HttpListener();

            // ruleid: http-listener-wildcard-bindings
            listener.Prefixes.Add("http://*:8080");

            // ruleid: http-listener-wildcard-bindings
            listener.Prefixes.Add("http://+:8080");

            // ruleid: http-listener-wildcard-bindings
            listener.Prefixes.Add("https://*:8080");

            // ruleid: http-listener-wildcard-bindings
            listener.Prefixes.Add("https://+:8080");

            // ruleid: http-listener-wildcard-bindings
            listener.Prefixes.Add("https://*.com:8080");

            // ok
            listener.Prefixes.Add("https://0.0.0.0:8080");

            // ok
            listener.Prefixes.Add("http://www.contoso.com:8080/");

            // ok
            listener.Prefixes.Add("http://*.test.com:8080");

            listener.Start();
        }
    }
}
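The rule above flags the call site statically. The following is an added example, not part of the Semgrep rule or of the Microsoft documentation it references, showing the same check enforced at runtime: a small guard around HttpListenerPrefixCollection.Add that refuses the top-level wildcard prefixes from the test file ("http://*:8080", "http://+:8080", "https://*.com:8080") while still accepting a subdomain wildcard such as "http://*.test.com:8080" or an explicit host. The class and method names (SafeHttpListenerPrefixes, AddChecked, IsTopLevelWildcard) are assumptions chosen for this example. The regex mirrors the rule's metavariable-regex, anchored at the start and with the dot escaped so that only a real top-level domain suffix after the wildcard is matched. Note that HttpListener itself only accepts prefixes that end in a forward slash, so the sample prefixes below carry one, unlike the test file above, which only needs to exercise the pattern.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example (hypothetical helper, not part of the Semgrep rule or of .NET):
// a runtime guard that mirrors the http-listener-wildcard-bindings rule.
public static class SafeHttpListenerPrefixes
{
    // Same shape as the rule's regex, but anchored and with the dot escaped:
    //   scheme://(* or +)[.tld]:port[/...]
    // "http://*.test.com:8080/" does not match because after the optional
    // ".test" the next character is "." rather than ":".
    private static readonly Regex TopLevelWildcard = new Regex(
        @"^https?://(\*|\+)(\.[a-zA-Z]{2,})?:[0-9]+(/.*)?$",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // True for prefixes the rule would report: the host is "*" (weak wildcard:
    // anything on the port not claimed by another prefix), "+" (strong wildcard:
    // every host name on the port), or a wildcard directly under a top-level domain.
    public static bool IsTopLevelWildcard(string prefix) =>
        prefix != null && TopLevelWildcard.IsMatch(prefix);

    // Adds the prefix only if it is bound to an explicit host or to a subdomain
    // wildcard; HttpListener additionally requires the prefix to end with '/'.
    public static void AddChecked(HttpListener listener, string prefix)
    {
        if (IsTopLevelWildcard(prefix))
        {
            throw new ArgumentException(
                $"Refusing top-level wildcard prefix '{prefix}'; bind an explicit host " +
                "or a subdomain wildcard such as \"http://*.example.com:8080/\".",
                nameof(prefix));
        }
        listener.Prefixes.Add(prefix);
    }
}

public static class Demo
{
    public static void Main()
    {
        var listener = new HttpListener();

        // Constructed sample prefixes, taken from the rule's test file with the
        // trailing slash that HttpListener requires.
        string[] candidates =
        {
            "http://*:8080/",              // rejected (weak wildcard)
            "http://+:8080/",              // rejected (strong wildcard)
            "https://*.com:8080/",         // rejected (wildcard under a TLD)
            "http://*.test.com:8080/",     // added   (subdomain wildcard)
            "http://www.contoso.com:8080/" // added   (explicit host)
        };

        foreach (var prefix in candidates)
        {
            try
            {
                SafeHttpListenerPrefixes.AddChecked(listener, prefix);
                Console.WriteLine($"added    {prefix}");
            }
            catch (ArgumentException e)
            {
                Console.WriteLine($"rejected {prefix}: {e.Message}");
            }
        }

        Console.WriteLine($"{listener.Prefixes.Count} prefix(es) registered");
    }
}
```

The guard is deliberately narrow: it only decides whether a prefix is a top-level wildcard, leaving ownership of the subdomain (the "you own all of asdf.gov" condition in the rule's message) as a deployment decision, since no code check can verify that.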