csharp.lang.security.ssrf.http-client.ssrf
SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
Definition
# Syntactic (non-taint) rule: it reports a method whose own parameter $X reaches
# HttpClient.GetAsync / GetStringAsync, either directly or through exactly one
# local assignment (`$A $B = <... $X ...>`). A value that arrives any other way
# (a field, a helper's return value, a second hop of assignment) is not matched,
# and nothing distinguishes attacker-controlled parameters from trusted ones,
# hence confidence/likelihood LOW and the "audit" subcategory.
rules:
  - id: ssrf
    severity: ERROR
    languages:
      - csharp
    metadata:
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      # The cheat sheet below is the place to look for the fix: parse the value
      # into a Uri and allow-list scheme and destination before sending.
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    message: SSRF is an attack vector that abuses an application to interact with
      the internal/external network or the machine itself.
    # Every pattern below needs an explicit `using System.Net.Http;` in the file
    # and an HttpClient constructed in the same method with `new HttpClient()`.
    # Files that get the namespace from a `global using` elsewhere or from the
    # SDK's implicit usings, and clients taken from a field, a static instance
    # or IHttpClientFactory, are therefore not reported.
    # Only GetAsync and GetStringAsync are sinks; PostAsync, SendAsync,
    # GetStreamAsync and GetByteArrayAsync accept the same kind of URL argument
    # and are not covered by this rule.
    patterns:
      - pattern-inside: |
          using System.Net.Http;
          ...
      - pattern-either:
          # Parameter used inside the GetAsync argument expression itself.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              HttpClient $Y = new HttpClient();
              ...
              ... $Y.GetAsync(<... $X ...>, ...);
              }
          # Parameter first stored in a local (string or Uri), local passed on.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              $A $B = <... $X ...>;
              ...
              HttpClient $Y = new HttpClient();
              ...
              ... $Y.GetAsync($B, ...);
              }
          # Same two shapes for GetStringAsync.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              HttpClient $Y = new HttpClient();
              ...
              ... $Y.GetStringAsync(<... $X ...>);
              }
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              $A $B = <... $X ...>;
              ...
              HttpClient $Y = new HttpClient();
              ...
              ... $Y.GetStringAsync($B);
              }
Examples
http-client.cs
using System.Net.Http;
namespace ServerSideRequestForgery
{
// Test fixture for the `ssrf` rule. The `// ruleid: ssrf` and `// ok: ssrf`
// lines are Semgrep test annotations that apply to the line directly after
// them, so each must stay immediately above its method signature.
// This is not a compiling program and is not meant to be one: method names
// repeat with identical signatures, `Exception` is used without `using System;`,
// and the Task<string> returned by GetStringAsync is assigned to an
// HttpResponseMessage. Only the source shape the rule matches matters here.
public class Ssrf
{
    #region Pattern 1
    // Pattern 1: the `host` parameter is part of the GetAsync argument,
    // either on its own or inside a larger expression.
    // ruleid: ssrf
    public void HttpClientAsync(string host)
    {
        HttpClient client = new HttpClient();
        try
        {
            // `host` is the parameter the rule binds as $X; nothing checks its
            // scheme or destination before the request is issued.
            HttpResponseMessage response = client.GetAsync(host).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    // Concatenation with a constant still matches via the `<... $X ...>` wrapper.
    // ruleid: ssrf
    public void HttpClientAsync2(string host)
    {
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetAsync(host + "constant").Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    // Negative case: the argument is a literal with no dependency on `host`.
    // ok: ssrf
    public void HttpClientAsync(string host)
    {
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetAsync("constant").Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    #endregion
    #region Pattern 2
    // Pattern 2: `host` goes through one local assignment (`$A $B = <... $X ...>`)
    // before reaching GetAsync. A second hop would not be matched by the rule.
    // ruleid: ssrf
    public void HttpClientAsyncWithStringConcatenation(string host)
    {
        string uri = host + "constant";
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetAsync(uri).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    // Negative case: the local is initialised from a literal only.
    // ok: ssrf
    public void HttpClientAsyncWithStringConcatenation(string host)
    {
        string uri = "constant";
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetAsync(uri).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    // Wrapping in `new Uri(host)` parses the value but does not restrict where it
    // points, so the rule still reports it ($A binds to Uri here).
    // ruleid: ssrf
    public void HttpClientAsyncWithUri(string host)
    {
        Uri uri = new Uri(host);
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetAsync(uri).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    // Negative case: matching is purely syntactic, so the literal only has to be
    // independent of `host`; it need not be a valid absolute URI at runtime.
    // ok: ssrf
    public void HttpClientAsyncWithUri(string host)
    {
        Uri uri = new Uri("constant");
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetAsync(uri).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    #endregion
    #region Pattern 3
    // Pattern 3: same as Pattern 1 with GetStringAsync as the sink.
    // ruleid: ssrf
    public void HttpClientStringAsync(string host)
    {
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetStringAsync(host).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    // ok: ssrf
    public void HttpClientStringAsync(string host)
    {
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetStringAsync("constant").Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    #endregion
    #region Pattern 4
    // Pattern 4: same as Pattern 2 (one intermediate local) with GetStringAsync
    // as the sink.
    // ruleid: ssrf
    public void HttpClientStringAsyncWithStringConcatenation(string host)
    {
        string uri = host + "constant";
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetStringAsync(uri).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    // ok: ssrf
    public void HttpClientStringAsyncWithStringConcatenation(string host)
    {
        string uri = "constant";
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetStringAsync(uri).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    // ruleid: ssrf
    public void HttpClientStringAsyncWithUri(string host)
    {
        Uri uri = new Uri(host);
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetStringAsync(uri).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    // ok: ssrf
    public void HttpClientStringAsyncWithUri(string host)
    {
        Uri uri = new Uri("constant");
        HttpClient client = new HttpClient();
        try
        {
            HttpResponseMessage response = client.GetStringAsync(uri).Result;
        }
        catch (Exception e)
        {
            System.Diagnostics.Debug.WriteLine(e);
        }
    }
    #endregion
}
}