csharp.lang.security.ssrf.http-client.ssrf

SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.

Definition

# Audit-level rule (confidence: LOW): reports a method whose parameter $X reaches
# HttpClient.GetAsync / HttpClient.GetStringAsync, either directly or through one
# local assignment. Any method parameter is treated as a source and no
# validation/allow-list check is recognised, so every hit needs manual triage.
rules:
  - id: ssrf
    severity: ERROR
    languages:
      - csharp
    metadata:
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    message: SSRF is an attack vector that abuses an application to interact with
      the internal/external network or the machine itself.
    patterns:
      # Scope: only files that contain a literal `using System.Net.Http;` directive.
      # NOTE(review): files that name the type fully-qualified or rely on a
      # global/implicit using are presumably not in scope — verify before relying
      # on this rule for coverage.
      - pattern-inside: |
          using System.Net.Http;
          ...
      # Every alternative requires the client to be declared exactly as
      # `HttpClient $Y = new HttpClient();` inside the same method, and only the
      # GetAsync / GetStringAsync entry points are listed. Other request methods
      # (PostAsync, SendAsync, GetStreamAsync, GetByteArrayAsync) are not covered;
      # `var`-declared, `using var`, field-held or injected clients are likely not
      # matched either — TODO confirm and extend if broader coverage is wanted.
      - pattern-either:
          # Case 1: parameter $X appears (possibly inside a larger expression such
          # as a concatenation) directly in the GetAsync argument.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              HttpClient $Y = new HttpClient();
              ...
              ... $Y.GetAsync(<... $X ...>, ...);
              }
          # Case 2: $X is first stored in a local $B (e.g. `host + "..."` or
          # `new Uri(host)`) and $B is the GetAsync argument. Only one hop is
          # tracked; a second intermediate local is not followed.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              $A $B = <... $X ...>;
              ...
              HttpClient $Y = new HttpClient();
              ...
              ... $Y.GetAsync($B, ...);
              }
          # Case 3: same as case 1 for GetStringAsync.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              HttpClient $Y = new HttpClient();
              ...
              ... $Y.GetStringAsync(<... $X ...>);
              }
          # Case 4: same as case 2 for GetStringAsync.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              $A $B = <... $X ...>;
              ...
              HttpClient $Y = new HttpClient();
              ...
              ... $Y.GetStringAsync($B);
              }

Examples

http-client.cs

using System.Net.Http;

namespace ServerSideRequestForgery
{
    // Semgrep test fixture for the `ssrf` rule. Each `// ruleid: ssrf` line sits directly
    // above a method the rule must report and each `// ok: ssrf` above one it must not;
    // the #region names correspond to the four alternatives of the rule's pattern-either.
    // The code is shaped to mirror those patterns rather than to build: method names are
    // reused within the class, `Exception` and `Uri` are used without `using System;`, and
    // GetStringAsync returns Task<string>, which is assigned to an HttpResponseMessage below.
    // Every request uses `.Result` (sync-over-async); the rule ignores that and looks only
    // at whether the `host` parameter reaches the request URI.
    public class Ssrf
    {
        #region Pattern 1
        // Reported: the `host` parameter is the GetAsync argument itself.
        // ruleid: ssrf
        public void HttpClientAsync(string host)
        {
            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetAsync(host).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Reported: `host` is embedded in a larger expression; the rule's
        // `<... $X ...>` deep-expression operator still finds it.
        // ruleid: ssrf
        public void HttpClientAsync2(string host)
        {
            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetAsync(host + "constant").Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Not reported: the request target is a literal; no parameter flows into it.
        // ok: ssrf
        public void HttpClientAsync(string host)
        {
            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetAsync("constant").Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        #endregion

        #region Pattern 2
        // Reported: `host` is copied into the local `uri` via concatenation and the
        // local is passed to GetAsync (the rule's one-hop `$A $B = <... $X ...>;` case).
        // ruleid: ssrf
        public void HttpClientAsyncWithStringConcatenation(string host)
        {
            string uri = host + "constant";

            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetAsync(uri).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Not reported: the local is a literal, unrelated to `host`.
        // ok: ssrf
        public void HttpClientAsyncWithStringConcatenation(string host)
        {
            string uri = "constant";

            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetAsync(uri).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Reported: wrapping `host` in a Uri does not change the outcome; the local
        // still derives from the parameter and reaches GetAsync.
        // ruleid: ssrf
        public void HttpClientAsyncWithUri(string host)
        {
            Uri uri = new Uri(host);

            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetAsync(uri).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Not reported: the Uri is built from a literal.
        // ok: ssrf
        public void HttpClientAsyncWithUri(string host)
        {
            Uri uri = new Uri("constant");

            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetAsync(uri).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        #endregion

        #region Pattern 3
        // Reported: `host` is passed directly to GetStringAsync.
        // ruleid: ssrf
        public void HttpClientStringAsync(string host)
        {
            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetStringAsync(host).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Not reported: literal target.
        // ok: ssrf
        public void HttpClientStringAsync(string host)
        {
            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetStringAsync("constant").Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        #endregion

        #region Pattern 4
        // Reported: one-hop flow through a concatenated local into GetStringAsync.
        // ruleid: ssrf
        public void HttpClientStringAsyncWithStringConcatenation(string host)
        {
            string uri = host + "constant";

            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetStringAsync(uri).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Not reported: the local is a literal.
        // ok: ssrf
        public void HttpClientStringAsyncWithStringConcatenation(string host)
        {
            string uri = "constant";

            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetStringAsync(uri).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Reported: one-hop flow through a Uri local into GetStringAsync.
        // ruleid: ssrf
        public void HttpClientStringAsyncWithUri(string host)
        {
            Uri uri = new Uri(host);

            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetStringAsync(uri).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Not reported: the Uri is built from a literal.
        // ok: ssrf
        public void HttpClientStringAsyncWithUri(string host)
        {
            Uri uri = new Uri("constant");

            HttpClient client = new HttpClient();

            try
            {
                HttpResponseMessage response = client.GetStringAsync(uri).Result;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        #endregion
    }
}