csharp.lang.security.ssrf.rest-client.ssrf
SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
Definition
rules:
  - id: ssrf
    severity: ERROR
    languages:
      - csharp
    metadata:
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - .net
      # Audit-grade rule: the only evidence it uses is that a method parameter
      # reaches the RestClient base URL. There is no taint tracking from an
      # actual HTTP/user input source, hence confidence and likelihood LOW and
      # the `audit` subcategory. Expect findings on parameters that callers only
      # ever pass constants or allow-listed values to; triage them by checking
      # who controls the argument.
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    message: SSRF is an attack vector that abuses an application to interact with
      the internal/external network or the machine itself.
    patterns:
      # Only files that import RestSharp are considered, so a `RestClient` type
      # from some other namespace is not matched.
      - pattern-inside: |
          using RestSharp;
          ...
      - pattern-either:
          # Pattern 1: a parameter $X of the enclosing method appears, possibly
          # nested inside a larger expression (e.g. `new Uri($X + "...")`),
          # directly in the RestClient constructor argument.
          - pattern: |
              $T $F(..., $X, ...)
              {
                ...
                ... new RestClient(<... $X ...>);
              }
          # Pattern 2: a single local $B is assigned from an expression that
          # contains $X and is later passed to the constructor. Only this one
          # assignment hop is followed; a value that goes through a second local,
          # a field, or a helper method's return value is not reported.
          - pattern: |
              $T $F(..., $X, ...)
              {
                ...
                $A $B = <... $X ...>;
                ...
                ... new RestClient($B);
              }
Examples
rest-client.cs
using RestSharp;
namespace ServerSideRequestForgery
{
    // Semgrep test fixture for the `ssrf` rule: every method annotated
    // `// ruleid: ssrf` is expected to be reported and every method annotated
    // `// ok: ssrf` is expected to stay silent. The annotation comment must
    // remain on the line directly above the method signature, which is where
    // the rule's match begins.
    //
    // The file is a fixture, not compilable code: `result` is never declared,
    // each method name is defined twice (flagged and non-flagged variant), and
    // `Exception` is used without `using System;`.
    public class Ssrf
    {
        #region Pattern 1
        // Flagged: the `host` parameter is passed straight into the RestClient
        // constructor, so whoever supplies `host` decides where the outbound
        // request goes (rule pattern 1, `new RestClient(<... $X ...>)`).
        // ruleid: ssrf
        public void RestClientGet(string host)
        {
            try
            {
                RestClient client = new RestClient(host);
                var request = new RestRequest("/");
                var response = client.Get(request);
                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }
        // Not flagged: the base URL is a string literal and `host` is never
        // used, so no parameter reaches the constructor.
        // ok: ssrf
        public void RestClientGet(string host)
        {
            try
            {
                RestClient client = new RestClient("constant");
                var request = new RestRequest("/");
                var response = client.Get(request);
                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }
        #endregion
        #region Pattern 2
        // Flagged: `host` flows into the local `uri` by concatenation and `uri`
        // is then handed to the constructor (rule pattern 2, one assignment
        // hop). Appending a constant suffix does not constrain the target host.
        // ruleid: ssrf
        public void RestClientGetWithStringConcatenation(string host)
        {
            string uri = host + "constant";
            try
            {
                RestClient client = new RestClient(uri);
                var request = new RestRequest("/");
                var response = client.Get(request);
                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }
        // Not flagged: `uri` is assigned only a literal; `host` is unused.
        // ok: ssrf
        public void RestClientGetWithStringConcatenation(string host)
        {
            string uri = "constant";
            try
            {
                RestClient client = new RestClient(uri);
                var request = new RestRequest("/");
                var response = client.Get(request);
                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }
        // Flagged: wrapping the concatenation in `new Uri(...)` does not change
        // the verdict; the local `uri` still derives from `host`, and the rule's
        // `<... $X ...>` matches `host` nested inside the `new Uri` expression.
        // ruleid: ssrf
        public void RestClientGetWithUri(string host)
        {
            Uri uri = new Uri(host + "constant");
            try
            {
                RestClient client = new RestClient(uri);
                var request = new RestRequest("/");
                var response = client.Get(request);
                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }
        // Not flagged: `new Uri("constant")` takes no parameter input.
        // ok: ssrf
        public void RestClientGetWithUri(string host)
        {
            Uri uri = new Uri("constant");
            try
            {
                RestClient client = new RestClient(uri);
                var request = new RestRequest("/");
                var response = client.Get(request);
                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }
        #endregion
    }
}