csharp.lang.security.ssrf.rest-client.ssrf

Author
unknown

Server-Side Request Forgery (SSRF) is an attack in which the attacker makes the application issue a request on their behalf, so that the server reaches internal or external network hosts, or the machine itself, that the attacker could not reach directly. This rule flags a `RestSharp.RestClient` whose base URL is built from a method parameter.


Definition

rules:
  - id: ssrf
    severity: ERROR
    languages:
      - csharp
    metadata:
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - .net
      # LOW confidence / audit subcategory: the patterns below are purely
      # syntactic (no taint mode, no pattern-not for sanitizers), so any
      # validation of the parameter performed inside the method is not
      # recognized and every finding needs manual review.
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    message: SSRF is an attack vector that abuses an application to interact with
      the internal/external network or the machine itself.
    patterns:
      # Both alternatives only fire in a file that contains `using RestSharp;`;
      # code that fully qualifies `RestSharp.RestClient` without the directive
      # is not covered by this rule.
      - pattern-inside: |
          using RestSharp;
          ...
      - pattern-either:
          # A parameter $X of the enclosing method appears anywhere inside the
          # RestClient constructor argument (deep expression match, one hop).
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              ... new RestClient(<... $X ...>);
              }
          # $X first flows into exactly one local $B that is then passed to the
          # constructor; longer chains of locals (two or more assignments) are
          # not followed and will be missed.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              $A $B = <... $X ...>;
              ...
              ... new RestClient($B);
              }

Examples

rest-client.cs

using System;
using RestSharp;

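namespace ServerSideRequestForgery
{
    /// <summary>
    /// Test fixture for the <c>ssrf</c> Semgrep rule. Each method preceded by
    /// <c>// ruleid: ssrf</c> must be reported; each preceded by
    /// <c>// ok: ssrf</c> must not. The rule is syntactic: it reports a method
    /// whose own parameter reaches the <c>RestClient</c> constructor either
    /// directly or through one intermediate local, so the "ok" variants use a
    /// constant base URL instead. The annotation comment must stay on the line
    /// immediately before the method signature.
    /// </summary>
    public class Ssrf
    {
        // Holds the last response body; declared so the fixture is also valid
        // C# (the original left it undeclared). Method names are unique for the
        // same reason: C# rejects two members with an identical signature.
        private string result;

        #region Pattern 1
        // The parameter is used verbatim as the client base URL: whoever
        // controls `host` chooses the target of the server-side request.
        // ruleid: ssrf
        public void RestClientGet(string host)
        {
            try
            {
                RestClient client = new RestClient(host);

                var request = new RestRequest("/");
                var response = client.Get(request);

                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // The base URL is a literal; the parameter never reaches the client.
        // ok: ssrf
        public void RestClientGetConstantHost(string host)
        {
            try
            {
                RestClient client = new RestClient("constant");

                var request = new RestRequest("/");
                var response = client.Get(request);

                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        #endregion

        #region Pattern 2
        // One-hop flow through a local string built from the parameter; the
        // appended constant does not constrain the host or scheme.
        // ruleid: ssrf
        public void RestClientGetWithStringConcatenation(string host)
        {
            string uri = host + "constant";

            try
            {
                RestClient client = new RestClient(uri);

                var request = new RestRequest("/");
                var response = client.Get(request);

                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // The local passed to the client is a literal, independent of `host`.
        // ok: ssrf
        public void RestClientGetWithConstantString(string host)
        {
            string uri = "constant";

            try
            {
                RestClient client = new RestClient(uri);

                var request = new RestRequest("/");
                var response = client.Get(request);

                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Same one-hop flow, but wrapped in a System.Uri; wrapping does not
        // validate the host, so it is still reported.
        // ruleid: ssrf
        public void RestClientGetWithUri(string host)
        {
            Uri uri = new Uri(host + "constant");

            try
            {
                RestClient client = new RestClient(uri);

                var request = new RestRequest("/");
                var response = client.Get(request);

                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // The Uri is built from a literal only, so there is no flow from `host`.
        // ok: ssrf
        public void RestClientGetWithConstantUri(string host)
        {
            Uri uri = new Uri("constant");

            try
            {
                RestClient client = new RestClient(uri);

                var request = new RestRequest("/");
                var response = client.Get(request);

                result = response.Content;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        #endregion
    }
}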