csharp.lang.security.ssrf.web-client.ssrf
SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
Definition
rules:
# Audit-level (confidence: LOW) SSRF check for System.Net.WebClient. It reports a
# method whose own parameter ($X) reaches OpenRead / OpenReadAsync /
# DownloadString, either directly (anywhere inside the argument expression) or
# through exactly one intermediate local ($B). The match is purely syntactic:
# the `...` between the declaration and the call accepts any statements, so a
# parameter that is validated before the call still matches, while a value that
# appears to flow through two locals, a field or another method is not matched.
- id: ssrf
  severity: ERROR
  languages:
  - csharp
  metadata:
    cwe:
    - "CWE-918: Server-Side Request Forgery (SSRF)"
    owasp:
    - A10:2021 - Server-Side Request Forgery (SSRF)
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
    category: security
    technology:
    - .net
    confidence: LOW
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Server-Side Request Forgery (SSRF)
  message: SSRF is an attack vector that abuses an application to interact with
    the internal/external network or the machine itself.
  patterns:
  # Only files that import System.Net (the namespace of WebClient) are scanned.
  - pattern-inside: |
      using System.Net;
      ...
  - pattern-either:
    # Pattern 1: parameter $X appears inside the argument of OpenRead.
    - pattern: |
        $T $F(..., $X, ...)
        {
        ...
        WebClient $Y = new WebClient();
        ...
        ... $Y.OpenRead(<... $X ...>);
        }
    # Pattern 2: $X is first stored in a local $B, which is passed to OpenRead.
    - pattern: |
        $T $F(..., $X, ...)
        {
        ...
        $A $B = <... $X ...>;
        ...
        WebClient $Y = new WebClient();
        ...
        ... $Y.OpenRead($B);
        }
    # Pattern 3: as Pattern 1, for OpenReadAsync (trailing arguments ignored).
    - pattern: |
        $T $F(..., $X, ...)
        {
        ...
        WebClient $Y = new WebClient();
        ...
        ... $Y.OpenReadAsync(<... $X ...>, ...);
        }
    # Pattern 4: as Pattern 2, for OpenReadAsync.
    - pattern: |
        $T $F(..., $X, ...)
        {
        ...
        $A $B = <... $X ...>;
        ...
        WebClient $Y = new WebClient();
        ...
        ... $Y.OpenReadAsync($B, ...);
        }
    # Pattern 5: as Pattern 1, for DownloadString.
    - pattern: |
        $T $F(..., $X, ...)
        {
        ...
        WebClient $Y = new WebClient();
        ...
        ... $Y.DownloadString(<... $X ...>);
        }
    # Pattern 6: as Pattern 2, for DownloadString.
    - pattern: |
        $T $F(..., $X, ...)
        {
        ...
        $A $B = <... $X ...>;
        ...
        WebClient $Y = new WebClient();
        ...
        ... $Y.DownloadString($B);
        }
Examples
web-client.cs
using System.Net;
// Semgrep test fixture for the `ssrf` rule. `// ruleid: ssrf` marks a method
// the rule must report and `// ok: ssrf` one it must not, so those annotation
// lines stay directly above the method signatures. The code only needs to
// parse: several methods share a name, and some assignments would not
// type-check in real .NET (see the NOTE(review) comments below).
namespace ServerSideRequestForgery
{
    // Each #region mirrors one alternative of the rule's pattern-either, in
    // order: the method's own parameter reaches OpenRead (1), OpenReadAsync (3)
    // or DownloadString (5) directly or inside an expression, or through one
    // intermediate local (2, 4, 6). The "ok" variants fetch a literal, so no
    // parameter flows into the request and the rule must stay silent. The rule
    // is syntactic (no taint tracking): validating the parameter before the
    // call does not stop it from matching, which is why it is audit-level /
    // confidence LOW; the referenced OWASP cheat sheet covers the actual
    // remediation (restricting the destination rather than passing it through).
    public class Ssrf
    {
        #region Pattern 1
        // `host` goes straight into OpenRead: matches `$Y.OpenRead(<... $X ...>)`.
        // ruleid: ssrf
        public string WebClient(string host)
        {
            string result = "";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenRead(host);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                // Best-effort fixture: failures are only traced, not surfaced.
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // `host` is buried in a concatenation; the `<... $X ...>` deep
        // expression still finds it.
        // ruleid: ssrf
        public string WebClient2(string host)
        {
            string result = "";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenRead(host + "constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // Literal URL: `host` never reaches the request.
        // ok: ssrf
        public string WebClient(string host)
        {
            string result = "";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenRead("constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        #endregion
        #region Pattern 2
        // `host` is stored in the local `uri` first, then `uri` is passed:
        // matches `$A $B = <... $X ...>; ... $Y.OpenRead($B);`.
        // ruleid: ssrf
        public string WebClientStringConcatenation(string host)
        {
            string result = "";
            string uri = "constant" + host;
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // The local is a literal, so `host` does not flow into it.
        // ok: ssrf
        public string WebClientStringConcatenation(string host)
        {
            string result = "";
            string uri = "constant";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // Wrapping `host` in `new Uri(...)` is still `<... $X ...>`.
        // ruleid: ssrf
        public string WebClientWithUri(string host)
        {
            string result = "";
            Uri uri = new Uri(host);
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // ruleid: ssrf
        public string WebClientWithUri2(string host)
        {
            string result = "";
            Uri uri = new Uri(host + "constant");
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // ok: ssrf
        public string WebClientWithUri(string host)
        {
            string result = "";
            Uri uri = new Uri("constant");
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        #endregion
        #region Pattern 3
        // NOTE(review): WebClient.OpenReadAsync is the event-based overload
        // and returns void in .NET, so assigning its result to a Stream would
        // not compile; the fixture only needs the call shape for the rule.
        // ruleid: ssrf
        public string WebClientAsync(Uri host)
        {
            string result = "";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenReadAsync(host);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // NOTE(review): `reader` is never declared in this method (the
        // StreamReader line present in the sibling methods is missing); the
        // rule match does not depend on it.
        // ruleid: ssrf
        public string WebClientAsync2(Uri host)
        {
            string result = "";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenReadAsync(host + "constant");
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // ok: ssrf
        public string WebClientAsync(Uri host)
        {
            string result = "";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenReadAsync("constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        #endregion
        #region Pattern 4
        // `host` reaches OpenReadAsync through the local `uri`.
        // ruleid: ssrf
        public string WebClientAsyncWithUri(string host)
        {
            string result = "";
            Uri uri = new Uri(host + "constant");
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenReadAsync(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // ok: ssrf
        public string WebClientAsyncWithUri(string host)
        {
            string result = "";
            Uri uri = new Uri("constant");
            try
            {
                WebClient client = new WebClient();
                Stream data = client.OpenReadAsync(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        #endregion
        #region Pattern 5
        // NOTE(review): DownloadString returns a string, not a Stream, so the
        // `Stream data = ...` lines in this region and the next would not
        // compile; again only the call shape matters to the rule.
        // ruleid: ssrf
        public string WebClientDownloadString(string host)
        {
            string result = "";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.DownloadString(host);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // ruleid: ssrf
        public string WebClientDownloadString2(string host)
        {
            string result = "";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.DownloadString(host + "constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // ok: ssrf
        public string WebClientDownloadString(string host)
        {
            string result = "";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.DownloadString("constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        #endregion
        #region Pattern 6
        // `host` reaches DownloadString through the local `uri`.
        // ruleid: ssrf
        public string WebClientDownloadStringStringConcatenation(string host)
        {
            string result = "";
            string uri = "constant" + host;
            try
            {
                WebClient client = new WebClient();
                Stream data = client.DownloadString(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // ok: ssrf
        public string WebClientDownloadStringStringConcatenation(string host)
        {
            string result = "";
            string uri = "constant";
            try
            {
                WebClient client = new WebClient();
                Stream data = client.DownloadString(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // ruleid: ssrf
        public string WebClientDownloadStringWithUri(string host)
        {
            string result = "";
            Uri uri = new Uri(host + "constant");
            try
            {
                WebClient client = new WebClient();
                Stream data = client.DownloadString(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        // ok: ssrf
        public string WebClientDownloadStringWithUri(string host)
        {
            string result = "";
            Uri uri = new Uri("constant");
            try
            {
                WebClient client = new WebClient();
                Stream data = client.DownloadString(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
            return result;
        }
        #endregion
    }
}