csharp.lang.security.ssrf.web-client.ssrf


SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.


Definition

# Semgrep rule: reports System.Net.WebClient reads whose target expression is
# derived from a parameter of the enclosing method. It is a syntactic,
# audit-level check rather than taint tracking: the only sinks listed are
# OpenRead, OpenReadAsync and DownloadString, and the only source is a method
# parameter. Data read inside the method from a field, property or request
# object is not bound to $X and therefore not reported.
rules:
  - id: ssrf
    severity: ERROR
    languages:
      - csharp
    metadata:
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - .net
      # LOW confidence / audit: every parameter that reaches a listed sink is
      # reported, including one that was already checked against an allow-list,
      # because no pattern-not clause exempts validated values. Findings need
      # manual triage; the mitigation is to resolve the target from a fixed
      # allow-list rather than from caller-supplied data.
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    message: SSRF is an attack vector that abuses an application to interact with
      the internal/external network or the machine itself.
    patterns:
      # Only files containing `using System.Net;` are considered, so a fully
      # qualified System.Net.WebClient without the using directive is skipped.
      - pattern-inside: |
          using System.Net;
          ...
      # Every alternative requires the client to be declared in the same method
      # as `WebClient $Y = new WebClient();`. A client held in a field or obtained
      # from a factory is not matched; whether `var`/`using var` declarations
      # match is not established by this rule text — verify before relying on it.
      - pattern-either:
          # 1: parameter $X, alone or inside a larger expression (<... $X ...>
          # is deep-expression matching), passed straight to OpenRead.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              WebClient $Y = new WebClient();
              ...
              ... $Y.OpenRead(<... $X ...>);
              }
          # 2: $X first flows into a local ($A $B = <... $X ...>;, e.g.
          # `new Uri(host)` or `"constant" + host`) that is then passed by name.
          # Only this one-hop assignment is followed; a second intermediate
          # local is not.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              $A $B = <... $X ...>;
              ...
              WebClient $Y = new WebClient();
              ...
              ... $Y.OpenRead($B);
              }
          # 3: as 1, for OpenReadAsync (trailing arguments are ignored).
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              WebClient $Y = new WebClient();
              ...
              ... $Y.OpenReadAsync(<... $X ...>, ...);
              }
          # 4: as 2, for OpenReadAsync.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              $A $B = <... $X ...>;
              ...
              WebClient $Y = new WebClient();
              ...
              ... $Y.OpenReadAsync($B, ...);
              }
          # 5: as 1, for DownloadString.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              WebClient $Y = new WebClient();
              ...
              ... $Y.DownloadString(<... $X ...>);
              }
          # 6: as 2, for DownloadString. Other WebClient sinks (DownloadData,
          # DownloadFile, UploadString, ...) and HttpClient are not covered.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              $A $B = <... $X ...>;
              ...
              WebClient $Y = new WebClient();
              ...
              ... $Y.DownloadString($B);
              }

Examples

web-client.cs

using System.Net;

namespace ServerSideRequestForgery
{
    // Test fixture for the semgrep rule `ssrf` (System.Net.WebClient sinks).
    // `// ruleid: ssrf` marks a method the rule must report and `// ok: ssrf`
    // one it must not; semgrep's test runner pairs each annotation with the
    // line that follows it, so the annotations stay directly above the method
    // signature (the line the rule reports).
    // The snippets are not meant to compile as a unit: several methods share a
    // signature (three `WebClient(string)` overloads, for instance),
    // `WebClientAsync2` uses an undeclared `reader`, and the real
    // OpenReadAsync/DownloadString return void/string rather than Stream. The
    // rule inspects call shape only, so none of that affects the matches.
    // Region N corresponds to the N-th alternative under the rule's
    // pattern-either. In every method the parameter `host` is the only
    // caller-controlled value; a method is "ok" exactly when the request target
    // is a string literal that `host` never reaches.
    public class Ssrf
    {
        #region Pattern 1
        // Pattern 1: `host` is passed straight to OpenRead — reported.
        // ruleid: ssrf
        public string WebClient(string host)
        {
            string result = "";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenRead(host);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            // Every failure is written to the Debug listener and collapsed into
            // "": a caller cannot distinguish a refused or unreachable target
            // from an empty response body.
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Pattern 1: `host + "constant"` still contains `host`, which the
        // rule's <... $X ...> deep-expression match picks up — reported.
        // ruleid: ssrf
        public string WebClient2(string host)
        {
            string result = "";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenRead(host + "constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Negative case: the target is the literal "constant"; `host` is unused,
        // so nothing caller-controlled reaches the sink — not reported.
        // ok: ssrf
        public string WebClient(string host)
        {
            string result = "";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenRead("constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        #endregion

        #region Pattern 2
        // Pattern 2: `host` flows into the local `uri` ($A $B = <... $X ...>;)
        // which is then passed to OpenRead by name — reported.
        // ruleid: ssrf
        public string WebClientStringConcatenation(string host)
        {
            string result = "";

            string uri = "constant" + host;

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Negative case: `uri` is initialised from a literal only, so the
        // intermediate-local pattern does not bind `host` — not reported.
        // ok: ssrf
        public string WebClientStringConcatenation(string host)
        {
            string result = "";
            string uri = "constant";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Pattern 2: wrapping `host` in `new Uri(...)` is still an expression
        // containing `host`; the Uri overload of OpenRead is matched the same
        // way as the string overload — reported.
        // ruleid: ssrf
        public string WebClientWithUri(string host)
        {
            string result = "";

            Uri uri = new Uri(host);

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Pattern 2: concatenation inside `new Uri(...)` — reported.
        // ruleid: ssrf
        public string WebClientWithUri2(string host)
        {
            string result = "";

            Uri uri = new Uri(host + "constant");

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Negative case: the Uri is built from a literal — not reported.
        // ok: ssrf
        public string WebClientWithUri(string host)
        {
            string result = "";

            Uri uri = new Uri("constant");

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenRead(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        #endregion

        #region Pattern 3

        // Pattern 3: `host` (here already a Uri) passed straight to
        // OpenReadAsync — reported. The `Stream data = ...` assignment is
        // fixture shorthand; it is not how the event-based API is consumed.
        // ruleid: ssrf
        public string WebClientAsync(Uri host)
        {
            string result = "";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenReadAsync(host);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Pattern 3: `host + "constant"` (Uri + string concatenation) —
        // reported. NOTE(review): `reader` is never declared in this method;
        // the fixture only exercises the OpenReadAsync call shape.
        // ruleid: ssrf
        public string WebClientAsync2(Uri host)
        {
            string result = "";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenReadAsync(host + "constant");
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Negative case: literal target, `host` unused — not reported.
        // ok: ssrf
        public string WebClientAsync(Uri host)
        {
            string result = "";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenReadAsync("constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        #endregion

        #region Pattern 4

        // Pattern 4: `host` flows into the local `uri`, which is passed to
        // OpenReadAsync by name — reported.
        // ruleid: ssrf
        public string WebClientAsyncWithUri(string host)
        {
            string result = "";

            Uri uri = new Uri(host + "constant");

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenReadAsync(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Negative case: `uri` built from a literal — not reported.
        // ok: ssrf
        public string WebClientAsyncWithUri(string host)
        {
            string result = "";

            Uri uri = new Uri("constant");

            try
            {
                WebClient client = new WebClient();

                Stream data = client.OpenReadAsync(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        #endregion

        #region Pattern 5
        // Pattern 5: `host` passed straight to DownloadString — reported.
        // (DownloadString returns the body as a string; the Stream/StreamReader
        // lines are fixture boilerplate shared with the other regions.)
        // ruleid: ssrf
        public string WebClientDownloadString(string host)
        {
            string result = "";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.DownloadString(host);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Pattern 5: concatenation containing `host` — reported.
        // ruleid: ssrf
        public string WebClientDownloadString2(string host)
        {
            string result = "";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.DownloadString(host + "constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Negative case: literal target, `host` unused — not reported.
        // ok: ssrf
        public string WebClientDownloadString(string host)
        {
            string result = "";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.DownloadString("constant");
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        #endregion

        #region Pattern 6
        // Pattern 6: `host` flows into the local `uri`, which is passed to
        // DownloadString by name — reported.
        // ruleid: ssrf
        public string WebClientDownloadStringStringConcatenation(string host)
        {
            string result = "";

            string uri = "constant" + host;

            try
            {
                WebClient client = new WebClient();

                Stream data = client.DownloadString(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Negative case: `uri` initialised from a literal only — not reported.
        // ok: ssrf
        public string WebClientDownloadStringStringConcatenation(string host)
        {
            string result = "";
            string uri = "constant";

            try
            {
                WebClient client = new WebClient();

                Stream data = client.DownloadString(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Pattern 6: `new Uri(host + "constant")` stored in a local and passed
        // to DownloadString — reported.
        // ruleid: ssrf
        public string WebClientDownloadStringWithUri(string host)
        {
            string result = "";

            Uri uri = new Uri(host + "constant");

            try
            {
                WebClient client = new WebClient();

                Stream data = client.DownloadString(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        // Negative case: the Uri is built from a literal — not reported.
        // ok: ssrf
        public string WebClientDownloadStringWithUri(string host)
        {
            string result = "";

            Uri uri = new Uri("constant");

            try
            {
                WebClient client = new WebClient();

                Stream data = client.DownloadString(uri);
                StreamReader reader = new StreamReader(data);
                result = reader.ReadToEnd();
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }

            return result;
        }

        #endregion
    }
}