csharp.lang.security.ssrf.web-request.ssrf
semgrep
Author: unknown
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (the application can send requests only to identified and trusted applications, or the application can send requests to ANY external IP address or domain name).
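The two fix options named in that description look different in code. The class below is an added example written for this page, not code from the Semgrep rule or its test file: `CreateForKnownService` implements the "identified and trusted applications" option (the caller names a service, the URL never comes from input), and `CreateForExternalUrl` implements the "ANY external destination" option with scheme, credential and address checks. The service names and hosts in `KnownServices` are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;

namespace Ssrf
{
    // Added example: two ways to keep an outbound request on the intended destination.
    public static class SafeWebRequest
    {
        // Option 1: the client names a trusted service; the URL itself is never taken from input.
        // Service names and hosts below are hypothetical placeholders.
        private static readonly IReadOnlyDictionary<string, Uri> KnownServices =
            new Dictionary<string, Uri>(StringComparer.OrdinalIgnoreCase)
            {
                ["inventory"] = new Uri("https://inventory.internal.example/api/"),
                ["billing"] = new Uri("https://billing.internal.example/api/"),
            };

        public static WebRequest CreateForKnownService(string serviceName, string relativePath)
        {
            if (!KnownServices.TryGetValue(serviceName, out Uri baseUri))
                throw new ArgumentException("Unknown service name.", nameof(serviceName));

            // The relative path must not be able to replace the host or climb out of the base path.
            Uri target = new Uri(baseUri, relativePath ?? string.Empty);
            if (target.Scheme != baseUri.Scheme || target.Host != baseUri.Host || target.Port != baseUri.Port
                || !target.AbsolutePath.StartsWith(baseUri.AbsolutePath, StringComparison.Ordinal))
                throw new ArgumentException("Path leaves the trusted service.", nameof(relativePath));

            return WebRequest.Create(target);
        }

        // Option 2: any external destination is allowed, but only over http(s) and only to
        // publicly routable addresses. Every resolved address is checked, not just the first.
        public static WebRequest CreateForExternalUrl(string userSuppliedUrl)
        {
            if (!Uri.TryCreate(userSuppliedUrl, UriKind.Absolute, out Uri uri))
                throw new ArgumentException("Not an absolute URL.", nameof(userSuppliedUrl));
            if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
                throw new ArgumentException("Only http and https are allowed.", nameof(userSuppliedUrl));
            if (!string.IsNullOrEmpty(uri.UserInfo))
                throw new ArgumentException("Credentials in the URL are not allowed.", nameof(userSuppliedUrl));

            foreach (IPAddress address in Dns.GetHostAddresses(uri.DnsSafeHost))
            {
                if (!IsPublicAddress(address))
                    throw new ArgumentException("Destination resolves to a non-public address.", nameof(userSuppliedUrl));
            }

            // Caveat: the name is resolved again when the connection opens, so a DNS answer that
            // changes between this check and the connect (rebinding) is not covered here; pin the
            // resolved address at the connection layer if that matters for your deployment.
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);
            request.AllowAutoRedirect = false; // a redirect would bypass the checks above
            return request;
        }

        // True only for addresses outside loopback, private, link-local, multicast and reserved ranges.
        public static bool IsPublicAddress(IPAddress ip)
        {
            if (ip.IsIPv4MappedToIPv6)
                ip = ip.MapToIPv4();
            if (IPAddress.IsLoopback(ip) || ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal || ip.IsIPv6Multicast
                || ip.Equals(IPAddress.Any) || ip.Equals(IPAddress.IPv6Any))
                return false;

            byte[] b = ip.GetAddressBytes();
            if (ip.AddressFamily == AddressFamily.InterNetwork)
            {
                return !(b[0] == 0                               // 0.0.0.0/8
                      || b[0] == 10                              // 10.0.0.0/8
                      || b[0] == 127                             // 127.0.0.0/8
                      || (b[0] == 100 && (b[1] & 0xC0) == 64)    // 100.64.0.0/10 (carrier NAT)
                      || (b[0] == 169 && b[1] == 254)            // 169.254.0.0/16 link-local
                      || (b[0] == 172 && (b[1] & 0xF0) == 16)    // 172.16.0.0/12
                      || (b[0] == 192 && b[1] == 168)            // 192.168.0.0/16
                      || b[0] >= 224);                           // multicast and reserved
            }
            if (ip.AddressFamily == AddressFamily.InterNetworkV6)
            {
                return (b[0] & 0xFE) != 0xFC;                    // fc00::/7 unique local
            }
            return false;                                        // unknown address family: deny
        }
    }
}
```

Note that this rule will still report `CreateForExternalUrl`: the parameter reaches `WebRequest.Create` through `uri`, which is exactly the second pattern below, and the rule has no way to see the validation in between. That is what its LOW confidence and `audit` subcategory mean: the finding marks a place to review, and once the checks are confirmed the exception is documented rather than the call rewritten. `CreateForKnownService` is not reported, because the request is built from a constant table entry. On .NET 6 and later `WebRequest.Create` is marked obsolete in favour of `HttpClient`; the same checks belong in front of that call.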
Definition
rules:
  - id: ssrf
    severity: ERROR
    languages:
      - csharp
    metadata:
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      references:
        - https://cwe.mitre.org/data/definitions/918.html
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Server-Side Request Forgery (SSRF)
    message: The web server receives a URL or similar request from an upstream
      component and retrieves the contents of this URL, but it does not
      sufficiently ensure that the request is being sent to the expected
      destination. Many different options exist to fix this issue depending the
      use case (Application can send request only to identified and trusted
      applications, Application can send requests to ANY external IP address or
      domain name).
    patterns:
      - pattern-inside: |
          using System.Net;
          ...
      - pattern-either:
          - pattern: |
              $T $F(..., $X, ...)
              {
                ...
                ... WebRequest.Create(<... $X ...>);
              }
          - pattern: |
              $T $F($X)
              {
                ...
                $A $B = <... $X ...>;
                ...
                ... WebRequest.Create($B);
              }
          - pattern: |
              $T $F($X)
              {
                ...
                $A $B = <... $X ...>;
                ...
                $C $D = <... $B ...>;
                ...
                ... WebRequest.Create($D);
              }
Examples
web-request.cs
using System;
using System.Net;

namespace Ssrf
{
    public class Ssrf
    {
        #region Pattern 1
        // The parameter flows straight into WebRequest.Create.
        // ruleid: ssrf
        public void WebRequestFromParameter(string host)
        {
            try
            {
                WebRequest webRequest = WebRequest.Create(host);
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // The destination is a constant; the parameter never reaches the request.
        // ok: ssrf
        public void WebRequestWithConstant(string host)
        {
            try
            {
                WebRequest webRequest = WebRequest.Create("constant");
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }
        #endregion

        #region Pattern 2
        // One intermediate variable derived from the parameter.
        // ruleid: ssrf
        public void WebRequestWithStringConcatenation(string host)
        {
            String baseUrl = "constant" + host;
            WebRequest webRequest = WebRequest.Create(baseUrl);
        }

        // ok: ssrf
        public void WebRequestWithConstantString(string host)
        {
            String baseUrl = "constant";
            WebRequest webRequest = WebRequest.Create(baseUrl);
        }

        // Wrapping the parameter in a Uri is still one derivation step.
        // ruleid: ssrf
        public void WebRequestWithUri(string host)
        {
            Uri uri = new Uri(host);
            WebRequest webRequest = WebRequest.Create(uri);
        }

        // ok: ssrf
        public void WebRequestWithConstantUri(string host)
        {
            Uri uri = new Uri("constant");
            WebRequest webRequest = WebRequest.Create(uri);
        }
        #endregion

        #region Pattern 3
        // Two intermediate variables: string built from the parameter, then a Uri from the string.
        // ruleid: ssrf
        public void WebRequestStringToUri(string host)
        {
            String baseUrl = "constant" + host;
            Uri uri = new Uri(baseUrl);
            WebRequest webRequest = WebRequest.Create(uri);
        }

        // ok: ssrf
        public void WebRequestConstantStringToUri(string host)
        {
            String baseUrl = "constant" + "constant";
            Uri uri = new Uri(baseUrl);
            WebRequest webRequest = WebRequest.Create(uri);
        }
        #endregion
    }
}
Short Link: https://sg.run/5DWj