csharp.lang.security.ssrf.web-request.ssrf


The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (e.g. the application may only be allowed to send requests to identified and trusted applications, or it may be allowed to send requests to ANY external IP address or domain name).


Definition

# Semgrep rule: reports WebRequest.Create calls whose argument is derived from a
# function parameter, i.e. a request destination that the caller may control.
rules:
  - id: ssrf
    severity: ERROR
    languages:
      - csharp
    metadata:
      cwe:
        - "CWE-918: Server-Side Request Forgery (SSRF)"
      owasp:
        - A10:2021 - Server-Side Request Forgery (SSRF)
      references:
        - https://cwe.mitre.org/data/definitions/918.html
        - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - .net
      # LOW confidence / audit subcategory: the patterns below are purely
      # syntactic (no taint mode, no pattern-not or sanitizer clauses), so a
      # hit means "parameter reaches WebRequest.Create", not "unvalidated".
      # Findings need manual triage rather than automatic blocking.
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    # NOTE(review): "depending the use case" should read "depending on the use case".
    message: The web server receives a URL or similar request from an upstream
      component and retrieves the contents of this URL, but it does not
      sufficiently ensure that the request is being sent to the expected
      destination. Many different options exist to fix this issue depending the
      use case (Application can send request only to identified and trusted
      applications, Application can send requests to ANY external IP address or
      domain name).
    patterns:
      # Only code that appears after a `using System.Net;` directive is
      # considered; the trailing `...` lets any amount of code follow it.
      - pattern-inside: |
          using System.Net;
          ...
      - pattern-either:
          # Direct flow: a parameter $X, in any position, is used (possibly
          # inside a larger expression) as the argument of WebRequest.Create.
          - pattern: |
              $T $F(..., $X, ...)
              {
              ...
              ... WebRequest.Create(<... $X ...>);
              }
          # One hop: $X is first assigned (possibly wrapped, e.g. concatenated
          # or passed to a constructor) to local $B, and $B reaches Create.
          # NOTE(review): unlike the direct case this shape only matches a
          # single-parameter function `$F($X)`; a second parameter prevents a match.
          - pattern: |
              $T $F($X)
              {
              ...
              $A $B = <... $X ...>;
              ...
              ... WebRequest.Create($B);
              }
          # Two hops: $X -> $B -> $D -> WebRequest.Create, with the same
          # single-parameter restriction as above. Because `...` matches any
          # intervening statements, a validation step placed between the
          # assignments does not by itself suppress the finding.
          - pattern: |
              $T $F($X)
              {
              ...
              $A $B = <... $X ...>;
              ...
              $C $D = <... $B ...>;
              ...
              ... WebRequest.Create($D);
              }

Examples

web-request.cs

using System.Net.WebRequest;
using System.Uri;

namespace Ssrf
{
    /// <summary>
    /// Semgrep test fixture for the <c>ssrf</c> rule. Every method is preceded by
    /// a <c>ruleid</c> annotation (the rule is expected to report the following
    /// declaration) or an <c>ok</c> annotation (the rule must stay silent). The
    /// three regions mirror the rule's three pattern shapes: the parameter reaches
    /// <c>WebRequest.Create</c> directly, via one intermediate local, or via two.
    /// The duplicated method signatures and the stray <c>;;</c> below would not
    /// compile; that is acceptable here because the fixture is only matched by
    /// Semgrep, never built.
    /// NOTE(review): the rule's pattern-inside requires <c>using System.Net;</c>,
    /// while this file's directives name <c>System.Net.WebRequest</c> and
    /// <c>System.Uri</c> instead; confirm the fixture still satisfies it.
    /// </summary>
    public class Ssrf
    {
        #region Pattern 1
        // Direct flow: the caller-supplied host is the Create argument, so the
        // request destination is entirely caller-controlled.
        // ruleid: ssrf
        public void WebRequest(string host)
        {
            try
            {
                WebRequest webRequest = WebRequest.Create(host);;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        // Same shape, but the destination is a literal and host is never used:
        // the rule must not report this.
        // ok: ssrf
        public void WebRequest(string host)
        {
            try
            {
                WebRequest webRequest = WebRequest.Create("constant");;
            }
            catch (Exception e)
            {
                System.Diagnostics.Debug.WriteLine(e);
            }
        }

        #endregion

        #region Pattern 2

        // One hop: a constant prefix is concatenated with host before Create.
        // The prefix does not pin the destination; host still controls the rest.
        // ruleid: ssrf
        public void WebRequestWithStringConcatenation(string host)
        {

            String baseUrl = "constant" + host;

            WebRequest webRequest = WebRequest.Create(baseUrl);
        }

        // One hop through a purely constant local: host is unused, no report.
        // ok: ssrf
        public void WebRequestWithStringConcatenation(string host)
        {
            String baseUrl = "constant";
            WebRequest webRequest = WebRequest.Create(baseUrl);
        }

        // One hop through a Uri: new Uri(host) parses the string but does not
        // restrict where it points, so this still matches the one-hop pattern.
        // ruleid: ssrf
        public void WebRequestWithUri(string host)
        {
            Uri uri = new Uri(host);
            WebRequest webRequest = WebRequest.Create(uri);
        }

        // Uri built from a literal; host is unused, so no report.
        // ok: ssrf
        public void ssrf5(string host)
        {
            Uri uri = new Uri("constant");
            WebRequest webRequest = WebRequest.Create(uri);
        }

        #endregion

        #region Pattern 3

        // Two hops: host -> baseUrl (concatenation) -> uri (new Uri) -> Create.
        // ruleid: ssrf
        public void WebRequestStringToUri(string host)
        {

            String baseUrl = "constant" + host;
            Uri uri = new Uri(baseUrl);

            WebRequest webRequest = WebRequest.Create(uri);
        }

        // Two constant locals and an unused host: no report.
        // NOTE(review): uri is constructed but Create receives baseUrl, so the
        // Uri is unused here; the ruleid counterpart above passes uri. Confirm
        // which shape this negative case is meant to exercise.
        // ok: ssrf
        public void WebRequestStringToUri(string host)
        {
            String baseUrl = "constant" + "constant";
            Uri uri = new Uri(baseUrl);
            WebRequest webRequest = WebRequest.Create(baseUrl);
        }

        #endregion
    }
}