-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathTaintedWebClient.qhelp
More file actions
58 lines (48 loc) · 2.11 KB
/
TaintedWebClient.qhelp
File metadata and controls
58 lines (48 loc) · 2.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>The WebClient class provides a variety of methods for data transmission and
communication with a particular URI. Despite of the class' naming convention,
the URI scheme can also identify local resources, not only remote ones. Tainted
by user-supplied input, the URI can be leveraged to access resources available
on the local file system, therefore leading to the disclosure of sensitive
information. This can be trivially achieved by supplying path traversal
sequences (../) followed by an existing directory or file path.</p>
<p>Sanitization of user-supplied URI values using the
<code>StartsWith("https://")</code> method is deemed insufficient in preventing
arbitrary file reads. This is due to the fact that .NET ignores the protocol
handler (https in this case) in URIs like the following:
"https://../../../../etc/passwd".</p>
</overview>
<recommendation>
<p>Validate user input before using it to ensure that is a URI of an external
resource and not a local one.
Potential solutions:</p>
<ul>
<li>Sanitize potentially tainted paths using
<code>System.Uri.IsWellFormedUriString</code>.</li>
</ul>
</recommendation>
<example>
<p>In the first example, a domain name is read from a <code>HttpRequest</code>
and then this domain is requested using the method <code>DownloadString</code>.
However, a malicious user could enter a local path - for example,
"../../../etc/passwd" instead of a domain.
In the second example, it appears that the user is restricted to the HTTPS
protocol handler. However, a malicious user could still enter a local path,
since as explained above the protocol handler will be ignored by .net. For
example, the string "https://../../../etc/passwd" will result in the code
reading the file located at "/etc/passwd", which is the system's password file.
This file would then be sent back to the user, giving them access to all the
system's passwords.</p>
<sample src="TaintedWebClient.cs" />
</example>
<references>
<li>
OWASP:
<a href="https://owasp.org/www-community/attacks/Path_Traversal">Path Traversal</a>.
</li>
</references>
</qhelp>