RSPEC-4825

Sending HTTP requests is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Deprecated
    • Resolution: Unresolved
    • Labels:
      None
    • Message:
      Make sure that this http request is sent safely.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Covered Languages:
      C#, Java, JavaScript, PHP, VB.Net
    • Irrelevant for Languages:
      CSS, HTML, XML
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes

      Description

      Sending HTTP requests is security-sensitive. It has led in the past to the following vulnerabilities:

      An HTTP request exposes several kinds of risk:

      • it sends data that might be intercepted in transit, or that the recipient should not receive or could misuse.
      • it receives a response that might have been crafted by an attacker.
      • since each request opens a socket and triggers processing on both the sender and the recipient, an uncontrolled number of requests can exhaust resources on either side.

      This rule flags code that initiates an HTTP request. The goal is to guide security code reviews.

      Ask Yourself Whether

      • the HTTP connection is not encrypted.
      • the recipient is not allowed to receive some of the data you send.
      • the data sent might be dangerous (example: it contains unvalidated user input).
      • an uncontrolled number of requests might be sent. For example, a request might be sent every time a user performs an action, and that action is not rate-limited.

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • First, encrypt every HTTP connection that could be eavesdropped. Use HTTPS whenever possible.
      • Ensure that you control the URIs you send requests to and the number of requests you send. Your software could otherwise be used to attack other services, for example by being pointed at an internal host or made to flood a third party with requests.
      • Avoid sending sensitive information, whether in the URL, headers or body. If part of the data comes from an untrusted source, such as user input, validate and encode it beforehand so it cannot change the meaning of the request.
      • Validate and sanitize the response before using it in any way: check the status code and content type, bound its size, and parse it defensively.
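
      As an added illustration (not part of the rule text or of any SonarSource analyzer), the following JavaScript helper applies the four practices above to an outbound GET: an HTTPS-only, allow-listed destination; untrusted input confined to one encoded path segment; a per-host request cap; and a response that is treated as hostile until its status, content type, size and shape have been checked. The allowlist, `RateLimiter`, `safeGet` and the canned `fakeTransport` are assumptions made for this example, and the transport is synchronous so that the code runs offline.

```javascript
// Added example for RSPEC-4825: an outbound HTTP helper that applies the four
// recommendations above. Names such as ALLOWED_HOSTS, RateLimiter, safeGet and
// fakeTransport are assumptions of this example, not part of the rule or any library.

// Constructed allowlist of destinations this application is permitted to call.
const ALLOWED_HOSTS = new Set(["api.example.com", "reports.example.com"]);
const MAX_RESPONSE_BYTES = 1024 * 1024; // refuse to buffer more than 1 MiB

// 1. Encrypted connection + controlled URI: only https, only allow-listed hosts,
//    no credentials embedded in the URL (they would end up in logs and proxies).
function validateTargetUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "plaintext scheme " + url.protocol };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: "host not allow-listed: " + url.hostname };
  if (url.username || url.password) return { ok: false, reason: "credentials embedded in URL" };
  return { ok: true, url: url.toString() };
}

// 2. Untrusted input must not change the meaning of the request. A user-supplied
//    identifier becomes exactly one path segment: restricted to a safe alphabet and
//    percent-encoded, so "../admin" or "x?debug=1" cannot alter the path or query.
function buildResourceUrl(base, userSuppliedId) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(userSuppliedId)) throw new Error("rejected identifier");
  const url = new URL(base);
  url.pathname = url.pathname.replace(/\/+$/, "") + "/" + encodeURIComponent(userSuppliedId);
  return url.toString();
}

// 3. Bound the number of requests per destination: fixed-window counter with an
//    injectable clock so it can be exercised deterministically.
class RateLimiter {
  constructor(maxPerWindow, windowMs, now = () => Date.now()) {
    this.max = maxPerWindow;
    this.windowMs = windowMs;
    this.now = now;
    this.windows = new Map(); // host -> { start, count }
  }
  allow(host) {
    const t = this.now();
    const w = this.windows.get(host);
    if (!w || t - w.start >= this.windowMs) {
      this.windows.set(host, { start: t, count: 1 });
      return true;
    }
    if (w.count >= this.max) return false;
    w.count += 1;
    return true;
  }
}

// 4. The response is attacker-controlled until proven otherwise: check status and
//    content type, bound the size, parse defensively and check the shape.
function validateResponse(resp) {
  if (resp.status !== 200) return { ok: false, reason: "unexpected status " + resp.status };
  const ct = String(resp.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ct !== "application/json") return { ok: false, reason: "unexpected content type: " + ct };
  if (Buffer.byteLength(resp.body, "utf8") > MAX_RESPONSE_BYTES) return { ok: false, reason: "response too large" };
  let data;
  try {
    data = JSON.parse(resp.body);
  } catch {
    return { ok: false, reason: "malformed JSON" };
  }
  if (typeof data !== "object" || data === null || Array.isArray(data)) return { ok: false, reason: "unexpected JSON shape" };
  return { ok: true, data };
}

// Wires the checks around a transport. The transport is injected (and synchronous
// here) so the example runs offline; a real one would be fetch or an HTTP client.
function safeGet(rawUrl, limiter, transport) {
  const target = validateTargetUrl(rawUrl);
  if (!target.ok) return { ok: false, reason: target.reason };
  const host = new URL(target.url).hostname;
  if (!limiter.allow(host)) return { ok: false, reason: "rate limit exceeded for " + host };
  const resp = transport(target.url, { method: "GET", headers: { accept: "application/json" } });
  return validateResponse(resp);
}

// Constructed stand-in for the network: returns a canned JSON response.
function fakeTransport(url) {
  return {
    status: 200,
    headers: { "content-type": "application/json; charset=utf-8" },
    body: JSON.stringify({ id: "abc", echoedUrl: url }),
  };
}

console.log(safeGet(buildResourceUrl("https://api.example.com/users/", "abc"), new RateLimiter(5, 1000), fakeTransport));
console.log(safeGet("http://api.example.com/users/abc", new RateLimiter(5, 1000), fakeTransport));
```

      Each check returns a reason instead of throwing, so the call site can log which destination was refused or why a response was discarded. The limiter is keyed by host because the question the rule asks is whether an attacker can drive this code into flooding one particular recipient.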

      See

          Issue Links

          1. Java RSPEC-4849 (Language-Specification, Active, Unassigned)
          2. C# RSPEC-4890 (Language-Specification, Active, Unassigned)
          3. VB.NET RSPEC-5036 (Language-Specification, Active, Unassigned)
          4. JavaScript RSPEC-5089 (Language-Specification, Active, Unassigned)
          5. PHP RSPEC-5097 (Language-Specification, Active, Unassigned)
          6. Python RSPEC-5229 (Language-Specification, Active, Unassigned)

              People

              • Assignee:
                Unassigned
              • Reporter:
                Nicolas Harraudeau
