Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:

      HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).

      This rule flags code which creates HTTP endpoint via .Net Framework MVC Controllers. It guides security code reviews to security-sensitive code.

      Questionable Code Example

      Public Class Foo
          Inherits System.Web.Mvc.Controller
      
          Public Property MyProperty As String
              Get
                  Return "test"
              End Get
              Set(ByVal value As String)
              End Set
          End Property
      
          Public Sub New()
          End Sub
      
          Public Sub PublicFoo() ' Questionable. Public Controller methods are exposed as HTTP endpoints.
          End Sub
      
          <System.Web.Mvc.NonAction>
          Public Sub NotAnEndpoint() ' This is not an endpoint because of the NonAction attribute.
          End Sub
      
          Protected Sub ProtectedFoo()
          End Sub
      
          Friend Sub InternalFoo()
          End Sub
      
          Private Sub PrivateFoo()
          End Sub
      
          Private Class Bar
              Inherits System.Web.Mvc.Controller
      
              Public Sub InnerFoo()
              End Sub
          End Class
      End Class
      

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              valeri.hristov Valeri Hristov (Inactive)
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: