Rules Repository: RSPEC-5144

Server-side requests should not be vulnerable to forging attacks

    Details

    • Message:
      Refactor this code to not construct the URL from tainted, user-controlled data.
    • Highlighting:
      "[varname]" is tainted (assignments and parameters)
      this argument is tainted (method invocations)
      the returned value is tainted (returns & method invocations results)
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      C#, Java, PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Abstract Interpretation
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-918, CWE-641
    • OWASP:
      A5
    • SANS Top 25:
      Risky Resource Management

      Description

      User-provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. A server that issues requests to URLs built from tainted data lets an attacker choose the destination of those requests, including hosts on the internal network or the local file system.

      The problem could be mitigated in any of the following ways:

      • Validate the user-provided data against a whitelist and reject any input that does not match.
      • Redesign the application so that the destination of a request is never derived from user-provided data.
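The two mitigations above, as an added example (not code from the rule specification or from SonarSource): `build_url_unsafe` is the pattern the rule reports, `validate_outbound_url` is the whitelist approach, and `resolve_report_url` is the redesign approach where the client sends a key rather than a URL. The allowlist, the endpoint table and the host names are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: the only upstream hosts this service may call.
ALLOWED_HOSTS = frozenset({"api.example.com", "images.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})

# Constructed lookup table for the "redesign" mitigation: the client sends a
# key, never a URL, and the server maps it to a fixed, pre-configured target.
REPORT_ENDPOINTS = {
    "daily": "https://api.example.com/reports/daily",
    "weekly": "https://api.example.com/reports/weekly",
}


class TaintedUrlError(ValueError):
    """Raised when user-controlled input would decide where a request goes."""


def build_url_unsafe(user_supplied: str) -> str:
    # The pattern the rule flags: the request target is tainted input.
    return "https://" + user_supplied


def validate_outbound_url(user_supplied: str) -> str:
    """Whitelist mitigation: accept a user-supplied URL only if every
    component that decides the destination (scheme, userinfo, host, port)
    matches policy, then rebuild the URL from the validated parts."""
    parts = urlsplit(user_supplied)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise TaintedUrlError(f"scheme not allowed: {parts.scheme!r}")
    # Reject userinfo so "api.example.com@evil.example.net" cannot be used
    # to make the allowed host appear in the URL while another host is called.
    if parts.username is not None or parts.password is not None:
        raise TaintedUrlError("userinfo in URL is not allowed")
    # .hostname is lower-cased and stripped of userinfo and brackets,
    # so "API.EXAMPLE.COM" compares equal to the allowlisted name.
    if parts.hostname not in ALLOWED_HOSTS:
        raise TaintedUrlError(f"host not allowed: {parts.hostname!r}")
    if parts.port is not None and parts.port != 443:
        raise TaintedUrlError(f"port not allowed: {parts.port}")
    # Forward only the validated components, never the raw tainted string.
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


def is_safe_url(user_supplied: str) -> bool:
    """Convenience wrapper: True if validate_outbound_url accepts the input."""
    try:
        validate_outbound_url(user_supplied)
    except ValueError:
        # TaintedUrlError, and also the ValueError urlsplit raises on a bad port.
        return False
    return True


def resolve_report_url(report_key: str) -> str:
    """Redesign mitigation: the tainted value is only a lookup key, so no
    part of the URL is ever derived from user input."""
    try:
        return REPORT_ENDPOINTS[report_key]
    except KeyError:
        raise TaintedUrlError(f"unknown report: {report_key!r}") from None


if __name__ == "__main__":
    # Constructed inputs: one in-policy URL and one that points inside the network.
    for candidate in ("https://api.example.com/reports/daily?day=1",
                      "http://127.0.0.1/admin"):
        print(candidate, "->", "accepted" if is_safe_url(candidate) else "rejected")
    print("weekly ->", resolve_report_url("weekly"))
```

The comparison is made on the parsed host name only; where the allowlisted host can redirect or resolve to an internal address, the HTTP client also needs redirects disabled or re-validated, which is outside what this rule checks.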

      See

        Attachments

        1.
        Java RSPEC-5149 Language-Specification Active Unassigned
        2.
        C# RSPEC-5150 Language-Specification Active Unassigned
        3.
        PHP RSPEC-5151 Language-Specification Active Unassigned

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              lars.svensson Lars Svensson (Inactive)
            • Votes:
              0
              Watchers:
              1

              Dates

              • Created:
                Updated: