44 lines
1.5 KiB
Plaintext
44 lines
1.5 KiB
Plaintext
Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3072[CVE-2016-3072]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175[CVE-2015-3175]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0218[CVE-2003-0218]
|
|
|
|
HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).
|
|
|
|
This rule flags code which creates HTTP endpoint via .Net Framework MVC Controllers. It guides security code reviews to security-sensitive code.
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
public class Foo : System.Web.Mvc.Controller
|
|
{
|
|
public string MyProperty
|
|
{
|
|
get { return "test"; }
|
|
set { }
|
|
}
|
|
public Foo() { }
|
|
|
|
public void PublicFoo() // Sensitive. Public Controller methods are exposed as HTTP endpoints.
|
|
{
|
|
// ...
|
|
}
|
|
[System.Web.Mvc.NonAction]
|
|
public void NotAnEndpoint() // This is not an endpoint because of the NonAction attribute.
|
|
{ }
|
|
protected void ProtectedFoo() { }
|
|
internal void InternalFoo() { }
|
|
private void PrivateFoo() { }
|
|
private class Bar : System.Web.Mvc.Controller
|
|
{
|
|
public void InnerFoo() { }
|
|
}
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|