You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6173/csharp) (updated a few minutes after each push).

## Review

A dedicated reviewer checked the rule description successfully for:

- [x] logical errors and incorrect information
- [x] information gaps and missing content
- [x] text style and tone
- [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com>
16 lines
733 B
Plaintext
Reflection injections occur in a web application when it retrieves data from a
user or a third-party service and fully or partially uses it to inspect, load
or invoke a component by name.

If an application uses a reflection method in a way that is vulnerable to
injections, it is exposed to attacks that aim to achieve remote code execution
on the website's server.

A user with malicious intent exploits this by carefully crafting a string
involving symbols, such as class methods, that helps them change the initial
reflection logic into impactful malicious logic.

After creating the malicious request and triggering it, the attacker can attack
the servers affected by this vulnerability without relying on any
prerequisites.
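The pattern described above, shown next to a hardened form, as an added C# example that is not part of the rule description. The formatter types and the `FormatterFactory` class are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical application types, constructed for this example.
public interface IReportFormatter { string Format(string body); }
public sealed class TextFormatter : IReportFormatter
{
    public string Format(string body) => body;
}
public sealed class HtmlFormatter : IReportFormatter
{
    public string Format(string body) => "<pre>" + WebUtility.HtmlEncode(body) + "</pre>";
}

public static class FormatterFactory
{
    // Noncompliant: a caller-supplied string decides which type is loaded and instantiated.
    public static object CreateUnsafe(string typeName)
    {
        Type type = Type.GetType(typeName, throwOnError: true);
        return Activator.CreateInstance(type);
    }

    // Compliant: the request carries only a short key; the type names never leave the server.
    private static readonly IReadOnlyDictionary<string, Func<IReportFormatter>> Allowed =
        new Dictionary<string, Func<IReportFormatter>>(StringComparer.Ordinal)
        {
            ["text"] = () => new TextFormatter(),
            ["html"] = () => new HtmlFormatter(),
        };

    public static IReportFormatter CreateSafe(string key)
    {
        if (key != null && Allowed.TryGetValue(key, out var factory))
            return factory();
        throw new ArgumentException("Unknown formatter", nameof(key));
    }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(FormatterFactory.CreateSafe("html").Format("a < b"));
        // The unsafe variant instantiates a type that has nothing to do with formatting.
        Console.WriteLine(FormatterFactory.CreateUnsafe("System.Text.StringBuilder").GetType().FullName);
        try { FormatterFactory.CreateSafe("System.Text.StringBuilder"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

With the allow-list in place, no reflection call ever receives request data, so the set of types the server can instantiate is fixed at compile time.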