C#-CWE-918

Server-Side Request Forgery (SSRF): application issues HTTP requests to attacker-controlled URLs

Required inputs: CSharpAST

This rule detects **Server-Side Request Forgery (CWE-918)**, where a user-controlled string is used as the target URL of an outbound request (e.g. `HttpClient.GetStringAsync(url)`). Example:

```csharp
public async Task<IActionResult> Get(string url)
{
    var client = new HttpClient();
    var data = await client.GetStringAsync(url); // user input → SSRF: any host the server can reach
    return Content(data);
}
```
Fix:

```csharp
if (AllowedHosts.Contains(new Uri(url).Host)) // AllowedHosts: allow-list of permitted hosts
{
    var data = await client.GetStringAsync(url);
    return Content(data);
}
return BadRequest(); // host not on the allow-list
```

Validate the host against an allow-list, or map user input to predefined safe URLs instead of using it as a URL.
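The following added example (not part of the rule text) carries the fix through with the checks a reviewer would expect around the host allow-list: tolerant parsing, a pinned scheme, no embedded credentials, redirects disabled, and the alternative of mapping input to predefined URLs. `AllowedHosts`, `NamedTargets`, `OutboundUrlPolicy` and `SafeFetcher` are assumed names for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

// Added example, not from the rule text: AllowedHosts, NamedTargets and SafeFetcher are assumed names.
public static class OutboundUrlPolicy
{
    // Exact-match allow-list. Uri.Host is normalised to lower case, so compare case-insensitively.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "api.example.com", "cdn.example.com" };
    // Returns the validated absolute URI, or null when the input must not be fetched.
    public static Uri Validate(string userInput)
    {
        // TryCreate avoids the UriFormatException that `new Uri(url)` throws on malformed input.
        if (!Uri.TryCreate(userInput, UriKind.Absolute, out var uri)) return null;
        // Pin the scheme so only HTTPS targets are accepted.
        if (uri.Scheme != Uri.UriSchemeHttps) return null;
        // Reject embedded credentials (https://user:pw@host/), which confuse naive host parsing.
        if (!string.IsNullOrEmpty(uri.UserInfo)) return null;
        // The host allow-list check the rule describes.
        if (!AllowedHosts.Contains(uri.Host)) return null;
        return uri;
    }
    // The rule's other option: map user input to predefined safe URLs, never parsing it as a URL.
    private static readonly Dictionary<string, Uri> NamedTargets = new Dictionary<string, Uri>
    {
        ["weather"] = new Uri("https://api.example.com/v1/weather"),
        ["news"] = new Uri("https://api.example.com/v1/news"),
    };
    public static Uri Resolve(string key) =>
        NamedTargets.TryGetValue(key, out var uri) ? uri : null;
}

public sealed class SafeFetcher
{
    // Disable automatic redirects so an allowed host cannot redirect the request elsewhere.
    private static readonly HttpClient Client =
        new HttpClient(new HttpClientHandler { AllowAutoRedirect = false });

    // Returns the body for a validated URL, or null so the caller can respond with 400.
    public async Task<string> FetchAsync(string userInput)
    {
        var target = OutboundUrlPolicy.Validate(userInput);
        if (target == null) return null;
        return await Client.GetStringAsync(target);
    }
}
```

With redirects disabled, a 3xx from an allowed host makes `GetStringAsync` throw rather than silently following the redirect; handle that where the page's own error policy requires.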

Possible Messages

| Key | Text | Severity | Disabled |
|---|---|---|---|
| tainted_call | Outbound HTTP request URL is not validated. | None | False |

Options