C# Dangerous Function
<———————Acquire User-Supplied Data————→
QueryString
Ex: string studentName = HttpContext.Current.Request.QueryString["studentName"];
Params
Item
Form
ServerVariables // Returns a collection of web server variables; some of them (the HTTP_* entries) are derived from client-supplied headers.
Headers // Returns the collection of HTTP headers sent by the client.
Files // Returns a collection of files uploaded by the user.
Cookies // Returns the collection of cookies sent by the client.
HttpMethod // Returns the method used in the HTTP request.
InputStream // Returns the raw body of the incoming request as a stream.
BinaryRead // Reads a specified number of bytes from the request body.
Ex: string lastname = Request.QueryString["lastname"];
<——————RFI & LFI—————>
- Server.Execute(path) //executes an ASP file from inside another ASP file
<————Directory Traversal———>
- Open a file
FileStream fs = File.Open("C:\\temp\\" + userinput, FileMode.OpenOrCreate); - Any of the following constructors that take a path can be reached with user-controlled input (a base directory prefix alone does not stop "..\" sequences):
1. System.IO.FileStream
2. System.IO.StreamReader
3. System.IO.StreamWriter
Ex: FileStream fs = new FileStream("F:\\tmp\\" + userinput, FileMode.OpenOrCreate);
<—————OS Command Injection—→
- string cmd = @"/C ping " + Request.QueryString["hostname"]; /* @ marks a verbatim string literal: backslash escape sequences are not interpreted */
ProcessStartInfo info = new ProcessStartInfo("cmd.exe", cmd);
Process.Start(info); // the whole argument string is handed to the shell, so shell metacharacters in the query parameter are interpreted
<——————-SQL Injection———→
- The following classes can be used to create and execute a SQL statement. If they are used without parameterized values and user input is not properly validated, SQL injection may be possible.
1. System.Data.SqlClient.SqlCommand
2. System.Data.SqlClient.SqlDataAdapter
3. System.Data.Oledb.OleDbCommand
4. System.Data.Odbc.OdbcCommand
5. System.Data.SqlServerCe.SqlCeCommand
Ex 1:
string query = "select username, password from user where username='" + username + "' and password='" + password + "'";
OdbcCommand command = new OdbcCommand(query, connection);
command.ExecuteNonQuery();
Ex 2:
var query = "SELECT * FROM User WHERE Username = '" + username + "'";
SqlCommand command = new SqlCommand(query , connection);
SqlDataReader reader = command.ExecuteReader();
<——————-XSS————————→
- Response.Write()
- <%= searchTermFromUser %> // writes the value without HTML encoding (unlike the <%: %> syntax, which encodes)
<——————-XXE————————→
Parsers that are vulnerable by default (external entity resolution enabled) in .NET Framework versions before 4.5.2:
- XmlDocument (before 4.5.2)
- XPathNavigator (before 4.5.2)
- XmlTextReader (before 4.5.2)
<——————Serialization————>
- Deserialize Binary to Object
BinaryFormatter bf = new BinaryFormatter(); // unsafe with any untrusted input, regardless of the type cast afterwards
FileStream fsin = new FileStream("xyz.binary", FileMode.Open, FileAccess.Read);
obj = (class) bf.Deserialize(fsin);
- Deserialize XML to Object
XmlSerializer xs = new XmlSerializer(typeof(class));
FileStream fsin = new FileStream("xyz.xml", FileMode.Open, FileAccess.Read);
obj = (class) xs.Deserialize(fsin);
- Deserialize Json to Object
// Deserializing JSON data to an object using JavaScriptSerializer ("class" stands for the target type)
string jsonData = @"{""Name"":""C-sharpcorner"",""Description"":""Share Knowledge""}";
JavaScriptSerializer js = new JavaScriptSerializer();
class obj = js.Deserialize<class>(jsonData);
string json = @"{""Name"":""C-sharpcorner"",""Description"":""Share Knowledge""}";
class Obj = JsonConvert.DeserializeObject<class>(json); // Json.NET: dangerous when TypeNameHandling is set to anything other than None
string json = "{\"Username\":\"raj\",\"Password\":\"insecure\"}";
var ms = new MemoryStream(Encoding.Unicode.GetBytes(json));
DataContractJsonSerializer deserializer = new DataContractJsonSerializer(typeof(class));
class Obj = (class) deserializer.ReadObject(ms);
<——————SSRF————>
- Code Snippet Type 1
var uri = Request.QueryString["url"];
var psi = new System.Diagnostics.ProcessStartInfo();
psi.UseShellExecute = true;
psi.FileName = uri;
System.Diagnostics.Process.Start(psi);
- Code Snippet Type 2
var url = Request.QueryString["url"];
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
- Code Snippet Type 3
var url = Request.QueryString["url"];
HttpClient client = new HttpClient();
HttpResponseMessage response = await client.GetAsync(url);
<——————Unvalidated-Redirects and Forwards———→
- HttpResponse.Redirect(Request.QueryString["Url"]);
- Controller.Redirect(Request.QueryString["Url"]); // MVC
- HttpResponse.AddHeader("Location", Request.QueryString["Url"]);
- HttpResponse.AppendHeader("Location", Request.QueryString["Url"]);
- HttpServerUtility.Transfer(Request.QueryString["path"]);
<——————XML Injection———→
string studentName = HttpContext.Current.Request.QueryString["studentName"];
XmlWriter writer = XmlWriter.Create("student.xml");
writer.WriteStartDocument();
writer.WriteRaw("" + studentName + ""); // Inserts user input directly into the XML without escaping (WriteString / WriteElementString would encode it)
writer.WriteEndElement();
writer.WriteEndDocument();
<——————XPath Injection———→
string userName = HttpContext.Current.Request.QueryString["userName"];
string password = HttpContext.Current.Request.QueryString["password"];
var xquery = "//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()";
XPathExpression.Compile(xquery); // user input concatenated into the XPath expression without escaping or variables