Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
>
V5618. OWASP. Possible server-side requ…
menu mobile close menu
Analyzer diagnostics
General Analysis (C++)
General Analysis (C#)
General Analysis (Java)
Micro-Optimizations (C++)
Diagnosis of 64-bit errors (Viva64, C++)
Customer specific requests (C++)
MISRA errors
AUTOSAR errors
OWASP errors (C#)
Problems related to code analyzer
Additional information
toggle menu Contents

V5618. OWASP. Possible server-side request forgery. Potentially tainted data is used in the URL.

Feb 07 2022

The analyzer detected an attempt to access a remote resource without checking URL provided by the user. The use of unverified external data to generate an address can cause Server-Side Request Forgery.

Vulnerabilities of the Server-Side Request Forgery type are allocated to a separate risk category in the OWASP Top 10 Application Security Risks 2021: A10:2021-Server-Side Request Forgery.

Look at the example:

void ServerSideRequestForgery() 
{ 
  var url = Request.QueryString["url"];
  WebRequest request = WebRequest.Create(url); 
  WebResponse response = request.GetResponse(); 
  using (Stream stream = response.GetResponseStream()) 
  { 
    using (StreamReader reader = new StreamReader(stream)) 
    { 
      .... 
    } 
  } 
  response.Close(); 
} 

In this example, 'url' may contain tainted data since it comes from an external source. A request is generated from this address, and it's executed server-side. The request can be sent to any web resource or the server itself.

Thus, attackers can perform malicious actions by sending requests to resources that they don't have direct access to.

An example of compromised data:

http://localhost/admin/delete?username=testSSRF

An attacker can delete the user with the help of such a request.

When fighting SSRF, don't use a prohibited list or regular expressions. An attacker can easily evade these restrictions by:

  • Redirection — an attacker can create an external resource that redirects to another URL as a response.
  • Alternate representations:  
http://2130706433/ = http://127.0.0.1 
http://0x7f000001/ = http://127.0.0.1 

An example of fighting SSRF by using verification of the external data: 

string ServerSideRequestForgery() 
{ 
  var url = Request.QueryString["url"];
  if (!whiteList.Contains(url)) 
    return "Forbidden URL"; 
 
  WebRequest request = WebRequest.Create(url); 
  .... 
} 

This diagnostic is classified as: