Can you spot the vulnerability? #codeadvent2022 #csharp #appsec

Something was forgotten in this API handler, but what?

https://www.sonarsource.com/knowledge/code-challenges/advent-calendar-2022/?day=3


@SonarResearch The other commenters here have very creative solutions. But there is a simpler way if github.computer isn't available anymore because @becojo already bought it:

Regex.IsMatch() does not perform a global regex match, it just searches for a match somewhere in the string. Also, the regex does not use $ to match for the end of the line. This leads to an empty string matching the regex (remember that * matches 0-inf chars). So the regex does not do anything and we can send an arbitrary path. (https://replit.com/@realansgar/BlueInfatuatedConnection#main.cs)

"https://api.github.com" does not end with a slash. So we can append a path like .attacker.com and register api.github.com.attacker.com and capture the authHeader.

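The two flaws described in the reply above, shown beside a hardened check, as an added example that is not part of the original thread or of Sonar's challenge code. The regex patterns, the `BaseUrl` constant, the class and method names, and the sample inputs are assumptions constructed for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

static class PathCheck
{
    // Assumed base URL without a trailing slash, as described in the reply.
    const string BaseUrl = "https://api.github.com";

    // Constructed weak pattern: unanchored, and '*' also matches zero
    // characters, so Regex.IsMatch finds an empty match in any input.
    static readonly Regex Weak = new Regex(@"[a-zA-Z0-9/_-]*");

    // Anchored with \A and \z (in .NET, '$' also matches before a trailing
    // newline). The leading '/' is required, so the path cannot extend the
    // host name, and '.' is not in the allowed set.
    static readonly Regex Strict = new Regex(@"\A/[a-zA-Z0-9/_-]+\z");

    public static bool WeakAccepts(string path) => Weak.IsMatch(path);

    // Returns the URL to call, or null when the input is rejected.
    public static Uri BuildUrl(string path)
    {
        if (!Strict.IsMatch(path)) return null;

        var expected = new Uri(BaseUrl);
        var url = new Uri(BaseUrl + path);

        // Defense in depth: attach credentials only when the parsed URL
        // still points at exactly the intended scheme, host and port.
        bool sameOrigin = url.Scheme == expected.Scheme
                       && url.Host == expected.Host
                       && url.Port == expected.Port;
        return sameOrigin ? url : null;
    }

    static void Main()
    {
        // Constructed inputs: a normal API path and the host-extension case.
        foreach (var p in new[] { "/repos/octocat/hello", ".attacker.com/x" })
        {
            bool strictOk = BuildUrl(p) != null;
            Console.WriteLine($"{p}: weak={WeakAccepts(p)} strict={strictOk}");
        }
    }
}
```

The weak check accepts both inputs, while `BuildUrl` returns a URL only for the first one.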