C Sharp Http Listener Wildcard
Description
Detects insecure HTTP listener configurations in C# applications where wildcards are used in prefix settings. This vulnerability could allow an attacker to access the HTTP listener on unintended network interfaces or ports, potentially exposing sensitive functionality to unauthorized users.
Detection Strategy
• Check if the System.Net library is imported in the C# code
• Look for method calls ending with '.Prefixes.Add'
• Verify if the prefix value contains unsafe patterns (like wildcards)
• Confirm the prefix is being added to an HttpListener object
• Report a vulnerability when all these conditions are met in the code
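The detection strategy above, sketched as a small Python scanner over C# source text. This is an added example, not Fluid Attacks' own rule implementation: the function name, the regular expressions and the sample source are constructed for illustration, and the scanner also treats "+" (HttpListener's strong wildcard) as unsafe alongside "*".

```python
import re

# Hosts that make HttpListener accept requests for any host name on the port.
# "*" is the wildcard shown on this page; "+" is HttpListener's strong wildcard.
WILDCARD_HOSTS = {"*", "+"}

USING_RE = re.compile(r'^\s*using\s+System\.Net\s*;', re.M)
# "HttpListener x = new HttpListener(" or "var x = new HttpListener("
DECL_RE = re.compile(r'\b(?:HttpListener|var)\s+(\w+)\s*=\s*new\s+(?:System\.Net\.)?HttpListener\s*\(')
# "<receiver>.Prefixes.Add("<literal>")"
ADD_RE = re.compile(r'\b(\w+)\.Prefixes\.Add\s*\(\s*"([^"]*)"\s*\)')
PREFIX_RE = re.compile(r'^(https?)://([^/:]+)(?::(\d+))?(/.*)?$')

def find_wildcard_prefixes(source):
    """Return (line, variable, prefix) for each wildcard prefix added to an HttpListener."""
    if not USING_RE.search(source):            # step 1: System.Net imported
        return []
    listeners = set(DECL_RE.findall(source))   # variables known to be HttpListener
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):     # skip commented-out calls
            continue
        for receiver, prefix in ADD_RE.findall(line):   # step 2: .Prefixes.Add
            parsed = PREFIX_RE.match(prefix)
            if not parsed or parsed.group(2) not in WILDCARD_HOSTS:  # step 3
                continue
            if receiver in listeners:          # step 4: receiver is an HttpListener
                findings.append((lineno, receiver, prefix))  # step 5: report
    return findings

# Constructed sample input, not taken from a real project.
SAMPLE = '''using System.Net;
public class Demo {
    public void Start() {
        HttpListener listener = new HttpListener();
        // listener.Prefixes.Add("http://*:9999/");
        listener.Prefixes.Add("http://*:8080/");
        listener.Prefixes.Add("https://+:8443/");
        listener.Prefixes.Add("http://localhost:8080/");
        other.Prefixes.Add("http://*:8080/");
    }
}
'''

if __name__ == "__main__":
    for lineno, receiver, prefix in find_wildcard_prefixes(SAMPLE):
        print(f"line {lineno}: {receiver}.Prefixes.Add({prefix!r}) uses a wildcard host")
```

Text matching of this kind misses prefixes built from variables or configuration values; a production rule would resolve those through the syntax tree and data flow.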
Vulnerable code example
using System.Net;

public class VulnerableListener {
    public void StartListener() {
        HttpListener listener = new HttpListener();
        // Vulnerable: the wildcard (*) host binds to all interfaces, potentially exposing the listener to unauthorized networks
        // (HttpListener requires every prefix to end with a forward slash)
        listener.Prefixes.Add("http://*:8080/");
        listener.Start();
    }
}
Secure code example
using System.Net;

public class SecureListener {
    public void StartListener() {
        HttpListener listener = new HttpListener();
        // Secure: bind to the localhost interface only to prevent external access
        listener.Prefixes.Add("http://localhost:8080/");
        listener.Start();
    }
}