I am wondering if there are any security risks associated with downloading content of a URL from within my web-application. I’m using WebClient.DownloadString() to parse thru the returned data.
The URL is provided by users and I have no control as to what is returned by it and what it looks like. I am guessing that WebClient does not execute any scripts? But is there anything else I need to worry about?
User would ultimately be able to see the output of the WebClient’s download action that has occurred on my servers. I am somewhat concerned that the URL that they may chose to provide is going to be a “file://c//inetpub/website/web.config” or some such…
Would appreciate any advice on how to protect myself here?
Thanks
On a technical level, you should implement a validator that makes sure, the provided URL follows certain strict rules, e.g. starts with “http” and so on. That way no local ressources can be targeted.
But I would be more concerned about the legal issues. Your users could use your server to access illegal content from other servers. You don’t want to serve such content.
Even worse, someone can attack other servers and it will look like you are the source of the attacks. You are basically providing a proxy for attackers. I guess consulting a lawyer specialized on internet law would be a good idea before going live with such a service.