A hidden behavior within .NET’s HTTP proxy mechanism can introduce Remote Code Execution (RCE) flaws in applications. This security issue, despite being reported, will not be addressed by Microsoft, as the company views it as a ‘by design’ feature rather than a vulnerability.

Understanding the .NET Proxy Vulnerability

The behavior involves the automatic utilization of `DefaultProxy` settings by .NET’s `HttpClient` and `WebRequest` classes. Researcher Sjoerd Langkemper from Fox-IT highlighted that this default behavior, if not explicitly managed, can be exploited. Applications that perform HTTP requests, especially those acting as web proxies or consuming external content, are particularly susceptible. The issue can lead to Server-Side Request Forgery (SSRF) and, when combined with other weaknesses, potentially result in Remote Code Execution.

Developer Responsibility for Mitigation

Since Microsoft considers this functionality an intended behavior, the responsibility for mitigation falls on developers. To prevent potential RCE flaws, developers must explicitly disable `DefaultProxy` or configure proxy settings securely within their applications. This proactive measure is essential for safeguarding applications against exploits stemming from this .NET framework characteristic.

Source: https://www.csoonline.com/article/4104460/hidden-net-http-proxy-behavior-can-open-rce-flaws-in-apps-a-security-issue-microsoft-wont-fix.html