DllSpy 0.2.7
dotnet tool install --global DllSpy --version 0.2.7
This package contains a .NET tool you can call from the shell/command line.
dotnet new tool-manifest
dotnet tool install --local DllSpy --version 0.2.7
DllSpy
Scans compiled .NET assemblies to discover input surfaces (HTTP endpoints, SignalR hubs, WCF services, gRPC services, Razor Pages, Blazor components, Azure Functions, OData endpoints), check authorization configuration, and flag security issues — all without running the application.
Available as a CLI tool and a PowerShell module.
Installation
CLI
dotnet tool install -g DllSpy
PowerShell
Install-Module -Name DllSpy
Usage
CLI
# List all surfaces
dllspy ./MyApi.dll
# Scan for security vulnerabilities
dllspy ./MyApi.dll -s
# Filter by surface type (HttpEndpoint, SignalRMethod, WcfOperation, GrpcOperation, RazorPage, BlazorComponent, AzureFunction, ODataEndpoint)
dllspy ./MyApi.dll -t HttpEndpoint
# Filter by HTTP method and class name
dllspy ./MyApi.dll -m DELETE -c User*
# Only authenticated / anonymous surfaces
dllspy ./MyApi.dll --auth
dllspy ./MyApi.dll --anon
# Scan with minimum severity
dllspy ./MyApi.dll -s --min-severity High
# Output format: table (default), tsv, json
dllspy ./MyApi.dll -o json
dllspy ./MyApi.dll -o tsv
JSON + jq
# List all unprotected routes
dllspy ./MyApi.dll -o json | jq '[.[] | select(.requiresAuthorization == false) | .displayRoute]'
# Count surfaces by type
dllspy ./MyApi.dll -o json | jq 'group_by(.surfaceType) | map({type: .[0].surfaceType, count: length})'
# Security issues as compact table
dllspy ./MyApi.dll -s -o json | jq -r '.[] | [.severity, .surfaceRoute, .title] | @tsv'
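A CI gate over the JSON findings, as an added example that is not part of DllSpy or its README: it reads only the severity, surfaceRoute and title fields used in the jq command above, fails closed on severity names it does not know, and skips findings listed in a reviewed baseline. The sample findings, their route strings and the ACCEPTED baseline are constructed for illustration.

```python
import json
import sys
from fnmatch import fnmatchcase

# Severity names as used in the rule tables on this page.
RANK = {"Low": 1, "Medium": 2, "High": 3}

def rank(finding):
    # Unknown severity strings rank as High, so a change in the tool's
    # output fails closed instead of silently passing the gate.
    return RANK.get(finding.get("severity"), RANK["High"])

def gate(findings, min_severity="High", accepted=()):
    # accepted: (route_glob, title) pairs for reviewed findings; this
    # baseline is a hypothetical addition, not a DllSpy feature.
    blocking = []
    for f in findings:
        if rank(f) < RANK[min_severity]:
            continue
        route, title = f.get("surfaceRoute", ""), f.get("title", "")
        if any(fnmatchcase(route, g) and title == t for g, t in accepted):
            continue
        blocking.append(f)
    return sorted(blocking, key=lambda f: (-rank(f), f.get("surfaceRoute", "")))

# Constructed sample standing in for `dllspy ./MyApi.dll -s -o json`;
# the route strings are made up for illustration.
SAMPLE = [
    {"severity": "High", "surfaceRoute": "api/users/{id}",
     "title": "Unauthenticated state-changing endpoint"},
    {"severity": "High", "surfaceRoute": "api/webhooks/stripe",
     "title": "Unauthenticated state-changing endpoint"},
    {"severity": "Medium", "surfaceRoute": "api/health",
     "title": "Missing authorization declaration"},
    {"severity": "Low", "surfaceRoute": "api/reports",
     "title": "Authorize without role/policy"},
]
ACCEPTED = [("api/webhooks/*", "Unauthenticated state-changing endpoint")]

if __name__ == "__main__":
    ci = len(sys.argv) > 1  # CI use: pass the path of a saved JSON report
    findings = SAMPLE
    if ci:
        with open(sys.argv[1]) as fh:
            findings = json.load(fh)
    failed = gate(findings, "Medium", ACCEPTED)
    for f in failed:
        print(f.get("severity"), f.get("surfaceRoute"), f.get("title"), sep="\t")
    sys.exit(1 if ci and failed else 0)  # the sample run always exits 0
```

Save the report with `dllspy ./MyApi.dll -s -o json > report.json` and pass that path as the first argument; a non-zero exit status then fails the pipeline step.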
PowerShell
# All surfaces
Search-DllSpy -Path .\MyApi.dll
# Filter by surface type
Search-DllSpy -Path .\MyApi.dll -Type HttpEndpoint
Search-DllSpy -Path .\MyApi.dll -Type SignalRMethod
Search-DllSpy -Path .\MyApi.dll -Type WcfOperation
Search-DllSpy -Path .\MyApi.dll -Type GrpcOperation
Search-DllSpy -Path .\MyApi.dll -Type RazorPage
Search-DllSpy -Path .\MyApi.dll -Type BlazorComponent
Search-DllSpy -Path .\MyApi.dll -Type AzureFunction
Search-DllSpy -Path .\MyApi.dll -Type ODataEndpoint
# Filter by HTTP method
Search-DllSpy -Path .\MyApi.dll -HttpMethod DELETE
# Filter by class name (supports wildcards)
Search-DllSpy -Path .\MyApi.dll -Class User*
# Only authenticated / anonymous surfaces
Search-DllSpy -Path .\MyApi.dll -RequiresAuth
Search-DllSpy -Path .\MyApi.dll -AllowAnonymous
# Find security issues
Test-DllSpy -Path .\MyApi.dll
# Only high-severity issues
Test-DllSpy -Path .\MyApi.dll -MinimumSeverity High
# Detailed view
Test-DllSpy -Path .\MyApi.dll | Format-List
Supported Frameworks
| Framework | Detection Method | Surface Type |
|---|---|---|
| ASP.NET Core / Web API | Controller base class, [ApiController], naming convention | HttpEndpoint |
| SignalR | Hub / Hub<T> inheritance | SignalRMethod |
| WCF | [ServiceContract] interfaces + [OperationContract] methods | WcfOperation |
| gRPC | Generated base class with BindService | GrpcOperation |
| Razor Pages | PageModel inheritance, On{Verb}[Handler][Async] methods | RazorPage |
| Blazor | ComponentBase inheritance + [Route] attribute | BlazorComponent |
| Azure Functions | [FunctionName] / [Function] + [HttpTrigger] parameter | AzureFunction |
| OData | ODataController inheritance | ODataEndpoint |
Security Rules
HTTP Endpoints
| Severity | Rule | Description |
|---|---|---|
| High | Unauthenticated state-changing endpoint | DELETE, POST, PUT, or PATCH without [Authorize] |
| Medium | Missing authorization declaration | Endpoint has neither [Authorize] nor [AllowAnonymous] |
| Low | Authorize without role/policy | [Authorize] present but no Roles or Policy specified |
SignalR Hub Methods
| Severity | Rule | Description |
|---|---|---|
| High | Unauthenticated hub method | Hub method without [Authorize] (directly invocable by clients) |
| Low | Authorize without role/policy | [Authorize] present but no Roles or Policy specified |
WCF Operations
| Severity | Rule | Description |
|---|---|---|
| High | Unauthenticated WCF operation | Operation without [PrincipalPermission] or [Authorize] |
| Low | Authorize without role | [PrincipalPermission] present but no Role specified |
gRPC Operations
| Severity | Rule | Description |
|---|---|---|
| High | Unauthenticated gRPC operation | Service method without [Authorize] |
| Low | Authorize without role/policy | [Authorize] present but no Roles or Policy specified |
Razor Page Handlers
| Severity | Rule | Description |
|---|---|---|
| High | Unauthenticated state-changing handler | POST, PUT, DELETE, or PATCH handler without [Authorize] |
| Medium | Missing authorization declaration | Handler has neither [Authorize] nor [AllowAnonymous] |
| Low | Authorize without role/policy | [Authorize] present but no Roles or Policy specified |
Blazor Routable Components
| Severity | Rule | Description |
|---|---|---|
| High | Unauthenticated routable component | Component with [Route] but without [Authorize] |
| Low | Authorize without role/policy | [Authorize] present but no Roles or Policy specified |
Azure Functions
| Severity | Rule | Description |
|---|---|---|
| High | Unauthenticated Azure Function | AuthorizationLevel.Anonymous and no [Authorize] attribute |
| Low | Authorize without role/policy | [Authorize] present but no Roles or Policy specified |
OData Endpoints
| Severity | Rule | Description |
|---|---|---|
| High | Unauthenticated state-changing endpoint | DELETE, POST, PUT, or PATCH without [Authorize] |
| Medium | Missing authorization declaration | Endpoint has neither [Authorize] nor [AllowAnonymous] |
| Low | Authorize without role/policy | [Authorize] present but no Roles or Policy specified |
License
See LICENSE.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
This package has no dependencies.