SignalR negotiate 500 error when connectionData querystring value is modified

  • Question

  • User2075880553 posted

    Hello,

    We are using AppScan to test the vulnerability of our application to any type of malicious attack. Since we are using SignalR, AppScan has been targeting the

    https://ourdomain.com/signalr/negotiate?clientProtocol=1.5&connectionData=%5B%7B%22name%22%3A%22homepagehub%22%7D%5D&_=1450307725286

    and modifying the connectionData value (for example setting it to %27). This is causing the server to throw the following 500 error:

    Exception Source Newtonsoft.Json Message Error converting value " {"name":"homepagehub"}>"'> " to type 'Microsoft.AspNet.SignalR.Hubs.HubDispatcher+ClientHubInfo'. Path '[0]', line 1, position 121.

    Stack Trace at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.EnsureType(JsonReader reader, Object value, CultureInfo culture, JsonContract contract, Type targetType)
    at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
    at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateList(IList list, JsonReader reader, JsonArrayContract contract, JsonProperty containerProperty, String id)
    at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateList(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, Object existingValue, String id)
    at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
    at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
    at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
    at Microsoft.AspNet.SignalR.Json.JsonSerializerExtensions.Parse[T](JsonSerializer serializer, String json)
    at Microsoft.AspNet.SignalR.Hubs.HubDispatcher.AuthorizeRequest(IRequest request)
    at Microsoft.AspNet.SignalR.PersistentConnection.ProcessRequest(IDictionary`2 environment)
    at Microsoft.Owin.Mapping.MapMiddleware.d__0.MoveNext()
    — End of stack trace from previous location where exception was thrown —
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar)
    at System.Web.HttpApplication.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Base Exception
    Source Newtonsoft.Json
    Message Could not cast or convert from System.String to Microsoft.AspNet.SignalR.Hubs.HubDispatcher+ClientHubInfo.
    Stack Trace at Newtonsoft.Json.Utilities.ConvertUtils.EnsureTypeAssignable(Object value, Type initialType, Type targetType)
    at Newtonsoft.Json.Utilities.ConvertUtils.ConvertOrCast(Object initialValue, CultureInfo culture, Type targetType)
    at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.EnsureType(JsonReader reader, Object value, CultureInfo culture, JsonContract contract, Type targetType)
    Querystring Values
    -clientProtocol 1.5
    -connectionData ["{\"name\":\"homepagehub\"}>\"'> "]
    -_ 1450307725286


    Now I understand what's going on, but my question is: what is the best way to handle this error? How and where can I try, catch and handle these errors? It seems to me that SignalR should be handling invalid JSON request data in some graceful way, but maybe I'm wrong on this? Does anyone have any advice on how to resolve this issue?

    Wednesday, December 30, 2015 4:04 PM

All replies

  • User1950336107 posted

    Hi,

    Maybe this helps.

    I had an issue where my web server policy was bouncing back the negotiate request because of some characters in the connectionData param.

    Here is what I did to fix this.

    I changed my client code to remove the problem characters from the connectionData param while sending the negotiate request. On the server side I added an HttpModule and handled BeginRequest, where I rewrote the URL and added the required character back to the connectionData param.

    Wednesday, December 30, 2015 7:51 PM
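As an added example (not code from either poster), one way to handle the question above on the server side: an OWIN middleware registered before `MapSignalR()` that validates `connectionData` and answers malformed values with a 400 instead of letting `HubDispatcher.AuthorizeRequest` throw a 500. The `Startup` class name and SignalR 2.x on OWIN are assumptions; the expected shape of `connectionData` (a JSON array of objects with a `name` string) matches the negotiate URL in the question.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Owin;

// Hypothetical Startup class; your real one also maps hubs and auth.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Validator runs first so SignalR never sees a malformed value.
        app.Use<ConnectionDataValidationMiddleware>();
        app.MapSignalR();
    }
}

public class ConnectionDataValidationMiddleware : OwinMiddleware
{
    public ConnectionDataValidationMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        // Only SignalR requests carry connectionData; all others pass through untouched.
        string raw = context.Request.Query.Get("connectionData");
        if (raw != null && !IsValidConnectionData(raw))
        {
            context.Response.StatusCode = 400;
            context.Response.ContentType = "text/plain";
            await context.Response.WriteAsync("Invalid connectionData.");
            return; // short-circuit: no 500 from HubDispatcher, no stack trace leaked
        }
        await Next.Invoke(context);
    }

    // Accept only a JSON array whose elements are objects with a non-empty "name" string.
    // A bare quote (%27) fails to parse; the scanner's payload from the question parses
    // as an array containing a string, which fails the object check. Both yield 400.
    public static bool IsValidConnectionData(string raw)
    {
        try
        {
            JArray hubs = JArray.Parse(raw);
            return hubs.All(item =>
            {
                var obj = item as JObject;
                if (obj == null) return false;
                JToken name = obj.GetValue("name", StringComparison.OrdinalIgnoreCase);
                return name != null && name.Type == JTokenType.String
                       && !string.IsNullOrWhiteSpace((string)name);
            });
        }
        catch (JsonException)
        {
            return false;
        }
    }
}
```

Returning 400 here is the graceful behaviour the question asks for; the scanner sees a handled client error rather than an unhandled exception, and legitimate clients sending `[{"name":"homepagehub"}]` are unaffected.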