locked
Deserialization Vulnerability with connectionData querystring RRS feed

  • Question

  • User-42310511 posted

    Hi,

    Modifying the connectionData parameter of the HTTP request to Dash as shown in the following URL: http://ourdomain.com/signalr/connect?transport=webSockets&connectionToken= QTljTm4xMC9Ia2thRUdOeTdPdXRhMkppMnZvVldL&connectionData=%20999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999%20 causes the server to return an error message which includes the following statement, “System.ArgumentException: Could not cast or convert from System.Numerics.BigInteger to System.Collections.Generic.IEnumerable”

    This is because the server deserialized the object before validating it.

    Is there any fix for this?

    Thanks

    Hari

    Wednesday, September 14, 2016 7:00 AM

All replies

  • User36583972 posted

    Hi harinadhch,

    As far as I know, we can call the .start method using JS in client, It will send a  request url like this: http://ourdomain.com/signalr/connect?transport=webSockets&connectionToken= QTljTm4xMC9Ia2thRUdOeTdPdXRhMkppMnZvVldL. I did not find the connectionData parameter.

    So, can you explain a few questions in the below. This will help us better understand Analysis.

    1: When and where you send the HTTP request.

    2: Why you modify the connectionData parameter. What you want to achieve?

    Best Regards,

    Yohann Lu

    Friday, September 16, 2016 9:43 AM
  • User-42310511 posted

    HI Yohann Lu,

    Thank you for the reply. I have found the connectionData parameter in addConnectionData() of jquery.signalR-2.1.0.min.js file.

    This is an issue raised by security audit team who did security audit of our app.

    Thanks

    Hari

    Friday, September 16, 2016 10:34 AM