Deserialization Vulnerability with connectionData querystring RRS feed

  • Question

  • User-42310511 posted


    Modifying the connectionData parameter of the HTTP request to Dash as shown in the following URL: http://ourdomain.com/signalr/connect?transport=webSockets&connectionToken= QTljTm4xMC9Ia2thRUdOeTdPdXRhMkppMnZvVldL&connectionData=%20999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999%20 causes the server to return an error message which includes the following statement, “System.ArgumentException: Could not cast or convert from System.Numerics.BigInteger to System.Collections.Generic.IEnumerable”

    This is because the server deserialized the object before validating it.

    Is there any fix for this?



    Wednesday, September 14, 2016 7:00 AM

All replies

  • User36583972 posted

    Hi harinadhch,

    As far as I know, we can call the .start method using JS in client, It will send a  request url like this: http://ourdomain.com/signalr/connect?transport=webSockets&connectionToken= QTljTm4xMC9Ia2thRUdOeTdPdXRhMkppMnZvVldL. I did not find the connectionData parameter.

    So, can you explain a few questions in the below. This will help us better understand Analysis.

    1: When and where you send the HTTP request.

    2: Why you modify the connectionData parameter. What you want to achieve?

    Best Regards,

    Yohann Lu

    Friday, September 16, 2016 9:43 AM
  • User-42310511 posted

    HI Yohann Lu,

    Thank you for the reply. I have found the connectionData parameter in addConnectionData() of jquery.signalR-2.1.0.min.js file.

    This is an issue raised by security audit team who did security audit of our app.



    Friday, September 16, 2016 10:34 AM