Ashish Shukla
Reputation: 1294
Signalr poll request manipulated from POST to GET vulnerability
In my web application i am using signalR. SignalR connection is using the longpolling transport, which is making the POST request to the server and passing parameters in the query string.
Now i scanned my application using the IBM app scan tool. The test manipulated /signalr/poll request's Method from POST to GET and executed the manipulated required on the server. Server responded same in case of both GET and POST verbs for same request. So tool reported this request vulnerable because responses are identical.
So how can i restrict on the signalR HUB server to accept this request only using POST method?
Below is the requets:
Original Request
Manipulated request
Upvotes: 3
Views: 710
Answers (0)
Related Questions
- SignalR Client returns HTTP error 400 Bad request when websocket is used
- SignalR version compatability (StatusCode: 405 'Method Not Allowed')
- Signalr hosted on Azure gives 405 Method Not Allowed
- SignalR Core: invalid negotiation response received in a .Net app
- signalr client 400 bad request
- SignalR Core 1.0 intermittently changes the case of http method for non signalR POST, need fix (AKA Random 404 Errors)
- Signalr - Can't read query strings on server
- Where are these poll requests from SignalR coming from?
- SignalR causing bad request 400 seen on the server
- SignalR Issues with multiple requests