Probable DDoS vulnerability #199

Open
AlbertoLeon opened this issue Apr 2, 2021 · 1 comment

@AlbertoLeon

When a negotiate endpoint expects UserId binding in headers, for example {headers.x-ms-signalr-userid}, but it is not present, the endpoint responds with a 500 InvalidOperationException instead of a BadRequest.

This could overload the server handling the error and logging the stack trace and all that stuff.
Apart from taking so much time to respond, which negatively impacts performance.

A proposed solution could be to respond BadRequest with the message "A required header is missing for binding purposes".
Then log it appropriately in Application Insights with the message:
An attempt missed the header x-ms-signalr-userid required in Binding UserId.
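
The behaviour proposed above can also be obtained in the function itself, shown here as an added example that is not code from the issue or from the extension. It assumes the in-process Azure Functions model and a hypothetical hub name `chat`, and it replaces the declarative `{headers.x-ms-signalr-userid}` expression with imperative binding through `IBinder`, so the header is checked before any binding takes place.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs.Extensions.SignalRService;
using Microsoft.Extensions.Logging;

public static class NegotiateFunction
{
    private const string UserIdHeader = "x-ms-signalr-userid";
    private const int MaxUserIdLength = 128; // assumed limit for this example

    [FunctionName("negotiate")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "post")] HttpRequest req,
        IBinder binder,
        ILogger log)
    {
        // Reject the request cheaply: no exception, no stack trace,
        // and a client error (400) instead of a server error (500).
        if (!req.Headers.TryGetValue(UserIdHeader, out var values)
            || values.Count != 1
            || string.IsNullOrWhiteSpace(values[0])
            || values[0].Length > MaxUserIdLength)
        {
            // Fixed message only; the caller-supplied value is never
            // written to the log, so it cannot forge log entries.
            log.LogWarning(
                "An attempt missed the header {Header} required in Binding UserId.",
                UserIdHeader);
            return new BadRequestObjectResult(
                "A required header is missing for binding purposes");
        }

        // The header is caller-supplied unless a trusted front end sets it;
        // this check only addresses the missing-header failure.
        var attribute = new SignalRConnectionInfoAttribute
        {
            HubName = "chat", // hypothetical hub name
            UserId = values[0]
        };

        // Imperative binding: the attribute carries a literal value, so
        // there is no binding expression left for the host to resolve.
        SignalRConnectionInfo info =
            await binder.BindAsync<SignalRConnectionInfo>(attribute);
        return new OkObjectResult(info);
    }
}
```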

@Y-Sindo
Member

Y-Sindo commented Apr 14, 2021

The resolution of {x-ms-signalr-userid} utilizes some code provided by https://github.com/Azure/azure-webjobs-sdk. Could you please open an issue in that project?
