Security of a SignalR hub method.

fordicuso 41 Reputation points
2022-03-30T00:26:08.11+00:00

A client can interact with a server using hub methods in SignalR.

Hub methods have their own specifications: the name of the method and the arguments for the method.

At a glance, that means an abusive client can do nothing to the server if it does not know the specification of hub methods.

Q1. Is my argument correct?

Let's assume an abusive client has figured out the name of a hub method. Then it can attempt to call an existing hub method even though the arguments aren't correct.

Q2. What is the response at the server-side when the name of the hub method is correct but the arguments do not follow the specification?

Q3. I wanted to monitor such potentially abusive access to enhance security. Is there a way that I can detect such access?

My idea, to enhance security by monitoring the access modality of hub methods, assumes that the name of a hub method (the string that the client called) and the arguments (fed when invoking the method) can never be corrupted during transmission.

Q4. Can there be a case where a hub method is actually invoked at the server-side but the delivered arguments unintentionally mismatch the specification of the method due to a packet loss, etc?

Q5. Is there a generally suggested way to deal with a potential security breach using SignalR?

Thanks a lot.


2 answers

  1. Yijing Sun-MSFT 7,071 Reputation points
    2022-03-30T08:40:12.24+00:00

    Hi @fordicuso ,

    Q1. Let's assume an abusive client has figured out the name of a hub method. Then it can attempt to call an existing hub method even though the arguments aren't correct.

    It will check if it has the same method name and the arguments for the method.

    Q2. What is the response at the server-side when the name of the hub method is correct but the arguments do not follow the specification?

    It will return the error message: Microsoft.AspNetCore.SignalR.HubException: Failed to invoke 'SendMessage' due to an error on the server.

    Q3. I wanted to monitor such potentially abusive access to enhance security. Is there a way that I can detect such access?

    Each client connecting to the hub is passed a unique connection ID. You can use the OnConnected, OnDisconnected and OnReconnected methods of the Hub class to track user connection status.

    Q4. Can there be a case where a hub method is actually invoked at the server-side but the delivered arguments unintentionally mismatch the specification of the method due to a packet loss, etc?

    It's impossible.

    Q5. Is there a generally suggested way to deal with a potential security breach using SignalR?

    If you want to restrict access to it you need to authenticate users and authorize their actions. You authenticate using standard web auth methods (forms auth, cookies, Windows auth, etc.) and you can authorize in code using SignalR constructs (like the Authorize attribute you point out) or with your own code.

    Best regards,
    Yijing Sun



  2. Bruce (SqlWork.com) 56,931 Reputation points
    2022-03-30T15:54:11.86+00:00

    Just like any web protocol, signal/r is an open api to your application. Any diligent user could reverse engineer the api, via client code, network sniffer, etc.

    Your application code should verify that the user calling the api has permission to perform the actions they are requesting, and has access to read/write any data they send. That is, like any website, you should assume a program other than yours is calling the api. Don't count on client validation, and don't send any data to the client the user is not allowed to view. Don't let the user change any data they are not allowed to change.

    Also be sure to use a secure transport (ssl).

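The following is an added example (not code from the question or either answer) that puts both answers together for ASP.NET Core SignalR: a hub that requires authentication, validates and authorizes its arguments on the server, logs connections with their connection ID, and a hub filter that records invocations rejected by that validation. `ChatHub`, `AuditHubFilter`, `SendMessage`, the `ReceiveMessage` client event and the `member` role are assumed names for this illustration; note that an invocation whose arguments fail to bind (the Q2 case) is rejected by the server before the hub method or any filter runs, so those failures show up only in the server's own logs.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;
using Microsoft.Extensions.Logging;

// Hypothetical hub: [Authorize] rejects unauthenticated connections and invocations.
[Authorize]
public class ChatHub : Hub
{
    private readonly ILogger<ChatHub> _logger;
    public ChatHub(ILogger<ChatHub> logger) => _logger = logger;
    // Validate and authorize on the server; the client's own checks cannot be trusted.
    public async Task SendMessage(string room, string message)
    {
        if (string.IsNullOrWhiteSpace(room) || room.Length > 64)
            throw new HubException("Invalid room.");        // HubException text is sent to the caller
        if (message is null || message.Length > 2000)
            throw new HubException("Invalid message.");
        if (Context.User?.IsInRole("member") != true)       // "member" is a hypothetical role
            throw new HubException("Not permitted.");
        await Clients.Group(room).SendAsync("ReceiveMessage", Context.UserIdentifier, message);
    }

    // Connection events tie the connection ID to an identity for later correlation.
    public override Task OnConnectedAsync()
    {
        _logger.LogInformation("Connected {Conn} as {User}", Context.ConnectionId, Context.UserIdentifier);
        return base.OnConnectedAsync();
    }
}

// Hub filter (ASP.NET Core SignalR 5.0+): wraps every invocation whose arguments bound,
// so validation failures thrown above are logged with the caller's connection and identity.
public class AuditHubFilter : IHubFilter
{
    private readonly ILogger<AuditHubFilter> _logger;
    public AuditHubFilter(ILogger<AuditHubFilter> logger) => _logger = logger;
    public async ValueTask<object?> InvokeMethodAsync(
        HubInvocationContext ctx, Func<HubInvocationContext, ValueTask<object?>> next)
    {
        try { return await next(ctx); }
        catch (HubException ex)
        {
            _logger.LogWarning("Rejected {Method} from {Conn}/{User}: {Err}", ctx.HubMethodName,
                ctx.Context.ConnectionId, ctx.Context.UserIdentifier, ex.Message);
            throw;
        }
    }
}
```

Register the filter with `builder.Services.AddSignalR(o => o.AddFilter<AuditHubFilter>());` and serve the hub over HTTPS, as the second answer advises.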