I use SignalR for my ASP.NET application with the longPolling protocol. I see that the client sends the \signalr\pool request to the server with the messageId form data: d-B1017AFE-SC,B8|bW,0|bs,1|bx,2. I'm looking for documents which describe the d-B1017AFE-SC,B8|bW,0|bs,1|bx,2 format but have not found any yet. Please help me to understand it. The image below was captured from Chrome Dev Tools and shows what I described.
My customer uses Azure WAF to protect the site. The Azure WAF report shows that the above request belongs to the Command Injection risk because the messageId contains |bw, |bs, |bx that match the |ps rule in Azure WAF. So I need to understand the messageId content to explain it to my customer and ask them to customize the rule to ignore the request.
Below is the WAF description in the report:
[{'riskGroup':'','match':'Vector Score: 5, Group Threshold: 4, Triggered Rules: 950006, Mitigated Rules: , Last Matched Message: System Command Injection','threshold':'4','type':'riskscore','version':'1','score':0,'atomics':[{'score':5,'riskGroup':'CMD-INJECTION-ANOMALY','match':'|ps','ruleName':'System Command Injection','selector':'ARGS:messageId','ruleId':'950006','version':'7'}],'actionId':'alert','ruleName':'CMD-INJECTION-ANOMALY','action':'Alert','selector':'','ruleId':'CMD-INJECTION-ANOMALY','category':'Command Injection'}]
This looks right. The messageId tells the server what was the last message the client received. It looks something like this: d-3104A0A8-H,0%7CL,0%7CM,2%7CK,0 and Chrome is translating %7C to |. This document explains the SignalR protocol very well.
Internally, it looks to be based on the deserialized response.
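
An added example, not part of the question or the answers and not SignalR's own code: a strict parser for the messageId shape seen in the two samples above, usable to check that a value flagged by the WAF is a well-formed cursor before scoping an exclusion for ARGS:messageId. The field layout (d-, an id, then key,value pairs separated by |) and the hexadecimal reading of the values are assumptions inferred from those two samples.

```python
import re
from urllib.parse import unquote

# Shape inferred from the two messageId samples on this page (an assumption,
# not a published SignalR specification):
#   d-<hex id>-<key>,<hex value>|<key>,<hex value>|...
PAIR = r"[A-Za-z0-9]{1,8},[0-9A-Fa-f]{1,16}"
CURSOR_RE = re.compile(
    r"d-(?P<id>[0-9A-Fa-f]{1,16})-(?P<pairs>" + PAIR + r"(?:\|" + PAIR + r")*)"
)


def parse_message_id(raw):
    """Return (id, [(key, value), ...]) for a well-formed messageId, else None.

    Accepts both the percent-encoded form (%7C) and the decoded form (|).
    """
    value = unquote(raw)  # decode once; a double-encoded value stays rejected
    m = CURSOR_RE.fullmatch(value)
    if m is None:
        return None
    pairs = []
    for item in m.group("pairs").split("|"):
        key, hexval = item.split(",")
        pairs.append((key, int(hexval, 16)))
    return m.group("id"), pairs


def pipe_tokens(raw):
    """List the '|xx' substrings that a substring-style command-injection
    signature (such as the '|ps' match in the report) would see."""
    return re.findall(r"\|[A-Za-z0-9]{2}", unquote(raw))


if __name__ == "__main__":
    samples = [
        "d-B1017AFE-SC,B8|bW,0|bs,1|bx,2",    # from the question
        "d-3104A0A8-H,0%7CL,0%7CM,2%7CK,0",   # from the answer
        "d-B1017AFE-SC,B8|ps",                # constructed: pipe token without key,value
    ]
    for s in samples:
        print(s, "->", parse_message_id(s), pipe_tokens(s))
```

A value that parses cleanly contains only alphanumeric keys and hexadecimal values between the pipes, so nothing beyond the cursor pairs is present in it.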