How to encrypt values sent in DispatchBrowserEvent in blazor Server Side - signalr

Recently we deployed a Blazor application to one of our clients. When their internal team did a WARP test, we got a finding "ClearText transmission of Sensitive Information". When we analyzed it we found that the Blazor heartbeat is sending values typed in every input field to the server via "DispatchBrowserEvent". Given below is a screenshot of the same.
[Screenshot: DispatchBrowserEvent]
I need a solution to either
Encrypt the value being sent in the DispatchBrowserEvent or
To stop the transmission of the values until it's manually posted.

Blazor Server uses SignalR as the communication mechanism so data is sent back and forth to the server. It should be on an encrypted channel using SSL/TLS, so I assume your site has SSL enabled?
Login credentials have to be sent from the browser to the server in a POST to validate them. This is the same for all web applications. You just have to ensure that the requests are done over SSL so that only the client and the server can read them. This is not a security issue if this is the case.
Secondly, the preferred mechanism SignalR/Blazor-Server uses is WebSockets. If your app was using a WebSocket connection you would not see the traffic you are seeing - this is because SignalR will fall back down to alternative methods if WebSockets are not available.
You should check your server to see if WebSockets is enabled - I suspect that is the cause.
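The check suggested in the answer above can be run against a capture of the browser's traffic. The following is an added example, not code from the original posts: it classifies which SignalR transport a Blazor Server circuit ended up on and flags hub requests sent without TLS. The capture entries and their field names are constructed, `/_blazor` is assumed to be the hub path, and the classification rules are an assumption about how each transport appears in a network-panel export.

```javascript
// Constructed samples, reduced to the fields a browser network-panel export
// (HAR) would give. Host name and connection id are placeholders.
const fallbackCapture = [
  { method: "POST", url: "http://app.example.test/_blazor/negotiate?negotiateVersion=1", status: 200 },
  { method: "GET", url: "http://app.example.test/_blazor?id=abc", status: 200 },
  { method: "POST", url: "http://app.example.test/_blazor?id=abc", status: 200 },
  { method: "GET", url: "http://app.example.test/_blazor?id=abc", status: 200 },
];
const websocketCapture = [
  { method: "POST", url: "https://app.example.test/_blazor/negotiate?negotiateVersion=1", status: 200 },
  { method: "GET", url: "wss://app.example.test/_blazor?id=abc", status: 101 },
];

// Classify the transport a SignalR hub connection ended up on and flag
// hub requests that were not protected by TLS.
function auditHubTraffic(entries, hubPath = "/_blazor") {
  const parsed = entries.map((e) => ({ ...e, u: new URL(e.url) }));
  // Requests to the hub endpoint itself (negotiate lives under hubPath + "/negotiate").
  const hub = parsed.filter((e) => e.u.pathname === hubPath);
  let transport = "none";
  if (hub.some((e) => e.status === 101)) {
    transport = "WebSockets"; // HTTP 101 = upgrade accepted
  } else if (hub.some((e) => (e.contentType || "").startsWith("text/event-stream"))) {
    transport = "ServerSentEvents";
  } else if (hub.length > 0) {
    transport = "LongPolling"; // plain GET polls plus one POST per client message
  }
  const cleartext = parsed
    .filter((e) => e.u.pathname.startsWith(hubPath))
    .filter((e) => e.u.protocol === "http:" || e.u.protocol === "ws:")
    .map((e) => e.url);
  const findings = [];
  if (transport !== "WebSockets" && transport !== "none") {
    findings.push(`fallback transport ${transport}: check that WebSockets is enabled on the server and every proxy in front of it`);
  }
  if (cleartext.length > 0) {
    findings.push(`${cleartext.length} hub request(s) sent without TLS`);
  }
  return { transport, cleartext, findings };
}

console.log(auditHubTraffic(fallbackCapture));
console.log(auditHubTraffic(websocketCapture));
```

A capture that shows a fallback transport over https is still encrypted in transit; the transport finding only explains why each input event shows up as its own HTTP request.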

Related

SignalR OnConnected firing on different server to the one which it's actually connected

I'm using SignalR and a web farm in IIS, currently with 3 servers and requests are load balanced via ARR.
There are certain external events that happen which I want to be processed by the server to which the client is connected. So I want to track which of the 3 servers the client is currently connected.
I thought that I could do this using OnConnected and within that method store the MachineName against the ConnectionID in redis.
The problem is that OnConnected seems to get called on a different server to the one that the client is connected to.
Upon investigating, it seems that there are three calls: one to /negotiate, one to /connect and one to /start. The /connect seems to be the websocket connection that is kept up for the duration; the others are just transient.
These three connections can happen on different servers, and it seems that the websocket connection can be to server A (so that's the server that the client's SignalR connection is going to), but the OnConnected gets fired on server B.
I was wondering if I'm overlooking something that will let me see which server the SignalR connection is actually connected to?
Thanks,
Will
If you are going to use a web farm, then you need to implement a backplane to track all of the messaging.
https://learn.microsoft.com/en-us/aspnet/signalr/overview/performance/scaleout-in-signalr
Without a proper backplane implementation it's impossible to do what you want to do.
I believe that is something you would have to save. Assuming you are using a database for mapping users, you could have an additional field such as "LoggedInOn" and store the server host name or other identifier.
However, other than some aspect of troubleshooting you are looking to do, proper send/receive of messages should cross the backplane to all servers. This way no matter which server they are connected to, messages are received.
If you have external events as you say, once they complete and a message is ready to be sent back to a client, the backplane should push that to all servers.
If that's not happening I would review the docs as Kelso Sharp stated.

implementing an MQTT server capable of serving a website too

Short question: How can I host an MQTT server on my remote Ubuntu 16 server while at the same time hosting an HTTP server that will be using the MQTT data?
True question: I want to build an IoT system that will be MONITORED and CONTROLLED by ESP32, which will SEND FEEDBACK and ACCEPT COMMANDS respectively from a remote server (maybe LAMP?). I also want the user to log in to a website hosted on this remote server, where s/he can monitor any sensor values or send commands (e.g. turning an LED on or off).
So what's the way to go here?
I was advised to go with MQTT but then the above problem arose.
What I've found: I've found that using Mosquitto MQTT, I may be able to serve a website using websockets. But I prefer a more scalable HTTPS approach. That is, I intend to have a database linked with my site and running my PHP scripts.
I'm not that experienced, so please don't take anything for granted :)
MQTT uses a TCP connection and follows a publish/subscribe API model, whereas the web (HTTP) follows a RESTful API model (create, read, update, delete). If you want to stick with MQTT then you should use a SaaS service like enterprise MQTT from HIVE, which provides this integrability but will charge some fees and, in return, they will provide you with an account and a dashboard for all your devices. Otherwise, you can try to make your own middleware which can integrate MQTT with web services.
Another thing I would recommend is CoAP which is also an M2M protocol but follows Restful API model and UDP connection. It has direct forward proxy to convert coap packets to https packets and vice versa.
In MQTT you have a central server(Broker) to which the nodes send their data and fetch their required data through topic filters.
In CoAP each device having some data to share becomes a server and the other device interested in its data becomes a client and sends a GET request to the respective server to get its data. Similarly a PUT request along with a payload from a client would update the value at the server.
You really should not be looking to combine the MQTT broker with an HTTP server, especially if you intend the HTTP server to actually be an application server (running back end logic, e.g. PHP). These are 2 totally separate systems. There is nothing to stop your application logic connecting to the broker as a client.
If you intend to use MQTT over WebSockets you can use something like nginx to proxy the WebSockets connection to the broker so it can sit behind the same logical HTTP/HTTPS address.

How to use a client websocket to connect to a remote websocket windows server

Help needed please
What is the best WebSocket client library for a .NET 4.5 web application hosted on Windows 2008 servers to connect to a remote server web socket?
The scenario is: our web application will use a web socket to connect to a server WebSocket on a third party infrastructure. Our client WebSocket will connect and send some commands and read the responses where we can identify the information needed. So there is no interaction from the user or browser; it's just in the code, e.g. user clicks a button and we go and get some data, and give a message dependent on the response.
So for example our client will connect to the third party socket and pass the user's car registration number and send a tell me the car details and the server socket will return the data like: make, model, year etc... so we can then display that to the user.
Has anyone used this library with some good success? http://www.nuget.org/packages/WebSocket4Net
I'm hoping someone here can provide the best approach for doing this with some tried and tested solutions. I have been thinking about a web API that handles all the socket stuff in our client so i can call it and let it handle the close connection etc.

How to handle SignalR implementation under LoadBalancer Environment

I am fairly new to SignalR concepts. I have a scenario where load balancing is in place with two servers. The situation is that the client request is taken by the load balancer, which redirects it to one of the servers based on the load. After redirection the connection from client to the server is lost. The important thing here is that client requests are for different purposes, i.e. they call different methods on the hub. The server continues processing the request further and during this time, if it detects any status change, it has to push the notification back to the clients. However at this point, the server won't know which client it has to respond to, as the load balancer doesn't store any information about this once the connection is lost from client to server. How to handle this kind of scenario? Should I be manually storing session id and other details in a table?
I have gone through the scaleout options suggested for load balancing using backplane by the signalr team(Azure service bus, Redis and SQL Server). However my scenario is little different. Any help will be appreciated.

Chat Application in ASP.NET

I've to write an Ajax chat web application in ASP.NET for a friend, and I've a question: if client1 sends a message to client2, how should the application send the message to client2? Is there a better way than sending requests to the server, "asking" if there are new messages? Is it possible to directly send the message to the client?
The best thing you can do is use a persistent HTTP connection, the way Google does with Google Talk on their Gmail website.
Remember that HTTP is a stateless protocol and that each transaction is made from the client to the server.
The server can use sessions to determine if this client is "known" but as for sending information back to the client using plain old HTTP I think that is impossible (I mean from a server initiated connection, not a response to the client)
You would need to use JavaScript to poll the server for information.
If you want it the other way around, you could possibly use Java or Flash but then you also need to think about NAT tunneling, proxy servers and any other weird setups that the clients could be using.
No. I don't think the server can send message to client's browser.
Here is how I implement chat application:
client1 post message via Ajax to server
server save it to repository (I'm using singleton object for this case)
client2 get the message from repository
mark the message as read
I will save chat logs to database once the chat session closed or expired.
