Potential Denial of Service Attack WebMethod EnableSession=true

From: Ash (N_teract_at_hotmail.com)
Date: 09/11/03


Date: Thu, 11 Sep 2003 14:27:47 +0200


Hi all,
    I would really appreciate some help with this one. I think
I may have found quite a major bug in the way ASP.net sessions and
webservices work together.

I have created a simple webservice:

[WebMethod (EnableSession=true)]
public string HelloWorld(string test)
{
    return test + " HALLO";
}

and am testing it using an HTTP post:

<html>
      <form target="_blank"
            action='http://localhost/testit/(zssdm245ejxorw55pf0pxhjk)/test.asmx/HelloWorld'
            method="POST">
           <input class="frmInput" type="text" size="50" name="test">
           <input type="submit" value="Invoke" class="button">
      </form>
</html>

doing so I get a fatal Internal Server Error 500... completely dead :(
Setting:

EnableSession=False

everything works fine...
removing the parameter to the webmethod again everything works fine...

in my web.config file I have sessions set up to use cookieless methodology

if I change it to use cookies then everything works fine...

Seems like a major bug to me. Has anyone got any suggestions or come across a
fix for this?? My guess is that the sessions filter is doing some kind of
server.transfer or response.redirect and losing its state and not failing
gracefully.

Many thanks in advance

Best Regards

Ashley Rajaratnam

