From 8dac0cf2e6f5c4497c61b3885f00d22cf0b12487 Mon Sep 17 00:00:00 2001
From: Vasiliy Khatuntsev
Date: Tue, 16 Feb 2016 23:12:00 +0300
Subject: [PATCH] Update HMACAuthenticationAttribute.cs
var serverClock = TimeSpan.FromTicks(DateTime.UtcNow.Ticks); var requestClock = TimeSpan.FromTicks(DateTime.UtcNow.AddSeconds(1).Ticks); var serverTime = Convert.ToUInt64(serverClock.TotalSeconds); var requestTime = Convert.ToUInt64(requestClock.TotalSeconds); Console.WriteLine(serverTime - requestTime);
---
.../Filters/HMACAuthenticationAttribute.cs | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/HMACAuthentication.WebApi/Filters/HMACAuthenticationAttribute.cs b/HMACAuthentication.WebApi/Filters/HMACAuthenticationAttribute.cs
index 18c6da3..272c054 100644
--- a/HMACAuthentication.WebApi/Filters/HMACAuthenticationAttribute.cs
+++ b/HMACAuthentication.WebApi/Filters/HMACAuthenticationAttribute.cs
@@ -151,7 +151,14 @@ private bool isReplayRequest(string nonce, string requestTimeStamp)
 var serverTotalSeconds = Convert.ToUInt64(currentTs.TotalSeconds);
 var requestTotalSeconds = Convert.ToUInt64(requestTimeStamp);
-
+
+ //here need additional check for requestTotalSeconds variable //for example if requestTotalSeconds more on one second(because request host has different time), //result of statement serverTotalSeconds - requestTotalSeconds //will be very big value and not negative as expected so all request will treated as reply attack and rejected //check code in comment for this file. //suggestion is - convert to signed integer, so even if request local time will be far away from server time it will be //still processed if ((serverTotalSeconds - requestTotalSeconds) > requestMaxAgeInSeconds) { return true;
@@ -199,4 +206,4 @@ public async Task ExecuteAsync(CancellationToken cancellati
 return response;
 }
 }
-}
\ No newline at end of file
+}
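Review bot: The comment added in isReplayRequest describes the defect but leaves it in place: both operands are ulong, so `serverTotalSeconds - requestTotalSeconds` wraps to a huge value whenever the client clock is even one second ahead and every such request is rejected as a replay, exactly what the snippet in the commit message demonstrates. The comment's suggestion to switch to a signed integer so that a far-away request time is "still processed" should not be taken literally: a timestamp far in the future makes the difference negative, passes the `> requestMaxAgeInSeconds` check, and leaves that signed request valid and replayable until the server clock catches up, so the age window has to be enforced in both directions. `Convert.ToUInt64(requestTimeStamp)` on the line above also throws FormatException or OverflowException on a malformed, attacker-controlled header value, which should be a plain rejection rather than an unhandled exception. A bounded, non-throwing version is sketched below; the cast on requestMaxAgeInSeconds assumes it is a numeric field declared elsewhere in the file, and isReplayRequest's body begins and ends outside this hunk, so the nonce handling before and after these lines is unchanged.

```csharp
long requestTotalSeconds;
// A header that is not a plain integer is rejected instead of throwing out of the filter.
if (!long.TryParse(requestTimeStamp, out requestTotalSeconds))
{
    return true;
}
var serverTotalSeconds = (long)currentTs.TotalSeconds;
// Signed skew, checked in both directions: a stale timestamp is a replay, and a
// future-dated one must not stay valid until the server clock reaches it.
var skewSeconds = serverTotalSeconds - requestTotalSeconds;
if (skewSeconds > (long)requestMaxAgeInSeconds || skewSeconds < -(long)requestMaxAgeInSeconds)
{
    return true;
}
// … unchanged: nonce cache check follows …
```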