Home
%3CLINGO-SUB%20id%3D%22lingo-sub-821538%22%20slang%3D%22en-US%22%3E400%20Error%20in%20ASP.NET%20Core%20Project%20because%20of%208%20KB%20cookie%20limit%20in%20Angular%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-821538%22%20slang%3D%22en-US%22%3E%3CP%3ERecently%2C%20I%20came%20across%20an%20interesting%20problem.%20Whenever%20we%20run%20my%20ASP.NET%20Core%20application%20in%20Development%20environment%2C%20I%20get%20the%20below%20exception.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EDetails%20about%20the%20setup%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20below%20template%20was%20used%3A%3C%2FP%3E%0A%3CP%3EAngular%20project%20template%20with%20ASP.NET%20core%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Faspnet%2Fcore%2Fclient-side%2Fspa%2Fangular%3Fview%3Daspnetcore-2.2%26amp%3Btabs%3Dvisual-studio%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Faspnet%2Fcore%2Fclient-side%2Fspa%2Fangular%3Fview%3Daspnetcore-2.2%26amp%3Btabs%3Dvisual-studio%3C%2FA%3Ealong%20with%20AAD%20integration.%3C%2FP%3E%0A%3CP%3EWhen%20we%20publish%20this%20application%20in%20Azure%20App%20Service%2C%20it%20works%20fine.%20%3CSTRONG%3EBut%20when%20we%20run%20the%20same%20application%20in%20Visual%20Studio%2C%20it%20fails%20with%20the%20below%20error%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F128364iC6303F7C8A05A569%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22CaptureError.JPG%22%20title%3D%22CaptureError.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CTABLE%20style%3D%22width%3A%2099.91%25%3B%20border-collapse%3A%20collapse%3B%22%20border%3D%221%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22623%22%20style%3D%22width%3A%2099.91%25%3B%22%3E%3CPRE%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3E%3CSTRONG%3EAn%20unhandled%20exception%20occurred%20while%20processing%20the%20request.%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EIOException%3A%20The%20server%20returned%20an%20invalid%20or%20unrecognized%20response.%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3ESystem.Net.Http.HttpConnection.FillAsync()%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EHttpRequestException%3A%20An%20error%20occurred%20while%20sending%20the%20request.%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3ESystem.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage%20request%2C%20CancellationToken%20cancellationToken)%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EHttpRequestException%3A%20Failed%20to%20proxy%20the%20request%20to%20http%3A%2F%2Flocalhost%3A54232%2F%2C%20because%20the%20request%20to%20the%20proxy%20target%20failed.%20Check%20that%20the%20proxy%20target%20server%20is%20running%20and%20accepting%20requests%20to%20http%3A%2F%2Flocalhost%3A54232%2F.%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EThe%20underlying%20exception%20message%20was%20'An%20error%20occurred%20while%20sending%20the%20request.'.Check%20the%20InnerException%20for%20more%20details.%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.SpaServices.Extensions.Proxy.SpaProxy.PerformProxyRequest(HttpContext%20context%2C%20HttpClient%20httpClient%2C%20Task%3CURI%3E%20baseUriTask%2C%20CancellationToken%20applicationStoppingToken%2C%20bool%20proxy404s)%3C%2FURI%3E%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3E%C2%B7%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Stack%26nbsp%3B%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3E%C2%B7%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Query%26nbsp%3B%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3E%C2%B7%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Cookies%26nbsp%3B%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3E%C2%B7%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Headers%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EIOException%3A%20The%20server%20returned%20an%20invalid%20or%20unrecognized%20response.%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20color%3D%22%23000000%22%3E%20%20%20%20%3CFONT%20size%3D%222%22%3ESystem.Net.Http.HttpConnection.FillAsync()%3C%2FFONT%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20color%3D%22%23000000%22%3E%20%20%20%20%3CFONT%20size%3D%222%22%3ESystem.Net.Http.HttpConnection.ReadNextResponseHeaderLineAsync(bool%20foldedHeadersAllowed)%3C%2FFONT%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20color%3D%22%23000000%22%3E%20%20%20%20%3CFONT%20size%3D%222%22%3ESystem.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage%20request%2C%20CancellationToken%20cancellationToken)%3C%2FFONT%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EShow%20raw%20exception%20details%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EHttpRequestException%3A%20An%20error%20occurred%20while%20sending%20the%20request.%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3ESystem.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage%20request%2C%20CancellationToken%20cancellationToken)%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3ESystem.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection%20connection%2C%20HttpRequestMessage%20request%2C%20bool%20doRequestAuth%2C%20CancellationToken%20cancellationToken)%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3ESystem.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage%20request%2C%20bool%20doRequestAuth%2C%20CancellationToken%20cancellationToken)%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3ESystem.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task%3CHTTPRESPONSEMESSAGE%3E%20sendTask%2C%20HttpRequestMessage%20request%2C%20CancellationTokenSource%20cts%2C%20bool%20disposeCts)%3C%2FHTTPRESPONSEMESSAGE%3E%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.SpaServices.Extensions.Proxy.SpaProxy.PerformProxyRequest(HttpContext%20context%2C%20HttpClient%20httpClient%2C%20Task%3CURI%3E%20baseUriTask%2C%20CancellationToken%20applicationStoppingToken%2C%20bool%20proxy404s)%3C%2FURI%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EShow%20raw%20exception%20details%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EHttpRequestException%3A%20Failed%20to%20proxy%20the%20request%20to%20http%3A%2F%2Flocalhost%3A54232%2F%2C%20because%20the%20request%20to%20the%20proxy%20target%20failed.%20Check%20that%20the%20proxy%20target%20server%20is%20running%20and%20accepting%20requests%20to%20http%3A%2F%2Flocalhost%3A54232%2F.%20The%20underlying%20exception%20message%20was%20'An%20error%20occurred%20while%20sending%20the%20request.'.Check%20the%20InnerException%20for%20more%20details.%3C%2FFONT%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.SpaServices.Extensions.Proxy.SpaProxy.PerformProxyRequest(HttpContext%20context%2C%20HttpClient%20httpClient%2C%20Task%3CURI%3E%20baseUriTask%2C%20CancellationToken%20applicationStoppingToken%2C%20bool%20proxy404s)%3C%2FURI%3E%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.Builder.SpaProxyingExtensions%2B%26lt%3B%26gt%3Bc__DisplayClass2_0%2B%26lt%3B%3CUSEPROXYTOSPADEVELOPMENTSERVER%3Eb__0%26gt%3Bd.MoveNext()%3C%2FUSEPROXYTOSPADEVELOPMENTSERVER%3E%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext%20httpContext)%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext%20context)%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext%20context)%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext%20context)%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EShow%20raw%20exception%20details%3C%2FFONT%3E%3C%2FPRE%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20took%20almost%20a%20whole%20day%20for%20me%20to%20narrow%20down%20the%20problem%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20AAD%20auth%20settings%20and%20configurations%20both%20in%20the%20azure%20portal%20as%20well%20as%20the%20app%20is%20correct.%3C%2FLI%3E%0A%3CLI%3EThe%20auth%20flow%20is%20same%20between%20the%20working%20and%20non-working%20scenarios.%3C%2FLI%3E%0A%3CLI%3EWe%20compared%20the%20headers%2C%20cookies%2C%20tokens%20etc.%20very%20closely%20between%20working%20and%20non-working%20cases%20and%20nothing%20is%20different.%3C%2FLI%3E%0A%3CLI%3EWe%20captured%20the%20log%20statement%20from%20the%20.net%20core%20and%20har%20file%20and%20cookie%20sent%20and%20received%20are%20all%20the%20same.%3C%2FLI%3E%0A%3CLI%3EThe%20concerning%20error%20was%20misleading%20%E2%80%9CThe%20server%20returned%20an%20invalid%20or%20unrecognized%20response.%E2%80%9D%2C%20digging%20further%20we%20identified%20it%20was%20actually%20a%20HTTP%20400%20error%20underneath.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSTRONG%3ESample%20log%20file%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CPRE%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EHost%3A%20localhost%3A44341%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EUser-Agent%3A%20Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F72.0.3626.121%20Safari%2F537.36%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3Eupgrade-insecure-requests%3A%201%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMS-ASPNETCORE-TOKEN%3A%20c34057dc-48b2-408b-ab2d-c4c768ebecc7%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EX-Forwarded-For%3A%20%5B%3A%3A1%5D%3A54863%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EX-Forwarded-Proto%3A%20https%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EX-P2P-PeerDist%3A%20Version%3D1.1%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EX-P2P-PeerDistEx%3A%20MinContentInformation%3D1.0%2C%20MaxContentInformation%3D2.0%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.Hosting.Internal.WebHost%3AInformation%3A%20Request%20starting%20HTTP%2F1.1%20GET%20%3CA%20href%3D%22http%3A%2F%2Flocalhost%3A44341%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Flocalhost%3A44341%2F%3C%2FA%3E%26nbsp%3B%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3ELoggingConnectionAdapter%3ADebug%3A%20WriteAsync%5B101%5D%2048%2054%2054%2050%202F%2031%202E%2031%2020%2034%2030%2030%2020%2042%2061%2064%2020%2052%2065%2071%2075%2065%2073%2074%200D%200A%2044%2061%2074%2065%203A%2020%2057%2065%2064%202C%2020%2030%2033%2020%2041%2070%2072%2020%2032%2030%2031%2039%2020%2031%2039%203A%2035%2030%203A%2032%2037%2020%2047%204D%2054%200D%200A%2053%2065%2072%2076%2065%2072%203A%2020%204B%2065%2073%2074%2072%2065%206C%200D%200A%2043%206F%206E%2074%2065%206E%2074%202D%204C%2065%206E%2067%2074%2068%203A%2020%2030%200D%200A%200D%200A%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EHTTP%2F1.1%20400%20Bad%20Request%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EDate%3A%20Wed%2C%2003%20Apr%202019%2019%3A50%3A27%20GMT%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EServer%3A%20Kestrel%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EContent-Length%3A%200%3C%2FFONT%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CFONT%20face%3D%22courier%20new%2Ccourier%22%20size%3D%222%22%20color%3D%22%23000000%22%3EMicrosoft.AspNetCore.Hosting.Internal.WebHost%3AInformation%3A%20Request%20finished%20in%201046.4958ms%20400%3C%2FFONT%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20actual%20issue%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWe%20identified%20that%2C%20in%20development%2C%20requests%20are%20proxied%20to%20the%20Angular%20development%20server%20that%20gets%20started%20as%20a%20background%20process%20which%20is%20a%20Node.JS%20server%20which%20has%20a%20header%20limit%20of%20~8kb.%20Hence%2C%20it%20is%20failing%20with%20400%20error.%3C%2FP%3E%0A%3CP%3ERefer%3A%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fnodejs.org%252Fen%252Fblog%252Fvulnerability%252Fnovember-2018-security-releases%252F%2523denial-of-service-with-large-http-headers-cve-2018-12121%26amp%3Bdata%3D02%257C01%257CPraveen.Manoharan%2540microsoft.com%257C8147c3964cac424bffb208d6bde05436%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C636905168554064322%26amp%3Bsdata%3DQUrc%252Beyy92%252FHxO898omar5ZzIeKpcjKHbufcDIT9mWg%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fnodejs.org%2Fen%2Fblog%2Fvulnerability%2Fnovember-2018-security-releases%2F%23denial-of-service-with-large-http-headers-cve-2018-12121%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ERecommendation%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESo%2C%20if%20you%20want%20to%20use%20AAD%20auth%20in%20development%20environment%20you%E2%80%99re%20going%20to%20need%20to%20slim%20down%20the%20cookie%2C%20likely%20by%20filtering%20out%20unneeded%20claims.%20There%E2%80%99re%20some%20related%20docs%20here%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%20Refer%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Faspnet%2Fcore%2Fsecurity%2Fauthentication%2Fsocial%2Fadditional-claims%3Fview%3Daspnetcore-2.2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Faspnet%2Fcore%2Fsecurity%2Fauthentication%2Fsocial%2Fadditional-claims%3Fview%3Daspnetcore-2.2%3C%2FA%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAlso%2C%20we%20can%20install%20latest%20Nodejs%20that%20supports%20increasing%20the%20header%20size.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%20Refer%3A%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2Fmaster%2Fdoc%2Fchangelogs%2FCHANGELOG_V10.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2Fmaster%2Fdoc%2Fchangelogs%2FCHANGELOG_V10.md%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%3A%3C%2FSTRONG%3EThis%20issue%20impacts%20any%20project%20template%20that%20uses%20the%20following.%3C%2FP%3E%0A%3CP%3EASP.NET%20core%20%2B%20Angular%20%2B%20AAD%20(OAuth)%3C%2FP%3E%0A%3CP%3EASP.NET%20core%20%2B%20React%20%2B%20AAD%20(OAuth)%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Recently, I came across an interesting problem. Whenever we run my ASP.NET Core application in Development environment, I get the below exception.

 

Details about the setup:

The below template was used:

Angular project template with ASP.NET core - https://docs.microsoft.com/en-us/aspnet/core/client-side/spa/angular?view=aspnetcore-2.2&tabs=visual... along with AAD integration.

When we publish this application in Azure App Service, it works fine. But when we run the same application in Visual Studio, it fails with the below error.

 

CaptureError.JPG

An unhandled exception occurred while processing the request.

IOException: The server returned an invalid or unrecognized response.
System.Net.Http.HttpConnection.FillAsync()

HttpRequestException: An error occurred while sending the request.
System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)

HttpRequestException: Failed to proxy the request to http://localhost:54232/, because the request to the proxy target failed. Check that the proxy target server is running and accepting requests to http://localhost:54232/.

The underlying exception message was 'An error occurred while sending the request.'.Check the InnerException for more details.
Microsoft.AspNetCore.SpaServices.Extensions.Proxy.SpaProxy.PerformProxyRequest(HttpContext context, HttpClient httpClient, Task<Uri> baseUriTask, CancellationToken applicationStoppingToken, bool proxy404s)

·      Stack 
·      Query 
·      Cookies 
·      Headers

IOException: The server returned an invalid or unrecognized response.
System.Net.Http.HttpConnection.FillAsync()
System.Net.Http.HttpConnection.ReadNextResponseHeaderLineAsync(bool foldedHeadersAllowed)
System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)

Show raw exception details

HttpRequestException: An error occurred while sending the request.
System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection connection, HttpRequestMessage request, bool doRequestAuth, CancellationToken cancellationToken)
System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, bool doRequestAuth, CancellationToken cancellationToken)
System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
Microsoft.AspNetCore.SpaServices.Extensions.Proxy.SpaProxy.PerformProxyRequest(HttpContext context, HttpClient httpClient, Task<Uri> baseUriTask, CancellationToken applicationStoppingToken, bool proxy404s)

Show raw exception details

HttpRequestException: Failed to proxy the request to http://localhost:54232/, because the request to the proxy target failed. Check that the proxy target server is running and accepting requests to http://localhost:54232/. The underlying exception message was 'An error occurred while sending the request.'.Check the InnerException for more details.
Microsoft.AspNetCore.SpaServices.Extensions.Proxy.SpaProxy.PerformProxyRequest(HttpContext context, HttpClient httpClient, Task<Uri> baseUriTask, CancellationToken applicationStoppingToken, bool proxy404s)
Microsoft.AspNetCore.Builder.SpaProxyingExtensions+<>c__DisplayClass2_0+<<UseProxyToSpaDevelopmentServer>b__0>d.MoveNext()
Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Show raw exception details

 

It took almost a whole day for me to narrow down the problem:

  • The AAD auth settings and configurations both in the azure portal as well as the app is correct.
  • The auth flow is same between the working and non-working scenarios.
  • We compared the headers, cookies, tokens etc. very closely between working and non-working cases and nothing is different.
  • We captured the log statement from the .net core and har file and cookie sent and received are all the same.
  • The concerning error was misleading “The server returned an invalid or unrecognized response.”, digging further we identified it was actually a HTTP 400 error underneath.

Sample log file:

Host: localhost:44341
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
upgrade-insecure-requests: 1
MS-ASPNETCORE-TOKEN: c34057dc-48b2-408b-ab2d-c4c768ebecc7
X-Forwarded-For: [::1]:54863
X-Forwarded-Proto: https
X-P2P-PeerDist: Version=1.1
X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0

Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:44341/ 
LoggingConnectionAdapter:Debug: WriteAsync[101] 48 54 54 50 2F 31 2E 31 20 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 0D 0A 44 61 74 65 3A 20 57 65 64 2C 20 30 33 20 41 70 72 20 32 30 31 39 20 31 39 3A 35 30 3A 32 37 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 4B 65 73 74 72 65 6C 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 0D 0A
HTTP/1.1 400 Bad Request
Date: Wed, 03 Apr 2019 19:50:27 GMT
Server: Kestrel
Content-Length: 0

Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request finished in 1046.4958ms 400

 

The actual issue:

We identified that, in development, requests are proxied to the Angular development server that gets started as a background process which is a Node.JS server which has a header limit of ~8kb. Hence, it is failing with 400 error.

Refer: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/#denial-of-service-with-lar...

 

Recommendation:

  • So, if you want to use AAD auth in development environment you’re going to need to slim down the cookie, likely by filtering out unneeded claims. There’re some related docs here:

         Refer: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims?view=a...

  • Also, we can install latest Nodejs that supports increasing the header size.

         Refer: https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V10.md

 

Note: This issue impacts any project template that uses the following.

ASP.NET core + Angular + AAD (OAuth)

ASP.NET core + React + AAD (OAuth)