Daily flurry of errors


Alex VanderWoude

Recently I moved our Passwordstate system to a new server, and upgraded it to build 9360 at the same time.  Everything seems to be working well, but I have noticed that every evening at about 8:05PM a bunch of error messages are written to the Error Console.  Typically there are 16 or 17 of them, and they all occur within the span of one minute.

The messages themselves are not very helpful.  They all look like this:

2021-11-08 8:06:21 PM,General Error,"Build No '9360' - Error Code = Object reference not set to an instance of an object., StackTrace =    at ComponentSpace.SAML2.Data.SessionIDDelegates.BrowserSupportsSameSiteNone(String userAgent)
   at ComponentSpace.SAML2.Data.SessionIDDelegates.AddSAMLCookie(HttpCookie httpCookie)
   at ComponentSpace.SAML2.Data.SessionIDDelegates.GetSessionIDFromSAMLCookie()
   at ComponentSpace.SAML2.Data.AbstractSSOSessionStore.CreateSessionIDForType(Type type)
   at ComponentSpace.SAML2.Data.InMemorySSOSessionStore.Load(Type type)
   at ComponentSpace.SAML2.SAMLController.LoadSAMLConfigurationState()
   at ComponentSpace.SAML2.InternalSAMLServiceProvider..ctor()
   at ComponentSpace.SAML2.SAMLServiceProvider.InitiateSSO(HttpResponse httpResponse, String relayState, String partnerIdP)
   at uRM=.XSg=.YCg=()",Error,

When I exported the Error Console information to a CSV file, I noticed that there were additional items (two per day) that looked like the following:

2021-11-08 8:06:20 PM,Session Ended,"Build No '' - It appears the user's session in IIS has been prematurely ended, causing the following error - A potentially dangerous Request.Path value was detected from the client (&)., StackTrace =    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)",Session Ended,

Note that these did not show up on the Error Console itself, only in the exported file.

It seems like there is some kind of scheduled event occurring at 8:05PM, but for the life of me I cannot find anything in the Administration tab.  Our daily backups take place at 1:00AM (although now that we're on Daylight Savings Time that occurs at midnight).  The AD Security Group sync takes place at about 12:31AM.  I cannot find any other scheduled item, but perhaps that is my inexperience showing.

There doesn't seem to be any kind of bad result from the above errors; Passwordstate appears to work just fine.  But the Error Console list of errors keeps growing, and I'd like to resolve that.  Does anyone know what might be going on here?

Hi Alex,

The first errors relate to SAML authentication, and there are no scheduled events for authentication like this. Do you know why there would be authentication attempts at this time?

The second error is also when accessing the UI - the user's session ended on the web server. Maybe check the auditing in Passwordstate to look at activity at that time, or your IIS logs.

Regards

Click Studios


Here's an update on this issue.  It has not yet been resolved, but I have a better idea of what is going on.

Since we are using SQL Server Express, we do not have auditing data available to us.  But your tip about looking in the IIS logs was very helpful; I found some good stuff in there.

It turns out that the SAML authentication errors correspond exactly with login calls coming from one of our Rapid7 scan engines.  Clearly something needs to be updated in our Rapid7 configuration, and we're working on that.  This wasn't seen before because we have been using SAML2 authentication only as of last week Thursday, when we cut over to the new server.

Another thing I spotted while reading the IIS logs is that one of my colleagues' laptops was issuing POST calls to Passwordstate like these:

  /api/browserextension/GetPasswordGenerators/

  /api/browserextension/GetIgnoredURLs/

  /api/browserextension/getpasswordlists/

  /api/browserextension/getwebsites/

Every single second it would issue eight calls, and this went on from about 9:20AM to 00:46AM the next morning!  So it looks like there's some sort of script or something running on that laptop?  My colleague says he has no idea what it might be; he's not even using Passwordstate to his knowledge.  We're going to be looking into that later today.  But if this sounds familiar to you, please let me know!

Well, I looked carefully in the IIS log files again, and now that I'm not hyperventilating I can see that the calls are indeed being done once per minute, not once per second.  I am rather shame-faced about my earlier assertion!  So it looks like the Browser Extension is doing a heartbeat/refresh sort of thing, and I suppose this is perfectly normal.  And since it is happening only once per minute (well, eight calls at the beginning of each minute), it's not exactly a DOS attack.

I will have to look into this browser extension and see what that's all about.  It makes me wonder why this is showing up on that one guy's machine, but nobody else's.  Presumably he's the only one who has it installed.

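The IIS log check described in the last two posts, as an added example that is not part of the thread and not Click Studios' code: it converts an Error Console timestamp to UTC to see which clients were active at that moment, and compares a client's busiest second with its busiest minute. The log lines, IP addresses, user agents, status codes and the UTC offset of -5 are constructed assumptions; only the `/api/browserextension/` paths and the error timestamp come from the thread.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed IIS W3C log: IPs, user agents, statuses and the "/" path are made
# up; the /api/browserextension/ paths are the ones quoted in the thread.
SAMPLE = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2021-11-08 14:20:01 POST /api/browserextension/GetPasswordGenerators/ 10.0.0.77 Mozilla/5.0 200
2021-11-08 14:20:01 POST /api/browserextension/GetIgnoredURLs/ 10.0.0.77 Mozilla/5.0 200
2021-11-08 14:20:01 POST /api/browserextension/getpasswordlists/ 10.0.0.77 Mozilla/5.0 200
2021-11-08 14:20:02 POST /api/browserextension/getwebsites/ 10.0.0.77 Mozilla/5.0 200
2021-11-08 14:21:01 POST /api/browserextension/GetIgnoredURLs/ 10.0.0.77 Mozilla/5.0 200
2021-11-09 01:06:20 GET / 10.0.0.50 ExampleScanner/1.0 200
2021-11-09 01:06:21 GET / 10.0.0.50 ExampleScanner/1.0 200
"""

def parse_w3c(text):
    """Return one dict per request, keyed by the names in the #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            # IIS writes W3C timestamps in UTC by default, not server local time.
            row["utc"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def clients_near(rows, local_time, utc_offset_hours, seconds=60):
    """Clients within +/- seconds of an Error Console local time (offset is an assumption)."""
    t = datetime.strptime(local_time, "%Y-%m-%d %I:%M:%S %p") - timedelta(hours=utc_offset_hours)
    return Counter((r["c-ip"], r["cs(User-Agent)"]) for r in rows
                   if abs((r["utc"] - t).total_seconds()) <= seconds)

def peak_rates(rows, prefix):
    """Per client: (busiest second, busiest minute) for paths under prefix."""
    per_sec, per_min = Counter(), Counter()
    for r in rows:
        if r["cs-uri-stem"].lower().startswith(prefix):
            per_sec[r["c-ip"], r["utc"]] += 1
            per_min[r["c-ip"], r["utc"].replace(second=0)] += 1
    return {ip: (max(n for (c, _), n in per_sec.items() if c == ip),
                 max(n for (c, _), n in per_min.items() if c == ip))
            for ip, _ in per_min}

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE)
    print(clients_near(rows, "2021-11-08 8:06:21 PM", -5), peak_rates(rows, "/api/browserextension/"))
```

A busiest-minute figure close to the busiest-second figure indicates a short burst once a minute; sustained per-second traffic would push the minute figure toward sixty times the second figure.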
