Rejecting requests with a significant content length is a good practice to control network traffic intensity, and thus resource consumption, in order to prevent DoS attacks.
Ask Yourself Whether
- size limits are not defined for the different resources of the web application.
- the web application is not protected by rate limiting features.
- the web application infrastructure has limited resources.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- For most of the features of an application, it is recommended to limit the size of requests to:
  - 8 MB or less for file uploads.
  - 2 MB or less for other requests.
It is recommended to customize the rule with the limit values that correspond to the web application.
Sensitive Code Example
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [HttpPost]
    [DisableRequestSizeLimit] // Sensitive: No size limit
    [RequestSizeLimit(10000000)] // Sensitive: 10MB is more than the recommended limit of 8MB
    public IActionResult PostRequest(Model model)
    {
        // ...
    }

    [HttpPost]
    [RequestFormLimits(MultipartBodyLengthLimit = 10000000)] // Sensitive: 10MB is more than the recommended limit of 8MB
    public IActionResult MultipartFormRequest(Model model)
    {
        // ...
    }
}
In Web.config:
<configuration>
    <system.web>
        <httpRuntime maxRequestLength="81920" executionTimeout="3600" />
        <!-- Sensitive: maxRequestLength is expressed in KB, so 81920KB = 80MB -->
    </system.web>
    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="83886080" />
                <!-- Sensitive: maxAllowedContentLength is expressed in bytes, so 83886080B = 80MB -->
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>
Compliant Solution
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [HttpPost]
    [RequestSizeLimit(8000000)] // Compliant: 8MB
    public IActionResult PostRequest(Model model)
    {
        // ...
    }

    [HttpPost]
    [RequestFormLimits(MultipartBodyLengthLimit = 8000000)] // Compliant: 8MB
    public IActionResult MultipartFormRequest(Model model)
    {
        // ...
    }
}
In Web.config:
<configuration>
    <system.web>
        <httpRuntime maxRequestLength="8192" executionTimeout="3600" />
        <!-- Compliant: maxRequestLength is expressed in KB, so 8192KB = 8MB -->
    </system.web>
    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="8388608" />
                <!-- Compliant: maxAllowedContentLength is expressed in bytes, so 8388608B = 8MB -->
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>
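As an added example (not part of the rule page), the recommended limits applied as application-wide defaults in ASP.NET Core, so that an action which forgets to declare a limit is still covered, with the 8 MB upload bound granted only to the upload action. UploadController and the 2 MB / 8 MB values are assumptions taken from the recommendations above; the attributes are the same ones the rule checks.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Application-wide default (assumed value): 2 MB for ordinary requests.
// Kestrel rejects larger bodies with 413 Payload Too Large before any
// controller code runs, so the limit does not depend on every action
// remembering to declare one.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.Limits.MaxRequestBodySize = 2_000_000;
});

// Application-wide default for multipart form bodies: 8 MB.
builder.Services.Configure<FormOptions>(form =>
{
    form.MultipartBodyLengthLimit = 8_000_000;
});

builder.Services.AddControllers();

var app = builder.Build();
app.MapControllers();
app.Run();

// Only the upload action raises the per-request limit to the 8 MB upload
// bound; every other action keeps the 2 MB Kestrel default.
[ApiController]
[Route("api/[controller]")]
public class UploadController : ControllerBase
{
    [HttpPost]
    [RequestSizeLimit(8_000_000)] // Compliant: 8 MB
    [RequestFormLimits(MultipartBodyLengthLimit = 8_000_000)]
    public IActionResult Upload(IFormFile file)
    {
        if (file == null || file.Length == 0)
        {
            return BadRequest("Empty upload.");
        }
        return Ok(new { file.FileName, file.Length });
    }
}
```

A request above the active limit never reaches the action body: the host answers 413 as soon as the declared or streamed length exceeds it, which is the behaviour the rule is asking for.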