
Point 18.4 of the OWASP ASVS says

Verify that all input is limited to an appropriate size limit.

Currently I have an input limit of 50MB on all web services. (And it seems like this is the default in Microsoft Windows.) I imagine that such a high limit allows an easy denial-of-service attack, especially if multiple services can be attacked at the same time. Is this limit set too high? And how should one deal with services that require bigger requests?

floworbit

Comment: What is appropriate depends on your application - if you're allowing upload of large files for later access, 50MB might be too small. If you're only intending for data a user types in to be sent to the server, 50MB is probably too large. Depends on the application. – Matthew Jun 27 '17 at 09:24

1 Answer


This depends on what the webservice is doing.

I'd re-write this OWASP line to: "Verify that all input is limited to a size appropriate for the service".

So if you control the input you can set the size based on that. If the service is accepting something of varying size, for example images or files, then you'll have to pick a limit which you are happy with and which makes sense for the application. There's no point setting it at 1GB if the service is expecting images taken with a smartphone, for example.

GreatSeaSpider
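The per-service limit the answer recommends, as an added example that is not code from the question or the answer. The route table, the limits in it and the endpoint names are assumptions chosen to illustrate "a size appropriate for the service": a login form needs a few KB, an avatar upload needs roughly what a smartphone camera produces, and anything unlisted gets a small default. The body is bounded twice, once against the declared Content-Length so an oversized request is rejected before any of it is read, and once on the bytes actually read, because a chunked request carries no Content-Length at all.

```python
"""Per-endpoint request body limits (added example, stdlib only)."""
import io

# Hypothetical per-route limits in bytes (assumption, for illustration).
ROUTE_LIMITS = {
    "/api/login": 4 * 1024,            # JSON credentials
    "/api/profile": 64 * 1024,         # typed text fields
    "/api/avatar": 10 * 1024 * 1024,   # one smartphone photo
}
DEFAULT_LIMIT = 1024 * 1024            # anything not listed: 1 MB


class PayloadTooLarge(Exception):
    """Raise to answer with HTTP 413 before buffering the whole body."""


class BadRequest(Exception):
    """Raise to answer with HTTP 400 (malformed or truncated request)."""


def limit_for(path):
    """Limit for this endpoint; unknown paths get the small default."""
    return ROUTE_LIMITS.get(path, DEFAULT_LIMIT)


def read_body(path, headers, stream, chunk_size=64 * 1024):
    """Read a request body from a file-like stream, enforcing the route's limit."""
    limit = limit_for(path)
    declared = headers.get("Content-Length")
    if declared is not None:
        try:
            declared = int(declared)
        except ValueError:
            raise BadRequest("malformed Content-Length")
        if declared < 0:
            raise BadRequest("negative Content-Length")
        # Reject from the header alone: nothing has been buffered yet.
        if declared > limit:
            raise PayloadTooLarge(
                f"declared {declared} bytes, limit for {path} is {limit}")

    # With a header, read exactly that many bytes (already within the limit).
    # Without one (chunked/unframed body), read until EOF but stop one byte
    # past the limit: that is all that is needed to detect an overrun, and
    # it caps memory use at limit + 1 regardless of what the client sends.
    target = declared if declared is not None else limit + 1
    buf = bytearray()
    while len(buf) < target:
        chunk = stream.read(min(chunk_size, target - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
    if len(buf) > limit:
        raise PayloadTooLarge(f"body exceeds {limit} bytes for {path}")
    if declared is not None and len(buf) < declared:
        raise BadRequest("body truncated before Content-Length bytes")
    return bytes(buf)


def handle(path, headers, stream):
    """Return the HTTP status a minimal front controller would send."""
    try:
        read_body(path, headers, stream)
    except PayloadTooLarge:
        return 413
    except BadRequest:
        return 400
    return 200


def status_for(path, body, content_length=None):
    """Simulate one request from constructed bytes; content_length is the
    header value as a string, or None for a body sent without one."""
    headers = {} if content_length is None else {"Content-Length": content_length}
    return handle(path, headers, io.BytesIO(body))


if __name__ == "__main__":
    # Constructed requests: same 5000-byte body is fine for an avatar upload
    # but far too large for a login form, with or without a Content-Length.
    blob = b"x" * 5000
    print("avatar, 5000 B          ->", status_for("/api/avatar", blob, "5000"))
    print("login, 5000 B declared  ->", status_for("/api/login", blob, "5000"))
    print("login, 5000 B chunked   ->", status_for("/api/login", blob))
    print("login, truncated body   ->", status_for("/api/login", b"x" * 10, "30"))
```

Per-route limits like these belong at the edge (the front controller or reverse proxy) so the rejection happens before any application code allocates for the body; the global 50MB figure from the question then only needs to be as large as the single biggest legitimate upload, and every other endpoint sits far below it.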