Rejecting requests with significant content length is a good practice to control the network traffic intensity and thus resource consumption in order to prevents DoS attacks.

Ask Yourself Whether

• size limits are not defined for the different resources of the web application.
• the web application is not protected by rate limiting features.
• the web application infrastructure has limited resources.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

• For most of the features of an application, it is recommended to limit the size of requests to:
  • lower or equal to 8mb for file uploads.
  • lower or equal to 2mb for other requests.

It is recommended to customize the rule with the limit values that correspond to the web application.

Sensitive Code Example

Imports Microsoft.AspNetCore.Mvc

Public Class MyController
    Inherits Controller

    <HttpPost>
    <DisableRequestSizeLimit> ' Sensitive: No size  limit
    <RequestSizeLimit(10000000)> ' Sensitive: 10MB is more than the recommended limit of 8MB
    Public Function PostRequest(Model model) As IActionResult
    ' ...
    End Function

    <HttpPost>
    <RequestFormLimits(MultipartBodyLengthLimit = 8000000)> ' Sensitive: 10MB is more than the recommended limit of 8MB
    Public Function MultipartFormRequest(Model model) As IActionResult
    ' ...
    End Function

End Class

Compliant Solution

Imports Microsoft.AspNetCore.Mvc

Public Class MyController
    Inherits Controller

    <HttpPost>
    <RequestSizeLimit(8000000)> ' Compliant: 8MB
    Public Function PostRequest(Model model) As IActionResult
    ' ...
    End Function

    <HttpPost>
    <RequestFormLimits(MultipartBodyLengthLimit = 8000000)> ' Compliant: 8MB
    Public Function MultipartFormRequest(Model model) AS IActionResult
    ' ...
    End Function

End Class

See

• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• Owasp Cheat Sheet - Owasp Denial of Service Cheat Sheet
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• MITRE, CWE-770 - Allocation of Resources Without Limits or Throttling
• MITRE, CWE-400 - Uncontrolled Resource Consumption