[owasp-antisamy] Guidance on setting the maxInputSize

Jacob Coulter jacob.coulter at gmail.com
Thu Apr 19 16:52:54 UTC 2012


I'm using it to scan outgoing html to prevent attacks from in house and
also to catch a compromised database/server if bad data made it through our
request checks, etc.

This means that I'm scanning every page I send out so the maxInputLength is
limiting the total size of the page I can serve up.  In this scenario, what
is the risk I'm assuming by making this number large enough to effectively
disable?

Performance concerns? Resource concerns? Some other attack?

I'm not trying to prevent an internal DoS so if that is the only purpose, I
might be safe with a higher value.

I just want to make an informed decision rather than guesswork.

Thanks,

  Jacob


On Thu, Apr 19, 2012 at 7:34 AM, Jason Li <jason.li at owasp.org> wrote:

> AntiSamy was originally intended to validate rich-text from untrusted
> users (think MySpace profiles or eBay auction pages) so the limit is
> intended to prevent such users from DoS-ing your application by sending
> huge amounts of HTML.
>
> -Jason
>
> On Apr 18, 2012, at 4:52 PM, Jacob Coulter <jacob.coulter at gmail.com>
> wrote:
>
> > Hi,
> >
> >   I'm new to the list and attempted to search the archives but I've not
> > had much luck.
> >
> >   We have a site that renders back a large html page and it's failing
> > because it exceeds the maxInputSize.  Before just changing this value, I
> > thought I'd ask for guidance on the purpose of this value.
> >
> > Specifically, is there some type of known attack that results in an html
> > string with an exceedingly large number of bytes that this is intended to
> > prevent?
> >
> > If it's not intended to prevent an attack, is this limit due to concerns
> > for resource utilization and performance?
> >
> > If neither, what is the intended purpose of this value?
> >
> > I'm trying to understand its original intent so I can understand what
> > risks I'm taking when I make that value larger.
> >
> > Thanks,
> >
> >   ~ Jacob Coulter
>
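Added example, not code from this thread or from the AntiSamy project: it shows where the limit Jason describes lives (the `maxInputSize` directive in the policy XML) and one way to keep that limit strict for untrusted request input while scanning whole outgoing pages, as Jacob does, under a second policy that differs only in its `maxInputSize`. The policy file names, the class name and the page-size value are assumptions.

```java
// Added example (assumed file names and values, not the project's own code).
// antisamy-inbound.xml keeps the stock limit; antisamy-outbound.xml carries the same
// tag/attribute rules but raises the directive to the largest legitimate page, e.g.:
//   <directives>
//     <directive name="maxInputSize" value="2000000"/>  <!-- assumed page-sized value -->
//     ...
//   </directives>
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

import java.io.InputStream;
import java.util.logging.Logger;

public final class DualPolicyScanner {
    private static final Logger LOG = Logger.getLogger(DualPolicyScanner.class.getName());
    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy inboundPolicy;   // small maxInputSize: the DoS limit for untrusted users
    private final Policy outboundPolicy;  // same rules, maxInputSize sized to a full rendered page

    public DualPolicyScanner(InputStream inboundXml, InputStream outboundXml) throws PolicyException {
        this.inboundPolicy = Policy.getInstance(inboundXml);
        this.outboundPolicy = Policy.getInstance(outboundXml);
    }

    /** Untrusted rich text from a request: an oversize body is rejected with a ScanException. */
    public String cleanUserInput(String html) throws ScanException, PolicyException {
        return antiSamy.scan(html, inboundPolicy).getCleanHTML();
    }

    /**
     * A rendered page on its way out. A rule firing here means markup reached the page
     * that the request-side checks never allowed (bad data in the database, or a gap in
     * those checks), so it is logged as a signal rather than only cleaned.
     */
    public String checkOutgoingPage(String pageName, String html) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(html, outboundPolicy);
        if (results.getNumberOfErrors() > 0) {
            LOG.warning("AntiSamy altered outgoing page " + pageName + ": " + results.getErrorMessages());
        }
        // Scan time is the cost of the larger limit; watch it rather than guessing at it.
        LOG.fine("scan of " + pageName + " took " + results.getScanTime() + " s");
        return results.getCleanHTML();
    }
}
```

Because the outbound policy's `maxInputSize` is still a finite number chosen from the largest page the site legitimately serves, a page far beyond that size still fails closed instead of being scanned unbounded.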