[owasp-antisamy] Guidance on setting the maxInputSize

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu Apr 19 16:57:18 UTC 2012


Yes, resource exhaustion was our concern. I would recommend maxing out
the value (2^31).

Arshan

From: owasp-antisamy-bounces at lists.owasp.org
[mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Jacob
Coulter
Sent: Thursday, April 19, 2012 12:53 PM
To: owasp-antisamy at lists.owasp.org
Subject: Re: [owasp-antisamy] Guidance on setting the maxInputSize

I'm using it to scan outgoing html to prevent attacks from in house and
also to catch a compromised database/server if bad data made it through
our request checks, etc.

This means that I'm scanning every page I send out so the maxInputLength
is limiting the total size of the page I can serve up.  In this
scenario, what is the risk I'm assuming by making this number large
enough to effectively disable?

Performance concerns?  Resource Concerns?  Some other attack?  

I'm not trying to prevent an internal DoS so if that is the only
purpose, I might be safe with a higher value. 

I just want to make an informed decision rather than guesswork.

Thanks,

  Jacob

On Thu, Apr 19, 2012 at 7:34 AM, Jason Li <jason.li at owasp.org> wrote:

AntiSamy was originally intended to validate rich-text from untrusted
users (think MySpace profiles or eBay auction pages) so the limit is
intended to prevent such users from DoS-ing your application by sending
huge amounts of HTML.

-Jason


On Apr 18, 2012, at 4:52 PM, Jacob Coulter <jacob.coulter at gmail.com>
wrote:

> Hi,
>
>   I'm new to the list and attempted to search the archives but I've
> not had much luck.
>
>   We have a site that renders back a large html page and it's failing
> because it exceeds the maxInputSize.  Before just changing this value, I
> thought I'd ask for guidance on the purpose of this value.
>
> Specifically, is there some type of known attack that results in an
> html string with an exceedingly large number of bytes that this is
> intended to prevent?
>
> If it's not intended to prevent an attack, is this limit due to
> concerns for resource utilization and performance?
>
> If neither, what is the intended purpose of this value?
>
> I'm trying to understand its original intent so I can understand what
> risks I'm taking when I make that value larger.
>
> Thanks,
>
>   ~ Jacob Coulter


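The thread above discusses the `maxInputSize` policy directive only in prose. The following Java program is an added example, not code from the thread or from the AntiSamy project, that shows how the limit is read from a policy, how an over-limit document is rejected (the scanner raises a `ScanException`), and how to measure real pages against the configured value so it can be set from data rather than guesswork. It assumes AntiSamy is on the classpath (`org.owasp.validator.html.*`) and that a policy file path is passed as the first argument; the class name `MaxInputSizeCheck` and the filler page are constructed for this example. One practical caveat it encodes: the directive is read as a Java `int`, so the largest value that parses is `Integer.MAX_VALUE` (2^31 - 1, i.e. 2147483647); a literal 2^31 does not fit and falls back to the default limit.

```java
// Added example (not from the thread or the AntiSamy project): load an AntiSamy
// policy, report the maxInputSize in effect, and show what exceeding it looks like.
// Assumptions: AntiSamy on the classpath; args[0] is a policy XML file; any further
// arguments are HTML files to measure against the limit.
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class MaxInputSizeCheck {

    /** Limit in effect: the directive if present and numeric, otherwise AntiSamy's default. */
    static int effectiveMaxInputSize(Policy policy) {
        String raw = policy.getDirective("maxInputSize");
        if (raw == null) {
            return Policy.DEFAULT_MAX_INPUT_SIZE;
        }
        try {
            // Parsed as a Java int: 2147483647 (2^31 - 1) is the largest value that
            // parses; "2147483648" (2^31) does not fit and silently yields the default.
            return Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            return Policy.DEFAULT_MAX_INPUT_SIZE;
        }
    }

    /** Scan one document; true if accepted, false if the scanner rejected it. */
    static boolean scanPage(AntiSamy antiSamy, Policy policy, String html) {
        try {
            CleanResults results = antiSamy.scan(html, policy);
            System.out.printf("accepted: %d chars in, %d chars out, %d policy errors, %.1f ms%n",
                    html.length(), results.getCleanHTML().length(),
                    results.getNumberOfErrors(), results.getScanTime() * 1000);
            return true;
        } catch (ScanException e) {
            // Input larger than maxInputSize is reported here, as are other scan failures.
            System.out.println("rejected: " + e.getMessage());
            return false;
        } catch (PolicyException e) {
            System.out.println("policy problem: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: MaxInputSizeCheck <policy.xml> [page.html ...]");
            System.exit(2);
        }
        Policy policy = Policy.getInstance(new File(args[0]));
        int limit = effectiveMaxInputSize(policy);
        System.out.println("maxInputSize in effect: " + limit);

        AntiSamy antiSamy = new AntiSamy();

        // Constructed input: harmless paragraphs just over the limit, to show the
        // rejection path. Skipped when the limit is so large that building the
        // filler would itself exhaust memory, which is the resource-exhaustion
        // concern the limit exists for.
        if (limit <= 10_000_000) {
            StringBuilder big = new StringBuilder(limit + 64);
            while (big.length() <= limit) {
                big.append("<p>filler</p>");
            }
            scanPage(antiSamy, policy, big.toString());
        } else {
            System.out.println("limit too large to demonstrate the rejection path safely");
        }

        // Real pages, if given: report each one's size relative to the limit so the
        // value can be chosen from measured page sizes rather than guesswork.
        for (int i = 1; i < args.length; i++) {
            String html = new String(Files.readAllBytes(Paths.get(args[i])), StandardCharsets.UTF_8);
            System.out.printf("%s: %d chars (%.0f%% of limit)%n",
                    args[i], html.length(), 100.0 * html.length() / limit);
            scanPage(antiSamy, policy, html);
        }
    }
}
```

Run it as `java -cp antisamy.jar:. MaxInputSizeCheck antisamy.xml page1.html page2.html`. For the outbound-page use case described in the thread, the percentage column gives the actual headroom the current limit leaves, which is a better basis for raising it than disabling the check outright.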