Best Windows Hosting

Monday, 16 April 2012

Hash Collision Attacks in .NET

Posted on 08:53 by Unknown
Hash collision attacks attempt to populate a hash-table within a server application with large numbers of items whose keys resolve to the same hash code.  These key collisions can significantly slow down operations on the hash-table, and with enough elements can cause a server to spend minutes (or even hours) processing them.  This can block a web server from processing requests from other users, and cause a denial of service (meaning the web site becomes unresponsive or slow).
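To make the slowdown concrete, the following added example (not code from the original post, and not the .NET Hashtable implementation) models a generic separate-chaining hash table and counts key comparisons. The names `spread_hash`, `colliding_hash`, `ChainedTable` and `insert_cost` are hypothetical, and `colliding_hash` simply models the end state where every key resolves to the same hash code.

```python
import hashlib


def spread_hash(key: str) -> int:
    """Well-distributed hash: keys land in many different buckets."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def colliding_hash(key: str) -> int:
    """Models the collision end state: every key resolves to one hash code."""
    return 0


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, buckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1  # every entry already in the chain is checked
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def insert_cost(hash_fn, n: int) -> int:
    """Insert n distinct constructed field names; return comparisons made."""
    table = ChainedTable(hash_fn)
    for i in range(n):
        table.put(f"field{i}", "x")
    return table.comparisons


if __name__ == "__main__":
    # Doubling the key count roughly quadruples the work when all keys collide.
    for n in (1000, 2000, 4000):
        print(n, insert_cost(spread_hash, n), insert_cost(colliding_hash, n))
```

With colliding keys the cost is n(n-1)/2 comparisons, so it grows quadratically, which is why capping the number of keys per request bounds the damage.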

How did Microsoft fix this?

Microsoft released a security update (MS11-100) on Dec 29, 2011. The update limits the number of individual form fields to 1000 per HTTP POST, so an ASP.NET web form accepts at most 1000 items. While this is not the only limit imposed, it is the one that some applications are hitting. If you exceed this value, an exception is thrown that looks like the one below:

System.Web.HttpException: The URL-encoded form data is not valid. ---> System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()
   at System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)
   at System.Web.HttpRequest.FillInFormCollection()
   --- End of inner exception stack trace ---
   at System.Web.HttpRequest.FillInFormCollection()
   at System.Web.HttpRequest.get_Form()

The key here is ThrowIfMaxHttpCollectionKeysExceeded. If that is in your stack trace, you know that you have exceeded the limit the patch imposes. The limit is configurable, so if you do have scenarios where you need to post more than 1000 fields, you can increase it. To keep this exception from being thrown, set aspnet:MaxHttpCollectionKeys in the web.config of your application to a value that is as high as the highest count of keys you need to allow:

<appSettings>
  <add key="aspnet:MaxHttpCollectionKeys" value="some number here"/>
</appSettings>
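Before raising the limit, it helps to measure how many fields your largest legitimate form actually posts. The following is an added example, not code from the original post: it reads the setting from a constructed web.config and checks a constructed form body against it. The function names are hypothetical, the value 2500 is an arbitrary illustration, and counting distinct field names is an assumed approximation of how ASP.NET counts keys.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

DEFAULT_LIMIT = 1000  # per-POST field limit the post attributes to MS11-100
SETTING = "aspnet:MaxHttpCollectionKeys"

# Constructed sample web.config; 2500 is an arbitrary illustrative value.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="aspnet:MaxHttpCollectionKeys" value="2500"/>
  </appSettings>
</configuration>"""


def configured_limit(config_xml: str) -> int:
    """Return the limit set in appSettings, or the default when it is absent."""
    root = ET.fromstring(config_xml)
    for add in root.findall("appSettings/add"):
        if add.get("key") == SETTING:
            return int(add.get("value"))  # raises ValueError on a non-number
    return DEFAULT_LIMIT


def count_form_keys(body: str) -> int:
    """Count distinct field names in a URL-encoded form body (assumption:
    this approximates the key count ASP.NET compares against the limit)."""
    return len({name for name, _ in parse_qsl(body, keep_blank_values=True)})


def check_form(body: str, limit: int) -> str:
    """Report whether a body with this many keys would exceed the limit."""
    return "rejected" if count_form_keys(body) > limit else "accepted"


# Constructed sample: a large but legitimate form with 1200 fields.
SAMPLE_BODY = "&".join(f"item{i}=x" for i in range(1200))

if __name__ == "__main__":
    limit = configured_limit(SAMPLE_CONFIG)
    print("configured limit:", limit)
    print("keys in sample form:", count_form_keys(SAMPLE_BODY))
    print("default limit:", check_form(SAMPLE_BODY, DEFAULT_LIMIT))
    print("configured limit:", check_form(SAMPLE_BODY, limit))
```

Keeping the configured value close to the measured maximum preserves most of the protection the patch provides, since the worst-case cost of a request grows with the number of keys it is allowed to carry.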