Best Windows Hosting

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 16 April 2012

Hash Collision Attacks in .NET

Posted on 08:53 by Unknown
Hash collision attacks attempt to populate a hash-table within a server application with large numbers of items whose keys resolve to the same hash code.  These key collisions can significantly slow down operations on the hash-table, and with enough elements can cause a server to spend minutes (or even hours) processing them.  This can block a web server from processing requests from other users, and cause a denial of service (meaning the web site becomes unresponsive or slow).

How Microsoft cured this?

Microsoft launched an update patch (MS11-100) on Dec 29, 2011. This patch limits the number of individual form fields to be 1000 per HTTP post. Internet applications using ASP.NET had this update that set a limit of 1000 items to be accepted by a web form. While this is not the only limit imposed, it is the one that some applications are hitting.  If you exceed this value, an exception is thrown that looks like the one below:

System.Web.HttpException:
The URL-encoded form data is not valid. ---> System.InvalidOperationException: Operation is not valid due to the
current state of the object.
   at System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()
   at System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)
   at System.Web.HttpRequest.FillInFormCollection()
   --- End of inner exception stack trace ---
   at System.Web.HttpRequest.FillInFormCollection()
   at System.Web.HttpRequest.get_Form()

The key here is ThrowIfMaxHttpCollectionKeysExceeded.  If that is in your stack trace, you know that you have exceeded the value the patch imposes. To keep this exception from being thrown, you need to change the value of aspnet:MaxHttpCollectionKeys in the web.config of your application to a value that is as high as the highest allowed count of keys in your hash table. This limit is configurable, though, and so if you do have scenarios where you need to post more than 1000 fields you can increase it. 

<appSettings>
  <add key="aspnet:MaxHttpCollectionKeys" value="some number here"/>
</appSettings>
Email ThisBlogThis!Share to XShare to Facebook
Posted in DOTNET | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Online Marketing Degrees
    Because global competition has become so intense, it should come as no surprise that companies invest heavily in their marketing and promoti...
  • Protecting E-mail Addresses on Webpages: Beware of using mailto protocol
    Placing an e-mail address on a Web page is a dangerous prospect nowadays. If the document on which the address appears generates even a medi...
  • Silver Bullets for Testing
    Know Our Application Don’t start testing without understanding the requirements. If we test without knowledge of the requirements, we will n...
  • Preloading Images: A trick to overcome delays in image-rich webpages loading
    One of the things that can really slow down the display of Web pages is an abundance of images, each one of which can contain the equivalent...
  • Unix Commands which should be on tips of each developer
    General Commands: 1. date: shows date and time 2. history: lists the previously executed commands 3. man ls: shows online documentation by...
  • Online Music Degrees
    For those who want to pursue a music degree but find it difficult to do so because of time constraints, financial difficulties or physical l...
  • Client Side State Management in ASP.NET
    State Management in done on client side as well as on server side in ASP.NET. In this article, we will just focus on clinet side state manag...
  • Frameset, Frame and IFrame Elements in HTML
    Frame Element With frames, you can display more than one HTML document in the same browser window. Each HTML document is called a frame, and...
  • 5 E-mail Etiquette You Must Know
    From memos and letters to answering machines, voice mail and now email, the last one is here to stay. Studies show that nearly two million e...
  • Cautions while dropping a tablespace
    DROP TABLESPACE drops the tablespace from database. But, there are few things which you should take care while firing this statement. 1. DRO...

Categories

  • AJAX
  • C++
  • CSS
  • Delphi
  • DOTNET
  • HTML
  • Javascript
  • jQuery
  • Management
  • Online Degrees
  • Oracle
  • Others
  • Phonegap
  • PHP
  • Unix
  • XML

Blog Archive

  • ▼  2012 (155)
    • ►  September (64)
    • ►  August (11)
    • ►  July (4)
    • ►  June (3)
    • ►  May (25)
    • ▼  April (48)
      • DOM Events: Mouse Events, Keyboard Events, Form Ev...
      • What is DOM (Document Object Model): Tree and Node...
      • DocType: Strict, Transitional and Frameset
      • How the ASP.NET authentication process works?
      • Response.Redirect vs Server.Transfer: What to use ...
      • GET vs POST: Which one is better? A 10 point compa...
      • HTTP vs HTTPS: Similarities and Differences
      • How IIS processes ASP.NET request?
      • AutoEventWireup in ASP.NET: Why my ASP.NET events ...
      • Web Farms in ASP.NET: Advantages and Issues
      • Cautions while dropping a tablespace
      • 12 Point Comparision between FTP and HTTP Protocol...
      • Dataset, Dataview, Datatable and common operations...
      • Client Side State Management in ASP.NET
      • Difference between page_init, page_load and page_p...
      • Database FLASHBACK mode: Overview
      • Database ARCHIVELOG mode: Overview
      • Hash Collision Attacks in .NET
      • ADO.NET: A quick revision
      • What is SQL Injection?
      • What is ASP.NET AJAX?
      • What is DLL HELL?
      • DIV vs TABLE tag: Which one to use?
      • Exception Handling in ASP.NET
      • Business Intelligence (BI): Data Warehouse, Data M...
      • UDDI: Universal Description, Discovery and Integra...
      • Web Services: Exposing and Consuming
      • Web Service Description Language
      • Simple Object Access Protocol
      • Caching in ASP.NET
      • Partial Classes in ASP.NET
      • Difference between DLL and EXE Files
      • What is an ASP.NET User Control?
      • Page Directive in ASP.NET
      • DOTNET Framework: CLR, CTS and CLS
      • What is Tethering and Hotspot?
      • Preventing Caching in AJAX URLs
      • What is web.config file? What is the significance ...
      • HTML vs XHTML vs DHTML
      • AJAX - A quick revision
      • Web Server vs Application Server vs Database Server
      • Difference Between ASP.NET Server Controls and HTM...
      • web.config vs app.config vs machine.config
      • Assemblies in .NET Framework
      • Silver Bullets for Testing
      • Unix Commands which should be on tips of each deve...
      • Basics of IBM Websphere MQ (Part 1)
      • What is Garbage Collector? How and when does it run?
Powered by Blogger.

About Me

Unknown
View my complete profile