We have to send a large packet to an ASP.Net web service through the URL. We cannot use POST for certain reasons, so we are URL encoding an XML package and we make a GET request to the service.
http://service.example.com/collect?content=AAAAAAAA...(+5000 characters)
The service responds with
Error 404 - File or directory not found.
I have read that there is no error code for max-content-length-exceeded so IIS sends back this 404 error. Knowing that, I have changed the configuration in the following way to allow large requests:
Changed query string length, max URL length, max request length and deactivated validation
<httpRuntime
requestValidationMode="2.0"
maxQueryStringLength="262144000"
maxUrlLength="262144000"
maxRequestLength="262144000" />
...
<pages validateRequest="false" />
...
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="262144000" />
</requestFiltering>
</security>
</system.webServer>
I still receive the same error. How do I make a request to my web service with an extremely large/long URL?
Update 1
I am not sending images. The content is something like:
<packet date="1243235246436">
<param type="1" id="45">
5
</param>
</packet>
without the new line characters and URL encoded.
Update 2
After setting the limits to a larger number in the IIS Request Filtering the 404 is now transformed to
HTTP Error 400. The size of the request headers is too long.
This is because the size of the headers is too large now. Tried to follow the instructions from this article by adding the MaxFieldLength and MaxRequestBytes registry entries, but I am still capped at 16k URL length.
What can I do to be able to send 1,000,000 long URLs? Is this even possible? What can I do to send at least 65k long URLs? This is the max length a header can have, but my settings are not taken into consideration.
The MSDN documentation of maxQueryStringLength also talks about IIS filtering in case of very long URLs. Have you checked this?
The property names mentioned there are a bit different: maxQueryString, maxUrl.
A GET request is only limited by a browser's limit on the length of the URL string.
In IE it is 2,083 characters, minus the number of characters in the actual path. Other browsers do not have a clearly defined limit on the length of the URL string. These articles might be helpful to you.
http://www.boutell.com/newfaq/misc/urllength.html
http://support.microsoft.com/kb/q208427
RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1," does not specify any requirement for URL length, so browsers are free to stipulate what they deem fit.
I'm currently applying security fixes for a vulnerability which was found by a third party software. This is the issue (Often Misused: HTTP Method Override vulnerability).
The request from the software was similar to:
POST /Home/ViewProfile HTTP/1.1
Referer: https://somesite.com/Home/ViewProfile?qrystr=blahblah
[...]
X-HTTP-METHOD: PUT
X-HTTP-Method-Override: PUT
X-METHOD-OVERRIDE: PUT
[...]
And the response was:
HTTP/1.1 200 OK
[...]
The web application is not a RESTful API, it's just an ASP.NET MVC site which only has GET and POST actions.
I have a few questions:
Is this a false positive given the type of app?
By default, does ASP.NET do anything with these headers X-HTTP-Method, X-HTTP-Method-Override, X-METHOD-OVERRIDE if not explicitly told to do so such as in this example?
Regarding the first linked issue above, what is the best way to go about achieving the recommended remediations if they're necessary/applicable based on my case:
"Ensure that only the required headers are allowed, and that the allowed headers are properly configured."
and
"Ensure that no workarounds are implemented to bypass security measures implemented by user-agents, frameworks, or web servers."
Another thing to note is I don't have access to modify IIS settings, but I can modify the Web.Config.
I had the same problem with a scan from my security team. What I did was limit the size of those request headers to zero (0) in the web.config. The server then returns an "HTTP Error 431.0 - Request Header Fields Too Large", effectively blocking the overrides.
<system.webServer>
...
<security>
<requestFiltering>
<requestLimits>
<headerLimits>
<add header="X-Http-Method-Override" sizeLimit="0" />
<add header="X-Method-Override" sizeLimit="0" />
<add header="X-HTTP-Method" sizeLimit="0" />
</headerLimits>
</requestLimits>
...
</requestFiltering>
</security>
...
</system.webServer>
However, I haven't checked yet if this effectively cancels the alert by the security scanner. I suspect it might still show, but I'm ready to report back as a false positive because the server is blocking all calls with those headers. I'll let you know as soon as I get a response from the security team.
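A way to confirm that a deployed web.config caps every override header variant named in this thread, as an added example that is not part of the original answer. The function name and both sample configs are constructed for illustration; the check follows `add`, `remove` and `clear` entries in document order and compares header names case-insensitively.

```python
import xml.etree.ElementTree as ET

# Header names from the scanner request and the answer's web.config above.
OVERRIDE_HEADERS = ("X-HTTP-Method", "X-HTTP-Method-Override", "X-Method-Override")
HEADER_LIMITS = "./system.webServer/security/requestFiltering/requestLimits/headerLimits"

def unblocked_override_headers(web_config_xml):
    """Return the override headers that are not capped at sizeLimit="0"."""
    root = ET.fromstring(web_config_xml)
    limits = {}  # lower-cased header name -> sizeLimit in bytes
    collection = root.find(HEADER_LIMITS)
    for entry in (collection if collection is not None else []):
        # HTTP header names are case-insensitive, so normalise before comparing.
        name = entry.get("header", "").strip().lower()
        if entry.tag == "add":
            limits[name] = int(entry.get("sizeLimit", "-1"))
        elif entry.tag == "remove":
            limits.pop(name, None)
        elif entry.tag == "clear":
            limits.clear()
    return [h for h in OVERRIDE_HEADERS if limits.get(h.lower()) != 0]

# Constructed sample: the answer's block with one header variant left out.
PARTIAL = """<configuration><system.webServer><security><requestFiltering>
  <requestLimits><headerLimits>
    <add header="X-Http-Method-Override" sizeLimit="0" />
    <add header="X-Method-Override" sizeLimit="0" />
  </headerLimits></requestLimits>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed sample: all three variants capped, as in the answer.
COMPLETE = PARTIAL.replace(
    "<headerLimits>", '<headerLimits><add header="X-HTTP-Method" sizeLimit="0" />')

if __name__ == "__main__":
    print("partial :", unblocked_override_headers(PARTIAL))
    print("complete:", unblocked_override_headers(COMPLETE))
```

An empty result means all three headers are capped in this file; it says nothing about limits inherited from a parent configuration.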
I am using .net 4.5. I set maximum request length and maxAllowedContentLength in config file as 100 mb. When I try to upload larger than 100 mb file (like 200mb to 1000mb) I am getting an error
The request filtering module is configured to deny a request that exceeds the request content length
This is a normal and expected error, but when I try to upload a file larger than 1 gb, I am getting the error "internet explorer cannot display page".
I think it is due to a timeout issue but I really can't figure out the actual reason for this error.
Thank you.
This has been asked about on StackOverflow many times. I'll continue the tradition :) For large uploads you need to set two parameters:
maxAllowedContentLength is measured in bytes, so make sure you've actually set it correctly. To allow 1GB uploads, it should be 134217728.
You also need to configure maxRequestLength as well as maxAllowedContentLength. Note though that it is measured in kilobytes, so it will be different.
For example:
<configuration>
<system.web>
<!-- maxRequestLength is measured in kilobytes -->
<httpRuntime maxRequestLength="1048576" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<!-- maxAllowedContentLength is measured in bytes -->
<requestLimits maxAllowedContentLength="1073741824" />
</requestFiltering>
</security>
</system.webServer>
</configuration>
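Because the two settings use different units, it helps to convert both to bytes and see which one rejects an upload first. The following is an added example, not code from the original answer; the function names and the generated web.config are constructed, and the defaults are the ones ASP.NET and IIS apply when an attribute is absent.

```python
import xml.etree.ElementTree as ET

# Values used when the attribute is absent: ASP.NET's maxRequestLength defaults
# to 4096 KB and IIS's maxAllowedContentLength to 30000000 bytes.
DEFAULT_MAX_REQUEST_LENGTH_KB = 4096
DEFAULT_MAX_ALLOWED_CONTENT_LENGTH = 30000000

def _attr(root, path, name, default):
    """Read an integer attribute, falling back to the platform default."""
    node = root.find(path)
    return int(node.get(name, default)) if node is not None else default

def upload_limits(web_config_xml):
    """Return both limits in bytes plus the one that rejects a request first."""
    root = ET.fromstring(web_config_xml)
    aspnet = 1024 * _attr(root, "./system.web/httpRuntime",
                          "maxRequestLength", DEFAULT_MAX_REQUEST_LENGTH_KB)
    iis = _attr(root, "./system.webServer/security/requestFiltering/requestLimits",
                "maxAllowedContentLength", DEFAULT_MAX_ALLOWED_CONTENT_LENGTH)
    return {"aspnet_bytes": aspnet, "iis_bytes": iis,
            "effective_bytes": min(aspnet, iis),
            "mismatch": aspnet != iis}

def config(max_request_length_kb, max_allowed_content_length):
    """Build a constructed web.config with the two attributes set."""
    return f"""<configuration>
  <system.web><httpRuntime maxRequestLength="{max_request_length_kb}" /></system.web>
  <system.webServer><security><requestFiltering>
    <requestLimits maxAllowedContentLength="{max_allowed_content_length}" />
  </requestFiltering></security></system.webServer>
</configuration>"""

if __name__ == "__main__":
    # Same number typed into both attributes: the KB-based limit ends up 1024x larger.
    print(upload_limits(config(104857600, 104857600)))
    # The values from the example config above: both limits are 1 GiB.
    print(upload_limits(config(1048576, 1073741824)))
```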
It's a little unclear, but what I think you're running into is IIS's normal behavior regarding exceptions: any issue with the request returns a 500 server error response.
In order to view exceptions you can either disable this behavior in the configuration file (MSDN Link), or transfer the file while logged into the server (connections from localhost bypass this behavior by default).
I have an application developed in ASP.NET MVC 4 (IIS 7 and Windows Server 2008) and it has an upload system.
The problem is that with large files I get a 413 HTTP error.
I am trying to set uploadaheadsize but can't find it anywhere.
Tried Roles and features and also in application pool. Could someone guide me through this config setting?
Thanks.
I found the solution.
Just added:
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="524288000"/>
</requestFiltering>
</security>
in my web.config!
Edit 1:
In addition, I found this useful information on www.iis.net:
The requestLimits element specifies limits on HTTP requests that are
processed by the Web server. These limits include the maximum size of
a request, the maximum URL length, and the maximum length for a query
string. In addition, the requestLimits element can contain a
collection of user-defined HTTP header limits in the headerLimits
element, which allows you to define custom settings on HTTP headers.
reference: http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits
What are the best practices that I can follow to increase the max length of the URL in IIS7/ASP.NET?
Please advise.
From this site: http://technet.microsoft.com/en-us/library/cc754791(v=ws.10).aspx
Use the command line: appcmd set config /section:requestfiltering /requestlimits.maxurl: unit
Here is explained how to use appcmd:
http://www.windowsnetworking.com/articles_tutorials/Configuring-IIS-7-command-line-Appcmdexe-Part1.html
You need to know where the AppCmd.exe command is located as it is not
in the default PATH. In order to run AppCmd.exe, you will either need
to change directory into %windir%\system32\inetsrv\ or add that
directory to your PATH variable. On my Windows 2008 server with a
default installation, AppCmd.exe was located in
C:\Windows\System32\inetsrv.
But be careful. If your request URL becomes really, really large, use a POST message to pass parameters.
Although the specification of the HTTP protocol does not specify any maximum length, the practical limit is 2,083 characters, with no more than 2,048 characters in the path portion of the URL. These are the restrictions currently enforced by Microsoft Internet Explorer, which is still used by a sizeable majority of all users. A reasonable upper limit on the length of URLs has always been imposed by major web browsers. When you wish to submit a form containing many fields, which would otherwise produce a very long URL, the standard solution is to use the POST method rather than the GET method:
<form action="myscript.php" method="POST">
...
</form>
The form fields are then transmitted as part of the HTTP transaction header, not as part of the URL.
You may be limited by the following setting in web.config:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<requestLimits>
</requestLimits>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Refer to:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits#005
I was getting 404 errors for some long URLs on a website I'm developing. After a bit of digging I discovered that this occurs when the length of certain aspects of the URL exceeds configurable limits in IIS7. In this case the maxQueryString attribute of the requestLimits property needed to be increased in the web.config:
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxQueryString="4096" maxAllowedContentLength="4096" maxUrl="8192" >
</requestLimits>
</requestFiltering>
</security>
</system.webServer>
This fixed the problem instantly on my development server but on the remote server I now get:
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
And that's all the information it gives me.
Change your Flash to send the data as POST, so it won't be appended to the URL. Here's some sample code. Also, you may need to change the server side to look for the data as POST instead of GET.
Are you sure your hoster/production-server is running Windows Server 2008 (or 2008 R2)?
The settings you are describing above are only valid for IIS 7+.
You should not use such long URLs. Among other reasons, at least one of the common toolbars (Bing, Yahoo, Google) will break them, producing just such errors. Users will blame you.
I know this because one of my users was having just such a problem with a legacy app. When I removed the toolbars (she had all three installed!), the problem went away.
A GET request is only limited by a browser's limit on the length of the URL string.
In IE it is 2,083 characters, minus the number of characters in the actual path. Other browsers do not have a clearly defined limit on the length of the URL string. These articles might be helpful to you.
http://www.boutell.com/newfaq/misc/urllength.html
http://support.microsoft.com/kb/q208427
RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1," does not specify any requirement for URL length, so browsers are free to stipulate what they deem fit.
Therefore you should use POST instead of GET if it fits within your requirements.