I have an ASP.Net 3.5 platform and windows 2003 server with all the updates.
There is a limit with .Net that it cannot handle more than 260 characters. Moreover if you look it up on web, you will find that IE 6 fails to work if it is not patched at above 100 charcters.
I want to have the rewrite path module to be supported on maximum number of browsers, so I am looking for an acceptable limit to which I can create verbose URL's.
A Url is path + querystring, and the linked article only talks about limiting the path. Therefore, if you're using asp.net, don't exceed a path of 260 characters. Less than 260 will always work, and asp.net has no troubles with long querystrings.
http://somewhere.com/directory/filename.aspx?id=1234
^^^^^^^- querystring
^^^^^^^^^^^^^^^^^^^^^^^^ -------- path
Typically the issue is with the browser. Long ago I did tests and recall that many browsers support 4k url's, except for IE which limits it to 2083, so for all practical purposes, limit it to 2083. I don't know if IE7 and 8 have the limitation, but if you're going to broad compatibility, you need to go for the lowest common denominator.
There is no length limit specified by the W3C, but look here for practical limits
http://www.boutell.com/newfaq/misc/urllength.html
pick your own limit from that.
The default limit in IIS is 16,384 characters
But IE doesn't support more than 2083
More info at link
This article gives the limits imposed by various browsers. It seems that IE limits the URL to 2083 chars, so you should probably stay under that if any of your users are on IE.
Define "optimum" for your application.
The HTTP standard has a limit (it depends on your application):
The HTTP protocol does not place any
a priori limit on the length of a URI.
Servers MUST be able to handle the URI
of any resource they serve, and SHOULD
be able to handle URIs of unbounded
length if they provide GET-based forms
that could generate such URIs. A
server SHOULD return 414 (Request-URI
Too Long) status if a URI is longer
than the server can handle (see
section 10.4.15).
Note: Servers ought to be cautious about depending on URI
lengths above 255 bytes, because some older client or proxy
implementations might not properly support these lengths.
So the question is - what is the limit of your program, or what is the maximum resource identifier size your program needs to perform all its functionality?
Your program should have a natural limit.
If it doesn't you might as well stick it as 16k, as you don't have enough information to define the problem.
-Adam
Short ;-)
The problem is that every web server and every browser has own ideas how long the maximum is. The RFC for the HTTP protocol gives no maximum length. IE limits the get to 2083 characters, the path itself may be at most 2,048 characters. However, this limit is not universal. Firefox claims to support at least up to 65,536, however some people verified that on some platforms even 100,000 characters work. Safari is above 80,000 (tested). Apache server on the other hand has a limit of 4,000. Microsofts Internet Information Server has one being 16,384 (but it is configurable).
My recommendation is to stay below 2'000 characters in any case. This is not guaranteed to work with every browser in the world (especially not older ones), but it will work with all modern browsers. Further I recommend to use POST wherever possible (e.g. avoid using GET for FORM submits - if some users want to simulate a FORM submit via GET, make sure your application supports the desired parameters either via POST or via GET, but when you submit the page yourself via a button or JS, prefer POST over GET).
I think the RFC says 4096 chars but IE truncates down to 2083 characters. Stay well under that to be safe.
Practically, shorter URLs are friendlier.
More information is needed but for normal situations I would say try to keep it under 150 for sure. If for nothing else than pure ascetics, I hate when someone sends me a GI-NORMOUS link...
Are you passing values through the query string? I assume that is why you asked, correct?
What is "optimum" anyway?
GET requests can be several kB in length, so this is entirely subjective.
I'd say - stay within the address bar length of a maximized 1024x768 window to be user friendly.
If you're trying to get people to remember the URL, I wouldn't go more than 60. Use words if possible, because it's easier to remember "www.example.com/this-is-the-url" than "www.example.com/179264". If you're trying to get the page indexed, you could probably go more. The spiders look for words in the title too, and some people may be more likely to click on the link if the URL looks readable.
When you say "Optimum", I think "Easily Accessible To Users", in which case, I think the shorter the URL, the better. I would think 20-30 characters maximum, in that case.
Related
A lot of people are asking "What is the maximum length a URL can be?" but as far as I can see nobody is asking the question:
What is a safe maximum length a segment in a URL path should be?
I think this question is equally as important.
This question is a general question aimed at supporting as many systems out of the box as possible.
In C#, you can get a list of URL path segments from an incoming request, with security modules installed what is considered the maximum length a segment in a URL path can be for this scenario?
I've read on the following page that URL path segments over 260 characters can cause problems in custom ASP.NET modules:
http://www.paraesthesia.com/archive/2011/08/26/long-url-path-segments-in-asp-net-routing-yield-400.aspx/
In web browsers, you type URL segments regardless of what website you visit, / is a URL path segment which is usually mapped to a homepage. With Internet Explorer, Chrome and Firefox being popular browsers, what is the maximum length of a URL path segment length they support?
I can see from the following resource that the maximum length of a URL path differs for different browsers and the figure is sometimes quite high:
What is apache's maximum url length?
But this is a path and not a path segment.
I'm also aware that when rewriting paths, the underlying file system path length comes into play, and the ball park figure of what I can see supported is around 255 characters in a *nix OS.
Other considerations include the maximum length of a URL path segment in a database table. For instance, in MySQL a varchar column can contain up to 255 characters, but is there a case for this, are people storing segments of paths in tables in MySQL or are people storing full URL's in varchar columns? Could this mean 255 characters is too long for a URL path segment?
Is there any W3C specification on how long a URL path segment can be as I can't spot anything?
I did read the W3C specification on URI's but again I didn't spot anything of use:
http://www.ietf.org/rfc/rfc2396.txt
I'm quite baffled that there is no set standard on what a length a URL path segment should be, so maybe I am missing something?
I'm really looking for as much information as possible on what different systems support, and what is considered a safe length for a URL path segment.
Possibly related of What is the maximum length of a URL in different browsers?
In short
According to the HTTP spec, there is no limit to a URL's length. Keep your URLs under 2048 characters; this will ensure the URLs work in all clients & server configurations. Also, search engines like URLs to remain under approximately 2000 characters.
Chrome has a 2MB limit for URLs, IE8 and 9 have a 2084 character limit. So everything points in keeping your URLs limited to approx. 2000 characters.
Also, from a usability point-of-view, URLs that long are not usable/readable by users.
However, the domain name has a max. length of 255 characters.
So to be on the safe side, the max. length of an URL segment would be around 1745 characters, given that your URL exists out of 1 segment.
There is no such specification limit. There may be implementation limits, but you won't find those in the specifications.
Nit: URIs are defined by the IETF, not the W3C, and the current spec is RFC 3986.
The URL length shouldn't exceed 2K (just common practice). The segment path can be any size.
The domain length shouldn't be more than 255 characters (see RFC3986). Limits exist only for implementation. Segments attached to URLs are limited only in particular cases (the old common use).
Nowadays almost all requests go through one file for the rewrite rule, so segment length does not matter.
After that, the segment is kept in a variable that can be very large, so there's basically no limit.
I'm using HTTP requests in my program to pass data via a querystring to a web-based status page. The requests are of the form:
http://www.example.com/poststatus.asp?ID="FRED"&widgetscompleted=1234&...parameterN=valueN
The ASP page parses the querystring and updates a database.
My question is: what is the sensible length limit of the querystring? I've seen mention of 2000-odd bytes but that seems to be browser-related and there is no browser involved here - just my app (using Indy) and IIS.
Browser dependent, for more this might help
With the limitation on characters, what i usually do is minimize the querystring values from your example: &widgetscompleted= could be abreviated to &wc=.
I am certain if you minimize these, the length shouldn't be an issue.
I currently perform penetration testing of ASP.NET application and trying to exploit Padding Oracle Attack. This AFAIK is based on response code analysis, but both ScriptResource and WebResource axds of the system under test always respond with 200 OK, even if cipher has been invalid. In this case, however, the content of the response is an empty string.
Is it possible to use any of the axd as the oracle in this case? Maybe basing on response content difference.
The Padding Oracle Attack works by being able to distinguish between two cases:
The server failed to decrypt the data because, upon decryption, it did not found a properly formatted padding.
The server found a correct padding, but the decrypted data turned out to be random junk.
There may be several ways for an attacker to get such a distinction. A specific error code from the server is just the easiest to exploit; but any detectable difference is enough. The attack was first published in 2002 (yes, it took 8 years for people to notice that it could be applied to ASP !) and it has been demonstrated on a SSL connection with only a timing difference: the server was decrypting the data, and then was verifying the MAC only if the decryption went fine; the extra 2ms taken by the MAC computation were enough for the attacker to know whether the padding was valid, allowing for direct application of the Padding Oracle Attack.
To answer your original question, the content length can be used. Padbuster notes the status code but I think it detects entirely off the response length.
To answer your reply to Troy, a long ciphertext length does not indicate they are vulnerable. Typically a short ciphertext length does indicate they are vulnerable, but you need to dot net url decode the value then see if modulus 8=0 to see if it's vulnerable. In other words, the length will be a multiple of 8. Usually i'll see one block of ciphertext (16 bytes) end up about 25 bytes once it's dot net url encoded. The fix includes a HMAC (I think), which extends the length and should make one block cipertexts impossible. I can't say this with certainty, as I'm not sure how long the HMAC is and if it works after padding or not.
It sounds to me like the padding oracle patch may have been installed and as a result you're not getting the error codes you were expecting. Have a look at Do you trust your hosting provider and have they really installed the padding oracle patch and see if you can establish this.
can anyone help me with the length of maximum characters that can be contain in a normal HTML text box....
As to the HTML side, when the maxlength attribute is not specified, then the maximum length of the input value is unlimited. However, if you're sending the request as GET instead of POST, then the limit will depend on the webbrowser and webserver used. The HTTP 1.1 specification even warns about this, here's an extract of chapter 3.2.1:
Note: Servers ought to be cautious about depending on URI lengths
above 255 bytes, because some older client or proxy
implementations might not properly support these lengths.
As to the webbrowsers, the practical limit is in Firefox about 8KB, in Opera about 4KB and in IE and Safari about 2KB. So the total length of all inputs should not exceed this if you want a succesful processing. As to the webservers, most have a configureable limit of 8KB. When the limit is exceeded, then it will often just be truncated, but some webservers may send a HTTP 414 error.
When you're sending the request as POST, then the limit depends on the server config. Often it's around 2GB. When it's exceeded, the server will often return a HTTP 500 error.
Default maxlength is unlimited for a <input type='text'/>. You may optionally provide this value to constrain input (but there's no guarantees the browser will enforce the rule).
A <textarea> does not support a maxlength so unlimited characters are accepted for input.
(ref: https://www.w3.org/MarkUp/HTMLPlus/htmlplus_41.html)
RE: Long string breaking during submit
There can be a maximum size to the amount of data submitted from a form when using the method get (the default if not specified). It's only a can because many browsers allow many more characters now. If you use a form with the post method, there is no maximum to the amount of data submitted.
In HTML4, the maxlength attribute is only supported on the input element. HTML5 extends this to allow it on textarea as well. A quick test works in Firefox 4 and WebKit, but not Firefox 3 or Opera. If you need support for HTML4, use JavaScript to manually limit the length.
Has anyone used Google translation API ? What is the max length limit for using it?
The limit was 500... now it is 5000 chars.
source
500 characters
source
At the moment, the throttle limit is 100,000 characters per day. Looks like you can apply to have that limit increased/removed.
I've used it to translate Japanese to English.
I don't believe the 500 char limit is true if you use http://code.google.com/p/jquery-translate/, but one thing that is true is you're restricted as to the number of requests you can make within a certain period of time. They also try to detect whether or not you're sending a lot of requests with a similar period, almost like a mini "denial of service" attack.
So when I did this I wrote a client with a random length sleep between requests. I also ran it on a grid so all the requests didn't come from a single IP address.
I had to translate ~2000 Java messages from a resource bundle from Japanese to English. It worked out pretty nicely, as long as the text was single words. Longer phrases with context came out awkwardly.
Please have look at this link it will give the correct answer at the bottom of the page.
https://developers.google.com/translate/v2/faq
What is the maximum number of characters per request?
The maximum size of each text to be translated is 5000 characters, not including any HTML tags.
You can send source strings of up to 5,000 characters, but there are a
few provisos that are sometimes lost.
You can only send the 5,000 characters via the POST method.
If you use GET method, you are limited to 2,000-character length limit on urls. If a url is longer than that, Google's servers will just reject it.
Note: 2,000-character limit including the path and the rest
of the query string as well + you must count uri encoding (for instance every space becomes a %20, every quotation
mark a %22)
The Cloud Translation API is optimized for translating of smaller requests. The recommended maximum length for each request is 5K characters (code points). However, the more characters that you include, the higher the response latency. For Cloud Translation - Advanced, the maximum number of code points for a single request is 30K. Cloud Translation - Basic has a maximum request size of 100K bytes.
https://cloud.google.com/translate/quotas