10

I am running into errors like The JSON request was too large to be deserialized..

Quick search on stackoverflow tells you that you should set appSetting aspnet:MaxJsonDeserializerMembers to be higher to fix the issue. However, the msdn documentation on the appSettings says 

  Caution
  Setting this attribute to too large a number can pose a security risk.

I would expect that you are cautioned against setting this value to higher numbers to prevent anyone from submitting large payloads that could impact your system. However, given that I am already setting the value of maxRequestLength to a large number, will changing the aspnet:MaxJsonDeserializerMembers value have any other security implications?

I do not see how 1001 small json members could pose any more security threat that a single large json object.

KnightFox
  • 3,132
  • 4
  • 20
  • 35

1 Answers1

7

ASP.NET applications reject requests that have more than 1000 of these elements.

https://support.microsoft.com/en-us/kb/2661403

The Microsoft security update that security bulletin MS11-100 addresses changes the default maximum number of form keys, files, and JSON members that ASP.NET will accept in a request to 1,000. This change was made to address the Denial of Service vulnerability that the Microsoft security bulletin MS11-100 documents.

KnightFox
  • 3,132
  • 4
  • 20
  • 35
Garrann
  • 336
  • 1
  • 4
  • 11