CodeQL query to detect insecure MaxLengthRequest values in ASP.NET applications #4

@cldrn

Description

Report

ASP.NET applications with a large MaxLengthRequest are vulnerable to denial of service attacks. The value recommended by Microsoft is 4096 KB (4 MB), so anything larger than that gets flagged as a warning. This check corresponds to CWE-016, which didn't exist previously in QL and corresponds to common insecure configurations.
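The setting the report refers to lives in `web.config` as the `maxRequestLength` attribute of `<httpRuntime>`, expressed in kilobytes, with 4096 KB as the default. The following Python script is an added illustration of the same check outside CodeQL: it is not the query from the PR and not code from the submitter. It walks every `<httpRuntime>` element (including ones scoped under `<location>`), flags values above the 4096 KB recommendation, reports values that are not integers at all, and can rewrite oversized values down to the recommended limit. The sample configuration is constructed for the example.

```python
import xml.etree.ElementTree as ET

# maxRequestLength is expressed in kilobytes; 4096 KB is both the ASP.NET
# default and the ceiling Microsoft recommends.
RECOMMENDED_MAX_KB = 4096

# Constructed sample web.config: a site-wide 1 GB limit (oversized) and a
# location-scoped override that stays within the recommendation.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.7.2" maxRequestLength="1048576" />
  </system.web>
  <location path="upload">
    <system.web>
      <httpRuntime maxRequestLength="4096" />
    </system.web>
  </location>
</configuration>
"""


def _scope_of(elem, parent_map):
    """Return the path of the nearest enclosing <location>, or '/' for site-wide."""
    node = parent_map.get(elem)
    while node is not None:
        if node.tag == "location":
            return node.get("path", "/")
        node = parent_map.get(node)
    return "/"


def find_large_max_request_length(config_xml, limit_kb=RECOMMENDED_MAX_KB):
    """Return (scope, value_kb) for every httpRuntime whose maxRequestLength
    exceeds limit_kb. A value that is not an integer is reported with None so
    a reviewer sees it instead of it being silently skipped."""
    root = ET.fromstring(config_xml)
    # ElementTree has no parent pointers, so build the map once.
    parent_map = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for runtime in root.iter("httpRuntime"):
        raw = runtime.get("maxRequestLength")
        if raw is None:
            continue  # attribute absent: ASP.NET applies the 4096 KB default
        scope = _scope_of(runtime, parent_map)
        try:
            kb = int(raw)
        except ValueError:
            findings.append((scope, None))
            continue
        if kb > limit_kb:
            findings.append((scope, kb))
    return findings


def clamp_max_request_length(config_xml, limit_kb=RECOMMENDED_MAX_KB):
    """Return a copy of the config with every oversized value reduced to limit_kb."""
    root = ET.fromstring(config_xml)
    for runtime in root.iter("httpRuntime"):
        raw = runtime.get("maxRequestLength")
        if raw is not None and raw.isdigit() and int(raw) > limit_kb:
            runtime.set("maxRequestLength", str(limit_kb))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for scope, kb in find_large_max_request_length(SAMPLE_WEB_CONFIG):
        print(f"{scope}: maxRequestLength={kb} KB exceeds {RECOMMENDED_MAX_KB} KB")
    print(clamp_max_request_length(SAMPLE_WEB_CONFIG))
```

Run against the sample, the site-wide element is the only finding; the `upload` location is within limits. Rewriting the oversized value to 4096 and re-scanning yields no findings, which is the same before/after a reviewer would expect from the CodeQL warning described in the report.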

This issue is still commonly found in ASP.NET applications and has been related to the mitigations of other CVEs in the past such as:

CodeQL query PR: github/codeql#2355

Metadata

Labels

- All For One: Submissions to the All for One, One for All bounty
- Low: Bounty entry rated as Low
- PR merged: CodeQL team just merged the contribution
- Reviewed by the Lab 🧪: GH Security Lab has rated the contribution
