MaxReceivedMessageSize and maxStringContentLength

  • Question

  • Hi all,

    I was wondering how the following two properties are related to each other:

    • MaxReceivedMessageSize
    • maxStringContentLength

    MaxReceivedMessageSize "gets or sets the maximum size for a message that can be received on a channel configured with this binding." So this setting represents how big the message can be in bytes, based on the current binding.

    The maxStringContentLength is a positive integer that specifies the maximum characters allowed in XML element content. The default is 8192.

    Raising the MaxReceivedMessageSize without raising the maxStringContentLength could give you some problems, right? When would you want to raise only the MaxReceivedMessageSize without raising the maxStringContentLength?

    Thanks in advance!

    Regards,

    Dennis

    Saturday, October 16, 2010 12:03 PM

Answers

  • Hi Dennis

    First you must understand the reason for these two settings (and some others as well).

    These settings come to protect your WCF service against a DOS (denial-of-service) attack, where a malicious party sends very big messages to your server and your server tries to process them and fills its memory. With these settings on, your service can immediately identify such attacks and not process them.

    Now consider this message:

    <body>
      <id>11</id>
      <id>22</id>
      <id>33</id>
      ...
    </body>

    This message can become very long. However, it might be a legal message if your service does handle ID lists. So you want to allow a large number of elements, which implies you need to increase maxReceivedMessageSize.

    But an attacker can send this:

    <id>11111111...[very long content]....</id>

    which you do not want. So you should set max string length to be lower. So a string length only deals with a specific string value.

    Now you could say this does not help much, since an attacker would instead send a huge number of elements, which you allow. Well, hopefully your server is optimized for such kinds of messages anyway, but there is no silver bullet against DOS attacks and it is just one more protection layer.

    http://webservices20.blogspot.com/
    WCF Security, Interoperability And Performance Blog
    Saturday, October 16, 2010 12:48 PM
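    As an added illustration (not part of the thread or of Yaron's post), the following C# console program configures a WCF BasicHttpBinding the way the answer describes and then feeds both message shapes from the answer through an XmlDictionaryReader that enforces the binding's reader quotas. In WCF, maxStringContentLength is one of the readerQuotas on the binding (XmlDictionaryReaderQuotas.MaxStringContentLength), while MaxReceivedMessageSize is a transport-level byte cap on the whole message, which is why the two are set independently. The 10 MB size, the element count, and the two constructed messages are assumptions; the byte-length comparison stands in for the transport check, which in a real service happens before the XML reader ever sees the message.

```csharp
using System;
using System.ServiceModel;   // BasicHttpBinding (System.ServiceModel.dll)
using System.Text;
using System.Xml;            // XmlDictionaryReader, XmlDictionaryReaderQuotas (System.Runtime.Serialization.dll)

class QuotaDemo
{
    // Hypothetical binding for a service that legitimately receives long ID lists:
    // many small <id> elements are fine, so the whole-message cap is raised;
    // a single huge string value is not, so the per-value cap stays at the WCF default.
    static BasicHttpBinding CreateIdListBinding()
    {
        var binding = new BasicHttpBinding();
        binding.MaxReceivedMessageSize = 10L * 1024 * 1024;     // whole message, in bytes (assumed 10 MB)
        binding.ReaderQuotas.MaxStringContentLength = 8192;     // one XML element's text content, in characters (WCF default)
        return binding;
    }

    // Approximates what the service would do with a message body: reject it outright if it is
    // larger than MaxReceivedMessageSize, otherwise read it with the binding's reader quotas,
    // which throw an XmlException as soon as one element's content exceeds MaxStringContentLength.
    // Returns null when the message is accepted, otherwise the reason it was rejected.
    static string CheckAgainstQuotas(string xml, BasicHttpBinding binding)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(xml);
        if (bytes.Length > binding.MaxReceivedMessageSize)
            return "rejected: " + bytes.Length + " bytes exceeds MaxReceivedMessageSize";

        var quotas = new XmlDictionaryReaderQuotas();
        binding.ReaderQuotas.CopyTo(quotas);   // same quota values WCF hands to its own reader

        try
        {
            using (XmlDictionaryReader reader = XmlDictionaryReader.CreateTextReader(bytes, quotas))
            {
                reader.ReadStartElement("body");
                while (reader.IsStartElement("id"))
                    reader.ReadElementContentAsString();   // quota is enforced on each value read here
                reader.ReadEndElement();
            }
            return null;
        }
        catch (XmlException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        BasicHttpBinding binding = CreateIdListBinding();

        // Constructed message 1: a long but legitimate ID list (a few MB of small elements).
        var sb = new StringBuilder("<body>");
        for (int i = 0; i < 200000; i++)
            sb.Append("<id>").Append(i).Append("</id>");
        sb.Append("</body>");
        string idList = sb.ToString();

        // Constructed message 2: well under the byte cap, but one element carries a 100,000-character value.
        string hugeValue = "<body><id>" + new string('1', 100000) + "</id></body>";

        Console.WriteLine("ID list (" + idList.Length + " chars): " + (CheckAgainstQuotas(idList, binding) ?? "accepted"));
        Console.WriteLine("Single huge value: " + (CheckAgainstQuotas(hugeValue, binding) ?? "accepted"));
    }
}
```

    The first message passes because it fits under the raised byte cap and every individual value is short; the second is smaller in bytes yet is rejected by the reader quota, which is exactly the case where raising MaxReceivedMessageSize alone (without touching maxStringContentLength) is the intended configuration. Compile against System.ServiceModel and System.Runtime.Serialization.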

All replies

  • Hi Yaron,

    Thanks for the clear explanation. This makes sense!

    Kind regards,

    Dennis

    Saturday, October 16, 2010 12:58 PM