S5693 — HTTP request content length should be limited

Language: C#  |  Type: VULNERABILITY  |  Severity: Major

Tags: cwe, former-hotspot

Enforcing a maximum HTTP request content length limits how much data the server must accept per request, which helps control resource use and reduces the risk of denial-of-service attacks.

Why is this an issue?

Accepting HTTP requests without an upper bound on their content length exposes the application to Denial of Service (DoS) attacks. An attacker can send arbitrarily large requests that exhaust server memory, disk space, or processing capacity before the application can reject them. This rule detects when no maximum content length is configured, or when the configured limit exceeds the recommended thresholds (8 MB for file uploads, 2 MB for other requests).

What is the potential impact?

Denial of Service

An attacker who can send oversized HTTP requests can exhaust server resources—memory, CPU threads, or network bandwidth—causing the application to slow down or become completely unavailable. Even a single large upload can tie up a worker process and prevent other users from being served.

How to fix it in ASP.NET Core

Use the RequestSizeLimit attribute to bound the whole request body, or the RequestFormLimits attribute (MultipartBodyLengthLimit) to bound multipart form uploads, keeping each limit within the recommended thresholds.

Code examples

Noncompliant code example

using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [HttpPost]
    [DisableRequestSizeLimit] // Noncompliant: removes the body size limit entirely
    public IActionResult UnboundedPost(Model model)
    {
        // ...
    }

    [HttpPost]
    [RequestSizeLimit(10485760)] // Noncompliant: 10 MB exceeds the 8 MB threshold
    public IActionResult PostRequest(Model model)
    {
        // ...
    }

    [HttpPost]
    [RequestFormLimits(MultipartBodyLengthLimit = 10485760)] // Noncompliant: 10 MB exceeds the 8 MB threshold
    public IActionResult MultipartFormRequest(Model model)
    {
        // ...
    }
}

Compliant solution

using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [HttpPost]
    [RequestSizeLimit(8388608)] // 8 MB: whole request body
    public IActionResult PostRequest(Model model)
    {
        // ...
    }

    [HttpPost]
    [RequestFormLimits(MultipartBodyLengthLimit = 8388608)] // 8 MB: multipart form body
    public IActionResult MultipartFormRequest(Model model)
    {
        // ...
    }
}
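The two attributes above bound a single action. The following is an added example, not part of the rule's own code, showing how a practitioner would apply the rule's thresholds across a whole ASP.NET Core application: a global Kestrel ceiling of 2 MB for ordinary requests, raised to 8 MB only on the one upload action. The names RequestLimits, DocumentsController, UploadRequest and DocumentMetadata are assumptions for this illustration; the configuration calls (ConfigureKestrel, KestrelServerOptions.Limits.MaxRequestBodySize, FormOptions.MultipartBodyLengthLimit) are standard ASP.NET Core APIs.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Thresholds quoted by the rule. (Assumed: a minimal-hosting ASP.NET Core
// project with nullable reference types enabled.)
public static class RequestLimits
{
    public const long DefaultBodyLimit = 2 * 1024 * 1024;  // 2 MB for ordinary requests
    public const long UploadBodyLimit  = 8 * 1024 * 1024;  // 8 MB for file uploads
}

public class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // Global ceiling: Kestrel rejects any body over 2 MB with 413 Payload Too Large
        // before the action runs, so an action that forgets its attribute is still bounded.
        builder.WebHost.ConfigureKestrel(kestrel =>
            kestrel.Limits.MaxRequestBodySize = RequestLimits.DefaultBodyLimit);

        // Multipart parsing has its own limit (FormOptions); align it with the upload ceiling.
        builder.Services.Configure<FormOptions>(form =>
            form.MultipartBodyLengthLimit = RequestLimits.UploadBodyLimit);

        builder.Services.AddControllers();

        var app = builder.Build();
        app.MapControllers();
        app.Run();
    }
}

public class UploadRequest
{
    public IFormFile? File { get; set; }
}

public class DocumentMetadata
{
    public string Title { get; set; } = string.Empty;
}

[ApiController]
[Route("api/[controller]")]
public class DocumentsController : ControllerBase
{
    // Ordinary JSON request: inherits the global 2 MB Kestrel limit, no attribute needed.
    [HttpPost("metadata")]
    public IActionResult UpdateMetadata([FromBody] DocumentMetadata metadata)
    {
        return Ok();
    }

    // Upload endpoint: the only action allowed above 2 MB, raised explicitly to 8 MB.
    // RequestSizeLimit overrides the server's per-request ceiling for this action only;
    // RequestFormLimits bounds the multipart body that is parsed into IFormFile.
    [HttpPost("upload")]
    [RequestSizeLimit(RequestLimits.UploadBodyLimit)]
    [RequestFormLimits(MultipartBodyLengthLimit = RequestLimits.UploadBodyLimit)]
    public IActionResult Upload([FromForm] UploadRequest request)
    {
        if (request.File is null || request.File.Length == 0)
        {
            return BadRequest("No file provided.");
        }

        // Process request.File.OpenReadStream() here; its length is already bounded.
        return Ok(new { request.File.FileName, request.File.Length });
    }
}
```

With this layout a request exceeding the applicable limit is rejected with HTTP 413 by the server before model binding, which is what protects memory and worker threads. When the application is hosted in IIS, the requestFiltering maxAllowedContentLength from the ASP.NET section below applies as well, so keep both values consistent.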

How to fix it in ASP.NET

For ASP.NET applications that use Web.config (not ASP.NET Core), set httpRuntime maxRequestLength and requestLimits maxAllowedContentLength to enforce a maximum request size. Note the differing units: maxRequestLength is expressed in kilobytes, whereas maxAllowedContentLength is expressed in bytes, so 8192 and 8388608 both denote 8 MB.

Code examples

Noncompliant code example

<configuration>
    <system.web>
        <!-- Noncompliant: 81920 KB = 80 MB, far above the 8 MB threshold -->
        <httpRuntime maxRequestLength="81920" executionTimeout="3600" />
    </system.web>
    <system.webServer>
        <security>
            <requestFiltering>
                <!-- Noncompliant: 83886080 bytes = 80 MB -->
                <requestLimits maxAllowedContentLength="83886080" />
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Compliant solution

<configuration>
    <system.web>
        <!-- 8192 KB = 8 MB -->
        <httpRuntime maxRequestLength="8192" executionTimeout="3600" />
    </system.web>
    <system.webServer>
        <security>
            <requestFiltering>
                <!-- 8388608 bytes = 8 MB -->
                <requestLimits maxAllowedContentLength="8388608" />
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>
