Monday, 16 April 2012

Hash Collision Attacks in .NET

Hash collision attacks populate a hash table inside a server application with large numbers of items whose keys all resolve to the same hash code.  Every such key lands in the same bucket, so each insert or lookup has to compare against every key already stored there: work that should be roughly constant per key becomes proportional to the number of keys, and filling the table costs quadratic time overall.  In ASP.NET the target is the collection of posted form fields, which the framework builds from the request body as soon as Request.Form is accessed.  With enough colliding field names a single request can keep a worker thread busy for minutes (or even hours).  This blocks the web server from processing requests from other users and causes a denial of service (the web site becomes unresponsive or slow).
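To see the quadratic blow-up concretely, here is an added example (not code from the original post, and not Microsoft's implementation).  It uses a toy separate-chaining hash table that counts key comparisons, and a deliberately weak multiplicative string hash, h = h*31 + c, chosen because colliding keys for it are easy to generate offline: "Aa" and "BB" hash to the same value, so any concatenation of those two blocks collides.  ASP.NET's real String.GetHashCode is a different function, but the attack and the cost curve are the same.

```python
"""Why colliding keys hurt a hash table (added illustration, not .NET code)."""
import hashlib
import itertools


def weak_hash(key):
    """Assumed weak hash: h = h*31 + c mod 2**32 (Java-style, stands in for
    any non-randomized string hash an attacker can precompute collisions for)."""
    h = 0
    for ch in key:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def strong_hash(key):
    """Cryptographic hash standing in for a collision-resistant/randomized one."""
    return int.from_bytes(hashlib.blake2b(key.encode(), digest_size=8).digest(), "big")


def colliding_keys(blocks):
    """2**blocks distinct strings that all share one weak_hash value.
    'Aa' -> h*961 + 65*31 + 97 = h*961 + 2112
    'BB' -> h*961 + 66*31 + 66 = h*961 + 2112
    so every sequence of these blocks produces the same hash."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=blocks)]


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, buckets):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:           # duplicate check: one comparison per chained entry
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def insertion_cost(keys, hash_fn):
    """Total key comparisons needed to insert all keys into a fresh table
    sized at twice the key count (a normal load factor)."""
    table = ChainedTable(hash_fn, buckets=2 * len(keys))
    for k in keys:
        table.insert(k, None)
    return table.comparisons


if __name__ == "__main__":
    keys = colliding_keys(10)   # 1024 distinct 20-character keys, one hash value
    assert len({weak_hash(k) for k in keys}) == 1
    # All keys share a bucket: 0 + 1 + ... + 1023 = 523776 comparisons.
    print("weak hash, colliding keys:", insertion_cost(keys, weak_hash))
    # Same keys spread over buckets: a few hundred comparisons in total.
    print("strong hash, same keys:   ", insertion_cost(keys, strong_hash))
```

Doubling the key count quadruples the comparison count under the weak hash, which is why a request body that is only a few hundred kilobytes of crafted field names can tie up a CPU for a very long time.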

How Microsoft addressed this

Microsoft released a security update, MS11-100, on 29 December 2011. Among other changes, it caps the number of individual form fields that ASP.NET will accept in a single HTTP POST at 1000. Any site running with the update enforces that default. It is not the only limit the update imposes, but it is the one some applications are hitting, because a large form (a grid of inputs, a long list of checkboxes) can legitimately exceed it. If a request exceeds the limit, an exception is thrown that looks like the one below:

The URL-encoded form data is not valid. ---> System.InvalidOperationException: Operation is not valid due to the current state of the object.
   at System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()
   at System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)
   at System.Web.HttpRequest.FillInFormCollection()
   --- End of inner exception stack trace ---
   at System.Web.HttpRequest.FillInFormCollection()
   at System.Web.HttpRequest.get_Form()

The frame to look for is ThrowIfMaxHttpCollectionKeysExceeded. If it appears in your stack trace, the request exceeded the limit the patch imposes. The limit is configurable: set aspnet:MaxHttpCollectionKeys in the appSettings section of your application's web.config to the largest number of fields your application legitimately posts in one request. Do not simply set it to a very large number. The limit exists to bound the attacker's work per request, and that work grows with the square of the number of keys, so every increase widens the window the patch closed. Raise it only as far as your largest real form needs, and consider restructuring forms that post thousands of fields (paging, or posting one compact structured value) rather than lifting the cap for the whole site.

  <configuration>
    <appSettings>
      <add key="aspnet:MaxHttpCollectionKeys" value="some number here"/>
    </appSettings>
  </configuration>
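The check the patch adds is simple in principle: count the fields before building the collection, and refuse the request if the count is over the limit. The following is an added example of that idea in Python, not ASP.NET's code; the exception name is chosen here to echo the .NET stack frame, the default of 1000 mirrors the patch's default, and the handling of empty segments (from "&&" or a trailing "&") is an assumption rather than ASP.NET's behaviour.

```python
"""Capping the field count of a URL-encoded form (added illustration)."""
from urllib.parse import unquote_plus


class MaxHttpCollectionKeysExceeded(Exception):
    """Raised when a body carries more form fields than the configured limit."""


def parse_form(body, max_keys=1000):
    """Parse application/x-www-form-urlencoded text into {name: [values]}.

    The field count is checked on the raw '&'-separated segments before any
    name is decoded or stored, so an oversize body is rejected in one linear
    scan and never gets to build a large (possibly colliding) collection.
    """
    pairs = [p for p in body.split("&") if p]      # assumption: drop empty segments
    if len(pairs) > max_keys:
        raise MaxHttpCollectionKeysExceeded(
            "%d form fields exceeds the limit of %d" % (len(pairs), max_keys))
    form = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        form.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return form


def field_count_ok(body, max_keys=1000):
    """True if the body would be accepted under the given limit."""
    try:
        parse_form(body, max_keys)
        return True
    except MaxHttpCollectionKeysExceeded:
        return False


def worst_case_comparisons(max_keys):
    """Upper bound on key comparisons an attacker can force per request when
    every accepted key collides: 0 + 1 + ... + (max_keys - 1)."""
    return max_keys * (max_keys - 1) // 2


def make_body(n, prefix="f"):
    """Constructed sample body with n distinct fields (test input, not a capture)."""
    return "&".join("%s%d=on" % (prefix, i) for i in range(n))


if __name__ == "__main__":
    print(len(parse_form(make_body(1000))))          # exactly at the limit: accepted
    print(field_count_ok(make_body(1001)))           # one over: rejected
    print(field_count_ok(make_body(1001), 2000))     # accepted once the limit is raised
    # Why the value you put in web.config matters:
    print(worst_case_comparisons(1000))              # 499500
    print(worst_case_comparisons(100000))            # 4999950000
```

The last two lines are the caveat for the web.config value: the cap bounds the attacker's per-request work at roughly max_keys squared over two, so raising it from 1000 to 100000 raises the worst case by a factor of ten thousand, not a hundred.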
