Should URL string length be limited as a security enhancement?

I am using ColdFusion 8 and jQuery 1.7.2.

I use CFAJAXPROXY to transfer data to CFC. This creates a JSON array (collection of arguments) and passes it through the URL. The string can be very long, since quite a lot of data is being transmitted.

The site that I am working on has existing code that limits the length of any line of the URL request to 250 characters. This is done in the application.cfm file by checking the length of the query string. If any query string exceeds 250 characters, the query aborts. The purpose of this was to ensure that hackers or other malicious code would not be passed through the URL string.

Now that we use the query string to pass JSON arrays in the URL, we find that the Ajax request has been interrupted quite often.

We have many other security methods, such as removing any "<>" tags from code and using CFQUERYPARAM.

My question is: Is limiting the URL string length for security reasons a good idea, or just inefficient?

+3
4 answers

There is absolutely no correlation between URI length and security, not the question:

  • , , " ". , , , , -, , . , , , .
  • , , ..

, - GET ( ), POST, PUT, DELETE HTTP.

+4
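To illustrate the claim above that URI length and security are unrelated, here is an added example (not part of the original thread) that compares the 250-character gate from the question with a check on the decoded JSON itself. The parameter name `argumentCollection`, the method name `saveOrder`, the schema, and both sample query strings are assumptions constructed for this sketch.

```python
import json
from urllib.parse import parse_qs, urlencode

MAX_QUERY_LEN = 250   # the limit described in the question
MAX_NOTES = 2000      # hypothetical per-field bound
SCHEMA = {"orderId": int, "notes": str}  # hypothetical shape of one proxied call


def length_gate(query_string):
    """The existing check: accept only if the raw query string is short."""
    return len(query_string) <= MAX_QUERY_LEN


def content_gate(query_string, param="argumentCollection"):
    """Accept only if the JSON argument collection has the expected shape."""
    values = parse_qs(query_string).get(param)
    if not values or len(values) != 1:
        return False
    try:
        args = json.loads(values[0])
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False
    if not isinstance(args, dict) or set(args) != set(SCHEMA):
        return False
    for key, expected in SCHEMA.items():
        # exact type match: bool is a subclass of int and must not pass
        if type(args[key]) is not expected:
            return False
    return len(args["notes"]) <= MAX_NOTES


def make_query(args):
    """Build a constructed query string carrying a JSON argument collection."""
    return urlencode({"method": "saveOrder",
                      "argumentCollection": json.dumps(args)})


# Constructed samples: a legitimate but long request, and a short one whose
# orderId is not an integer.
LEGIT_LONG = make_query({"orderId": 42, "notes": "x" * 400})
SHORT_BAD = make_query({"orderId": "42 OR 1=1", "notes": ""})

if __name__ == "__main__":
    for name, q in (("LEGIT_LONG", LEGIT_LONG), ("SHORT_BAD", SHORT_BAD)):
        print(name, len(q), "length_gate:", length_gate(q),
              "content_gate:", content_gate(q))
```

The length gate rejects the legitimate request and accepts the malformed one; the content check does the opposite, and it works the same way if the data is moved from the query string to a POST body.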

Evik -

( ) , . , - " ", , .

OWASP , . , URL- . .: https://www.owasp.org/index.php/Top_10_2010-Main

Hereblur, , , .

+2

ColdFusion. , .

, . SQL- .

, . POST. . , utf-8 9 . , 27 .

+1

DOS - ( DOS - , ). - ( CF) POST, . URL, , - .

Thus, there is some modest risk associated with such things. Back in the NT days, IIS 3 had a number of shortcomings that were "blocked" by limiting the length of the URL, but those days are long gone. There are many more exploits representing low-hanging fruit that I would look at first before considering this problem too closely, unless, of course, you feel that you have a problem with people who are checking you (with long URLs, I mean :).

+1