aspnet:MaxJsonDeserializerMembers vs maxRequestLength

KnightFox · Aug 6, 2015 · Viewed 11.8k times

I am running into errors like "The JSON request was too large to be deserialized."

A quick search on Stack Overflow tells you that you should set the appSetting aspnet:MaxJsonDeserializerMembers higher to fix the issue. However, the MSDN documentation on the appSettings says:

  Caution
  Setting this attribute to too large a number can pose a security risk.

I would expect that you are cautioned against setting this value to higher numbers to prevent anyone from submitting large payloads that could impact your system. However, given that I am already setting the value of maxRequestLength to a large number, will changing the aspnet:MaxJsonDeserializerMembers value have any other security implications?

I do not see how 1001 small JSON members could pose any more of a security threat than a single large JSON object.

Answer

Garrann · Aug 6, 2015

ASP.NET applications reject requests that have more than 1000 of these elements.

https://support.microsoft.com/en-us/kb/2661403

The Microsoft security update that security bulletin MS11-100 addresses changes the default maximum number of form keys, files, and JSON members that ASP.NET will accept in a request to 1,000. This change was made to address the Denial of Service vulnerability that the Microsoft security bulletin MS11-100 documents.
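To make the distinction the question is asking about concrete: the two settings guard different things. maxRequestLength caps bytes; aspnet:MaxJsonDeserializerMembers caps the number of members, because the MS11-100 denial of service was driven by the cost of inserting many colliding keys into a hash table, a cost that grows with the member count and not with the payload size, so a few kilobytes of tiny members can be far more expensive to parse than one large value. The script below is an added example, not code from the question, the answer or ASP.NET itself. It models the two limits as independent checks over two constructed payloads. The counting rule (every object key in the document counts, at any depth; array elements themselves do not) and the 100 KB length cap are assumptions made for the demonstration, not the exact JavaScriptSerializer rule.

```python
"""Why a member-count cap is a separate control from a byte-length cap.

Added example; not from the original question or answer.  Mirrors the two
ASP.NET limits discussed above with two independent checks:
  * max_request_length -> like httpRuntime maxRequestLength (bytes)
  * max_json_members   -> like aspnet:MaxJsonDeserializerMembers (count)
The counting rule (every object key in the document counts, at any depth)
is an assumption approximating the JavaScriptSerializer rule, not taken
from the page.
"""
import json

DEFAULT_MAX_JSON_MEMBERS = 1000  # post-MS11-100 default per KB 2661403


def count_json_members(value) -> int:
    """Count object members (dictionary keys) across the whole parsed document."""
    if isinstance(value, dict):
        return len(value) + sum(count_json_members(v) for v in value.values())
    if isinstance(value, list):
        return sum(count_json_members(v) for v in value)
    return 0


def check_request(body: bytes, max_request_length: int,
                  max_json_members: int = DEFAULT_MAX_JSON_MEMBERS) -> str:
    """Return which limit a JSON request body trips, or 'ok'.

    Length is checked first: an oversized body is refused before any
    deserialization work is spent on it.
    """
    if len(body) > max_request_length:
        return "rejected: maxRequestLength"
    members = count_json_members(json.loads(body))
    if members > max_json_members:
        return "rejected: MaxJsonDeserializerMembers"
    return "ok"


# Constructed payloads (not captured traffic):
# 1001 tiny members, only ~11 KB: small in bytes, over the member cap.
MANY_SMALL = json.dumps({f"k{i}": 0 for i in range(1001)}).encode()
# One member carrying a 200 KB string: under the member cap, over the length cap.
ONE_LARGE = json.dumps({"blob": "x" * 200_000}).encode()

LENGTH_CAP = 100 * 1024  # 100 KB, an assumed maxRequestLength for the demo


def demo() -> dict:
    """Run both payloads through both checks and report what each one trips."""
    return {
        "many_small_bytes": len(MANY_SMALL),
        "many_small_members": count_json_members(json.loads(MANY_SMALL)),
        "many_small_result": check_request(MANY_SMALL, LENGTH_CAP),
        "one_large_bytes": len(ONE_LARGE),
        "one_large_members": count_json_members(json.loads(ONE_LARGE)),
        "one_large_result": check_request(ONE_LARGE, LENGTH_CAP),
        # Raising the member cap to 2000 lets the first payload through;
        # that is the knob the MSDN caution is about.
        "many_small_with_raised_cap": check_request(MANY_SMALL, LENGTH_CAP, 2000),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The small payload sails under the length cap and is stopped only by the member cap; the large payload is the reverse. Raising aspnet:MaxJsonDeserializerMembers therefore does not just "allow bigger requests", it allows more hash-table inserts per request regardless of how small the request is, which is the extra exposure the MSDN caution refers to.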