Risk of high value in maxParameterCount


I have this error on Tomcat 9

INFO: More than the maximum number of request parameters (GET plus POST) for a single request ([10,000]) were detected. Any parameters beyond this limit have been ignored. To change this limit, set the maxParameterCount attribute on the Connector.

I found the solution in this post: set the maxParameterCount attribute on the Connector

But the question I have is:

What risks exist in placing a very high value in this parameter, or even setting it to 0 so that it does not limit it?

What is the risk of this?

Put this value in server.xml

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" maxParameterCount="300000"/>

With this I solved the problem.


There are 1 best solutions below

Abhijay Kumar On

In my view, bumping up the maxParameterCount in Tomcat to solve the issue seems like a quick fix, but there are a few things to keep in mind. First off, setting it too high might put a strain on your server's resources. More parameters mean more memory usage, and that could slow things down.

Also, there's a risk of opening the door to potential trouble. Allowing a crazy number of parameters per request could make your application a target for denial-of-service (DoS) attacks. Imagine an attacker bombarding your server with requests, each carrying loads of parameters. It is not going to be a pretty sight.

Sure, it might work for now, but there could be performance hiccups down the road. Handling a boatload of parameters in a single request might make your app sluggish. And let's not forget about security. Giving free rein to an unlimited number of parameters might expose your app to more security vulnerabilities. It's usually better to set reasonable limits to play it safe.

While this configuration may have sorted things out temporarily, I'd recommend taking a closer look at why your app is spitting out so many parameters. Maybe there are tweaks or changes you can make to dial it back a bit and avoid potential headaches in the long run?

As an alternative to passing a large number of parameters as URL query parameters or form data, consider sending data as a JSON payload in the request body. This is often more organized and it allows you to structure data hierarchically. You can also try to combine or reduce the number of parameters by using another delimiter like : or ,. If dealing with large datasets, use pagination instead of sending all the data in a single request. This can be achieved by introducing parameters like page and pageSize to submit the form in smaller parts instead of all at once.
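A rough way to put numbers on the memory point in the answer above, as an added example that is not part of the original answer and is not Tomcat's code: a Python model of a parameter cap that parses one constructed 300,000-field form body under the default limit from the log message, the value from the question, and no limit. The function names are hypothetical, and the byte counts describe this Python model, not a JVM.

```python
import tracemalloc
from urllib.parse import unquote_plus

def build_body(n):
    """Constructed sample input: n short form fields, 'p0=v&p1=v&...'."""
    return "&".join(f"p{i}=v" for i in range(n))

def iter_pairs(body):
    """Yield decoded (name, value) pairs without materialising the whole list."""
    pos = 0
    while pos < len(body):
        end = body.find("&", pos)
        if end == -1:
            end = len(body)
        if end > pos:  # skip empty segments such as 'a=1&&b=2'
            name, _, value = body[pos:end].partition("=")
            yield unquote_plus(name), unquote_plus(value)
        pos = end + 1

def parse_capped(body, cap):
    """Keep at most `cap` parameters and ignore the rest, as the log message
    in the question describes. A negative cap means no limit in this model."""
    params, kept, ignored = {}, 0, 0
    for name, value in iter_pairs(body):
        if 0 <= cap <= kept:
            ignored += 1
            continue
        params.setdefault(name, []).append(value)
        kept += 1
    return params, kept, ignored

def measure(n_sent, cap):
    """Return (kept, ignored, bytes still held by the parsed parameter map)."""
    body = build_body(n_sent)  # built before tracing so only parsing is counted
    tracemalloc.start()
    params, kept, ignored = parse_capped(body, cap)
    held, _peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return kept, ignored, held

if __name__ == "__main__":
    # Same constructed request under three caps: the default from the log
    # message, the value from the question, and no cap at all.
    for cap in (10_000, 300_000, -1):
        kept, ignored, held = measure(300_000, cap)
        print(f"cap={cap:>7} kept={kept:>6} ignored={ignored:>6} held={held / 1e6:.1f} MB")
```

The held figure is what a single request can pin for its lifetime, so the worst case for the server is roughly that figure multiplied by the number of requests being processed concurrently.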