After applying MS11-100, an out-of-band security update for ASP.NET to mitigate an ASP.NET Denial of Service vulnerability, you may experience the following error comming from an .NET web application:
HttpException (0x80004005): The URL-encoded form data is not valid.
A requirement is having a large form with many form fields, more than 1000.
MS-11-100‘s summary is:
Microsoft security update MS11-100 limits the maximum number of form keys, files, and JSON members to 1000 in an HTTP request. Because of this change, ASP.NET applications reject requests that have more than 1000 of these elements. HTTP clients that make these kinds of requests will be denied, and an error message will appear in the web browser. The error message will usually have an HTTP 500 status code. This new limit can be configured on a per-application basis. Please see the “Resolution” section for configuration instructions.
ASP.NET requests that have lots of form keys, files, or JSON payload receive an error response from the server. The Application log on the server has a Warning entry with a Source that is a specific version of ASP.NET, and an Event ID of 1309.
To resolve this error (issue) you can increase
MaxHttpCollectionKeys on a per application basis in your
web.config file. As follows:
<appsettings> <add key="aspnet:MaxHttpCollectionKeys" value="some number here"/> </appsettings>