I have a web application (Spring MVC) and have input data validation for every parameter in the controller. What is NOT present is checking for accepted Parameter Map Size. i.e When the controller expected 10 parameters and the request has 11 or 9.
I have been told that parameter size is important to check to ward off any attack or Injection i.e security pov, especially Parameter tempering. This is highlighted during scanning by ZAP where ZAP adds a new parameter query to an URL that has no request parameters.
In my opinion,checking for size can be skipped unless there is a business reason. The application will simply ignore the extra parameters and if there is any less than acceptable, the input data validation will take care of it.The size check is not adding reasonable benefit to security.
My reasoning is that the developer may only write to have 10 parameters, but the underlying framework can add more parameter. For-ex Spring MVC will add one parameter(csrf token). And any upgrade in the framework can introduce more or less of these.
So now , Question-Is it important to check for the size of the parameter map when each parameter validation is already in place? What is the real security benefit of this?
PS:I didnt get a respond on security exchange and hence posting it here. https://security.stackexchange.com/questions/192569/benefit-of-parameter-map-size-validation-in-web-application-controller
There are a few benefits to using a size map. Such as prevention of HPP attacks, etc. You've got to weigh the maintenance headache vs. the risk of such attacks with regard to your app. ZAP adds the query param on URLs with no params in order to test a few things like DOM XSS etc which might be missed or overlooked otherwise.