
Benefit of Parameter Map size validation in web application controller

Çağlar Arlı


I have a web application (Spring MVC) and have input data validation for every parameter in the controller. What is NOT present is checking for the accepted parameter map size, i.e. when the controller expects 10 parameters and the request has 11 or 9.

I have been told that the parameter size is important to check to ward off any attack or injection, i.e. from a security point of view, especially parameter injection. This is highlighted during scanning by ZAP, where ZAP adds a new query parameter to a URL that has no request parameters.

In my opinion, checking for size can be skipped unless there is a business reason. The application will simply ignore the extra parameters, and if there are fewer than acceptable, the input data validation will take care of it. The size check is not adding a reasonable benefit to security.

My reasoning is that the developer may only write the code to expect 10 parameters, but the underlying framework can add more parameters. For example, Spring MVC will add one parameter (the CSRF token), and any upgrade in the framework can introduce more or fewer of these.

So now, the question: is it important to check the size of the parameter map when each parameter's validation is already in place? What is the real security benefit of this?
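As an added illustration (not from the question or from the Spring project), here is a plain-Java sketch of the check that is actually meaningful where a bare parameter count is not: an allow-list of the names the controller declares, which tolerates Spring's framework-added `_csrf` parameter and names any stray parameter so it can be logged or rejected. The endpoint's parameter names, the `_csrf` default and the request map are constructed for the example; the map shape mirrors `HttpServletRequest#getParameterMap()`.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example: strict parameter allow-listing instead of a "size == N" check.
 * A count cannot tell a framework-added token from a scanner-injected name;
 * an allow-list can, and it also survives a framework upgrade that adds a
 * parameter, because the framework names are listed separately.
 */
public class ParameterAllowList {

    /** Parameters the controller declares for this endpoint (constructed). */
    static final Set<String> EXPECTED = Set.of("username", "email", "page");

    /** Parameters added by the framework rather than by the developer (Spring's default CSRF name). */
    static final Set<String> FRAMEWORK_ADDED = Set.of("_csrf");

    /** Names present in the request that neither the controller nor the framework declares. */
    static Set<String> unexpectedParameters(Map<String, String[]> params) {
        Set<String> unexpected = new TreeSet<>(params.keySet());
        unexpected.removeAll(EXPECTED);
        unexpected.removeAll(FRAMEWORK_ADDED);
        return unexpected;
    }

    /** Declared parameters absent from the request; per-field validation already covers this case. */
    static Set<String> missingParameters(Map<String, String[]> params) {
        Set<String> missing = new TreeSet<>(EXPECTED);
        missing.removeAll(params.keySet());
        return missing;
    }

    public static void main(String[] args) {
        // Constructed request: the three declared parameters, the CSRF token,
        // and one extra name of the kind a scanner such as ZAP appends.
        Map<String, String[]> request = new HashMap<>();
        request.put("username", new String[]{"alice"});
        request.put("email", new String[]{"alice@example.com"});
        request.put("page", new String[]{"1"});
        request.put("_csrf", new String[]{"token-placeholder"});
        request.put("query", new String[]{"injected"});

        // A count check sees 5 parameters against 3 declared and stops there.
        System.out.println("parameter count: " + request.size() + " (declared " + EXPECTED.size() + ")");
        // The allow-list identifies the stray name, which is what a rejection or audit log should carry.
        System.out.println("unexpected: " + unexpectedParameters(request));
        System.out.println("missing: " + missingParameters(request));
    }
}
```

In a real Spring MVC application this logic would sit in a `HandlerInterceptor` or servlet `Filter` in front of the controllers, with the per-endpoint allow-list derived from the handler's declared parameters rather than hard-coded.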