ASP-NET: The URL-encoded form data is not valid

In ASP.NET 4.x, there is an upper bound on the number of simultaneous HTTP form elements that may be posted. The default is 1000 without explicitly changing it with this key in the <appSettings> portion of the web.config:

<configuration>
  <appSettings>
    <add key="aspnet:MaxHttpCollectionKeys"
    value="2000" />
  </appSettings>
</configuration>

This patch was released by Microsoft in 2011 to prevent a Denial of Service vulnerability that involved an attacker overwhelming a request with too many keys (the science of which is beyond the remit of this question).


Here is the official statement from Microsoft:

• This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. 
• The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. 
• An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.
•  This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows. 

Source: Microsoft Knowledge Base Article 294871