GET AND POST are interchangeable

Question
User-1149473135 posted
Hi,
My web application runs on IIS7 and Windows Server 2008. Right now, we are facing an issue where the application was found to accept parameters using the GET and POST HTTP Methods interchangeably. This provides 2 distinct methods for providing input to the application and can make certain attacks more viable.
For example, if an attacker found a POST parameter which was vulnerable to cross site scripting(XSS), and GET and POST requests were interchangeable, the XSS attack could be performed via GET instead, allowing them to create a URL to send to potential victims.
I would be glad if someone could help me to resolve this issue.
Wednesday, August 6, 2014 6:34 AM
Answers
User1283497924 posted
Hi, have a look at these links for the same in ASP.NET:
http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks
http://www.jardinesoftware.net/2013/01/07/asp-net-and-csrf/
http://stackoverflow.com/questions/3291414/antiforgery-implementation-in-asp-net-forms
Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Wednesday, August 6, 2014 6:59 AM
User-760709272 posted
Your code will have things like this:
    string data = Request["param"];
If you expect the data from a POST, it should be
    string data = Request.Form["param"];
and from the URL
    string data = Request.QueryString["param"];
and so on. Using Request[key], it goes through all request collections in turn; if you explicitly use Request.Form, then it will only look in the POST data.
Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Wednesday, August 6, 2014 7:26 AM
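An added example (not code from the thread) of the distinction described in the answer above, written as a Web Forms code-behind: the loose Request[...] lookup next to a version that reads only the POST body and refuses other methods. The page name, the parameter name "displayName" and the lblResult control are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Assumed code-behind for a hypothetical UpdateProfile.aspx that must take
// its input from the POST body only.
public partial class UpdateProfile : Page
{
    // Before: Request["displayName"] searches QueryString, Form, Cookies and
    // ServerVariables in turn, so a value placed in the URL (GET) is accepted
    // exactly like the intended form submission (POST).
    private string ReadDisplayNameLoose()
    {
        return Request["displayName"];
    }

    // After: bind the parameter to one HTTP method and one collection.
    private string ReadDisplayNameStrict()
    {
        // Refuse anything that is not a POST before reading any input.
        if (!string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            Response.StatusCode = 405; // Method Not Allowed
            Response.AppendHeader("Allow", "POST");
            Response.End();
        }

        // Request.Form holds the POST body only; a query-string value with the
        // same name is ignored instead of silently accepted.
        string value = Request.Form["displayName"];
        if (string.IsNullOrEmpty(value))
        {
            throw new HttpException(400, "displayName must be sent in the POST body.");
        }
        return value;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;
        string displayName = ReadDisplayNameStrict();
        // Encode on output regardless of which collection the value came from.
        lblResult.Text = HttpUtility.HtmlEncode(displayName);
    }
}
```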
All replies
User1283497924 posted
Hi, you can use AntiForgeryToken to prevent this.
Have a look at this link:
http://www.adamriddick.com/2013/04/asp-net-mvc-security-preventing-cross-site-scripting/
Wednesday, August 6, 2014 6:43 AM
User-1149473135 posted
My app is developed in ASP.NET, not MVC, and the framework is 4.0.
Wednesday, August 6, 2014 6:48 AM