With the help of Fiddler, I did this "replay attack" with the following HTTP GET request:
http://svr/Default.aspx?__EVENTTARGET=LinkButton1&__EVENTARGUMENT=&__VIEWSTATE=%2snipg%3D%3D&__EVENTVALIDATION=%2snip
To my surprise, it works as long as there is a valid viewstate and event validation. The following stops GET on my click event, but…
// Per-handler check: refuse to run the click event unless the request
// arrived as a POST (a replayed GET still carries valid __VIEWSTATE and
// __EVENTVALIDATION, so those alone do not prove a real postback).
protected void BtnUploadClick(object sender, EventArgs e)
{
    if (Request.RequestType == "GET") throw new HttpException(405, "GET not allowed for this.");
}
I have events all over my code. Is there a way to globally add this behavior to events that are normally postback events?
Best Answer
You can, yes. Attach to the application's PreRequestHandlerExecute event. Do it either as a separate HttpModule or in Global.asax. In the event handler you can either check that __EVENTTARGET and __VIEWSTATE are not part of the Request.QueryString property (on each request), or that Request.Form is empty, because ASP.NET only posts a form on POST actions.
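The HttpModule variant of that answer, as an added example that is not code from the question or the answer. It hooks PreRequestHandlerExecute and returns 405 for any non-POST request whose query string carries the WebForms postback fields, so the page's event handlers never run for a replayed GET. The class name, the module name used in Web.config and the chosen status text are my own assumptions; the APIs (IHttpModule, HttpApplication.PreRequestHandlerExecute, HttpApplication.CompleteRequest) are standard System.Web.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Added example, not the original poster's or answerer's code.
// Rejects postback-style requests (ones carrying __EVENTTARGET, __VIEWSTATE,
// __EVENTARGUMENT or __EVENTVALIDATION) that did not arrive as an HTTP POST.
public class PostbackMethodGuardModule : IHttpModule
{
    // Hidden fields that only a genuine WebForms form post should carry.
    private static readonly string[] PostbackFields =
        { "__EVENTTARGET", "__EVENTARGUMENT", "__VIEWSTATE", "__EVENTVALIDATION" };

    public void Init(HttpApplication context)
    {
        // Fires after authentication/authorization and before the .aspx handler
        // runs, so a rejected request never reaches Page_Load or a click event.
        context.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // A real postback is a POST; ASP.NET only populates Request.Form for POST.
        if (string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // GET/HEAD/etc. without postback fields is an ordinary page view.
        if (!CarriesPostbackFields(request.QueryString))
            return;

        // Reject explicitly rather than silently dropping the event, so the
        // replay attempt is visible in the server's status code and logs.
        HttpResponse response = app.Context.Response;
        response.Clear();
        response.StatusCode = 405;
        response.StatusDescription = "Method Not Allowed";
        response.AppendHeader("Allow", "POST");
        app.CompleteRequest(); // skip the page handler, go straight to EndRequest
    }

    // Kept as a pure function so it can be tested without an HttpContext.
    public static bool CarriesPostbackFields(NameValueCollection query)
    {
        foreach (string field in PostbackFields)
        {
            // Indexer returns null when the key is absent, "" when present but
            // empty (e.g. "__EVENTARGUMENT="), so != null catches both forms.
            if (query[field] != null)
                return true;
        }
        return false;
    }

    public void Dispose() { }
}

// Registration in Web.config (IIS integrated pipeline); "PostbackMethodGuard"
// is an assumed module name:
//
// <configuration>
//   <system.webServer>
//     <modules>
//       <add name="PostbackMethodGuard" type="PostbackMethodGuardModule" />
//     </modules>
//   </system.webServer>
// </configuration>
```

If you prefer the Global.asax route from the answer, the same body goes into a method named Application_PreRequestHandlerExecute(object sender, EventArgs e) in Global.asax, with no Web.config entry. Note what this does and does not buy you: it closes the GET-replay hole, but a valid __VIEWSTATE and __EVENTVALIDATION pair can still be replayed in a POST by anyone who captured it, so pair this with a per-user ViewStateUserKey (or another anti-forgery token) if the concern is cross-site request forgery rather than just the wrong HTTP verb.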