Is it safe if I only check on HttpGet?

Controller:

[HttpGet]
public ActionResult Edit(int id)
{
    var obj = _uow.User.Get(id);
    if (obj.Name != User.Identity.Name) //validate
    {
        return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
    }

    return View(obj);
}

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(UserViewModel model)
{
    var obj = Mapper.Map<UserViewModel, User>(model); //map between EF Entity and ViewModel

    _uow.User.Update(obj);
    _uow.Save();
    return RedirectToAction("Index");
}

As you can see, my HttpGet method checks whether the current user is the same user as the one from the database. But my HttpPost method does not perform any checks. Is this safe enough, or should I check in both methods?

Is it possible for an attacker to POST without performing a GET?

thanks


Is it possible for an attacker to POST without performing a GET?

Oh sure. HTTP is stateless. Anyone who knows what the POST for this URI looks like can recreate and modify it without first executing a GET.

, GET, -, , .

. , UserViewModel IsAdmin, , .

?

, .

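A hardened version of the controller, added here as an example (it is not the asker's or the answerer's code): the POST handler loads the entity by the posted Id, repeats the same ownership check the GET performs, and copies only the editable fields instead of mapping the whole view model. The IUnitOfWork type, the Id/Email/DisplayName members of UserViewModel and User, and the _uow.User.Get(int) call returning null for an unknown id are assumptions made for the example.

```csharp
// Added example, not code from the original post. Assumptions: IUnitOfWork is a
// hypothetical stand-in for the question's _uow, User.Identity.Name is the
// current principal's name, and _uow.User.Get(int) returns null when not found.
using System.Net;
using System.Web.Mvc;

public class UserController : Controller
{
    private readonly IUnitOfWork _uow; // hypothetical, mirrors the question's _uow

    public UserController(IUnitOfWork uow)
    {
        _uow = uow;
    }

    // Shared ownership check: the entity must exist and belong to the caller.
    private bool IsOwnedByCurrentUser(User obj)
    {
        return obj != null && obj.Name == User.Identity.Name;
    }

    [HttpGet]
    public ActionResult Edit(int id)
    {
        var obj = _uow.User.Get(id);
        if (!IsOwnedByCurrentUser(obj))
        {
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
        return View(obj);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(UserViewModel model)
    {
        // 1. Load the entity the client claims to edit, keyed by the posted Id,
        //    and run the same check as the GET. A POST can arrive without any
        //    prior GET, so the GET's check protects nothing on its own.
        var obj = _uow.User.Get(model.Id);
        if (!IsOwnedByCurrentUser(obj))
        {
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        // 2. Copy only the fields the user may change. Mapping the whole view
        //    model would let a posted IsAdmin=true or a changed Name/Id land in
        //    the entity (over-posting); Name is the identity key here, so it is
        //    deliberately never taken from the request.
        obj.Email = model.Email;
        obj.DisplayName = model.DisplayName;

        _uow.User.Update(obj);
        _uow.Save();
        return RedirectToAction("Index");
    }
}
```

The anti-forgery token only proves the request came from a page this site served to some logged-in user; it says nothing about whether that user is allowed to modify the record whose Id is in the POST body, which is why the ownership check has to run in the POST handler as well.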

Source: https://habr.com/ru/post/1610251/
