tags:

views:

126

answers:

2

With the help of fiddler, I did this "replay attack" with the following HTTP GET request

http://svr/Default.aspx?__EVENTTARGET=LinkButton1&__EVENTARGUMENT=&__VIEWSTATE=%2snipg%3D%3D&__EVENTVALIDATION=%2snip

To my surprise, it works as long as there is valid viewstate and event validation. The following stops GET on my click event, but...

// Per-handler workaround: reject a replayed postback that arrives as a GET
// before the click handler does any work.
protected void BtnUploadClick(object sender, EventArgs e)
{
    if (Request.RequestType == "GET") throw new HttpException(405, "GET not allowed for this.");
}

I have events all over my code. Is there a way to globally add this behavior to events that are normally postback events?

+3  A: 

You can yes. Attach to application's PreRequestHandlerExecute event. Do it either as a separate HttpModule or in Global.asax.

In the event handler you can either check:

  1. __EVENTTARGET, __VIEWSTATE are not part of the Request.QueryString property (on each request)
  2. on GET you can check that Request.Form is empty, because ASP.NET only posts a form on POST actions.
Robert Koritnik
Excellent suggestions! - +1
Jose Basilio
Implemented! I wish I could vote it up twice.
MatthewMartin
Thanks Matthew. I wish you could vote twice as well. :)
Robert Koritnik
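The accepted approach as a stand-alone HttpModule (an added example, not code from the answer or the asker): it hooks PreRequestHandlerExecute and applies both checks from the answer to every page, so no per-handler guard is needed. The class name BlockGetPostbackModule and the 405 response are my own choices.

```csharp
using System;
using System.Web;

// Added example: rejects any request that carries ASP.NET postback fields in the
// query string (a postback replayed as a GET) before the page's event handlers run.
public class BlockGetPostbackModule : IHttpModule
{
    // Hidden fields that only a genuine form POST should ever carry.
    private static readonly string[] PostbackFields =
        { "__EVENTTARGET", "__EVENTARGUMENT", "__VIEWSTATE", "__EVENTVALIDATION" };

    public void Init(HttpApplication context)
    {
        // Runs after authentication/authorization but before the .aspx handler executes.
        context.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    public void Dispose() { }

    private void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (IsGetPostback(app.Context.Request))
        {
            // Same status the asker used per handler, now enforced globally.
            throw new HttpException(405, "Postback fields are not accepted on GET.");
        }
    }

    // Check 1: postback fields must never appear in the query string (any verb).
    // Check 2: a GET whose Request.Form is non-empty is not a normal ASP.NET request,
    // because the framework only submits the form on POST.
    internal static bool IsGetPostback(HttpRequest request)
    {
        foreach (var field in PostbackFields)
        {
            if (request.QueryString[field] != null)
                return true;
        }
        return string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)
               && request.Form.Count > 0;
    }
}
```

Register the module in web.config under system.web/httpModules (classic pipeline) or system.webServer/modules (IIS 7+ integrated pipeline); the same logic can instead go into Application_PreRequestHandlerExecute in Global.asax.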
A: 

Assuming you never want to process GETs for this particular application on certain page types you can disable GET for the various pages in your application using IIS. Under the Properties pane for the site or application click on Home Directory and then Configuration (assuming an application is configured) then click on the ASPX or other extension and you can limit the verbs in use for that extension.

Harv
Then how would you load the first page? Browsers do the home page request with a GET. The home page at least would have to be in a different virtual directory, the post would be cross virtual directory, all links would have to be converted to redirects, etc. I haven't tried this but I'm not sure it would work.
MatthewMartin
Good point! He could create a custom extension for the particular page, but it's obviously more convenient to use the picked answer. Thanks for dogpiling on me Matt. :-( ;)
Harv