dgn

Reputation: 103

ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST in ASP.NET MVC

I scanned my source code with Fortify SCA.

I encountered the "ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST (API Abuse, Structural)" bug when I checked the Fortify report.

Fortify found a high level bug that says:

Recommendations:

The following controller action accepts only the POST verb because it has the [HttpPost] attribute:


[HttpPost]
public ActionResult UpdateWidget(Model model)
{
    // ... controller logic
}

But I looked at that line of code. It contains the [HttpPost] attribute.

Is it a false positive or not?

Upvotes: 1

Views: 2699

Answers (1)

malkam

Reputation: 2355

Fortify SCA itself is giving two contrasting statements.

ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST (API Abuse, Structural)

Recommendations:

The following controller action accepts only the POST verb because it has the [HttpPost] attribute:

If you are updating the model or DB using Model in the UpdateWidget method, add the HttpPost action attribute, which is more secure. If you are sure that you've added the HttpPost action attribute, ignore the Fortify bug.

Upvotes: 1
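One way to confirm that a flagged action really carries a POST-only attribute before dismissing the finding, as an added example that is not part of the original question or answer and is not Fortify's own logic. The regexes, the function names and the sample controller (apart from the `UpdateWidget` snippet) are assumptions made for illustration, and the check is a line-based heuristic rather than a C# parser.

```python
import re

# Heuristic, line-based check (not a C# parser). Assumes attributes sit on the
# lines directly above a public action whose return type ends in "Result".
ACTION = re.compile(r"^\s*public\s+(?:virtual\s+)?(?:async\s+)?(?:Task<)?\w*Result>?\s+(\w+)\s*\(")
ATTRS = re.compile(r"^\s*\[.+\]\s*$")
# [HttpPost] alone or in a comma list, or AcceptVerbs naming POST as the only verb.
POST_ONLY = re.compile(
    r'[\[,]\s*HttpPost\s*[\],(]|AcceptVerbs\s*\(\s*(?:HttpVerbs\.Post|"(?i:post)")\s*\)')

def audit_actions(source):
    """Return (line_no, action_name, post_only) for each action found."""
    results, pending = [], []
    for line_no, line in enumerate(source.splitlines(), 1):
        m = ACTION.match(line)
        if m:
            restricted = any(POST_ONLY.search(a) for a in pending)
            results.append((line_no, m.group(1), restricted))
        if ATTRS.match(line):
            pending.append(line)   # attribute line: keep it for the next action
        elif line.strip():
            pending = []           # attributes apply only to the next member
    return results

def not_post_only(source):
    return [name for _, name, ok in audit_actions(source) if not ok]

# Constructed sample controller (hypothetical; UpdateWidget mirrors the page's snippet).
SAMPLE = """\
public class WidgetController : Controller
{
    public ActionResult Index() { return View(); }

    [HttpPost]
    public ActionResult UpdateWidget(Model model)
    {
        // ... controller logic
    }

    [Authorize]
    public ActionResult DeleteWidget(int id) { return View(); }

    [Authorize, AcceptVerbs(HttpVerbs.Post)]
    public async Task<ActionResult> RenameWidget(Model model) { return View(); }
}
"""

if __name__ == "__main__":
    for line_no, name, ok in audit_actions(SAMPLE):
        print(f"line {line_no}: {name}: {'POST only' if ok else 'any verb'}")
```

The output lists every action, including overloads that share a name, so a reviewer can see which ones accept any verb and decide whether those update the model or the database.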
