Last post Mar 11, 2019 02:59 AM by Nan Yu
Mar 07, 2019 11:05 PM | sarang1183
I have an ASP.NET (3.5 framework) website that is getting scanned by a tool called "Hailstorm" for checking vulnerabilities.
This tool is able to inject parameters from a POST request into a GET request, which I want to restrict.
I have 2 queries ->
Query 1. How to restrict attacker from sending POST parameters as GET parameters?
What I am looking for is: when the parameters from the POST request are submitted as a GET request (through the URL), and when a form submission via a method other than POST is detected, the application should respond with an error from the 4xx status code family.
I want to throw a 400 error in this case.
For example, the page below, as per regular behavior, does not accept a query string. But the attacker is trying to manipulate the GET request by copying all POST request parameters plus a few additional parameters into the query string. How to validate this and throw a 400 error?
The attacked GET request becomes:
To fix this, I put the code below in global.asax, but it looks like it's not working. I put checks for all __ parameters ->
void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
{
    if (Request.HttpMethod != "GET") return;
    // true when any WebForms hidden-field name appears in the query string of a GET
    var hasPostParams = (Request.QueryString["__EVENTTARGET"]
        ?? Request.QueryString["__VIEWSTATE"] ?? Request.QueryString["__VIEWSTATEGENERATOR"]
        ?? Request.QueryString["__VIEWSTATEENCRYPTED"] ?? Request.QueryString["__ASYNCPOST"]
        ?? Request.QueryString["__PREVIOUSPAGE"]) != null;
    // stop the pipeline with a 400 so the page handler never runs
    if (hasPostParams) { Response.StatusCode = 400; CompleteRequest(); }
}
Can you please guide me on how to fix this issue?
Query 2 -> How to stop the POST request from getting modified?
The attacker was able to modify the POST request by adding an extra query string parameter called "__PREVIOUSPAGE", as you can see below.
Attacked request ->
POST /<app_path>/DashboardStats.aspx HTTP/1.1
How to avoid this?
As per my understanding, for any ASP.NET form submitted by the POST method, the data below is sent (correct me if I am wrong), and it looks like this attacker tool is trying to manipulate these fields, especially "VIEWSTATE".
How to stop it, or how to throw a 400 error in this case? Any idea?
Quick help will be highly appreciated.
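For Query 2, the integrity check the poster is asking for already exists in WebForms: with enableViewStateMac="true" (the default) the runtime appends a keyed hash to __VIEWSTATE and throws a ViewStateException from LoadViewState when the value has been altered. The code below is an added example, not code from this thread; it assumes a .NET 3.5 WebForms application with a Global.asax.cs code-behind and a page base class named SecurePage (an assumed name). It binds the MAC to the user's session so ViewState captured in one session is rejected in another, and converts the framework's tamper failure from the default 500 into the 400 the poster wants.

```csharp
// Added example (not from the original thread). Assumes a .NET 3.5 WebForms
// app using a Global.asax.cs code-behind; SecurePage is an assumed base class.
//
// web.config setting this relies on (MAC is on by default; encryption also
// stops the client from reading the serialized state):
//   <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
using System;
using System.Web;
using System.Web.UI;

public class Global : HttpApplication
{
    // A tampered __VIEWSTATE surfaces here as an HttpException wrapping a
    // ViewStateException; answer with 400 instead of the default error page.
    void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        while (ex != null && !(ex is ViewStateException))
            ex = ex.InnerException;          // unwrap to the framework's own exception
        if (ex == null) return;              // some other error: leave default handling

        Server.ClearError();                 // discard the pending 500 response
        Response.Clear();
        Response.StatusCode = 400;
        Response.StatusDescription = "Bad Request";
        // Fixed text only; never echo request data into the error body.
        Response.Write("Invalid form state");
        CompleteRequest();                   // end the pipeline without ThreadAbortException
    }
}

// Page base class: bind the ViewState MAC to this user's session so a
// __VIEWSTATE copied from another session fails validation. ViewStateUserKey
// must be set before LoadViewState, i.e. in OnInit/Page_Init.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        ViewStateUserKey = Session.SessionID;
    }
}
```

With this in place a scanner that edits __VIEWSTATE or replays it under a different session gets a 400 from Application_Error; there is no need to parse the field yourself, and doing so would only duplicate the MAC check the framework already performs.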
Mar 08, 2019 09:15 AM | WatcherR
If you are using POST, the code below will return, and your check will not fire:
if (Request.HttpMethod != "GET")
Mar 08, 2019 11:07 AM | sarang1183
This code block I am using for GET verification. But as per my query 2, I need to validate POST also.
If I have a POST request and __VIEWSTATE is modified by the attacker after the form is posted... how should I check that this variable was modified maliciously and throw a 400 error?
Mar 11, 2019 02:59 AM | Nan Yu
Hi sarang,
You may check if the request URI has any parameters:
bool hasQueryString = Request.QueryString != null && Request.QueryString.Count > 0;
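The check above rejects every query string, which is right for a page that never takes one but breaks any page that does. The code below is an added example for Query 1, not code from this thread; it assumes a .NET 3.5 WebForms application with a Global.asax.cs code-behind. It combines the two approaches discussed: Nan Yu's "any query string at all" test, limited to an assumed list of pages known to take none, and the original poster's test for WebForms hidden-field names, applied to every GET.

```csharp
// Added example (not from the original thread). Assumes a .NET 3.5 WebForms
// app with a Global.asax.cs code-behind; NoQueryStringPages is an assumed list.
using System;
using System.Collections.Specialized;
using System.Web;

public class Global : HttpApplication
{
    // WebForms sends these as hidden form fields in a POST; on a GET they have
    // no legitimate use, so their presence in the query string is a tamper sign.
    static readonly string[] PostOnlyFields = {
        "__EVENTTARGET", "__EVENTARGUMENT", "__VIEWSTATE", "__VIEWSTATEGENERATOR",
        "__VIEWSTATEENCRYPTED", "__EVENTVALIDATION", "__ASYNCPOST", "__PREVIOUSPAGE"
    };

    // Pages that never accept a query string (assumed list; app-relative paths
    // as returned by Request.AppRelativeCurrentExecutionFilePath).
    static readonly string[] NoQueryStringPages = { "~/dashboardstats.aspx" };

    void Application_BeginRequest(object sender, EventArgs e)
    {
        // POST integrity is covered by the ViewState MAC; this check is GET-only.
        if (!string.Equals(Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            return;

        if (HasPostOnlyField(Request.QueryString) || IsQueryOnNoQueryPage(Request))
            Reject400();
    }

    // True when any WebForms hidden-field name appears as a query-string key.
    static bool HasPostOnlyField(NameValueCollection query)
    {
        foreach (string key in query.AllKeys)
        {
            if (key == null) continue;        // "?foo" with no '=' yields a null key
            foreach (string field in PostOnlyFields)
                if (string.Equals(key, field, StringComparison.OrdinalIgnoreCase))
                    return true;
        }
        return false;
    }

    // Nan Yu's test, scoped to pages that are known to take no parameters.
    static bool IsQueryOnNoQueryPage(HttpRequest request)
    {
        if (request.QueryString == null || request.QueryString.Count == 0)
            return false;
        string path = request.AppRelativeCurrentExecutionFilePath;
        foreach (string page in NoQueryStringPages)
            if (string.Equals(path, page, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    void Reject400()
    {
        Response.Clear();
        Response.StatusCode = 400;
        Response.StatusDescription = "Bad Request";
        Response.Write("Query string not accepted for this request"); // fixed text, no echo
        CompleteRequest();   // skip the page handler; no ThreadAbortException from Response.End
    }
}
```

Running in BeginRequest means the page handler is never created for a rejected request, and CompleteRequest() ends the pipeline cleanly where Response.End() would raise a ThreadAbortException. Keep the field list in sync with the hidden fields your pages actually emit; the eight names above are the standard WebForms ones.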