
We have the recurring issue with either users reloading pages or attacks sending:

  • POST to GET actions
  • GET to POST actions.

Especially the hacking part floods our logs with errors while trying all kinds of URL parameters...

Obviously this results in a

HttpException: A public action method 'xyz' was not found on controller 'abc'

  • Should we add the other action as well and return 404 Not Found or 400 Bad Request?
  • This isn't entirely an ASP.NET issue. How do other frameworks handle this?

We could also just filter the error messages but this seems kind of a cover up...

  • Have you considered using **405 (Method Not Allowed)** to indicate that the resource exists, but the provided verb is not allowed against it? What can you see from the logs: is it a DDoS attack or a path traversal or ??? – Peter Csala Jul 06 '20 at 08:04
  • Just lots of requests in a short time with different URL parameters, sometimes with SQL queries for injection which won't work either... For the 405 we would need to implement the method as well, correct? – M R Jul 06 '20 at 10:37
  • Yes, 405 needs manual labouring. For me it does seem like someone is using some sort of penetration testing tool against your site. – Peter Csala Jul 06 '20 at 11:16
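
One way to return 405 without writing a second action per verb, shown as an added example that is not part of the question or its comments: override `HandleUnknownAction`, the `System.Web.Mvc` hook whose default implementation throws the `HttpException` quoted above. The class name `VerbAwareController` is hypothetical, and the sketch assumes ASP.NET MVC 3 or later on .NET 4.5+, actions that are not renamed with `[ActionName]`, and only GET/POST restrictions.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical base class: controllers inherit from it instead of Controller.
public abstract class VerbAwareController : Controller
{
    // MVC calls this when no action matches the requested name and verb.
    protected override void HandleUnknownAction(string actionName)
    {
        // Collect the verbs accepted by public methods carrying this action name.
        // Assumption: the method name is the action name (no [ActionName]).
        var allowed = GetType()
            .GetMethods(BindingFlags.Public | BindingFlags.Instance)
            .Where(m => string.Equals(m.Name, actionName, StringComparison.OrdinalIgnoreCase)
                        && !m.IsDefined(typeof(NonActionAttribute), true))
            .SelectMany(VerbsOf)
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray();

        if (allowed.Length == 0)
        {
            // No verb-restricted action with that name: answer 404 without throwing.
            new HttpNotFoundResult().ExecuteResult(ControllerContext);
            return;
        }

        // The action exists for another verb: 405 plus the Allow header.
        Response.AppendHeader("Allow", string.Join(", ", allowed));
        new HttpStatusCodeResult(405, "Method Not Allowed").ExecuteResult(ControllerContext);
    }

    // Verbs declared on one method; empty when it carries no GET/POST restriction.
    private static string[] VerbsOf(MethodInfo method)
    {
        var accept = method.GetCustomAttribute<AcceptVerbsAttribute>(true);
        if (accept != null) return accept.Verbs.ToArray();
        if (method.IsDefined(typeof(HttpPostAttribute), true)) return new[] { "POST" };
        if (method.IsDefined(typeof(HttpGetAttribute), true)) return new[] { "GET" };
        return new string[0];
    }
}
```

The 404 and 405 responses still show up with their status codes in the web server's access log, so the scanning stays visible there while the exception no longer reaches the application error log.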
