Unauthorized controller method detected by a bot in ASP.NET MVC - c#

Through my application log, I have noticed that the following HttpException has been raised:
"A public action method 'MyMethod' was not found on controller 'MyApp.Controllers.MyController'"
Controller: "MyController", Action: "MyAction" (GET)
This is normal because MyAction is a POST method.
But MyController can be accessed by authenticated users only, thanks to a controller filter overriding the HandleUnauthorizedRequest() method.
Moreover, MyAction is called by Ajax from a scripts file dedicated to authenticated functionalities.
(Please note that MyAction and MyController are not the real names; I have changed them here, and they are absolutely uncommon names which cannot be guessed without reading the JS file.)
I fear for my application's security.
How is it possible that the existence of this controller method has been detected by an unauthenticated user (which is a bot, according to its IP address location)? What should I do to avoid that issue?
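An added example (not the asker's code) of how such a controller can be written in ASP.NET MVC 5 so that the probe is logged deliberately instead of surfacing as an unhandled exception. It assumes System.Web.Mvc and keeps the placeholder names MyController and MyAction. Two facts explain the log entry: MVC resolves the action before it runs any filter, so a GET to a POST-only action never reaches the [Authorize] filter and is handed to Controller.HandleUnknownAction, whose default implementation throws exactly the HttpException quoted above; and a .js file under Scripts is served by the static-file handler, not by MVC, so a controller filter does not keep it from anonymous readers.

```csharp
using System.Diagnostics;
using System.Web.Mvc;

// Added example, not the asker's code. MyController / MyAction are the placeholder
// names used in the question. Target: ASP.NET MVC 5 (System.Web.Mvc).
[Authorize]
public class MyController : Controller
{
    // Only an authenticated POST carrying a valid anti-forgery token reaches this body.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult MyAction(string payload)
    {
        return Json(new { ok = true });
    }

    // MVC selects the action before it runs any filter. A GET to a POST-only action
    // matches nothing, so the framework calls this method instead of the [Authorize]
    // filter; the default implementation throws the HttpException quoted in the
    // question. Here the probe is recorded and answered with a plain 404.
    protected override void HandleUnknownAction(string actionName)
    {
        var request = HttpContext.Request;
        Trace.TraceWarning(
            "No public action '{0}' on {1} for {2} {3} from {4} (authenticated: {5})",
            actionName,
            GetType().FullName,
            request.HttpMethod,
            request.RawUrl,
            request.UserHostAddress,
            request.IsAuthenticated);

        new HttpNotFoundResult().ExecuteResult(ControllerContext);
    }
}
```

The override answers with the same 404 status that a completely unknown action name gets, so the response itself does not confirm that MyAction exists; what remains to review is whether the script that names the action can be fetched without signing in, since that is outside the controller's filters.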

Related

How to find the controller/action which maps to an attribute route?

Given a URL, I want to know which action in which controller is responsible for handling it. What I do right now is search for the route name in the project from Visual Studio. But I think there might be a package or tool that lists the routes and their corresponding controller actions.
Is there a neater way to find that:
url/examples/1
is handled by:
[HttpGet]
[Route("examples/{id}")]
public Task ViewExample(int id)
Try Swagger, as I think this will be as close as you can get in terms of "lists the routes and their corresponding controller actions". By default, Swagger acts as a GUI (web page) that displays every controller with its controller methods nested beneath (accordion style).
Swagger is also a great tool for debugging and testing. It displays details like which HTTP verb each method uses and which query string params (or JSON payload in the body) the method accepts. Great for documentation as well.
Behind the scenes, Swagger builds one giant JSON payload that nests all of your controllers / controller actions, so you may also be able to view it like that.
You would access it by hitting http(s)://your.app.path/swagger
Setting up in a .NET Standard (Non-Core) app
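The same inventory can be produced without Swagger, from the IApiExplorer service that Swashbuckle itself reads. The following is an added example (not the answerer's code) for ASP.NET Web API 2 (System.Web.Http, non-Core, as the answer's heading suggests); it lists every known route with its controller and action, and flags actions whose filter pipeline contains no authorization filter, which is the first list to check after a log entry like the one in the opening question.

```csharp
using System.IO;
using System.Linq;
using System.Web.Http;
using System.Web.Http.Description;
using System.Web.Http.Filters;

// Added example, not the page's code. Assumes ASP.NET Web API 2 (System.Web.Http).
public static class RouteInventory
{
    public sealed class Entry
    {
        public string Method;
        public string Path;
        public string Controller;
        public string Action;
        public bool Authorized;      // an IAuthorizationFilter is in the action's pipeline
        public bool AllowAnonymous;  // explicitly opted out with [AllowAnonymous]
    }

    public static Entry[] Build(HttpConfiguration config)
    {
        // Attribute routes are only materialised once the configuration is initialised.
        config.EnsureInitialized();
        IApiExplorer explorer = config.Services.GetApiExplorer();

        return explorer.ApiDescriptions.Select(d => new Entry
        {
            Method = d.HttpMethod.Method,
            Path = d.RelativePath,
            Controller = d.ActionDescriptor.ControllerDescriptor.ControllerName,
            Action = d.ActionDescriptor.ActionName,
            // GetFilterPipeline merges global, controller-level and action-level filters.
            Authorized = d.ActionDescriptor.GetFilterPipeline()
                          .Any(f => f.Instance is IAuthorizationFilter),
            AllowAnonymous =
                d.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any() ||
                d.ActionDescriptor.ControllerDescriptor
                 .GetCustomAttributes<AllowAnonymousAttribute>().Any(),
        })
        .OrderBy(e => e.Path)
        .ToArray();
    }

    // Prints one line per route; "UNPROTECTED" marks actions that are reachable
    // anonymously without anyone having said so with [AllowAnonymous].
    public static void Report(HttpConfiguration config, TextWriter output)
    {
        foreach (Entry e in Build(config))
        {
            string flag = e.AllowAnonymous ? "anonymous (explicit)"
                        : e.Authorized     ? "authorized"
                        :                    "UNPROTECTED";
            output.WriteLine("{0,-6} /{1,-40} {2}.{3}  [{4}]",
                e.Method, e.Path, e.Controller, e.Action, flag);
        }
    }
}

// Typical call site, e.g. at the end of Application_Start once WebApiConfig.Register has run:
//   RouteInventory.Report(GlobalConfiguration.Configuration, Console.Out);
```

Two caveats of the underlying service: IApiExplorer skips anything marked [ApiExplorerSettings(IgnoreApi = true)], and it only covers Web API (System.Web.Http) controllers, so MVC 5 controllers in the same project need a separate walk.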

Allow cross site post request on specific ASP.NET Core controller

I am using a complex template for my new ASP.NET Core application. Now I wanted to create a new controller which receives a POST request from another, external server. That didn't work. I tried a lot until I found out that there is a mechanism set up which only allows POST requests that have a certain header (X-XSRF-TOKEN) to access my controller. This is done to prevent a Cross-Site Request Forgery attack.
However, one specific controller should allow such requests, because this controller is not used from the webpage visitor's browser. Is there a way to annotate the controller, or any other way to allow this exception?
I finally found the answer and it is indeed possible by using an annotation. Just annotate your controller or action with [IgnoreAntiforgeryTokenAttribute] and the whole XSRF mechanism won't bother your controller any more.
Note that even if you don't intend to use that controller action from a browser, if it can be accessed via HTTP, it may easily be susceptible to CSRF. An attacker may still, for example, create a rogue webpage which, if visited by one of your users, makes the user send a request to that action. If session management is cookie-based or equivalent and the action changes server state, it would still be an exploitable vulnerability.
So while you can turn off CSRF protection, you need to consider the consequences carefully.
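An added example (not the asker's or either answerer's code) showing the exemption next to a safer shape for a server-to-server endpoint. It assumes ASP.NET Core MVC with cookie authentication as the application's default scheme and a bearer-token scheme registered under the name "Bearer"; WebhookPayload and the controller names are placeholders. The point of the hardened version is the one the second reply makes: the exemption is only safe when the action does not honour the browser's ambient cookie.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Placeholder body type for the example.
public class WebhookPayload
{
    public string Event { get; set; }
    public string Reference { get; set; }
}

// Weak: exempt from anti-forgery validation while still authenticated by the site's
// cookie. Any page a logged-in user visits can now submit a form to this action and the
// browser will attach that cookie, which is exactly the CSRF case the reply describes.
[Authorize]                 // default (cookie) scheme
[IgnoreAntiforgeryToken]
public class WebhookWeakController : Controller
{
    [HttpPost("webhook-weak")]
    public IActionResult Receive([FromBody] WebhookPayload payload)
    {
        return Ok();
    }
}

// Hardened: the exemption stays, but the action only accepts a non-cookie scheme.
// A forged cross-site form cannot add an Authorization header, and a browser will not
// send one on its own, so the request carries no credential this action will honour.
[IgnoreAntiforgeryToken]
[Authorize(AuthenticationSchemes = "Bearer")]   // assumed to be registered in Startup
public class WebhookController : Controller
{
    [HttpPost("webhook")]
    public IActionResult Receive([FromBody] WebhookPayload payload)
    {
        if (payload == null || string.IsNullOrEmpty(payload.Event))
        {
            return BadRequest();
        }
        // Process the server-to-server notification here.
        return Ok();
    }
}
```

Naming the scheme on the attribute matters: with [Authorize] alone, the default cookie scheme still satisfies the check and the weak shape is what you get.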

How does ASP.NET MVC invoke different controller when URL never changes?

In this Adding a Controller (C#) tutorial I read:
ASP.NET MVC invokes different controller classes (and different action methods within them) depending on the incoming URL
However, I am looking now at the source code, full of such controllers; the web app is fully functional and switches from controller to controller smoothly, without ever changing the URL...
How does this work?
Also, based on the HTTP method: one action might handle POST requests because it is decorated with the [HttpPost] attribute and another GET requests because it is decorated with the [HttpGet] attribute.
I need to do some more guesswork as you've not detailed your observation: your application might send AJAX requests, and while the URL of the page is not changing, different actions in controllers are invoked because of these behind-the-scenes requests.

.NET MVC WebApi - Global message handler excluding a specific controller

I have a few controllers and a few methods decorated with a [Route] attribute.
Now the thing is, I want to add a global message handler excluding one single controller.
Here is a snapshot from the HTTP configuration code:
The problem is, my Free controller (defined in the FreeApi route) is still getting the custom message handler somehow in the pipeline.
How can I achieve this kind of behavior?
Thanks!
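The asker's configuration snapshot is not on the page, so the following is an added example (not the asker's code) of the approach that achieves the requested split in ASP.NET Web API 2: everything in config.MessageHandlers runs before routing and therefore cannot single out one controller, whereas a handler passed to MapHttpRoute applies to that route only. ApiKeyHandler is a hypothetical stand-in for the unspecified "Custom message handler", and the route templates are assumptions.

```csharp
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Dispatcher;

// Hypothetical stand-in for the asker's custom handler: rejects requests that carry
// no X-Api-Key header. The real handler's logic is not shown on the page.
public class ApiKeyHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (!request.Headers.Contains("X-Api-Key"))
        {
            var denied = new HttpResponseMessage(HttpStatusCode.Unauthorized)
            {
                RequestMessage = request,
                ReasonPhrase = "API key required"
            };
            return Task.FromResult(denied);
        }
        return base.SendAsync(request, cancellationToken);
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Deliberately NOT: config.MessageHandlers.Add(new ApiKeyHandler());
        // Global handlers run before the router picks a route, so they see every
        // request, the Free controller's included.
        config.MapHttpAttributeRoutes();

        // A route-specific handler replaces the default dispatcher for that route only.
        // The pipeline must end in a dispatcher, and each DelegatingHandler instance can
        // belong to exactly one pipeline, so build a fresh one per protected route.
        HttpMessageHandler protectedPipeline = HttpClientFactory.CreatePipeline(
            new HttpControllerDispatcher(config),
            new DelegatingHandler[] { new ApiKeyHandler() });

        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional },
            constraints: null,
            handler: protectedPipeline);

        // The Free controller keeps the stock pipeline: no custom handler in front of it.
        config.Routes.MapHttpRoute(
            name: "FreeApi",
            routeTemplate: "free/{action}",
            defaults: new { controller = "Free" });
    }
}
```

One limitation to keep in mind: actions reached through [Route] attributes are matched by the single route that MapHttpAttributeRoutes() registers, so they are not covered by the per-route pipeline above; for those, an authorization filter on the controller is the usual way to apply the same check.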

Difference between ActionFilters and HTTPHandlers?

What is the difference between ActionFilters and HTTPHandlers, in the context of an MVC web app, for authenticating a user? How would I use either of them to perform authentication?
Action filter
An action filter is an attribute. You can apply most action filters to either an individual controller action or an entire controller.
HTTP Handlers
Any class that implements the System.Web.IHttpHandler interface becomes an HTTP handler. Such a class runs in response to a request made to the ASP.NET site. The most common handler is the ASP.NET page handler that processes .aspx files.
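An added example (not the answerer's code) putting the two side by side for ASP.NET MVC 5 on IIS. The filter is an AuthorizeAttribute subclass overriding HandleUnauthorizedRequest, the same hook the first question on this page mentions, applied to a controller; the handler is an IHttpHandler that serves a script only to authenticated users, which is the kind of resource MVC filters never see. AccountDataController, SecureScriptHandler, the Scripts/secure path and the MyWebApp assembly name are placeholders.

```csharp
using System.IO;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Filter side: runs inside MVC, per action or per controller, after the action has
// been selected. Overriding HandleUnauthorizedRequest lets AJAX callers receive a 401
// instead of the login-page redirect that forms authentication gives a navigation.
public sealed class AjaxAwareAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAjaxRequest())
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Unauthorized);
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext); // default 401 handling
        }
    }
}

// Applied to the controller: every action in it requires an authenticated user.
[AjaxAwareAuthorize]
public class AccountDataController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Refresh()
    {
        return Json(new { refreshed = true });
    }
}

// Handler side: the endpoint for a URL pattern, outside MVC entirely, so it must do its
// own principal check. Hypothetical registration in web.config:
//   <system.webServer><handlers>
//     <add name="SecureScripts" path="Scripts/secure/*.js" verb="GET"
//          type="SecureScriptHandler, MyWebApp" preCondition="integratedMode" />
//   </handlers></system.webServer>
public sealed class SecureScriptHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            return;
        }

        // Map only the request's own path, which IIS has already canonicalised
        // against the handler's path pattern.
        string physical = context.Server.MapPath(
            context.Request.AppRelativeCurrentExecutionFilePath);
        if (!File.Exists(physical))
        {
            context.Response.StatusCode = (int)HttpStatusCode.NotFound;
            return;
        }

        context.Response.ContentType = "application/javascript";
        context.Response.TransmitFile(physical);
    }
}
```

The practical difference for authentication: the filter can only guard MVC actions, and only after routing has chosen one; the handler owns the whole request for its path, so it is the tool for resources (scripts, downloads) that are not actions at all.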
