Controller:

using System.Net;
using System.Web.Mvc;
using AutoMapper;

[HttpGet]
public ActionResult Edit(int id)
{
    var obj = _uow.User.Get(id);
    if (obj.Name != User.Identity.Name) // validate: only the owner may open the edit form
    {
        return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
    }
    return View(obj);
}

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(UserViewModel model)
{
    // map between EF entity and view model; note there is no ownership check here
    var obj = Mapper.Map<UserViewModel, User>(model);
    _uow.User.Update(obj);
    _uow.Save();
    return RedirectToAction("Index");
}
As you can see, my HttpGet method checks whether the current user is the same user as the one from the database. But my HttpPost doesn't do any check. Is this secure enough, or should I validate in both methods?
Is it possible for an attacker to POST without doing a GET?
Thanks
Is it possible for an attacker to POST without doing a GET?
Yes, of course. HTTP is stateless. Anyone who knows what a POST to that URI looks like can recreate and alter it without performing a GET first.
Of course they have to do a GET first to obtain the anti-forgery token, but after that they can POST whatever they want.
You also may want to look into binding specific properties and authorization thereof. For example, if your UserViewModel has an IsAdmin property which you don't check, then an attacker can make themselves admin.
Should I validate in both methods?
So, yes.
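As an added illustration of the two points in the answer (repeat the ownership check on the POST, and bind only the properties the user is allowed to change), here is a hardened version of the controller. This is example code written for this page, not the asker's project or a library API; the IUnitOfWork type, the repository methods (Get, Update, Save), the AutoMapper static Mapper call and the DisplayName/Email fields are assumptions modelled on the names used in the question.

```csharp
using System.Net;
using System.Web.Mvc;
using AutoMapper;

// Assumed EF entity. Name is the login name; IsAdmin is privileged and must
// never be settable from a user-facing form.
public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// Assumed view model. It carries IsAdmin only to show that binding it is blocked below.
public class UserViewModel
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// Assumed unit-of-work abstraction matching the _uow usage in the question.
public interface IUserRepository
{
    User Get(int id);
    void Update(User user);
}

public interface IUnitOfWork
{
    IUserRepository User { get; }
    void Save();
}

public class UserController : Controller
{
    private readonly IUnitOfWork _uow;

    public UserController(IUnitOfWork uow)
    {
        _uow = uow;
    }

    [HttpGet]
    public ActionResult Edit(int id)
    {
        var existing = _uow.User.Get(id);
        if (existing == null)
        {
            return HttpNotFound();
        }
        if (!IsOwnedByCurrentUser(existing))
        {
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
        return View(Mapper.Map<User, UserViewModel>(existing));
    }

    // Bind(Include = ...) is an allow-list for model binding: any other field in the
    // request body (IsAdmin, Name, ...) is ignored instead of silently bound.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Include = "Id,DisplayName,Email")] UserViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // The POST may arrive without the GET ever having run, so the ownership
        // check is repeated here against the entity the server actually holds.
        var existing = _uow.User.Get(model.Id);
        if (existing == null)
        {
            return HttpNotFound();
        }
        if (!IsOwnedByCurrentUser(existing))
        {
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        // Copy only the editable fields onto the loaded entity rather than mapping the
        // whole view model into a fresh entity; Name and IsAdmin keep their stored values.
        existing.DisplayName = model.DisplayName;
        existing.Email = model.Email;

        _uow.User.Update(existing);
        _uow.Save();
        return RedirectToAction("Index");
    }

    private bool IsOwnedByCurrentUser(User entity)
    {
        return entity.Name == User.Identity.Name;
    }
}
```

The key difference from the original POST action is that the request body is never trusted to identify or describe the record: the Id is used only to look up the server-side entity, the ownership check decides whether the caller may touch it, and only an explicit set of fields is copied across.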