I have an asp.net webforms application(.net framework 4.5) running on client's server. A recent security audit indicates that the application collapse the POST and GET parameters into a single collection and that this is a flawed design pattern from a security standpoint.
The audit further indicates that using interceptors, it is possible to change the method type to GET which is unsafe as the information is appended to the URL and can be easily tampered.
So, instead of allowing the user to login with the modified request, he/she should have been redirected to the login page/error page.