安全经典ASP
[英]Security Classic ASP
问题描述
Is this secure enough? 
这足够安全吗? I don't have any experience with classic ASP or VBScript. 我没有使用经典ASP或VBScript的经验。
I have a classic ASP page that takes in form data and sends it to another classic ASP page that makes a connection to the database. 我有一个经典的ASP页,该页接受表单数据并将其发送到另一个与数据库建立连接的经典ASP页。 I use this for my CSRF token on the form input page: 我将其用于表单输入页面上的CSRF令牌:
<%
Dim token
token = CreateGUID()
Function CreateGUID()
Dim tmpTemp
tmpTemp = Right(String(4,48) & Year(Now()),4)
tmpTemp = tmpTemp & Right(String(4,48) & Month(Now()),2)
tmpTemp = tmpTemp & Right(String(4,48) & Day(Now()),2)
tmpTemp = tmpTemp & Right(String(4,48) & Hour(Now()),2)
tmpTemp = tmpTemp & Right(String(4,48) & Minute(Now()),2)
tmpTemp = tmpTemp & Right(String(4,48) & Second(Now()),2)
CreateGUID = tmpTemp
End Function
%>
<input type="hidden" ng-model="user.token" value="<%=token%>">
I'm using an AJAX call (with AngularJS if that matters) in the same page to post the form data to the page that will make a connection to the database.That page looks like this: 我在同一页面中使用AJAX调用(如果需要的话可以使用AngularJS)将表单数据发布到将与数据库建立连接的页面,该页面如下所示:
<%@ LANGUAGE="VBScript" %>
<%If Request.ServerVariables("REQUEST_METHOD") = "POST" Then%>
<%If Request.Form("token") = Session("token") Then %>
'here I make connection to database and and insert rest of form data in database
2 个解决方案
解决方案1
1 2014-12-12 13:18:49
OK, so let's go over this bit by bit... 好的,让我们逐一介绍一下...
You're getting all the fields of the current date and time, and using Right(..., 2) along with String(4,48) to zero-pad them. 您将获得当前日期和时间的所有字段,并使用Right(..., 2)和String(4,48)对它们进行零填充。 And then you concatenate them together. 然后将它们连接在一起。 This results in... A string that represents the current date and time. 这将导致...代表当前日期和时间的字符串。 For example, running this right now for me produces 20141212131100 . 例如,立即为我运行该命令会生成20141212131100 。
Firstly, it's definitely not a GUID , which is carefully specified to be dependent on time, hardware info and a bit of random. 首先,它绝对不是GUID ,它是根据时间,硬件信息和一些随机性精心设计的。 Clearly, as soon as someone sees this token, they will understand how it's made and how to forge it. 显然,只要有人看到此令牌,他们就会了解它是如何制成的以及如何伪造的。 They only need to be accurate to the nearest minute too! 他们也只需要精确到最近一分钟! There is absolutely no randomness in this token generator. 此令牌生成器绝对没有随机性。
So to answer your question, no, it's not secure. 因此,要回答您的问题,不,这是不安全的。 If you don't have access to a COM object that can generate real GUIDs or UUIDs, how about just using a long random number instead? 如果您无权访问可生成实际GUID或UUID的COM对象,那么仅使用长随机数怎么办? It wouldn't be perfect, but it would be far better than what you have right now. 它不是完美的,但是会比您现在拥有的要好得多。
解决方案2
1 2017-09-06 10:01:40
I thought I'd help out a little more by showing you how to generate a true GUID from VBScript. 我想通过向您展示如何从VBScript生成真正的GUID来提供更多帮助。
Function NewGUID()
Dim TypeLib : Set TypeLib = CreateObject("Scriptlet.TypeLib")
NewGUID = CStr(TypeLib.Guid)
End Function
If you use this as your anti-CSRF token then it should be as safe as any other solution out there. 如果将其用作反CSRF令牌,则它应与现有的其他解决方案一样安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.