
Security Classic ASP

Is this secure enough? I don't have any experience with classic ASP or VBScript.

I have a classic ASP page that takes in form data and sends it to another classic ASP page that makes a connection to the database. I use this for my CSRF token on the form input page:

<%
Dim token
token = CreateGUID()
Session("token") = token   ' stored so the receiving page can compare against it

' Builds a zero-padded yyyymmddhhnnss string from the current date and time
Function CreateGUID()
  Dim tmpTemp
  tmpTemp = Right(String(4,48) & Year(Now()),4)
  tmpTemp = tmpTemp & Right(String(4,48) & Month(Now()),2)
  tmpTemp = tmpTemp & Right(String(4,48) & Day(Now()),2)
  tmpTemp = tmpTemp & Right(String(4,48) & Hour(Now()),2)
  tmpTemp = tmpTemp & Right(String(4,48) & Minute(Now()),2)
  tmpTemp = tmpTemp & Right(String(4,48) & Second(Now()),2)
  CreateGUID = tmpTemp
End Function
%>
<input type="hidden" ng-model="user.token" value="<%=token%>">

I'm using an AJAX call (with AngularJS, if that matters) in the same page to post the form data to the page that will make a connection to the database. That page looks like this:

<%@ LANGUAGE="VBScript" %>
<%
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Request.Form("token") = Session("token") Then
        ' here I make a connection to the database and insert the rest of the form data
    End If
End If
%>

OK, so let's go over this bit by bit...

You're getting all the fields of the current date and time, and using Right(..., 2) along with String(4,48) to zero-pad them. And then you concatenate them together. This results in... a string that represents the current date and time. For example, running this right now for me produces 20141212131100.

Firstly, it's definitely not a GUID, which is carefully specified to be dependent on time, hardware info and a bit of random. Clearly, as soon as someone sees this token, they will understand how it's made and how to forge it. They only need to be accurate to the nearest minute too! There is absolutely no randomness in this token generator.

So to answer your question, no, it's not secure. If you don't have access to a COM object that can generate real GUIDs or UUIDs, how about just using a long random number instead? It wouldn't be perfect, but it would be far better than what you have right now.

I thought I'd help out a little more by showing you how to generate a true GUID from VBScript.

Function NewGUID()
    Dim TypeLib : Set TypeLib = CreateObject("Scriptlet.TypeLib")
    ' TypeLib.Guid carries trailing null/CRLF padding; keep only the 38-character "{...}" form
    NewGUID = Left(CStr(TypeLib.Guid), 38)
End Function

If you use this as your anti-CSRF token then it should be as safe as any other solution out there.
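The complete pattern the answer describes, put together as an added example (this is not code from the question or the answer): issue a random token with Scriptlet.TypeLib, keep it in the session, echo it into the form, and on POST compare the submitted value against the session copy before touching the database. It assumes a single classic ASP page that posts to itself; the field name csrf_token and the session key are hypothetical.

```vbscript
<%@ LANGUAGE="VBScript" %>
<%
Option Explicit

' Added example: session-bound anti-CSRF token for a classic ASP form.
' Assumes the page posts to itself; "csrf_token" is a hypothetical field name.

Function NewGUID()
    Dim TypeLib
    Set TypeLib = CreateObject("Scriptlet.TypeLib")
    ' TypeLib.Guid is padded with trailing null/CRLF characters;
    ' keep only the 38-character "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" form.
    NewGUID = Left(CStr(TypeLib.Guid), 38)
    Set TypeLib = Nothing
End Function

Function TokenIsValid(submitted, expected)
    TokenIsValid = False
    ' No token was ever issued for this session: reject rather than compare "" = ""
    If Len(expected) = 0 Then Exit Function
    If Len(submitted) <> Len(expected) Then Exit Function
    ' Binary (case-sensitive) comparison, so "ABC" and "abc" do not match
    If StrComp(submitted, expected, vbBinaryCompare) = 0 Then TokenIsValid = True
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If TokenIsValid(Request.Form("csrf_token"), Session("csrf_token")) Then
        ' Token accepted: open the database connection and insert the form data here.
        ' Rotate the token so a captured value cannot be replayed.
        Session("csrf_token") = NewGUID()
        Response.Write "OK"
    Else
        Response.Status = "403 Forbidden"
        Response.Write "CSRF check failed"
    End If
    Response.End
End If

' GET: issue a token once per session and render the form with it
If Len(Session("csrf_token")) = 0 Then Session("csrf_token") = NewGUID()
%>
<form method="post">
  <input type="hidden" name="csrf_token" value="<%= Server.HTMLEncode(Session("csrf_token")) %>">
  <input type="text" name="comment">
  <button type="submit">Save</button>
</form>
```

Two caveats for the AngularJS setup in the question. Request.Form only parses an application/x-www-form-urlencoded body, and $http.post sends JSON by default, so either send the form encoded or read the token from the raw request body (or a request header) on the server. Also, Angular does not initialise an ng-model from the input's value attribute, which is why the example uses a plain name= hidden field instead.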
