weixin_33720452 2014-11-07 15:30 Acceptance rate: 0%
6 views

Secure classic ASP

Is this secure enough? I don't have any experience with classic ASP or VBScript.

I have a classic ASP page that takes in form data and sends it to another classic ASP page that makes a connection to the database. I use this for my CSRF token on the form input page:

<%
Dim token
token = CreateGUID()
Session("token") = token   ' keep a server-side copy so the receiving page has something to compare against

' Builds the token from the zero-padded current date and time (yyyyMMddHHmmss).
Function CreateGUID()
  Dim tmpTemp
  tmpTemp = Right(String(4,48) & Year(Now()),4)
  tmpTemp = tmpTemp & Right(String(4,48) & Month(Now()),2)
  tmpTemp = tmpTemp & Right(String(4,48) & Day(Now()),2)
  tmpTemp = tmpTemp & Right(String(4,48) & Hour(Now()),2)
  tmpTemp = tmpTemp & Right(String(4,48) & Minute(Now()),2)
  tmpTemp = tmpTemp & Right(String(4,48) & Second(Now()),2)
  CreateGUID = tmpTemp
End Function
%>
<input type="hidden" name="token" ng-model="user.token" value="<%=token%>">

I'm using an AJAX call (with AngularJS if that matters) in the same page to post the form data to the page that will make a connection to the database. That page looks like this:

<%@ LANGUAGE="VBScript" %>
<%
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Request.Form("token") = Session("token") Then
        ' here I make a connection to the database and insert the rest of the form data
    End If
End If
%>

2 answers

  • ??yy 2014-12-12 13:18

    OK, so let's go over this bit by bit...

    You're getting all the fields of the current date and time, and using Right(..., 2) along with String(4,48) to zero-pad them. And then you concatenate them together. This results in... A string that represents the current date and time. For example, running this right now for me produces 20141212131100.

    Firstly, it's definitely not a GUID, which is carefully specified to be dependent on time, hardware info and a bit of randomness. Clearly, as soon as someone sees this token, they will understand how it's made and how to forge it. They only need to be accurate to the nearest minute too! There is absolutely no randomness in this token generator.

    So to answer your question, no, it's not secure. If you don't have access to a COM object that can generate real GUIDs or UUIDs, how about just using a long random number instead? It wouldn't be perfect, but it would be far better than what you have right now.
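As an added example, not code from the question or the answer: the same two pages written so that the token comes from a real GUID via the Scriptlet.TypeLib COM object rather than a timestamp, is stored in Session, and is rejected when the session holds no token at all. The names CreateToken, TokenIsValid and save.asp are mine, and it assumes a standard form-encoded POST so that Request.Form sees the field.

```vbscript
<%@ LANGUAGE="VBScript" %>
<%
Option Explicit

' Token built from a real GUID rather than the current time. Scriptlet.TypeLib
' is an assumption about the server (it ships with Windows Script Host); the
' GUID it returns is "{...}" padded with trailing nulls, so keep 38 characters.
Function CreateToken()
  Dim typeLib
  Set typeLib = Server.CreateObject("Scriptlet.TypeLib")
  CreateToken = Left(typeLib.Guid, 38)
  Set typeLib = Nothing
End Function

' True only when a session token exists AND equals the submitted one.
' The emptiness checks matter: in VBScript, Empty = "" evaluates True, so
' a session that never received a token would otherwise accept a blank field.
Function TokenIsValid(sessionToken, formToken)
  TokenIsValid = False
  If IsEmpty(sessionToken) Or Len(sessionToken) = 0 Then Exit Function
  If Len(formToken) = 0 Then Exit Function
  TokenIsValid = (StrComp(sessionToken, formToken, vbBinaryCompare) = 0)
End Function

' --- form page: generate the token, keep a copy server-side, emit it once ---
Dim token
token = CreateToken()
Session("token") = token
%>
<form method="post" action="save.asp">
  <input type="hidden" name="token" value="<%=Server.HTMLEncode(token)%>">
  <input type="text" name="user">
  <input type="submit" value="Save">
</form>

<%
' --- save.asp (in practice a separate file that includes the two functions above) ---
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
  If TokenIsValid(Session("token"), Request.Form("token")) Then
    Session("token") = Empty   ' single use: a replayed POST with the same token fails
    ' token accepted: connect to the database and insert the form data here
  Else
    Response.Status = "403 Forbidden"
    Response.Write "Invalid request token"
    Response.End
  End If
End If
%>
```

AngularJS's $http.post sends a JSON body by default, which classic ASP's Request.Form does not parse, so post the data URL-encoded (or carry the token in a request header read via Request.ServerVariables) for this check to see it.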

