How to get request source in asp?

2

I need to do a certain action with a page that is in classic asp.

What I need is to get the source of the request made to this page and, depending on the source, do something about the request.

For example, if the request comes from the ASP page itself, I let the flow run normally. But if the request has another source (Postman and Burp Suite do this), then I would treat the situation differently.

The intent is to take care of system security.

How can I capture the source of this request in asp?

    
asked by anonymous 01.02.2017 / 19:42

2 answers

5

HTTP_REFERER does not guarantee any security; it is very easy to overwrite it and to falsify the source, since it is a header.

The best thing to do in order to ensure the origin of the form could be using reCAPTCHA.

Also try techniques such as anti-CSRF protection (CSRF means Cross-Site Request Forgery). It is not 100% efficient, but it works better than HTTP_REFERER. There is an example on SOen (I just do not know if md5 is really needed).

I think it would look something like:

  • All pages that receive a request or have a form or an Ajax call must have this (you can put it in a global include or in a function):

    Function GetGUID()
    
        GetGUID = CreateObject("Scriptlet.TypeLib").GUID
    
    End Function
    
    Dim token
    
    ' Only update the session value if the request does not come from a POST
    ' with '<input name=csrftoken>'
    If Request.Form("csrftoken") = "" Then
        ' md5() is not built into VBScript; it must come from an included library
        token = md5(GetGUID())
        Session("token")=token
        Session("token_time")=Time()
    End If
    
  • On the page receiving the POST / request you should have this:

    If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
        ' Compare the form value with the session value
        If Request.Form("csrftoken") = Session("token") Then
            ' Run your code here!
        End If
    End If
    
  • In the form you should also add Session("token"):

    <form method="post" action="pagina.asp">
        <input type="text" name="foo" placeholder="Exemplo">
        <input type="submit" value="submit">
        <input type="hidden" value="<%= Session("token") %>" name="csrftoken">
    </form>
    
  

I have not worked with classic ASP for a long time; if there are any typos, feel free to fix them.

How to Fool the Referer and Origin

With Postman or

01.02.2017 / 20:13
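The token flow from the answer above, as an added example that is not the answer's own code: it rejects empty tokens and actually checks the `token_time` value that the answer stores but never reads. The names `TOKEN_TTL_SECONDS`, `NewToken`, `TokenExpired`, `IssueToken` and `TokenIsValid` and the 20-minute lifetime are assumptions.

```asp
<%
' Added example, not the answer's own code. Assumed names: TOKEN_TTL_SECONDS,
' NewToken, TokenExpired, IssueToken, TokenIsValid.
Const TOKEN_TTL_SECONDS = 1200   ' assumed lifetime: 20 minutes

Function NewToken()
    ' Scriptlet.TypeLib returns "{GUID}" followed by null characters;
    ' keep only the 36 GUID characters. A GUID is unique but not
    ' guaranteed unpredictable, so prefer a CSPRNG source if one is available.
    NewToken = Mid(CreateObject("Scriptlet.TypeLib").GUID, 2, 36)
End Function

Function TokenExpired()
    TokenExpired = True
    If IsDate(Session("token_time")) Then
        TokenExpired = (DateDiff("s", Session("token_time"), Now()) > TOKEN_TTL_SECONDS)
    End If
End Function

Sub IssueToken()
    ' Reuse a live token so several open forms stay valid; renew on expiry.
    If Session("token") = "" Or TokenExpired() Then
        Session("token") = NewToken()
        Session("token_time") = Now()
    End If
End Sub

Function TokenIsValid()
    Dim sent, expected
    TokenIsValid = False
    sent = Request.Form("csrftoken")
    expected = Session("token")
    ' An empty session value must never match an empty or missing field.
    If Len(sent) = 0 Or Len(expected) = 0 Then Exit Function
    If TokenExpired() Then Exit Function
    TokenIsValid = (StrComp(sent, expected, vbBinaryCompare) = 0)
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Not TokenIsValid() Then
        Response.Status = "403 Forbidden"
        Response.End
    End If
    ' State-changing code runs here, only after the token check passed.
End If
IssueToken
%>
<input type="hidden" name="csrftoken" value="<%= Server.HTMLEncode(Session("token")) %>">
```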
0

I believe that what you need is referer = Request.ServerVariables("HTTP_REFERER"); here follows a link with all the ServerVariables options.

Just note that HTTP_REFERER does not work in all cases; if the request comes from a redirect, for example, it does not carry that value.

    
01.02.2017 / 20:09