How to get request source in asp?

Navigation
2

I need to do a certain action with a page that is in classic asp.

What I need is to get the source of the request that is made on this page, and depending on which source I do something about this request.

For example, if the request comes from the page itself in asp, I let the flow run normally. But if the request has another source (the postman and the burp suite do this) then I would treat the situation differently.

The intent is to take care of system security.

How can I capture the source of this request in asp?

    
asked by anonymous 01.02.2017 / 19:42

2 answers

5

HTTP_REFERER does not guarantee any security , it is very easy to overwrite it and to defraud the source since it is a header.

The best thing to do in order to ensure the origin of the form could be using reCAPTCHA

Also try out techniques like protection anti-CSRF means Cross-Site Request Forgery ), it is not 100% efficient, but it works better than HTTP_REFERER , an example of SOen (I just do not know if md5 is really something needed)

I think it would look something like:

  • All pages that receive a request or have a Form or an Ajax must (can put in global or in a function): 

    Function GetGUID()

    GetGUID = CreateObject("Scriptlet.TypeLib").GUID

End Function

Dim token

' Só atualiza o valor da sessão se não vier de um POST
' com '<input name=csrftoken>'
If Request.Form("csrftoken") = "" Then
    token = md5(GetGUID())
    Session("token")=token
    Session("token_time")=Time()
End If

  • On the page receiving the POST / request you should have this: 

    If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' Compara o Form com a sessão
    If Request.Form("csrftoken") = Session("token") Then
        ' Executa o seu código aqui !!!
    End If
End If

  • In form you should also add Session("token") 

    <form method="post" action="pagina.asp">
    <input type="text" name="foo" placeholder="Exemplo">
    <input type="submit" value="submit">
    <input type="hidden" value="<%= Session("token") %>" name="csrftoken">
</form>
  

For a long time I have not worked with classic asp, if you have any typos are free to fix them

How to Fool the Referer and Origin

With Postman or

01.02.2017 / 20:13
0

I believe that what you need is referer = Request.ServerVariables ("HTTP_REFERER") , follows a link with all the ServerVariables options.

Only informing that HTTP_REFERER does not work in all cases, if it comes from a redirect for example, it does not take that value.

    
01.02.2017 / 20:09
Regular expression, PHP dropdown with pure javascript