Tags: asp.net, asp-classic, csrf-protection

How can I prevent CSRF attacks in a classic ASP site?


I have an application that was developed in VB6 and classic ASP (12 years ago). Now I have to protect it against Cross-Site Request Forgery (CSRF).

How can I achieve this?


Solution

  • You can achieve it pretty much the same way as in ASP.NET MVC.

    1. generate a token on the Server and store it (e.g. in session)
    2. send the token to the Client
    3. the Client sends it back to the Server along with the "normal" form data
    4. check the token on the Server if needed

    You could even "copy" the ASP.NET functionality and write a VBScript function like this:

    public function AntiForgeryToken()
        ' emit the session token as a hidden field; HTML-encode it so the value cannot break out of the attribute
        AntiForgeryToken = "<input type=""hidden"" name=""CSRFToken"" value=""" & Server.HTMLEncode(session("CSRFToken")) & """ />"
    end function
    
    ' then in every form as needed (method="post", so the token travels in the body rather than the URL):
    
    <form method="post">
    <%=AntiForgeryToken()%>
    <input type="text" name="" value="">
    <input type="submit" value="submit">
    </form>
    

    Further reading:

    synchronizer token pattern in classic asp

    Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
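The four steps in the answer above carried through as one classic ASP include file; this is an added example, not the answer's own code. It assumes `Scriptlet.TypeLib` (shipped with Windows) is available for generating a random GUID as the token source, and that the include is shared by the form page and its POST handler.

```vbscript
<%
' csrf.inc (hypothetical name): synchronizer token helpers for a classic ASP site.

' Step 1: generate a token and keep it in the session.
' Assumption: each read of Scriptlet.TypeLib.Guid yields a fresh random GUID,
' returned as "{...}" plus a trailing CR/LF; it is reduced to 32 hex characters.
Function NewCsrfToken()
    Dim tl, g
    Set tl = Server.CreateObject("Scriptlet.TypeLib")
    g = Left(tl.Guid, 38)
    Set tl = Nothing
    NewCsrfToken = Replace(Replace(Replace(g, "{", ""), "}", ""), "-", "")
End Function

Function CsrfToken()
    If IsEmpty(Session("CSRFToken")) Then Session("CSRFToken") = NewCsrfToken()
    CsrfToken = Session("CSRFToken")
End Function

' Step 2: emit the token as a hidden field; HTML-encode it so it cannot break out of the attribute.
Function AntiForgeryToken()
    AntiForgeryToken = "<input type=""hidden"" name=""CSRFToken"" value=""" & _
                       Server.HTMLEncode(CsrfToken()) & """ />"
End Function

' Compare two strings without stopping at the first mismatch (no timing leak on the token).
Function TokensMatch(a, b)
    Dim i, diff
    If Len(a) <> Len(b) Then
        TokensMatch = False
        Exit Function
    End If
    diff = 0
    For i = 1 To Len(a)
        diff = diff Or (Asc(Mid(a, i, 1)) Xor Asc(Mid(b, i, 1)))
    Next
    TokensMatch = (diff = 0)
End Function

' Steps 3 and 4: call at the top of every POST handler; the request is rejected
' when the submitted token is missing or differs from the session token.
Sub RequireValidCsrfToken()
    Dim expected, submitted
    expected = Session("CSRFToken")
    If IsEmpty(expected) Then expected = ""
    submitted = CStr(Request.Form("CSRFToken"))
    If Len(expected) = 0 Or Not TokensMatch(submitted, expected) Then
        Response.Status = "403 Forbidden"
        Response.Write "Invalid or missing anti-forgery token."
        Response.End
    End If
End Sub
%>
```

In the form page write `<%= AntiForgeryToken() %>` inside each `<form method="post">`; in the handler, call `RequireValidCsrfToken` before doing any work when `Request.ServerVariables("REQUEST_METHOD")` is `POST`.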