@lorddev
Last active May 23, 2024 17:59
Classic ASP version of ASP.NET MVC AntiForgeryToken validator
<%
' Use with a very short session (basically the page lifecycle, GET then POST)
Class AntiForgeryValidator
    Private m_securityToken

    ' Mint a token, store it in a cookie, and tell the browser not to frame the page.
    Sub SetCookie()
        m_securityToken = CreateWindowsGuid()
        Response.Cookies("RequestVerificationToken") = m_securityToken
        Response.Cookies("RequestVerificationToken").Secure = True
        Response.AddHeader "X-Frame-Options", "SAMEORIGIN"
    End Sub

    Function GetCookie()
        GetCookie = Request.Cookies("RequestVerificationToken")
    End Function

    ' Build a GUID-shaped token (8-4-4-4-12 hex digits).
    Function CreateWindowsGuid()
        CreateWindowsGuid = CreateGuid(8) & "-" & _
                            CreateGuid(4) & "-" & _
                            CreateGuid(4) & "-" & _
                            CreateGuid(4) & "-" & _
                            CreateGuid(12)
    End Function

    ' Return `length` random hex digits.
    ' Note: Rnd is a general-purpose PRNG, not a cryptographically secure one,
    ' and Randomize Timer seeds it from the time of day. A CSRF token should come
    ' from a CSPRNG wherever one is available to the page.
    Function CreateGuid(length)
        ' VBScript keywords: Randomize is a sub, and Timer is a function.
        Randomize Timer
        Dim counter
        Dim guid
        Const Valid = "0123456789ABCDEF"
        guid = ""
        For counter = 1 To length
            guid = guid & Mid(Valid, Int(Rnd(1) * Len(Valid)) + 1, 1)
        Next
        CreateGuid = guid
    End Function

    ' Hidden field carrying the same token, to be echoed back in the POST.
    Function GetFormInputElement
        GetFormInputElement = "<input name=""RequestVerificationToken"" type=""hidden"" " & _
                              " value=""" & m_securityToken & """ />"
    End Function

    ' True only when the cookie and the form field are both present and equal.
    ' The Len check stops an empty cookie and an empty form field from matching.
    Function Validate
        Dim formValue
        formValue = Request.Form("RequestVerificationToken")
        Dim cookieValue
        cookieValue = GetCookie()
        ' Debug output; remove once the page works.
        Response.Write "cookieValue = " & cookieValue & vbCrLf
        Response.Write "formValue = " & formValue & vbCrLf
        Validate = (cookieValue = formValue And Len(cookieValue) > 0)
    End Function
End Class

Dim vv
Set vv = New AntiForgeryValidator
'vv.SetCookie
' Demo output
Response.Write vv.GetCookie() & vbCrLf
Response.Write vv.GetFormInputElement() & vbCrLf
Response.Write vv.Validate() & vbCrLf
%>
<form action="AntiForgery.asp" method="POST">
    <%=vv.GetFormInputElement() %>
    <input type="submit" value="click" />
</form>
@lorddev (Author)

lorddev commented Jul 15, 2014

Fixed bug that allowed forged requests to break security by editing the token cookie.

@darylljoe

Good day. I found this interesting and it might help me with my website. Can I ask how I can implement this on my website? This is my first time implementing anti-forgery on my website. Thanks in advance.

@mtorres0612

Good day!

Same here! Found this interesting and it seems to be the perfect fit for my need right now.

Our ASP Classic app has penetration test findings (one of which is CSRF). I've been searching for solutions here and there until, boom, I made it here.

Basically, how do I apply this on my ASP Classic website?

Appreciate your prompt reply.

Thank you in advance!

@swaggerloaf

swaggerloaf commented Aug 16, 2018

Create the above file in the project, add this at the top of the ASP pages that need it: <!-- #include file ="AntiForgeryTokenValidator.asp" -->
and start playing.

@swaggerloaf

You can also set Secure to False in order to see the cookie in the browser tools for testing: Response.Cookies("RequestVerificationToken").Secure = False

@zgraphic

Response.AddHeader "X-Frame-Options", "SAMEORIGIN"

Is it necessary?

@zgraphic

CreateGuid(length)

=>

CreateObject("Scriptlet.TypeLib").GUID

Can I use it?

@Jswink1

Jswink1 commented May 23, 2024

In order to get this to work I had to call "#include virtual ="/App/AntiForgeryTokenValidator.asp"" at the top of the page. "include file" did not work for me.

Also, to call "vv.SetCookie", I had to wrap it in an IF statement and check that the page is not a POST. Otherwise the cookie in the user's session would just refresh to something different from what was saved in the form. Like so:

    If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
        vv.SetCookie
    End If
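The double-submit flow the gist implements, including the regenerate-on-POST pitfall described in the comment above, as an added example that is not part of the gist: a Python model of the validator, written in Python rather than VBScript so it runs stand-alone. The class, function and scenario names are my own, and the model swaps in a CSPRNG (secrets.token_hex) for Rnd and a constant-time comparison for the plain equality test, which the original code does not do. The cookie jar and form body are plain dicts standing in for the browser.

```python
import hmac
import secrets

COOKIE_NAME = "RequestVerificationToken"


class AntiForgeryValidator:
    """Double-submit-cookie validator modelled on the gist's classic ASP class.

    Differences from the original: the token comes from a CSPRNG instead of
    Rnd, and the comparison is constant-time.
    """

    def __init__(self):
        self.security_token = ""

    def set_cookie(self, cookies):
        """Counterpart of SetCookie: mint a token and store it in the cookie jar."""
        self.security_token = secrets.token_hex(16)  # 128 random bits
        cookies[COOKIE_NAME] = self.security_token

    def get_form_input_element(self):
        """Counterpart of GetFormInputElement: hidden field carrying the token."""
        return (f'<input name="{COOKIE_NAME}" type="hidden" '
                f'value="{self.security_token}" />')

    @staticmethod
    def validate(cookie_value, form_value):
        """Counterpart of Validate: both values present and equal.

        The emptiness check is the Len(cookieValue) > 0 test from the gist;
        without it a request carrying neither value passes because "" == "".
        """
        if not cookie_value or not form_value:
            return False
        return hmac.compare_digest(cookie_value, form_value)


def naive_validate(cookie_value, form_value):
    """Equality-only comparison, kept for contrast with validate()."""
    return cookie_value == form_value


def handle_request(method, cookies, form, regenerate_on_post=False):
    """Simulate one hit on AntiForgery.asp.

    GET issues a fresh token and renders the hidden field; POST validates.
    regenerate_on_post reproduces calling SetCookie unconditionally: the cookie
    is replaced before the comparison, so even a genuine submission fails.
    """
    validator = AntiForgeryValidator()
    if method == "GET" or regenerate_on_post:
        validator.set_cookie(cookies)
    if method == "GET":
        return {"form_field": validator.get_form_input_element(), "valid": None}
    return {"form_field": None,
            "valid": validator.validate(cookies.get(COOKIE_NAME, ""),
                                        form.get(COOKIE_NAME, ""))}


def token_from_form_field(html):
    """Pull the value attribute back out of the hidden input, as a browser
    does when it submits the form."""
    marker = 'value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def run_scenarios():
    """Return the outcome of each constructed scenario."""
    results = {}

    # 1. Legitimate flow: GET renders the form, the browser POSTs it back.
    jar = {}
    page = handle_request("GET", jar, {})
    form = {COOKIE_NAME: token_from_form_field(page["form_field"])}
    results["legit_post"] = handle_request("POST", jar, form)["valid"]

    # 2. Cross-site POST: the browser attaches the cookie, but the other
    #    origin cannot read it, so the hidden field does not match.
    results["forged_post"] = handle_request("POST", jar, {COOKIE_NAME: "x"})["valid"]

    # 3. Neither value present (no cookie issued yet): must fail.
    results["both_empty_fixed"] = AntiForgeryValidator.validate("", "")
    results["both_empty_naive"] = naive_validate("", "")

    # 4. SetCookie also called on POST: cookie overwritten, genuine POST fails.
    jar2 = {}
    page2 = handle_request("GET", jar2, {})
    form2 = {COOKIE_NAME: token_from_form_field(page2["form_field"])}
    results["regenerated_on_post"] = handle_request(
        "POST", jar2, form2, regenerate_on_post=True)["valid"]

    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 4 is the mismatch the comment above reports; guarding the cookie issuance with the REQUEST_METHOD check keeps the token stable across the GET/POST pair. Scenario 3 shows why the Len check in Validate matters.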
