
I have a website that checks for CSRF tokens when a user logs in. The form looks like this:

<cfoutput>
    <input type="hidden" name="token" value="#CSRFGenerateToken()#" />
</cfoutput>

Later it is checked with:

if (framework.getCGIRequestMethod() == "post" && !CSRFverifyToken(rc.token)) {
    rc.arMessage.append("<b>Debug:</b> Fail Token");
    return;
}

I would like to verify that this is actually checking. Does the token ever expire or time out? Changing this.name= in application.cfc does not seem to do anything. Is the token based on the domain name?

I need to test this. I don't need to automate the testing, but just test it somehow.

James A Mohler
  • According to the docs, the values should be created and put into the current session. Maybe dump that and verify the value exists there? You should be able to have one for the entire session or force a new value to be used with each form (which seems like overkill). https://cfdocs.org/csrfgeneratetoken – Adrian J. Moreno Oct 21 '19 at 00:29
  • It is interesting that in the linked documentation, all the examples are a part of forms. Not one is in a session scoped variable – James A Mohler Oct 21 '19 at 02:04
  • I think that function essentially does, "if this session variable doesn't exist, create it and define it to be this value". Then submits that value as a form field variable, which lets you verify the form scoped variable value against the session variable value. – Adrian J. Moreno Oct 21 '19 at 04:55

1 Answer


For testing this, use something like https://www.getpostman.com/.

Target the form's action page:

  • Create a GET request; verify it throws an error.
  • Create a POST request without the token field; verify it throws an error.
  • Create a POST request with the token field and with a value that does not match the value generated by CSRFGenerateToken(); verify it throws an error.
  • Create a POST request with the token and the correct value; verify it processes correctly.
Adrian J. Moreno
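The four checks from the answer, scripted so they can be rerun after every change. This is an added example and not code from the question or the answer: it runs the Postman steps with Python's standard-library HTTP client against a constructed stand-in for the application (an in-process HTTP server, not ColdFusion) that keeps one token per session, which is how the CF docs describe CSRFGenerateToken() / CSRFVerifyToken(). The paths /form and /action, the cookie name SESSIONID and the stub's responses are assumptions for the example. Point base_url at the real site instead of the stub and the same client code applies, with one caveat the stub also demonstrates: the token only verifies inside the session that generated it, so the requests must carry that session's cookies (CFID/CFTOKEN or JSESSIONID on ColdFusion); a POST that sends the right token without them must fail too, and run_csrf_checks(..., carry_session=False) shows that case.

```python
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the app under test (not ColdFusion code): one token
# per session, stored server-side, which is what CSRFGenerateToken() and
# CSRFVerifyToken() are documented to do. Paths /form and /action are assumed.
SESSIONS = {}  # session id -> that session's CSRF token


class StubApp(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def _session(self):
        # Return (session id, is_new); create a session and token if none is sent.
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "SESSIONID" and value in SESSIONS:
                return value, False
        sid = secrets.token_hex(16)
        SESSIONS[sid] = secrets.token_hex(20)
        return sid, True

    def _reply(self, status, body, sid, is_new):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        if is_new:
            self.send_header("Set-Cookie", f"SESSIONID={sid}; HttpOnly; Path=/")
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        sid, is_new = self._session()
        if self.path == "/form":  # the real page puts this in a hidden field
            self._reply(200, SESSIONS[sid], sid, is_new)
        else:
            self._reply(405, "Fail: GET to action page", sid, is_new)

    def do_POST(self):
        sid, is_new = self._session()
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        token = form.get("token", [""])[0]
        # Same idea as the question's check: reject a POST whose token does not
        # match the one stored for *this* session (constant-time compare).
        if not token or not secrets.compare_digest(token, SESSIONS[sid]):
            self._reply(403, "Fail Token", sid, is_new)
        else:
            self._reply(200, "OK", sid, is_new)


def start_stub_server():
    """Start the stand-in app on a free localhost port; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), StubApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def new_client():
    """urllib opener with its own cookie jar, i.e. one browser session."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def run_csrf_checks(base_url, carry_session=True):
    """Run the answer's four checks against base_url; return {check: passed}.

    carry_session=False drops the session cookie after loading the form, like a
    Postman request sent without the site's session cookies; the "correct"
    token then belongs to another session and must be rejected as well.
    """
    client = new_client()

    def call(method, path, fields=None):
        data = urllib.parse.urlencode(fields).encode() if fields is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        try:
            with client.open(req, timeout=5) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()

    _, good_token = call("GET", "/form")  # creates the session and its token
    if not carry_session:
        client = new_client()  # fresh cookie jar: the POSTs below start a new session
    return {
        "get_rejected": call("GET", "/action")[0] >= 400,
        "post_without_token_rejected": call("POST", "/action", {})[0] >= 400,
        "post_wrong_token_rejected": call("POST", "/action", {"token": "0" * 40})[0] >= 400,
        "post_correct_token_accepted": call("POST", "/action", {"token": good_token})[0] == 200,
    }


if __name__ == "__main__":
    base = start_stub_server()
    for name, ok in run_csrf_checks(base).items():
        print("PASS" if ok else "FAIL", name)
    print("correct token without session cookie accepted:",
          run_csrf_checks(base, carry_session=False)["post_correct_token_accepted"])
```

Against the real application the "correct" token for the last check comes from the hidden field of the form page fetched in the same cookie jar, which is also what Postman's cookie handling gives you when the GET for the form and the POST to the action page are sent from the same Postman session.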