CSRF attack

Cross-Site Request Forgery (CSRF) forces a user who is already authenticated to a web application into executing an action they did not intend. A typical attack sends a crafted URL, by email or chat, to a privileged user; when the victim follows the link, the browser attaches the victim's session cookie and the application performs the action of the attacker's choice with the victim's privileges.

  • The following functions can be used to mitigate CSRF. The token is bound to the user's session, so a request forged from another site cannot supply a valid one:

    • CSRFGenerateToken: Returns a random token and stores it in the session. An optional key lets you generate separate tokens for different forms, and an optional forceNew flag generates a fresh token even if one is already stored.

    • CSRFVerifyToken: Validates the given token (and, if supplied, the key it was generated with) against the token stored in the session. Returns true on a match and false otherwise.

      Example: CSRFGenerateToken

      The following example renders a form with a text field and a submit button. The page generates a token, embeds it as a hidden field, and posts the form to another ColdFusion page.

      <!--- Generate a token and store it in the current session --->
      <cfset csrfToken=CSRFGenerateToken() /> 
      <cfform method="post" action="sayHello.cfm"> 
          <cfinput name="userName" type="text" > 
          <!--- The token travels with the form as a hidden field --->
          <cfinput name="token" value="#csrfToken#" type="hidden" > 
          <cfinput name="submit"  value="Say Hello!!" type="submit" > 
      </cfform>

      The following page, sayHello.cfm, validates the submitted token against the one stored in the session and displays the Boolean result of CSRFVerifyToken(token).

      <!--- Read the token from the posted form and check it against the session --->
      <cfset token=form.token> 
      <cfset validate = CSRFverifyToken(token)> 
      <!--- Prints true when the token matches, false otherwise --->
      <cfoutput >#validate#</cfoutput>

      Note: Enable session management (this.sessionManagement = true in Application.cfc, or the sessionManagement attribute of cfapplication) for protection against CSRF. The token is stored in the session, so disabling session variables in the administrator console disables CSRF protection.
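      The sample above only prints the result of CSRFVerifyToken; a production handler must reject the request when that result is false. The following single-page version is an added example and not code from the original page: it turns on session management inline with cfapplication, binds the token to a per-form key, and refuses any POST whose token does not verify. The application name csrfDemo, the key name transferForm and the userName field are assumptions made for this example.

```cfml
<!--- csrfDemo.cfm: added example, not from the original page.
      Session management is enabled inline so CSRFGenerateToken() has a session
      to store the token in; in a real application put
      this.sessionManagement = true in Application.cfc instead. --->
<cfapplication name="csrfDemo" sessionManagement="true">

<cfif cgi.request_method EQ "POST">
    <!--- State-changing work is only done on POST, and only with a valid token.
          A missing token is treated the same as a wrong one. --->
    <cfparam name="form.token" default="">
    <cfparam name="form.userName" default="">

    <!--- The second argument is the key used when the token was generated;
          a per-form key ("transferForm", assumed name) stops a token issued
          for one form from being replayed against another. --->
    <cfif NOT CSRFVerifyToken(form.token, "transferForm")>
        <cfheader statusCode="403" statusText="Forbidden">
        <cfoutput><p>Request rejected: missing or invalid CSRF token.</p></cfoutput>
        <cfabort>
    </cfif>

    <!--- Reached only with a valid token: perform the action.
          User input is HTML-encoded on output to avoid XSS in the response. --->
    <cfoutput><p>Hello, #encodeForHTML(form.userName)#!</p></cfoutput>

<cfelse>
    <!--- GET: render the form with a fresh token bound to this session and key --->
    <cfset csrfToken = CSRFGenerateToken("transferForm")>
    <cfoutput>
    <form method="post" action="#encodeForHTMLAttribute(cgi.script_name)#">
        <input type="text" name="userName">
        <input type="hidden" name="token" value="#encodeForHTMLAttribute(csrfToken)#">
        <input type="submit" value="Say Hello!!">
    </form>
    </cfoutput>
</cfif>
```

      Submitting the form normally succeeds; posting to the page from another origin, or with the hidden field removed or altered, returns 403 before any action runs. If a token must be rotated after use, call CSRFGenerateToken("transferForm", true) to force a new one for the next render.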