What is CSRF (Cross Site Request Forgery) Attack?
In Cross-Site Request Forgery (CSRF), which is also called one-click attack or session riding, the attacker forces the victim’s browser to execute unwanted actions on a web application in which he/she is currently authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands. Though CSRF has some pre-conditions that an attacker must set in place before he succeeds, it is an important attack to understand and protect against. In simple words, CSRF vulnerabilities occur when the web application cannot distinguish legitimate requests from forged requests. CSRF is rated among the 10 most critical web application security flaws in OWASP’s Top 10 project. CSRF attack is possible with both POST and GET requests.
Traditionally, applications are being protected against CSRF attack using Captcha. But, what if you have an alternative where you need not enter a verification code, no hassle of user errors while entering the security codes and keep your form clean? Awesome! This is now possible with ColdFusion 10.
In ColdFusion 10, two new functions – CSRFGenerateToken() and CSRFVerifyToken() are added to protect your ColdFusion web application against a CSRF attack. Here is an example on how to add the CSRF protection.
<cfset csrftoken= CSRFGenerateToken()/>
<cfform method="post" action="loginAction.cfm">
<cfinput name="csrftoken" type="hidden" value="#csrfToken#">
Login ID: <cfinput name="loginID" type="text"><br/>
Password: <cfinput name="password" type="password"><br/>
<cfinput name="Submit" type="submit" value="Sign In">
<cfif (not isdefined("form.csrfToken")) or (not CSRFVerifyToken(form.csrfToken))>
Sorry, invalid Login ID or Password
<!--- logic for authenticated user goes here --->
There are lot other security enhancements in ColdFusion 10 on which we’ll discuss in future articles. Meanwhile, if you have any questions or need help in securing your ColdFusion application, don’t hesitate to reach us.
References: ColdFusion Security Improvements, Fragile Security