ColdFusion forcing CSRF to fail


I have a website that checks for CSRF tokens when a user logs in. The form looks like

<cfoutput>
    <input type="hidden" name="token" value="#CSRFGenerateToken()#" />
</cfoutput>

Later it is checked with

// The guard only runs the token check for POST requests
if (framework.getCGIRequestMethod() == "post" && !CSRFverifyToken(rc.token)) {
    rc.arMessage.append("<b>Debug:</b> Fail Token");
    return;
}

I would like to verify that this is actually checking. Does the token ever expire or time out? Changing this.name= in application.cfc does not seem to do anything. Is the token based on the domain name?

I need to test this. I don't need to automate the testing, but just test it somehow.


Accepted answer:

For testing this, use something like https://www.getpostman.com/.

Target the form's action page:

  • Create a GET request; verify it throws an error.
  • Create a POST request without the token field; verify it throws an error.
  • Create a POST request with the token field and with a value that does not match the value generated by CSRFGenerateToken(); verify it throws an error.
  • Create a POST request with the token and the correct value; verify it processes correctly.
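The four Postman steps above are a procedure, so here they are scripted as one matrix, plus the case a CSRF attacker actually has available: a token issued to a different session replayed into the victim's. This is an added example, not code from the question or the answer. The two URLs, the credentials and the "logged in" text of the offline stand-in are constructed; `FAIL_MARKER` is the debug string the posted guard emits, and the token regex assumes the hidden-field markup shown in the question. Note that the posted guard calls CSRFverifyToken only when `getCGIRequestMethod()` is "post", so the GET case does not exercise the token check at all; it tells you whether the action page does anything with a GET, and the stand-in models that, which is why it reports that case as accepted.

```python
"""Black-box matrix for the CSRF check described in the post.

Added example, not code from the original question or answer. URLs, the
"logged in" text of the fake, and the credentials are constructed for the
demonstration; FAIL_MARKER is the debug string the posted guard emits.
"""
import http.cookiejar
import re
import secrets
import urllib.error
import urllib.parse
import urllib.request

FORM_URL = "http://localhost:8500/login.cfm"      # hypothetical: renders the hidden token
ACTION_URL = "http://localhost:8500/doLogin.cfm"  # hypothetical: the form's action page
FAIL_MARKER = "Fail Token"                        # from rc.arMessage in the question
TOKEN_RE = re.compile(r'name="token"\s+value="([^"]*)"')  # assumes the posted markup


class HttpSession:
    """One cookie jar per instance, so every instance is a distinct ColdFusion session."""

    def __init__(self):
        jar = http.cookiejar.CookieJar()
        self._opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def request(self, method, url, fields=None):
        data = urllib.parse.urlencode(fields or {})
        if method == "GET":
            req = urllib.request.Request(url + ("?" + data if data else ""), method="GET")
        else:
            req = urllib.request.Request(url, data=data.encode(), method="POST")
        try:
            with self._opener.open(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")


class FakeColdFusionSession:
    """Constructed stand-in so the matrix runs offline. It models the guard in
    the question: on POST the token must equal the one issued to this session;
    on any other method the guard is skipped and the action runs."""

    def __init__(self):
        self._token = secrets.token_hex(20)  # stands in for CSRFGenerateToken()

    def request(self, method, url, fields=None):
        fields = fields or {}
        if method == "GET" and url == FORM_URL:
            return 200, f'<input type="hidden" name="token" value="{self._token}" />'
        if url == ACTION_URL:
            if method == "POST" and fields.get("token") != self._token:
                return 200, "<b>Debug:</b> Fail Token"
            return 200, "logged in"
        return 404, "not found"


def classify(status, body):
    """Rejected if the server errored or printed the guard's debug message."""
    return "rejected" if status >= 400 or FAIL_MARKER in body else "accepted"


def run_matrix(new_session):
    """Run the answer's four cases plus a cross-session replay; return name -> verdict."""
    creds = {"username": "alice", "password": "hunter2"}  # constructed sample input
    victim = new_session()
    _, html = victim.request("GET", FORM_URL)
    token = TOKEN_RE.search(html).group(1)
    # A second session gets its own token; replaying it from the first session
    # is exactly what a CSRF attacker can do, so it must be rejected.
    _, other_html = new_session().request("GET", FORM_URL)
    other_token = TOKEN_RE.search(other_html).group(1)

    cases = [
        ("get_with_valid_token", "GET", {**creds, "token": token}),
        ("post_without_token", "POST", creds),
        ("post_garbage_token", "POST", {**creds, "token": "0" * 40}),
        ("post_other_session_token", "POST", {**creds, "token": other_token}),
        ("post_valid_token", "POST", {**creds, "token": token}),  # last: may log in
    ]
    return {name: classify(*victim.request(method, ACTION_URL, fields))
            for name, method, fields in cases}


# What a sound check should produce; any deviation is a finding to investigate.
EXPECTED = {
    "get_with_valid_token": "rejected",
    "post_without_token": "rejected",
    "post_garbage_token": "rejected",
    "post_other_session_token": "rejected",
    "post_valid_token": "accepted",
}


def report(results):
    """Return the names of cases whose verdict differs from EXPECTED."""
    return [name for name, want in EXPECTED.items() if results.get(name) != want]


if __name__ == "__main__":
    results = run_matrix(HttpSession)  # use FakeColdFusionSession for an offline dry run
    for name, verdict in results.items():
        print(f"{name:28s} {verdict}")
    print("findings:", report(results) or "none")
```

Point `FORM_URL` and `ACTION_URL` at the real pages and run it; `report()` lists the cases that disagree with a sound check. Running it with `FakeColdFusionSession` instead shows what the posted guard alone gives you: every POST case behaves, and the GET case comes back accepted because the guard never runs for it. To probe the expiry question in the post, run the matrix, wait past the session timeout, and submit the saved token again from the same cookie jar.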