Cross-Site Request Forgery (CSRF)

By David Epler (Bio)

Cross-Site Request Forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. This occurs because web browsers automatically include most credentials with each request, such as session cookies, basic authentication header, IP address, and client side SSL certificates.

One of the many examples occurred with Netflix in 2006; if you used the "Remember Me" functionality and came across any web page that had <img src="http://www.netflix.com/AddToQueue?movieid=70011204" />, embedded in it, a copy of “SpongeBob Squarepants” would be added to your Netflix queue.

ColdFusion 10 introduced two new functions to deal with CSRF; CSRFGenerateToken() and CSRFVerifyToken(). To use the functions, the web application needs to have Session Management enabled, which works by creating a random token that can be checked when the submission occurs.

<cfif NOT StructIsEmpty(form) >

    <cfif NOT CSRFverifyToken(form.token)>
        <cfabort showerror="Invalid Token" />

    <cfoutput><p>Hello, #EncodeForHTML(form.name)#</p></cfoutput>

<form method="post" name="csrfexample">
    <input name="token" type="hidden" value="#CSRFGenerateToken()#" />
    <input name="name" type="text">
<input name="submit" type="submit" value="Submit"> </form> </cfoutput>

If there is a Cross-Site Scripting (XSS) vulnerability in the web application, it is not possible to prevent CSRF since the XSS vulnerability will allow the attacker to grab the token and include the token with a forged request.

If the action that needs to be done is sensitive, another approach to prevent CSRF is to force the user to re-authenticate with their password before allowing the action to proceed.

Additional Resources: