I have a website that checks for CSRF tokens when a user logs in. The form looks like
<cfoutput>
<input type="hidden" name="token" value="#CSRFGenerateToken()#" />
</cfoutput>
Later it is checked with
// reject a POST whose token does not match the one issued to this session
if (framework.getCGIRequestMethod() == "post" && !CSRFverifyToken(rc.token)) {
    rc.arMessage.append("<b>Debug:</b> Fail Token");
    return;
}
I would like to verify that this is actually checking. Does the token ever expire or time out? Changing this.name= in application.cfc does not seem to do anything. Is the token based on the domain name?
I need to test this. I don't need to automate the testing, but just test it somehow.
For testing this, use something like https://www.getpostman.com/.
Target the form's action page:
1. GET request; verify it throws an error.
2. POST request without the token field; verify it throws an error.
3. POST request with the token field and with a value that does not match the value generated by CSRFGenerateToken(); verify it throws an error.
4. POST request with the token and the correct value; verify it processes correctly.
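As an added example (not part of the question or the answer above), the four-request plan as a small Python runner: `send(method, form)` is a transport callable, and `stand_in_endpoint` and `unchecked_endpoint` are constructed in-memory stand-ins for the form's action page so the plan runs offline; against the live site, `send` would be replaced by a function that issues the HTTP request under the same session cookie the form was rendered with and returns True when the server processed the form.

```python
# Constructed stand-in for the value CSRFGenerateToken() would have emitted for
# the session the form was rendered in.
SESSION_TOKEN = "constructed-session-token-0123"


def stand_in_endpoint(method, form):
    """Mimics the check from the question: only a POST whose token field
    matches the session's token is processed."""
    if method != "POST":
        return False
    return form.get("token") == SESSION_TOKEN


def unchecked_endpoint(method, form):
    """Constructed endpoint that never verifies the token; the plan should
    flag this one as not checking."""
    return method == "POST"


def run_plan(send, valid_token):
    """Runs the four cases from the answer. Each entry is True when the
    endpoint behaved as the plan expects: the first three requests are
    rejected and the fourth is processed."""
    return {
        "get_rejected": send("GET", {}) is False,
        "missing_token_rejected": send("POST", {}) is False,
        "wrong_token_rejected": send("POST", {"token": "not-the-token"}) is False,
        "valid_token_processed": send("POST", {"token": valid_token}) is True,
    }


def endpoint_checks_csrf(send, valid_token):
    """True only when every case in the plan passes."""
    return all(run_plan(send, valid_token).values())


if __name__ == "__main__":
    for name, endpoint in (("checking", stand_in_endpoint),
                           ("unchecked", unchecked_endpoint)):
        results = run_plan(endpoint, SESSION_TOKEN)
        failed = [case for case, ok in results.items() if not ok]
        print(f"{name}: {'OK' if not failed else 'FAILED ' + ', '.join(failed)}")
```

The unchecked endpoint passes the GET and valid-token cases but fails the missing-token and wrong-token cases, which is exactly what distinguishes an endpoint that verifies the token from one that merely accepts any POST.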