Tags: coldfusion, csrf, cfml, coldfusion-2016, fw1

ColdFusion forcing CSRF to fail


I have a website that checks for CSRF tokens when a user logs in. The form looks like:

<cfoutput>
    <input type="hidden" name="token" value="#CSRFGenerateToken()#" />
</cfoutput>

Later it is checked with:

if (framework.getCGIRequestMethod() == "post" && !CSRFverifyToken(rc.token)) {
    rc.arMessage.append("<b>Debug:</b> Fail Token");
    return;
}

I would like to verify that this is actually checking. Does the token ever expire or time out? Changing this.name= in application.cfc does not seem to do anything. Is the token based on the domain name?

I need to test this. I don't need to automate the testing, but just test it somehow.


Solution

  • For testing this, use something like https://www.getpostman.com/.

    Target the form's action page:
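The manual test the answer recommends, scripted as an added example (this is not code from the question or the answer): a Python standard-library probe that renders the login form in two independent sessions, then replays the POST from the first session with a valid token, a tampered token, an empty token, no token field at all, and the token issued to the other session. The hidden field name `token` and the "Fail Token" debug string are taken from the question's code; the URLs, the credential field names and the attribute order of the hidden input are assumptions and must be adjusted for the real site.

```python
"""Black-box probe for a ColdFusion CSRFGenerateToken()/CSRFVerifyToken() check.

Assumptions (not from the original page): the login form is served at FORM_URL,
it posts to ACTION_URL, the hidden field is named "token" (as in the question)
and a rejected request echoes the question's debug message "Fail Token".
"""
import http.cookiejar
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

FORM_URL = "http://localhost:8500/login.cfm"    # placeholder, replace
ACTION_URL = "http://localhost:8500/login.cfm"  # placeholder, replace
REJECT_MARKER = "Fail Token"                    # from the check in the question

# Matches the markup from the question:
# <input type="hidden" name="token" value="#CSRFGenerateToken()#" />
# (assumes name= comes before value=, as it does there)
TOKEN_RE = re.compile(r'<input[^>]*name="token"[^>]*value="([^"]*)"', re.I)


class Session:
    """One browser-like session with its own cookie jar, so the CFID/CFTOKEN or
    JSESSIONID cookies set by the GET are sent with the POST.  CSRFVerifyToken()
    checks the token against the session that generated it, so a token from a
    different jar is expected to fail."""

    def __init__(self):
        self.jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))

    def get(self, url):
        with self.opener.open(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")

    def post(self, url, fields):
        data = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with self.opener.open(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx bodies are still useful
            return err.code, err.read().decode("utf-8", "replace")


def extract_token(html):
    """Pull the CSRF token out of the rendered form."""
    m = TOKEN_RE.search(html)
    if not m:
        raise ValueError("no hidden token field in page")
    return m.group(1)


def tamper(token):
    """Change one character so the value is well-formed but wrong."""
    return token[:-1] + ("0" if token[-1] != "0" else "1")


def classify(status, body):
    """Map a response to the outcome of the token check.  A server error (for
    example rc.token undefined when the field is omitted) also means the login
    did not go through, so it counts as rejected.  'accepted' means only that
    the token check passed, not that the credentials were valid."""
    if status >= 400 or REJECT_MARKER in body:
        return "rejected"
    return "accepted"


def build_probes(own_token, foreign_token):
    """Each probe: (label, form fields to send, expected outcome)."""
    return [
        ("valid token, same session", {"token": own_token}, "accepted"),
        ("tampered token", {"token": tamper(own_token)}, "rejected"),
        ("empty token", {"token": ""}, "rejected"),
        ("token field omitted", {}, "rejected"),
        ("token from another session", {"token": foreign_token}, "rejected"),
    ]


def run(form_url=FORM_URL, action_url=ACTION_URL, credentials=None):
    """Render the form in two sessions, then POST every probe from the first.
    Returns a list of (label, expected, observed)."""
    credentials = credentials or {"username": "x", "password": "x"}  # placeholder names
    victim, other = Session(), Session()
    own_token = extract_token(victim.get(form_url)[1])
    foreign_token = extract_token(other.get(form_url)[1])
    results = []
    for label, fields, expected in build_probes(own_token, foreign_token):
        status, body = victim.post(action_url, {**credentials, **fields})
        results.append((label, expected, classify(status, body)))
    return results


if __name__ == "__main__":
    all_ok = True
    for label, expected, observed in run(*sys.argv[1:3]):
        ok = expected == observed
        all_ok &= ok
        print(f"{'OK  ' if ok else 'FAIL'} {label}: expected {expected}, got {observed}")
    sys.exit(0 if all_ok else 1)
```

Run it as `python csrf_probe.py https://site/login.cfm https://site/login.cfm` once the placeholders match the site. Only the first probe should come back accepted; if the tampered, empty or omitted cases are accepted, the check is not running on that request path. The "token from another session" probe is the one that answers the session-binding question: ColdFusion stores the generated token in the session scope (session management must be enabled in Application.cfc for CSRFGenerateToken() to work at all), so a token issued to one session is expected to fail verification in another.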