Cross Site Request Forgery (CSRF)
ColdFusion Security Guide
The Risk
Cross Site Request Forgery attacks allow an attacker to make an unintended request on behalf of an authorized and authenticated user.
The level of risk to your application depends on the sensitivity of the operations that users can perform.
Vulnerable Code Example
userObject.deleteUser(id);
In this example the deleteUser function is invoked with an id value that comes from the request (a form or url variable, for example).
It is vulnerable because there is no check to ensure that the request originated from your application. The request could very easily have originated from a different site, for example via an img tag:
<img src="https://example.com/admin/delete-user.cfm?id=123">
If the victim views a page containing that img tag in a browser that is logged in to the site, and the session cookie is not set with SameSite=lax or SameSite=strict, then the action will be performed with the identity of the victim.
Mitigating CSRF in ColdFusion and Lucee
A good first step is to ensure that your session cookies are using SameSite=lax or SameSite=strict. This will protect users on browsers that support it, but potentially not all of your users.
A CSRF token is a common technique used to mitigate CSRF attacks. ColdFusion 10 added the builtin functions csrfGenerateToken() and csrfVerifyToken() to simplify the process. Lucee also supports these CSRF functions. On your form you would include the token:
<!--- the ##...## expression is only evaluated inside cfoutput; method="post" keeps the action off the GET path --->
<cfoutput>
<form method="post">
<input type="hidden" name="csrf" value="#csrfGenerateToken()#">
...
</form>
</cfoutput>
Then on the form action you would verify the token before performing the action:
if (csrfVerifyToken(form.csrf)) {
userObject.deleteUser(form.id);
} else {
//log event, etc.
}
Some additional mitigation you can add:
- Fully scope your variables, use #form.id# instead of just #id#
- Validate the HTTP Method, for example:
if (cgi.request_method == "POST") { }
- If the operation is highly sensitive add a re-authentication prompt.
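Bringing the token check, the HTTP method check, full variable scoping and the SameSite cookie setting together, here is an added example that is not code from the original guide. It assumes a userObject with deleteUser() as in the page, that the form page is reached with an id in the url scope, that your ColdFusion or Lucee version honours this.sessioncookie.samesite, and that a log file named "security" is acceptable.

```cfml
<!--- Application.cfc: SameSite on the session cookie (assumption: your CF/Lucee version honours this setting) --->
component {
    this.name = "csrfGuideDemo";
    this.sessionManagement = true;
    this.sessionCookie.httpOnly = true;
    this.sessionCookie.secure = true;
    this.sessionCookie.sameSite = "strict";   // use "lax" if top-level cross-site links must keep the session
}

<!--- delete-user-form.cfm: the token is rendered inside cfoutput so the pound-sign expressions are evaluated --->
<cfoutput>
<form method="post" action="delete-user.cfm">
    <input type="hidden" name="csrf" value="#csrfGenerateToken()#">
    <input type="hidden" name="id" value="#encodeForHTMLAttribute(url.id)#">
    <button type="submit">Delete user</button>
</form>
</cfoutput>

<!--- delete-user.cfm: each check fails closed; deleteUser only runs when all of them pass --->
<cfscript>
// 1. Require POST: an img tag can only issue a GET, so that vector is closed outright
if (cgi.request_method != "POST") {
    writeLog(file="security", type="warning",
             text="delete-user: #cgi.request_method# rejected from #cgi.remote_addr#");
    cfheader(statusCode=405, statusText="Method Not Allowed");
    abort;
}
// 2. Fully scoped token check: form.csrf, never an unscoped csrf that could also arrive in the URL
if (!structKeyExists(form, "csrf") || !csrfVerifyToken(form.csrf)) {
    writeLog(file="security", type="warning",
             text="delete-user: CSRF token missing or invalid from #cgi.remote_addr#");
    cfheader(statusCode=403, statusText="Forbidden");
    abort;
}
// 3. Validate the scoped id before it reaches deleteUser
if (!structKeyExists(form, "id") || !isValid("integer", form.id)) {
    cfheader(statusCode=400, statusText="Bad Request");
    abort;
}
userObject.deleteUser(form.id);   // userObject as in the guide's own example
</cfscript>
```

The failed-check log lines give you a detection signal: a burst of 403s or 405s on this action from one address is worth an alert.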
Fixinator
Fixinator is a CFML source code security scanner that can find and fix several types of security issues.
FuseGuard
FuseGuard is a web application firewall that runs in onRequestStart to block or log malicious requests to your ColdFusion web applications.