Cross Site Request Forgery (CSRF)
ColdFusion Security Guide

In this guide you'll learn what a Cross Site Request Forgery is, and how you can prevent them in your CFML or ColdFusion code.

The Risk

Cross Site Request Forgery attacks allow an attacker to make an unintended request on behalf of an authorized and authenticated user.

The level of risk to your application depends on the sensitivity of the operations that users can perform.

Vulnerable Code Example

userObject.deleteUser(id);

In this example the deleteUser function is invoked with an id value that comes from the request (a form or url variable for example).

It is vulnerable because there is no check to ensure that this request originated from your application. The request could very easily have originated from a different site, for example via an img tag:

<img src="https://example.com/admin/delete-user.cfm?id=123">

If the victim views a page containing that img tag in a browser that is logged in to the site, and the session cookies are not marked SameSite=lax or SameSite=strict, then the action will be performed under the identity of the victim.

Mitigating CSRF in ColdFusion and Lucee

A good first step is to ensure that your session cookies are using SameSite=lax or SameSite=strict. This will protect users on browsers that support it, but potentially not all of your users.

A CSRF token is a common technique used to mitigate CSRF attacks. ColdFusion 10 added the built-in functions csrfGenerateToken() and csrfVerifyToken() to simplify the process. Lucee also supports these CSRF functions. On your form you would include the token:

<cfoutput>
<form method="post">
    <!--- the token is tied to the user's session; method="post" keeps it out of the URL --->
    <input type="hidden" name="csrf" value="#csrfGenerateToken()#">
    ...
</form>
</cfoutput>

Then on the form action you would verify the token before performing the action:

if (csrfVerifyToken(form.csrf)) {
    userObject.deleteUser(form.id);
} else {
    //log event, etc.
}
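The pieces fitted together, as an added example that is not code from the original guide: a token keyed to the action, a handler that accepts POST only, and SameSite session cookies. userObject is the page's own object; the file names, the "deleteUser" key, url.id and the Application.cfc cookie settings are assumptions (the sessioncookie settings require a ColdFusion or Lucee version that supports them).

```cfml
<!--- Application.cfc (assumed): harden the session cookie itself --->
component {
    this.name = "csrfDemo";
    this.sessionManagement = true;
    this.sessioncookie.httponly = true;
    this.sessioncookie.secure = true;
    this.sessioncookie.samesite = "strict";   // browsers that support it omit the cookie on cross-site requests
}

<!--- delete-user-form.cfm (assumed name): render the form with a token keyed to this action --->
<cfoutput>
<form method="post" action="delete-user.cfm">
    <input type="hidden" name="csrf"
           value="#encodeForHTMLAttribute(csrfGenerateToken('deleteUser'))#">
    <input type="hidden" name="id" value="#encodeForHTMLAttribute(url.id)#">
    <button type="submit">Delete user</button>
</form>
</cfoutput>

<!--- delete-user.cfm (assumed name): verify before acting --->
<cfscript>
// An <img> tag or a plain link can only produce a GET, so refuse everything else.
if (cgi.request_method != "POST") {
    cfheader(statusCode=405, statusText="Method Not Allowed");
    abort;
}

// The token field must be present and must verify against the session under the same key.
if (!structKeyExists(form, "csrf") || !csrfVerifyToken(form.csrf, "deleteUser")) {
    writeLog(file="security", type="warning",
             text="CSRF token check failed for delete-user from #cgi.remote_addr#");
    cfheader(statusCode=403, statusText="Forbidden");
    abort;
}

// Only now perform the state-changing action.
userObject.deleteUser(val(form.id));
</cfscript>
```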

Some additional mitigations you can add:

Fixinator

Fixinator is a CFML source code security scanner that can find and fix several types of security issues.


FuseGuard

FuseGuard is a web application firewall that runs in onRequestStart to block or log malicious requests to your ColdFusion web applications.
