We need to implement a way to prevent Cross Site Request Forgery, a.k.a. CSRF or XSRF.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
From what I've read, one way to tackle this (assuming one has no XSS vulnerabilities) is, within every <form>, to put a unique/unpredictable token and check this against a value that was saved into the user's session.
So for every page request that has a <form>:
1. Create a unique/unpredictable token. I'll be using SQL Server's NewID() since Coldfusion's CreateUUID() function is a little more predictable within a small timeframe.
2. Append this token to an array in the user's session. This array may have more than one token since a user may have multiple browser windows open. I may implement a timestamp on each token but that's undecided for now.
3. Write this token value as a hidden form field.
4. Check for the existence and value of the token form field within the array in the user's session for all POST requests. This can be done in Application.cfc/cfm.
5. Reject requests that do not have the token or which contain an invalid token.
This seems pretty straightforward. The problem is that we may have to do this for 300-500 forms on our site. Most are regular HTML but some are CFFORMs.
Is there any way, using CF or any third-party tool, to write this token into the form automatically at runtime? I found something called CSRFGuard
http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
but I'm not sure how to integrate this with Coldfusion.
Thanks, and if you have any suggestions or comments please post.
Erik
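Added example, not Erik's code or anything posted in the thread: the five steps above as a small helper CFC plus the Application.cfc hooks that enforce the check on every POST. It assumes a helper named csrf.cfc held in the application scope, a hidden field named csrfToken, a cap of 20 live tokens per session, one-time use of each token, and it swaps generateSecretKey() (JCE random bytes) in for the NewID() call; each form then contains #application.csrf.hiddenField()#.

```cfml
<!--- csrf.cfc: token helper, created once into the application scope --->
<cfcomponent output="false">
    <cfset variables.maxTokens = 20>  <!--- assumed cap on live tokens per session --->
    <cffunction name="newToken" access="public" returntype="string" output="false">
        <!--- step 1: 128 random bits from the JCE key generator (swapped in for NewID()) --->
        <cfset var token = generateSecretKey("AES")>
        <cfif NOT structKeyExists(session, "csrfTokens")><cfset session.csrfTokens = arrayNew(1)></cfif>
        <!--- step 2: keep several tokens so forms in other open windows stay valid --->
        <cfset arrayAppend(session.csrfTokens, token)>
        <!--- drop the oldest once the assumed cap is exceeded --->
        <cfif arrayLen(session.csrfTokens) GT variables.maxTokens><cfset arrayDeleteAt(session.csrfTokens, 1)></cfif>
        <cfreturn token>
    </cffunction>
    <cffunction name="hiddenField" access="public" returntype="string" output="false">
        <!--- step 3: emit the hidden input; put #application.csrf.hiddenField()# inside each form --->
        <cfreturn '<input type="hidden" name="csrfToken" value="' & htmlEditFormat(newToken()) & '">'>
    </cffunction>
    <cffunction name="verify" access="public" returntype="boolean" output="false">
        <cfargument name="token" type="string" required="true">
        <cfset var i = 0>
        <!--- step 4: exact, case-sensitive match against the session array --->
        <cfif NOT structKeyExists(session, "csrfTokens")><cfreturn false></cfif>
        <cfloop from="1" to="#arrayLen(session.csrfTokens)#" index="i">
            <cfif compare(session.csrfTokens[i], arguments.token) EQ 0>
                <cfset arrayDeleteAt(session.csrfTokens, i)>  <!--- one-time use (assumed) --->
                <cfreturn true>
            </cfif>
        </cfloop>
        <cfreturn false>
    </cffunction>
</cfcomponent>
<!--- Application.cfc (relevant parts): enforce on every POST before the target page runs --->
<cfcomponent output="false">
    <cfset this.name = "csrfDemo">
    <cfset this.sessionManagement = true>
    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset application.csrf = createObject("component", "csrf")>
        <cfreturn true>
    </cffunction>
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- step 5: reject a POST whose token is missing or not in the session array --->
        <cfif cgi.request_method EQ "POST" AND (NOT structKeyExists(form, "csrfToken")
              OR NOT application.csrf.verify(form.csrfToken))>
            <cfheader statuscode="403" statustext="Forbidden">
            <cfreturn false>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The two components are shown in one block for reading but go in separate files; a CFFORM is handled the same way, since the hidden input is plain HTML inside its body.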