Blog

CSRF Security Module: Not All Surfing Is Good

Nathaniel Francis February 20, 2015

Spread the word

Nathaniel Francis

February 20, 2015

Spread the word


Share your thoughts

Welcome to the jungle

Remember a time when the internet was a safe place. Where your email wasn't getting hacked every 3 months, nobody wanted to XSS something malicious to you or through you, and no one conceived of encrypting your hard drive for money?

I don't either. Since its inception, the internet has been a jungle of security complications.

CSRF: not the good kind of surfing

This discussion could quickly dive into a host of security complications and safety precautions that we, as developers should be paying attention to. Instead, I'm going to focus on one security breach and a modular technique that ColdBox 4.0 provides to help us developers fight against it.

CSRF aka "Cross-Site Request Forgery", commonly pronounced "sea-surf", is a web exploitation where the offender violates the trust between a website and a user's browser. I know that's vague. There are various forms that CSRF takes, but they all boil down to the website being violated by the user's browser in some way, shape, or form. This is just the basic idea. The whole story is worth a decent Google search.

We got a module for that!

As with any multi-faceted security aspect, there is no singular answer. If a burglar can come into your house through either the window or the door, you may want to shut and lock both, or get a guard dog, or move. However, with CSRF security violations, there is one common flaw. The violation of trust comes from triggering actions on your site without your consent. That we can handle.

The ColdBox Cross Site Request Forgery (CSRF) Tokens module generates tokens that generate a verification, "secret handshake" system between your server and the browser. This added layer of security is subtle, but powerful in CSRF violations because it prevents a foreign agent from violating the trust between browser and server.

To install the ColdBox Cross Site Request Forgery (CSRF) Tokens module, simply go to CommandBox and enter:

box install cbcsrf

The ReadMe for this module includes the following simple example of how to use the CSRF module's functionality:

component {
    any function signUp(event, rc, prc) {
        // Store this in a hidden field in the form
        prc.token = generateCSRFToken();
    }

    any function signUpProcess(event, rc, prc) {
        // Verify CSFR token from form
        if(verifyCSRFToken(rc.token) {
            // save form
        } else {
            // Something isn't right
            setNextEvent( 'handler.signup' );
        }
    }
}

The ColdBox Cross Site Request Forgery (CSRF) Tokens module is a simple, elegant solution to a common security problem.

Add Your Comment

Recent Entries

Ortus Solutions Soars Back to CFCamp Munich as Platinum Sponsor and Keynote Presenter!

Ortus Solutions Soars Back to CFCamp Munich as Platinum Sponsor and Keynote Presenter!

We're thrilled to announce that Ortus Solutions is returning to CFCamp Munich for another year! We're incredibly proud to be a continuing sponsor of this fantastic event and can't wait to connect with the ColdFusion community once again.

Taking Center Stage with the Day 1 Keynote

Get ready for some deep dives into the world of BoxLang! Ortus Solutions will be kicking off CFCamp with a dynamic keynote address on day 1. This is your chance to gain valua...

Cristobal Escobar
Cristobal Escobar
May 28, 2024
Into the Box 2025 - Blind Tickets are Out!

Into the Box 2025 - Blind Tickets are Out!

Ortus Solutions is thrilled to announce the release of blind tickets for Into the Box 2025, the premier event for web developers. This year's conference promises to be a game-changer, especially with the unveiling of our groundbreaking new product, BoxLang. **Our team is working hard to get all modern CFML developers amazing tools and software features to improve their productivity. **

Maria Jose Herrera
Maria Jose Herrera
May 27, 2024
Into the Box - Keynote Recap Day 1

Into the Box - Keynote Recap Day 1

Day 1 of Into the Box kicked off with an electrifying keynote session that set the tone for an incredible conference. The excitement was palpable as developers, tech enthusiasts, and industry leaders gathered to explore the latest innovations and trends in web development.

Maria Jose Herrera
Maria Jose Herrera
May 24, 2024