In a ColdFusion application I noticed some getter/setter-like objects.
<cfset Session.preferenceObject.setHomePage_Title('#HomePage_Details#')>
<textarea name="HomePage_Details" cols="50" rows="4" scroll="no">#Session.preferenceObject.getHomePage_Details()#</textarea>
It is working fine. I can save the value in the DB also. Similarly, I tried with Customer_Details.
<cfset Session.preferenceObject.setCustomer_Details('#Customer_Details#')>
<textarea name="Customer_Details" cols="50" rows="4" scroll="no">#Session.preferenceObject.getCustomer_Details()#</textarea>
But it is not working. Can anyone help me with this concept? I can't understand this ColdFusion concept.
I think you can only use getCustomer_Details() if a setter exists, like setCustomer_Details("value")...
In your case, only a setHomePage_Title setter exists...
I have implemented the csrfGenerateToken and csrfVerifyToken functions in trying to prevent a CSRF attack.
I have set up the webpage header with these:
set X-XSS-Protection "1; mode=block"
always set X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
Strict-Transport-Security "max-age=63072000" env=HTTPS
I have done some research and proceeded as recommended by Adobe, doing something like this:
<cfset tokenVar = 't' & lCase( hash( createUUID() & randRange( 1000, 100000 ), 'MD5', 'UTF-8', 250 ) )>
<form action="updateprofile.cfm" method="post">
<input type="hidden" name="f#hash( 'tokenVar', 'SHA-256', 'UTF-8')#" value="#tokenVar#">
<input type="hidden" name="f#hash( 'formToken', 'SHA-256', 'UTF-8')#" value="#csrfGenerateToken( tokenVar, true )#">
<input type="text" name="emailAddress" value="#EmailAddress#">
<input type="text" name="phoneNumber" value="#PhoneNumber#">
<input type="submit" name="btnSubmit" value="Change Profile Info">
</form>
Updateprofile.cfm would have:
<cfparam name="FORM[ 'f' & hash( 'tokenVar', 'SHA-256', 'UTF-8')]" default="0">
<cfparam name="FORM[ 'f' & hash( 'formToken', 'SHA-256', 'UTF-8')]" default="0">
<cfif not csrfVerifyToken( FORM[ 'f' & hash( 'formToken', 'SHA-256', 'UTF-8')], FORM[ 'f' & hash( 'tokenVar', 'SHA-256', 'UTF-8')] )>
<!--- CSRF attack. Clear cookies and kick user out --->
<cfinclude template="clearcookies.cfm">
<cflocation url="signin.htm" addToken = "no">
</cfif>
This will work if 2 accounts are signed in on the same browser and one tries to update the other. However, when I simply saved a copy of the resulting html from one of them and saved it as csrf-attack.htm locally:
<html><body>
<script>history.pushState('', '', '/')</script>
<form action="http://www.exsample.com/updateprofile.cfm" method="post">
<input type="hidden" name="f41BE6B4E09CBA69BDB76DBB69B493E8D49F5DD9ED230085913397B4C751D4E60" value="t93315a7c3ecb43d4d1b9422da97ffb09">
<input type="hidden" name="f08DFC2607D4119D7B16B4C01DC5C00F54B044DC937257ABC411F9A7E55BB4191" value="A0EED67C55F5E17683E2E1B21FF3454FE690E0B1">
<input type="text" name="emailAddress" value="test#test.com">
<input type="text" name="phoneNumber" value="1-222-3333">
<input type="submit" name="btnSubmit" value="Change Profile Info">
</form>
</body></html>
I processed the original form to update the phone number to 1-333-4444. Then I came back to the form again. At this time a new CSRFToken should have been created, because ForceNew was set to true.
Then I went to the static HTML page that I had saved, simply changed the email address value to test2#test.com instead of test#test.com while keeping the old token, clicked the "Change Profile Info" button, and I was able to update it on the site!!
Am I doing something wrong, or is this how it works? It seems that the token is useless if I can simply copy the token values, manipulate the content, then post it. How can I mitigate issues like this on the receiving page?
Thanks in advance.
The csrfVerifyToken result will still pass until you generate another CSRF token with the same key; at that point it will get invalidated. So if you are making single-use tokens, you need to invalidate the old token by calling csrfGenerateToken with the same tokenVar after you call csrfVerifyToken.
I wrote up a blog entry with a code example to illustrate this: https://www.petefreitag.com/item/856.cfm
Jack, 2 points:
First, things will seem to "not protect anything" if your requests (including that html page) are made from the same browser, thus using the same session cookies for the site, thus using the same cf session.
The generated token is saved in the cf session for that user/browser (saved in a way not visible with a cfdump of the session). And the verify is then checking the passed-in token against that. But if you run the "other" code in another browser, it would NOT share the same session (unless you also copied in the user's cookies).
Second, even if you did duplicate the session cookies, the value in that csrf token field (simulating being grabbed by the bad guy who saw the form and "copied it off" to that other page) will be the value that was created when THEY did that...not the value that a real user would have in their session if they'd been to the page that did the csrfgeneratetoken. So the tokens won't match.
Make sense? It's easy to misconstrue what this does and does not do, and just as easy to get tripped up setting up a demo to prove whether it "works", if you don't keep all this in mind.
And I may be lacking in my answer, so am open to comments and criticism.
I am new to ColdFusion, please check my code below:
<cfif isDefined("form.submit")>
<cfoutput>
<h3>hi</h3>
</cfoutput>
</cfif>
<cfform action="#CGI.SCRIPT_NAME#">
User Name:<cfinput type="Text" name="usr_nm"><br>
<cfinput type="Radio" name="access_flg" value="0">Admin
<cfinput type="Radio" name="access_flg" value="1">User<br>
<cfinput type="submit" name="submit" value="submit"><br>
</cfform>
But when I click the submit button, I am expecting the result "hi".
I don't see the "hi" message. Is there anything wrong in my code? Anyone please help me.
Since you're new to ColdFusion, I'll give you some advice straight away:
1. Do not submit a form to the same page.
Submit the form to a separate page for processing. Reason being, as you get into more advanced applications, you'll need to restrict pages/URLs to only respond to an appropriate HTML Verb.
Your form page should respond to HTTP GET.
Your form processing page should only respond to HTTP POST.
2. Do not use CFFORM.
The function of CFFORM is to create JavaScript validation and server-side interactions. This can easily be done with modern JavaScript libraries like
https://jquery.com/
http://jqueryvalidation.org/
3. Give your form elements an ID, as well as a NAME.
This allows easier reference to the form elements when using JavaScript.
4. Do not name your submit button "submit".
If you ever want to use JavaScript to submit a form, the function is submit().
For example: $('#myForm').submit();
Having a form element named the same as a function will cause errors.
Here's my_form.cfm:
<form id="myForm" name="myForm" action="my_form_action.cfm" method="post">
User Name:<input type="Text" id="usr_nm" name="usr_nm"><br>
<input type="Radio" id="access_flg_0" name="access_flg" value="0">Admin
<input type="Radio" id="access_flg_1" name="access_flg" value="1">User<br>
<input type="submit" id="my_form_submit" name="my_form_submit" value="Submit"><br>
</form>
5. You don't need to use CFOUTPUT unless you are rendering data from the server.
Here's my_form_action.cfm:
<cfif structKeyExists(form, "my_form_submit")>
<h3>Hi!</h3>
</cfif>
Even better:
<cfif (cgi.request_method IS "post") AND (structKeyExists(form, "my_form_submit"))>
<h3>Hi!</h3>
</cfif>
This is an elaboration of this part of Adrian's answer:
<cfif (cgi.request_method IS "post") AND (structKeyExists(form, "my_form_submit"))>
<h3>Hi!</h3>
</cfif>
This is a candidate for code re-use. In one of our applications, I wrote a custom tag that does something like this:
if (StructKeyExists(attributes, 'ScopeToCheck') is false)
attributes.ScopeToCheck = "form";
if (StructKeyExists(caller, attributes.ScopeToCheck) is false)
Redirect = true;
else if (StructIsEmpty(caller[attributes.ScopeToCheck]) is true)
Redirect = true;
else
Redirect = false;
if (Redirect == true)
location(somewhere, false);
The custom tag approach was appropriate for my situation. For other situations, the same logic can be put into a udf that returns either true or false. Then the calling page can decide what to do with that information.
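The two rules from the answers above (the processing page accepts only POST, and the custom tag's "redirect when the checked scope is missing or empty" logic) written out as a small request guard. This is an added example in Python rather than CFML so it can be run offline; it is not Adrian's or the other answerer's code. `FORM_PAGE`, `guard_form_action` and the request dictionaries are constructed stand-ins for the page's `cgi.request_method`, `form` and `caller` scopes.

```python
"""Request guard modelling the answers' two checks (added example, not the
page's own code): a processing page answers only to POST whose form scope is
present, non-empty and carries the submit button's name; everything else is
sent back to the form page."""

FORM_PAGE = "my_form.cfm"          # hypothetical redirect target (the form page)
SUBMIT_FIELD = "my_form_submit"    # button name used in the answer's my_form.cfm


def needs_redirect(caller, scope_to_check="form"):
    """Python rendering of the custom tag's logic: redirect when the scope to
    check does not exist in the caller or is an empty struct."""
    if scope_to_check not in caller:
        return True
    return len(caller[scope_to_check]) == 0


def guard_form_action(request, submit_field=SUBMIT_FIELD):
    """Decide what the processing page should do with a constructed request.

    `request` is a dict with "method" (like cgi.request_method) and optionally
    "form" (the form scope). Returns ("process", form) or ("redirect", target).
    """
    # Rule 1: the processing page only responds to HTTP POST.
    if request.get("method", "").upper() != "POST":
        return ("redirect", FORM_PAGE)
    # Rule 2: the form scope must exist and be non-empty (custom tag logic).
    if needs_redirect(request, "form"):
        return ("redirect", FORM_PAGE)
    form = request["form"]
    # Rule 3: structKeyExists(form, "my_form_submit") - the button must be present.
    if submit_field not in form:
        return ("redirect", FORM_PAGE)
    return ("process", form)


if __name__ == "__main__":
    # Constructed requests: a GET, an empty POST, and a real form submission.
    for req in ({"method": "GET"},
                {"method": "POST", "form": {}},
                {"method": "POST", "form": {"usr_nm": "alice", "access_flg": "1",
                                            "my_form_submit": "Submit"}}):
        print(req.get("method"), "->", guard_form_action(req)[0])
```

On a page split this way, the form page never needs to inspect `form` at all, and a GET to `my_form_action.cfm` (for example from a bookmarked or replayed URL) is turned away before any data is touched.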
Edited: added creation of instance
I want to protect a site against CSRF. But because we're on CF9, I cannot use CSRFGenerateToken(). So I've done a little bit of research and found this: CSRFProvider.
It's a cfc providing protection against CSRF attacks.
My question is, how can I include it in my site? I want to use the 'hidden-forms' method, which is explained as follows:
// Writes a hidden form field to your view, you must pass an 'intention' which should be unique per form, per application
#csrf.renderToken(intention="my_unique_form_name")#
// On form submission, the application must verify the token using the same 'intention'
validSubmission = csrf.verifyToken(intention="my_unique_form_name", token=form._token);
I have copied the cfc into the application's directory and created a form inside test.cfm with a hidden field:
<cfset csrf = new CSRFProvider()>
<cfform method="post" action="test2.cfm" name="qwertz">
<cfinput name="csrftoken" type="hidden" value="#csrf.renderToken(intention="qwertz")#">
<cfinput name="whatever" type="text" > <br/>
<cfinput name="Submit" type="submit" value="blah"> </cfform>
And in test2.cfm:
<cfif csrf.verifyToken(intention="qwertz", token=form._token)>
<p>valid</p>
<cfelse>
<p>nope</p>
</cfif>
When I'm trying to open the site, it always tells me:
The method renderToken was not found in component [actual_path_to_my_applycation]/CSRFProvider.cfc.
Thanks in advance!
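A runnable model of the token behaviour described in the csrfGenerateToken/csrfVerifyToken thread above (a token lives in the user's session under a key and stays valid until a new token is generated under that same key; a copied token from another browser's session never matches) and of the per-intention 'hidden-forms' method asked about here. This is an added example written for this page; it is not Adobe's implementation and not CSRFProvider's code. `SessionCsrfStore`, `render_hidden_token` and the session ids are constructed stand-ins for the server-side session store.

```python
"""Session-scoped CSRF token model (added example, not the page's own code).
Imitates the semantics the answers describe: per-session, per-key tokens that
are invalidated only by regenerating under the same key, plus the single-use
pattern (verify, then regenerate) and the hidden-field-per-intention method."""
import hmac
import secrets


class SessionCsrfStore:
    """Per-session CSRF tokens keyed by form name (csrfGenerateToken's key,
    CSRFProvider's 'intention'). One instance stands in for the server."""

    def __init__(self):
        self._sessions = {}  # session_id -> {key -> token}; hypothetical in-memory store

    def generate_token(self, session_id, key="default", force_new=False):
        """Return the session's token for `key`; with force_new a fresh token
        replaces (and so invalidates) the previous one for that key only."""
        tokens = self._sessions.setdefault(session_id, {})
        if force_new or key not in tokens:
            tokens[key] = secrets.token_hex(20)  # 40 hex chars, like the value in the question
        return tokens[key]

    def verify_token(self, session_id, key, token):
        """Constant-time comparison against the token stored in this session."""
        expected = self._sessions.get(session_id, {}).get(key)
        if expected is None or not token:
            return False
        return hmac.compare_digest(expected, token)

    def verify_once(self, session_id, key, token):
        """Single-use pattern from the first answer: verify, then regenerate
        under the same key so a replay of the copied token is rejected."""
        ok = self.verify_token(session_id, key, token)
        self.generate_token(session_id, key, force_new=True)
        return ok


def render_hidden_token(store, session_id, intention):
    """Hidden-forms method: the form page emits the token for its intention."""
    token = store.generate_token(session_id, intention, force_new=True)
    return f'<input type="hidden" name="_token" value="{token}">'


def replay_scenario():
    """Walk through the question's experiment and the two answers' points."""
    store = SessionCsrfStore()
    sid = "sess-A"  # constructed session id for the victim's browser
    t1 = store.generate_token(sid, "profile", force_new=True)
    results = {"first_submit": store.verify_token(sid, "profile", t1)}
    # The question's form uses a random tokenVar on every visit, so the next
    # visit creates a token under a different key and t1 stays valid.
    store.generate_token(sid, "other-random-key", force_new=True)
    results["replay_after_other_key"] = store.verify_token(sid, "profile", t1)
    # Regenerating under the same key is what invalidates t1.
    store.generate_token(sid, "profile", force_new=True)
    results["replay_after_same_key"] = store.verify_token(sid, "profile", t1)
    # Single-use: verify and regenerate in one step.
    t2 = store.generate_token(sid, "profile")
    results["single_use_first"] = store.verify_once(sid, "profile", t2)
    results["single_use_replay"] = store.verify_token(sid, "profile", t2)
    # Second answer: a form copied in another browser carries that browser's
    # token, which the victim's session never stored.
    t3 = store.generate_token("sess-B", "profile", force_new=True)
    results["other_browser_token"] = store.verify_token(sid, "profile", t3)
    return results


if __name__ == "__main__":
    for name, value in replay_scenario().items():
        print(f"{name}: {'accepted' if value else 'rejected'}")
```

The model makes the question's result visible: when the key itself changes on every page view, generating a new token never touches the old key, so the old token keeps verifying. Fixing the key per form and regenerating under it after each successful verify gives the single-use behaviour the asker expected.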
I am trying to use this code for uploading files to my server, but it is giving me an error.
This is the code:
<cfif isdefined("form.submit")>
<cffile action="uploadall" destination="#expandpath('../../images/Uploads/after')#">
</cfif>
<cfform action="#cgi.script_name#" enctype="multipart/form-data">
<cfinput type="file" name="attachment1"><br>
<cfinput type="file" name="attachment2"><br>
<cfinput type="file" name="attachment3"><br>
<cfinput type="submit" name="submit" value="submit">
</cfform>
This is the Error:
The following information is meant for the website developer for debugging purposes.
Error Occurred While Processing Request
Invalid content type: application/x-www-form-urlencoded.
The files upload action requires forms to use enctype="multipart/form-data".
The error occurred in E:\sites\Example.Com\testing\handlers\upload\after.cfm: line 20
I see that you've moved on to a different solution, but I wanted to answer your question because the answer is plain crazy (and is stereotypical of some of the bizarre gotchas in Coldfusion). The problem is that <cfform> simply doesn't support the enctype attribute. If you want to upload files, you have to use a plain <form>. Weird, right?
(I suppose you could change the XSLT so that a cfform with a file input results in the enctype being set correctly automatically. But why it doesn't do this out of the box is beyond me.)
Does the directory structure that you are referencing in the destination attribute exist '"#expandpath('../../images/Uploads/after')#"'?
If the destination attribute is not an absolute path, it is relative to ColdFusion's temp directory, not to your web root or the template that is running.
Here is the description from the docs here
Pathname of directory in which to upload the file. If not an absolute path (starting with a drive letter and a colon, or a forward or backward slash), it is relative to the ColdFusion temporary directory, which is returned by the GetTempDirectory function.
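The two failure points raised in the answers above, as an added Python example rather than the page's own code: the `uploadall` content-type error from the question, and the documented rule that a non-absolute `destination` is resolved against ColdFusion's temporary directory. `check_upload_request`, `resolve_destination` and every path used here are constructed; the `exists` parameter is injectable so the check can run without touching disk.

```python
"""Upload request pre-checks (added example, not from the page's authors)."""
import os
import re

# Docs rule quoted above: a path is absolute if it starts with a drive letter and
# a colon, or with a forward or backward slash; anything else is relative to the
# ColdFusion temp directory (GetTempDirectory()).
_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:|[/\\])")


def resolve_destination(destination, temp_dir):
    """Return the directory ColdFusion would actually write into."""
    if _ABSOLUTE.match(destination):
        return destination
    return os.path.join(temp_dir, destination)


def check_upload_request(content_type, destination, temp_dir, exists=os.path.isdir):
    """Return (ok, detail): detail is the resolved directory on success or a
    message mirroring the failure the asker hit on failure."""
    # The request must be multipart/form-data (the form needs enctype set).
    main_type = content_type.split(";", 1)[0].strip().lower()
    if main_type != "multipart/form-data":
        return (False, f"Invalid content type: {main_type}. The files upload "
                       'action requires forms to use enctype="multipart/form-data".')
    # The destination directory must exist once resolved per the docs rule.
    resolved = resolve_destination(destination, temp_dir)
    if not exists(resolved):
        return (False, f"Upload destination does not exist: {resolved}")
    return (True, resolved)


if __name__ == "__main__":
    # Constructed inputs: the asker's failing content type, then a good request.
    print(check_upload_request("application/x-www-form-urlencoded",
                               "/srv/site/images/Uploads/after", "/tmp/cf",
                               exists=lambda p: True))
    print(check_upload_request("multipart/form-data; boundary=----abc",
                               "images/Uploads/after", "/tmp/cf",
                               exists=lambda p: True))
```

Running the second case shows why the answer asks whether the directory exists: a relative `destination` silently lands under the temp directory, not under the web root the template lives in.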
How would one go about building a multiselect box in Coldfusion without using CFForm or CFSelect?
This is to pull values from a DB, so it's not just a static select box; it is dynamic.
This is my first time ever trying to code in ColdFusion. I have always been a .Net person, so this is a bit of a change for me.
The reason why I am needing this is because I've gotten hired into a department at work that uses Coldfusion but from what the Lead developer told me is they do not use CFForm and seeing as how CFSelect requires to be inside CFForm I need a different way of doing this.
Use plain old HTML, for example:
<cfquery name="qryUsers" datasource="datasourcename">
SELECT [User].[UserID], [User].[FirstName]
FROM [User]
</cfquery>
<cfoutput>
<form ...>
<select name="users" multiple="multiple">
<option value="">- please select -</option>
<cfloop query="qryUsers">
<option value="#UserID#">#FirstName#</option>
</cfloop>
</select>
</form>
</cfoutput>
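The same dynamic multiselect rendered in Python as an added example (not the answer's code), with every value and label HTML-escaped so a name stored in the database cannot break out of the markup, and with a receiving-side helper that keeps only the ids the page actually offered. `QRY_USERS` is constructed sample data standing in for the `qryUsers` query; `render_user_select` and `selected_user_ids` are hypothetical names.

```python
"""Dynamic <select multiple> from query rows (added example, not the page's code)."""
from html import escape

# Constructed stand-in for the qryUsers result set; the second and third names
# contain markup characters to show why output escaping matters.
QRY_USERS = [
    {"UserID": 1, "FirstName": "Alice"},
    {"UserID": 2, "FirstName": "Bob <b>bold</b>"},
    {"UserID": 3, "FirstName": 'Eve "quoted"'},
]


def render_user_select(rows, name="users", placeholder="- please select -"):
    """Build the multiselect the answer shows, escaping every interpolated value."""
    lines = [f'<select name="{escape(name)}" multiple="multiple">',
             f'  <option value="">{escape(placeholder)}</option>']
    for row in rows:  # the <cfloop query="qryUsers"> part
        value = escape(str(row["UserID"]))
        label = escape(str(row["FirstName"]))
        lines.append(f'  <option value="{value}">{label}</option>')
    lines.append("</select>")
    return "\n".join(lines)


def selected_user_ids(submitted, rows):
    """Receiving side: ColdFusion delivers a multiselect named "users" as a
    comma-separated list in form.users. Keep only ids that were offered,
    drop duplicates and blanks, and return them as integers."""
    offered = {str(r["UserID"]) for r in rows}
    chosen = []
    for part in submitted.split(","):
        part = part.strip()
        if part and part in offered and int(part) not in chosen:
            chosen.append(int(part))
    return chosen


if __name__ == "__main__":
    print(render_user_select(QRY_USERS))
    print(selected_user_ids("1,3, 99", QRY_USERS))  # constructed submission
```

Escaping on output is the part `#FirstName#` inside `<cfoutput>` does not do by itself; validating the posted list against the offered ids is what stops a tampered form from selecting users that were never listed.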