This was covered quite well in an earlier thread:

http://www.listsearch.com/cf-talk.lasso?id=31210&-session=listsearch_coldfusion:A3EA90500f040147C3sOm28F6DCB

However, there's something I'd like clarification on. The custom tag CodeCleaner and the URLScan IIS security tool were both thrown out as options for scanning the request for invalid/malicious requests. Am I correct in that if I use URLScan to scan the incoming request I do not need to use CodeCleaner to do the same? In fact, would using them both for this cause problems? I ask because http://www.securityfocus.com/infocus/1755 mentions, under normalizing the URL, that one common reason for web apps to break once URLScan is implemented is that "it is known to break various web applications. The cause of this failure is typically because the application expects to receive encoded characters and tries to process regular characters as encoded characters." Why would one choose CodeCleaner over URLScan for scanning requests?

Specifically for XSS (not its brother SQL Injection), what other measures should be taken besides URLScan? I was thinking form input validation, but wouldn't URLScan include those in its scan once the user submits the form (even if it's a POST submission)? What information in the request is not scanned by URLScan? Since URLScan would need to be set to the weakest setting required for the application (e.g., if some fields required the use of some special characters and others didn't, URLScan would have to allow those special characters), I may have to do some additional checking in these types of circumstances (using CodeCleaner). However, assuming I can lock down requests with URLScan without exceptions like these, would URLScan provide the protection I need for XSS? If not, what else should I be looking at?

I found the notification for the following XSS vulnerability:
http://www.macromedia.com/devnet/security/security_zone/mpsb03-06.html. Does URLScan not include scans of these aspects, so we need to make sure we don't use these (or scan them with CodeCleaner)?

I'm working on a CF5 box with IIS5. Eventually I'll need to lock down CF MX with IIS6, at which point URLScan won't do as much since IIS6 includes a lot (http://www.microsoft.com/technet/security/tools/urlscan.mspx?#XSLTsection123121120120).

Any thoughts would be appreciated.

Thanks,
Bob
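Editor's note on the question of what URLScan does and does not see. The following is an added example, not code from this post, from URLScan or from CodeCleaner. It models the two layers the post is asking about: a front-end filter that, as the editor understands URLScan's scope, inspects only the request line and headers, and an application layer that must still validate every form field because a POST body never passes through the URL rules. The deny-sequence list, the denied-header list, the per-field policy and the sample requests are all assumptions constructed for illustration, not URLScan defaults.

```python
"""Constructed model of where a front-end URL filter looks versus where a
ColdFusion form handler must still validate. Editor's added example, not
URLScan or CodeCleaner code: the deny list, header list, field policy and
sample requests below are assumptions chosen for illustration."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed filter rules, loosely modelled on UrlScan.ini [DenyUrlSequences]
# and [DenyHeaders]. Real deployments tune these per application.
DENY_URL_SEQUENCES = ["<", ">", "..", "./", "\\", "%"]
DENY_HEADERS = ["translate:", "if:", "lock-token:"]

# Assumed per-field policy for the application layer. "allowlist" fields
# take plain text only; "free_text" fields keep special characters and are
# made safe by HTML-encoding at output time instead of by rejection.
FIELD_POLICY = {"name": "allowlist", "comment": "free_text"}
ALLOWLIST = re.compile(r"^[A-Za-z0-9 .,'-]{0,100}$")


def normalize_url(raw_url):
    """Decode percent-escapes once. Because '%' is in the deny list, a URL
    that still contains an escape after one decode (double encoding) is
    rejected, similar in spirit to URLScan's VerifyNormalization option."""
    return unquote(raw_url)


def front_end_filter(request):
    """Return (allowed, reason). Assumption modelled here: the filter sees
    only the request line and headers; the POST body is never inspected."""
    url = normalize_url(request["url"])
    for seq in DENY_URL_SEQUENCES:
        if seq in url:
            return False, f"url contains denied sequence {seq!r}"
    for header in request.get("headers", {}):
        if header.lower() + ":" in DENY_HEADERS:
            return False, f"denied header {header}"
    return True, "ok"


def validate_field(name, value):
    """Application-side check that runs on every field, whichever transport
    carried it. Raises ValueError for allowlist fields with stray characters."""
    policy = FIELD_POLICY.get(name, "allowlist")
    if policy == "allowlist" and not ALLOWLIST.match(value):
        raise ValueError(f"{name!r} contains characters outside the allowlist")
    return value


def encode_for_html(value):
    """Output encoding: what the page emits inside an HTML element body."""
    return html.escape(value, quote=True)


def handle(request):
    """Run the front-end filter, then the application layer, and report
    which stage (if any) stopped the request and what would be rendered."""
    allowed, reason = front_end_filter(request)
    if not allowed:
        return {"stage": "front-end filter", "blocked": True, "reason": reason}
    params = parse_qs(urlsplit(request["url"]).query, keep_blank_values=True)
    if request.get("method", "GET").upper() == "POST":
        params.update(parse_qs(request.get("body", ""), keep_blank_values=True))
    rendered = {}
    for name, values in params.items():
        try:
            rendered[name] = encode_for_html(validate_field(name, values[0]))
        except ValueError as exc:
            return {"stage": "application validation", "blocked": True, "reason": str(exc)}
    return {"stage": "application", "blocked": False, "rendered": rendered}


# Constructed sample requests (not captured traffic).
PAYLOAD = "<script>alert(1)</script>"
SAMPLES = {
    "get_plain": {"method": "GET", "url": f"/index.cfm?name={PAYLOAD}"},
    "get_encoded": {"method": "GET", "url": "/index.cfm?name=%3Cscript%3E"},
    "get_double_encoded": {"method": "GET", "url": "/index.cfm?name=%253Cscript%253E"},
    "get_denied_header": {"method": "GET", "url": "/index.cfm", "headers": {"Translate": "f"}},
    "post_allowlist_field": {"method": "POST", "url": "/index.cfm", "body": f"name={PAYLOAD}"},
    "post_free_text_field": {"method": "POST", "url": "/index.cfm", "body": f"comment={PAYLOAD}"},
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:22} -> {handle(req)}")
```

The two POST samples are the ones that answer the post's question: the same payload that the front-end filter stops in a query string sails through it when carried in a form body, and is only caught (or neutralised by output encoding) in the application layer. That is the case for keeping a server-side check such as input validation plus HTML encoding on output regardless of how tightly the URL filter is configured; the double-encoded sample shows the normalization behaviour that can break applications which expect to receive still-encoded values.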