You should ALWAYS check the validity of URL parameters.  You never know if a
user is going to simply type in a URL, and not click a link in your app.

At a bare minimum, you have to make sure you have the required parameters to
prevent your page from crapping out.
For numeric values, checking to make sure the value is within an expected
range would probably be a good idea - will your application break if someone
passes in a negative value? or a value larger than a large integer?
For string values, I prefer to do exact matches to validate them - for
instance, if URL.Action is not ADD or DELETE, then it's a bogus parameter,
and I handle it accordingly.

As a final step, any data we store to our database replaces the angle
brackets < and > with square brackets [ and ].  This serves to prevent any
<script> commands or other HTML being submitted.

Of course, your application has its own requirements, but here's hoping
this helps you get started.

Shawn Grover
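
One way to put the checks above onto a page, as an added example that is not
code from Shawn's message or any other post in this thread. It assumes a page
that expects URL.id (a record number) and URL.action (ADD or DELETE), plus a
URL.title value for the ADD case; the datasource name "myDSN", the table
"items" (integer key "id", text column "title") and the URL.title parameter
are assumptions made for illustration. Binding the values with cfqueryparam is
an addition to the post's advice, not something it describes.

```cfml
<!--- Added example, not from Shawn's or any other poster's message: one way to
      apply the checks above on a page that expects URL.id (a record number) and
      URL.action (ADD or DELETE), plus URL.title for the ADD case.
      The datasource "myDSN", the table "items" (integer key "id", text column
      "title") and the URL.title parameter are assumptions for illustration. --->

<!--- 1. Required parameters: stop right away if any is missing. --->
<cfif NOT IsDefined("URL.id") OR NOT IsDefined("URL.action")>
    <cfthrow message="Missing required URL parameter.">
</cfif>

<!--- 2. Numeric value: IsNumeric alone still lets "-5", "1.5" and very long
      numbers through, so require plain digits of bounded length and then
      check the expected range. --->
<cfif NOT REFind("^[0-9]{1,9}$", URL.id)>
    <cfthrow message="Invalid id: must be a positive whole number.">
</cfif>
<cfset id = Val(URL.id)>
<cfif id LT 1 OR id GT 999999>
    <cfthrow message="Invalid id: out of the expected range.">
</cfif>

<!--- 3. String value: exact match against the allowed list, case-insensitive.
      ListFindNoCase matches whole list elements, not substrings. --->
<cfif NOT ListFindNoCase("ADD,DELETE", URL.action)>
    <cfthrow message="Invalid action.">
</cfif>
<cfset action = UCase(URL.action)>

<cfif action EQ "ADD">
    <!--- 4. Free text that will be stored: require it, cap its length, and
          swap angle brackets for square brackets as the post suggests. --->
    <cfif NOT IsDefined("URL.title") OR Len(Trim(URL.title)) EQ 0
          OR Len(URL.title) GT 100>
        <cfthrow message="Invalid title.">
    </cfif>
    <cfset title = Replace(Replace(Trim(URL.title), "<", "[", "ALL"), ">", "]", "ALL")>

    <!--- Bind values with cfqueryparam (an addition to the post's advice) so they
          travel as typed parameters instead of being spliced into the SQL text. --->
    <cfquery name="addItem" datasource="myDSN">
        INSERT INTO items (id, title)
        VALUES (<cfqueryparam value="#id#" cfsqltype="CF_SQL_INTEGER">,
                <cfqueryparam value="#title#" cfsqltype="CF_SQL_VARCHAR">)
    </cfquery>
<cfelse>
    <cfquery name="deleteItem" datasource="myDSN">
        DELETE FROM items
        WHERE id = <cfqueryparam value="#id#" cfsqltype="CF_SQL_INTEGER">
    </cfquery>
</cfif>
```

Each check fails closed with cfthrow, so a request like ?id=5;DROP or
?action=DELETE%20x never reaches the query; swap the cfthrow for whatever
error page or cflocation your site uses.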

-----Original Message-----
From: Timothy Lynn [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 11:49 AM
To: CF-Talk
Subject: Re: URL Hack Fix??


And on a related note.. What are the best ways to go about ensuring that
the parameters passed are valid?

Is a simple:

<cfif IsDefined("URL.id") AND IsNumeric(URL.id)>
    <!--- do the query --->
<cfelse>
    <!--- kick someone in the keister --->
</cfif>

sufficient, or are there more sinister things to look for? (This of
course assumes passing simple numeric values, which seems pretty
commonplace).

-Tim

----- Original Message -----
From: "S R" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, August 13, 2001 12:43 PM
Subject: URL Hack Fix??


> another hack question. I've read Don Vawter's website on how to
> prevent this type of attack. Someone told me at my work that there's an
> IIS patch that prevents this. Is this true? I'm using IIS 4.0 and SQL 7.0
> and SQL 2000 for the backend. I want to go back and add these fixes to my
> CF pages, but if there's a patch, I won't need to do it.
>
> Thanks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists