Prevent Cross-Site Scripting in ColdFusion 5

2010-03-02 Thread Donnie Carvajal

I have an app that is written in ColdFusion 5 and there are several places in 
the app where CGI.query_string is used to set the query string on the href of 
an anchor tag.  I need a clean way to scrub the CGI.query_string variable.  I 
can't use URLEncodedFormat because all of the ampersands and equal signs will 
be encoded and then there won't be any query string variables.  I can't use the 
application.scriptProtect variable because the app is in ColdFusion 5 and it 
can't be upgraded to any version of ColdFusion MX without some major work to fix 
errors.  Does anyone know of a UDF, custom tag, CFX, etc. that I can use?

Thanks,

Donnie 

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331269
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Prevent Cross-Site Scripting in ColdFusion 5

2010-03-02 Thread Cutter (ColdFusion)

Have you checked CFLib.org yet? Great collection of UDFs. Maybe 
something there that can help you.

Steve Cutter Blades
Adobe Community Professional - ColdFusion
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer

Co-Author of Learning Ext JS
http://www.packtpub.com/learning-ext-js/book
_
http://blog.cutterscrossing.com



Donnie Carvajal wrote:
 I have an app that is written in ColdFusion 5 and there are several places in 
 the app where CGI.query_string is used to set the query string on the href of 
 an anchor tag.  I need a clean way to scrub the CGI.query_string variable.  I 
 can't use URLEncodedFormat because all of the ampersands and equal signs will 
 be encoded and then there won't be any query string variables.  I can't use 
 the application.scriptProtect variable because the app is in ColdFusion 5 and 
 it can't be upgraded to any version of ColdFusion MX without some major work 
 to fix errors.  Does anyone know of a UDF, custom tag, CFX, etc. that I can 
 use?

 Thanks,

 Donnie 

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331271


Re: Prevent Cross-Site Scripting in ColdFusion 5

2010-03-02 Thread Donnie Carvajal

I have checked CFLib.org.  They have a couple of UDFs for handling URL 
variables, but nothing that appeared like it would parse through 
CGI.query_string or use some sort of regular expression to encode or remove 
unwanted vars without losing the variables by encoding the ampersand and equal 
signs. 

 Have you checked CFLib.org yet? Great collection of UDFs. Maybe 
 something there that can help you.
 
 Steve Cutter Blades
 Adobe Community Professional - ColdFusion
 Adobe Certified Professional
 Advanced Macromedia ColdFusion MX 7 Developer
 
 Co-Author of Learning Ext JS
 http://www.packtpub.com/learning-ext-js/book
 _
 http://blog.cutterscrossing.com
 
 
 
 Donnie Carvajal wrote:
  I have an app that is written in ColdFusion 5 and there are several 
 places in the app where CGI.query_string is used to set the query 
 string on the href of an anchor tag.  I need a clean way to scrub the 
 CGI.query_string variable.  I can't use URLEncodedFormat because all 
 of the ampersands and equal signs will be encoded and then there won't 
 be any query string variables.  I can't use the application.
 scriptProtect variable because the app is in ColdFusion 5 and it can't 
 be upgraded to any version of ColdFusion MX without some major work to 
 fix errors.  Does anyone know of a UDF, custom tag, CFX, etc. that I 
 can use?
 
  Thanks,
 
  Donnie 
 
  


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331272


RE: Prevent Cross-Site Scripting in ColdFusion 5

2010-03-02 Thread Andy Matthews

It's easy enough to write your own function for this sort of thing. Here's
the basis of how I might approach it:

<cfset REQUEST.qs = 'var1=andy&var2=Jaime&var3=Noelle'>
<cfset REQUEST.qsArr = ArrayNew(1)>
<!--- split on "&" so each iteration sees one name=value pair --->
<cfloop index="REQUEST.outer" list="#REQUEST.qs#" delimiters="&">
    <cfset REQUEST.key = ListFirst(REQUEST.outer, '=')>
    <!--- ListRest keeps everything after the first "=", so a value that itself
          contains "=" survives and an empty value ("var1=") comes back as "" --->
    <cfset REQUEST.value = ListRest(REQUEST.outer, '=')>
</cfloop>

At that point you could do anything you wanted to with REQUEST.key or
REQUEST.value.


andy

-Original Message-
From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com] 
Sent: Tuesday, March 02, 2010 4:34 PM
To: cf-talk
Subject: Re: Prevent Cross-Site Scripting in ColdFusion 5


I have checked CFLib.org.  They have a couple of UDFs for handling URL
variables, but nothing that appeared like it would parse through
CGI.query_string or use some sort of regular expression to encode or remove
unwanted vars without losing the variables by encoding the ampersand and
equal signs. 

 Have you checked CFLib.org yet? Great collection of UDFs. Maybe 
 something there that can help you.
 
 Steve Cutter Blades
 Adobe Community Professional - ColdFusion Adobe Certified Professional 
 Advanced Macromedia ColdFusion MX 7 Developer
 
 Co-Author of Learning Ext JS
 http://www.packtpub.com/learning-ext-js/book
 _
 http://blog.cutterscrossing.com
 
 
 
 Donnie Carvajal wrote:
  I have an app that is written in ColdFusion 5 and there are several
 places in the app where CGI.query_string is used to set the query 
 string on the href of an anchor tag.  I need a clean way to scrub the 
 CGI.query_string variable.  I can't use URLEncodedFormat because all 
 of the ampersands and equal signs will be encoded and then there won't 
 be any query string variables.  I can't use the application.
 scriptProtect variable because the app is in ColdFusion 5 and it can't 
 be upgraded to any version of ColdFusion MX without some major work to 
 fix errors.  Does anyone know of a UDF, custom tag, CFX, etc. that I 
 can use?
 
  Thanks,
 
  Donnie
 
  




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331274
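
An added example, not Andy's or Donnie's code and not posted in the thread, that does what Donnie asked for. It splits CGI.query_string on "&" before decoding anything, so an encoded "&" or "=" that arrived inside a value stays inside that value, then URL-decodes and re-encodes each name and each value on its own. The "&" and "=" that rejoin the pairs are put back by the code, so they survive, while any <, >, ", ', & or = that was sent literally inside a value comes out as a %xx escape. It is a cfscript UDF so it runs on ColdFusion 5 (no cffunction, no components); the sample query string and the page name detail.cfm are made up for the example.

```cfml
<cfscript>
// Rebuild a raw query string so that only the structural "&" and "=" survive
// and every name and value is URL-encoded. Added example, not from the thread.
function SafeQueryString(qs) {
    var pairs = ListToArray(qs, "&");   // split BEFORE decoding: an encoded "&"
    var out   = "";                     // inside a value must stay in the value
    var i     = 0;
    var pair  = "";
    var eq    = 0;
    var name  = "";
    var value = "";
    for (i = 1; i LTE ArrayLen(pairs); i = i + 1) {
        pair = pairs[i];
        eq   = Find("=", pair);         // first "=" only; the value may hold more
        if (eq NEQ 1) {                 // "=foo" has no name: drop the pair
            if (eq EQ 0) {
                name  = pair;           // bare flag such as "debug"
                value = "";
            } else {
                name  = Left(pair, eq - 1);
                value = "";
                if (eq LT Len(pair)) value = Mid(pair, eq + 1, Len(pair) - eq);
            }
            // decode once, then encode: whatever the browser sent is re-encoded
            // from its decoded form, so a literal <, >, ", ', & or = inside a
            // value becomes %xx and cannot act as markup or as a separator
            name  = URLEncodedFormat(URLDecode(name));
            value = URLEncodedFormat(URLDecode(value));
            out   = ListAppend(out, name & "=" & value, "&");
        }
    }
    return out;
}
</cfscript>

<!--- constructed input standing in for CGI.query_string --->
<cfset demoQS = "id=5&q=<script>alert(1)</script>&x=a%3Db&debug">
<cfset safeQS = SafeQueryString(demoQS)>

<!--- an href is an HTML attribute, so the rebuilt string is escaped once more
      for that context: the "&" separators become &amp; and a quote cannot
      close the attribute early. detail.cfm is an assumed page name. --->
<cfoutput>
<a href="detail.cfm?#HTMLEditFormat(safeQS)#">next page</a>
</cfoutput>
```

In the live page replace demoQS with CGI.query_string. The two-step escaping is deliberate: URLEncodedFormat makes each value safe as a URL component, HTMLEditFormat makes the whole href safe as an attribute value, and neither step substitutes for the other.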


Re: Prevent Cross Site scripting

2008-04-19 Thread Andrew Grosset
OK, point taken. I was thinking in the context of a forum application where one 
may have strict rules on user input, and that input may go through complex 
validation that might be server-intensive, and it would probably be unlikely that 
the data validation would require future review. If new vulnerabilities were 
found, the data could still be parsed and updated in the database once as a 
separate call instead of every time it is output.

The primary objective should be as Dave said: deny all, then allow.

Andrew

As Brad pointed out, who's to say what's junk? It is impossible, practically
speaking, to identify every possible bad character that may exist in your
data, and you may want to use that data in different ways and different
places. You may, in fact, want to use data in new ways in the future, only
to find that you have new vulnerabilities for which your current data is
unsanitized.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/ 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;192386516;25150098;k

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303799
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: Prevent Cross Site scripting

2008-04-18 Thread Ian Rutherford
So what do you recommend instead? The built-in XSS protection doesn't catch 
everything. 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303772


RE: Prevent Cross Site scripting

2008-04-18 Thread Brad Wood
I'm not sure if you're directing that question at Dave or me, so I will
clarify my recommendation just in case.

==
Any time you embed text which a user/third party enters or has control
over into another media, ensure that the potentially-unsafe text has any
necessary meta-characters escaped.
==

That means if you want to output a name from the database into a
JavaScript variable, you should run it through jsstringformat to remove
any single ticks etc.

var users_name = '#jsstringformat(my_query.users_name)#';

If you are building an XML document out of user-entered form fields, use
xmlformat.

<root><employee>#xmlformat(form.name)#</employee></root>

If you are outputting a message in an HTML page, use htmleditformat.

<table>
<tr>
<td>
#htmleditformat(qry_message.message_text)#
</td>
</tr>
</table>

Any time you are evaluating a string as code, like a JSON string
returned from an external web service, use a JSON parser instead of just
throwing it into an eval() function.

I know those are all generic examples, but I don't think there is
necessarily a silver bullet snippet of code you can paste at the top
of your page that will catch everything.  In theory, if ALL data were
properly escaped/sanitized according to the environment it was being
embedded in, XSS attacks would not exist.  In my opinion, _most_ XSS
attacks happen because programmers get lazy-- a sin I've certainly been
guilty of myself.

~Brad

-Original Message-
From: Ian Rutherford [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 18, 2008 2:06 PM
To: CF-Talk
Subject: Re: Prevent Cross Site scripting

So what do you recommend instead? The built-in XSS protection doesn't
catch everything. 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303773


RE: Prevent Cross Site scripting

2008-04-18 Thread Dave Watts
 So what do you recommend instead? The built-in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings, and
escape them appropriately when displaying them.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303783


Re: Prevent Cross Site scripting

2008-04-18 Thread Andrew Grosset
Why store junk? If you're going to store data, shouldn't it be escaped/purified 
before you store it? Then you're escaping it once as opposed to escaping it 
1000s of times, every time you display/output it.

 So what do you recommend instead? The built-in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings, and
escape them appropriately when displaying them.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/ 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303792


RE: Prevent Cross Site scripting

2008-04-18 Thread Brad Wood
How do you know it's junk?  Let's say you have a last name of O'Reilly
entered into a form field.  That string will break the following
code:

<script language="javascript">
alert('#last_name#');
</script>

You would not want to remove the tick from the name in the database, as
now you have lost part of your data.  Instead you sanitize it at the
time you output it with jsstringformat.

Now, some of you are probably thinking, "Why don't you just escape it
when you put it into the database?"  My answer to that is, "How do you
know in what context that data might need to be displayed?"  If you
escape the data for a JavaScript string at the time you store it, then
it won't look right when you want to output it in HTML.  OK, so you
might think you should escape it for HTML at the time you store it-- now
you write a flex front-end for your app and wish to display it in Flash.

There are reasons other than malicious attacks to clean your data, and
it is my opinion that the interface responsible for displaying the data
should also be responsible for cleaning it appropriately.  If that is
done, O'Reilly won't be an issue and neither will XSS.

If you are concerned about the performance implications of formatting
the data over and over again you could cache static pages and serve them
up.  If your data is ever-changing, I consider this overhead a small
price to pay that comes with the business of storing and regurgitating
data.

~Brad

-Original Message-
From: Andrew Grosset [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 18, 2008 7:38 PM
To: CF-Talk
Subject: Re: Prevent Cross Site scripting

Why store junk? If you're going to store data, shouldn't it be
escaped/purified before you store it? Then you're escaping it once as
opposed to escaping it 1000s of times, every time you display/output it.

 So what do you recommend instead? The built-in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings,
and
escape them appropriately when displaying them.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/ 



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303793
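
An added example, not Brad's code and not posted in the thread, that takes the O'Reilly case from the message just above and the per-context escaping from his earlier reply (jsstringformat, xmlformat, htmleditformat) and shows one value stored untouched and then emitted in five different contexts. The one thing it adds to JSStringFormat is worth knowing: JSStringFormat's job is the quotes, backslashes and line breaks, it does not escape <, and an HTML parser ends a <script> element at the first </script> it meets regardless of how the JavaScript inside is quoted. The JSStringInHTML helper, the sample value and the page name search.cfm are this example's own.

```cfml
<cfscript>
// For a value placed inside a quoted JavaScript string literal that lives in
// an HTML <script> block. JSStringFormat handles quotes, backslashes and line
// breaks; the Replace turns "<" into the JavaScript escape \x3c so the HTML
// parser never sees a "</script>" that came from the data.
// Added helper for this example, not a ColdFusion built-in.
function JSStringInHTML(s) {
    return Replace(JSStringFormat(s), "<", "\x3c", "ALL");
}
</cfscript>

<!--- constructed value, exactly as it would come back from the database --->
<cfset lastName = "O'Reilly </script><script>alert(1)</script>">

<cfoutput>
<!--- 1. HTML text: < > & " become entities, the apostrophe is kept as data --->
<p>Welcome back, #HTMLEditFormat(lastName)#</p>

<!--- 2. HTML attribute: HTMLEditFormat does not touch the single quote,
         so the attribute must be delimited with double quotes --->
<input type="text" name="last_name" value="#HTMLEditFormat(lastName)#">

<!--- 3. JavaScript string literal inside a script block --->
<script type="text/javascript">
    var lastName = '#JSStringInHTML(lastName)#';
</script>

<!--- 4. URL parameter: URLEncodedFormat for the value, then HTMLEditFormat
         for the href attribute that carries it --->
<a href="#HTMLEditFormat('search.cfm?last_name=' & URLEncodedFormat(lastName))#">search</a>

<!--- 5. XML element text --->
<root><employee>#XMLFormat(lastName)#</employee></root>
</cfoutput>
```

With the sample value, context 3 renders as var lastName = 'O\'Reilly \x3c/script>\x3cscript>alert(1)\x3c/script>'; the apostrophe is escaped by JSStringFormat and the angle brackets by the helper, so the script element stays intact and the browser sees one harmless string. The database row is never modified; each context applies its own escape at the moment of output, which is Brad's point.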


Re: Prevent Cross Site scripting

2008-04-18 Thread Andrew Grosset
Sorry, you haven't convinced me. I appreciate what you're saying, but having to 
cache the static pages after you've cleansed them doesn't seem right either.

Of course if you're relying on javascript to display as in ajax then you have a 
point.

Andrew.

How do you know it's junk?  Let's say you have a last name of O'Reilly
entered into a form field.  That string will break the following
code:

<script language="javascript">
   alert('#last_name#');
</script>

You would not want to remove the tick from the name in the database, as
now you have lost part of your data.  Instead you sanitize it at the
time you output it with jsstringformat.

Now, some of you are probably thinking, "Why don't you just escape it
when you put it into the database?"  My answer to that is, "How do you
know in what context that data might need to be displayed?"  If you
escape the data for a JavaScript string at the time you store it, then
it won't look right when you want to output it in HTML.  OK, so you
might think you should escape it for HTML at the time you store it-- now
you write a flex front-end for your app and wish to display it in Flash.

There are reasons other than malicious attacks to clean your data, and
it is my opinion that the interface responsible for displaying the data
should also be responsible for cleaning it appropriately.  If that is
done, O'Reilly won't be an issue and neither will XSS.

If you are concerned about the performance implications of formatting
the data over and over again you could cache static pages and serve them
up.  If your data is ever-changing, I consider this overhead a small
price to pay that comes with the business of storing and regurgitating
data.

~Brad

Why store junk? If you're going to store data, shouldn't it be
escaped/purified before you store it? Then you're escaping it once as
opposed to escaping it 1000s of times, every time you display/output it.

 So what do you recommend instead? The built-in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings,
and 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303796


RE: Prevent Cross Site scripting

2008-04-18 Thread Dave Watts
 Why store junk? if you're going to store data shouldn't it be 
 escaped/purified before you store it? then you're escaping it 
 once as opposed to escaping it 1000's of times every time you 
 display/output it?

As Brad pointed out, who's to say what's junk? It is impossible, practically
speaking, to identify every possible bad character that may exist in your
data, and you may want to use that data in different ways and different
places. You may, in fact, want to use data in new ways in the future, only
to find that you have new vulnerabilities for which your current data is
unsanitized.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303797


RE: Prevent Cross Site scripting

2008-04-18 Thread Bobby Hartsfield
Displaying or using data now in one way doesn't necessarily mean that's how
you or someone else may need or want to display or use it later. It has been
my experience that storing data just as it was entered is the better
solution all around. Once you strip information out that you deem unsafe for
your current needs, you can't get it back later if/when you or someone else
decides otherwise.

..:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com


-Original Message-
From: Andrew Grosset [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 18, 2008 11:12 PM
To: CF-Talk
Subject: Re: Prevent Cross Site scripting

Sorry, you haven't convinced me. I appreciate what you're saying, but having
to cache the static pages after you've cleansed them doesn't seem right
either.

Of course if you're relying on javascript to display as in ajax then you
have a point.

Andrew.

How do you know it's junk?  Let's say you have a last name of O'Reilly
entered into a form field.  That string will break the following
code:

<script language="javascript">
   alert('#last_name#');
</script>

You would not want to remove the tick from the name in the database, as
now you have lost part of your data.  Instead you sanitize it at the
time you output it with jsstringformat.

Now, some of you are probably thinking, "Why don't you just escape it
when you put it into the database?"  My answer to that is, "How do you
know in what context that data might need to be displayed?"  If you
escape the data for a JavaScript string at the time you store it, then
it won't look right when you want to output it in HTML.  OK, so you
might think you should escape it for HTML at the time you store it-- now
you write a flex front-end for your app and wish to display it in Flash.

There are reasons other than malicious attacks to clean your data, and
it is my opinion that the interface responsible for displaying the data
should also be responsible for cleaning it appropriately.  If that is
done, O'Reilly won't be an issue and neither will XSS.

If you are concerned about the performance implications of formatting
the data over and over again you could cache static pages and serve them
up.  If your data is ever-changing, I consider this overhead a small
price to pay that comes with the business of storing and regurgitating
data.

~Brad

Why store junk? If you're going to store data, shouldn't it be
escaped/purified before you store it? Then you're escaping it once as
opposed to escaping it 1000s of times, every time you display/output it.

 So what do you recommend instead? The built-in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings,
and 



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303798


Prevent Cross Site scripting

2008-04-17 Thread Jacob
If I added the following, would this prevent Cross Site Scripting issues:


<cfif urldecode(cgi.QUERY_STRING) contains "<" or 
urldecode(cgi.QUERY_STRING) contains ">" or
urldecode(cgi.QUERY_STRING) contains "[" or
urldecode(cgi.QUERY_STRING) contains "]" or
urldecode(cgi.QUERY_STRING) contains "*" or
urldecode(cgi.QUERY_STRING) contains "(" or
urldecode(cgi.QUERY_STRING) contains ")" or
urldecode(cgi.QUERY_STRING) contains "\" or
urldecode(cgi.QUERY_STRING) contains "{" or
urldecode(cgi.QUERY_STRING) contains "}" or
urldecode(cgi.QUERY_STRING) contains "delete" or
urldecode(cgi.QUERY_STRING) contains "drop" or
urldecode(cgi.QUERY_STRING) contains "exe">

BAD STRING!
<cfabort>

</cfif>

Thanks Jacob


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303696


RE: Prevent Cross Site scripting

2008-04-17 Thread Brad Wood
Not necessarily, but this will help:

Name: #htmleditformat(user_entered_data_I_dont_trust)#

XSS from my understanding is when someone is able to inject HTML/JS into
a page so it is executed and then they can manipulate the contents of
the page and/or make an Ajax call which will send any cookies the site
has.  

The easiest way for people to do that is when you have a text area or
input field which is later displayed on an HTML page and special
characters are not escaped.

For instance, entering a name like 
<script language="javascript">alert('I\'m in!');</script>

When that value was output in an HTML page, the script block would be
executed in the security context of that page.

Also keep in mind, the cgi.query_string only includes url vars, not form
variables.  I prefer to sanitize them at the point of outputting them,
not at the point of collecting them.  There may be a good reason to have
some special characters in a form field.

~Brad

-Original Message-
From: Jacob [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 17, 2008 4:01 PM
To: CF-Talk
Subject: Prevent Cross Site scripting

If I added the following, would this prevent Cross Site Scripting
issues:


<cfif urldecode(cgi.QUERY_STRING) contains "<" or 
urldecode(cgi.QUERY_STRING) contains ">" or
urldecode(cgi.QUERY_STRING) contains "[" or
urldecode(cgi.QUERY_STRING) contains "]" or
urldecode(cgi.QUERY_STRING) contains "*" or
urldecode(cgi.QUERY_STRING) contains "(" or
urldecode(cgi.QUERY_STRING) contains ")" or
urldecode(cgi.QUERY_STRING) contains "\" or
urldecode(cgi.QUERY_STRING) contains "{" or
urldecode(cgi.QUERY_STRING) contains "}" or
urldecode(cgi.QUERY_STRING) contains "delete" or
urldecode(cgi.QUERY_STRING) contains "drop" or
urldecode(cgi.QUERY_STRING) contains "exe">

BAD STRING!
<cfabort>

</cfif>

Thanks Jacob




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303697


RE: Prevent Cross Site scripting

2008-04-17 Thread Dave Watts
 If I added the following, would this prevent Cross Site 
 Scripting issues ...

No, that's not sufficient. First, there are other scopes that can contain
XSS attack patterns. Second, you're better off following a deny all, then
allow approach instead of what you're doing. You can't guarantee that you
can identify every possible unsafe character or sequence.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303717
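
An added example, not Dave's or Jacob's code and not posted in the thread, of the "deny all, then allow" approach for the URL scope. Instead of hunting for bad characters, the page declares which parameters it accepts and what each value may look like; an unlisted parameter, a value that does not match its pattern, or a control character anywhere is enough to refuse the request. Compare this with the cfif above: that check also rejects honest values such as sort=dropdown or a search for "executive" (contains is a substring test), and it only looks at the query string, which is Dave's point about other scopes. The parameter names and patterns are invented for the example; it is cfscript so it runs on ColdFusion 5 as well.

```cfml
<cfscript>
// Refuse the request unless every URL parameter is one we declared and its
// whole value matches the pattern we declared for it. The patterns are
// anchored with ^ and $ so "5<script>" does not pass as "5".
// Added example; the parameters and patterns below are invented.
function URLScopeIsAllowed(allowed) {
    var key = "";
    for (key in URL) {
        if (NOT StructKeyExists(allowed, key)) return false;    // unexpected parameter
        if (REFind("[[:cntrl:]]", URL[key])) return false;     // newline, NUL and friends
        if (NOT REFind(allowed[key], URL[key])) return false;  // wrong shape
    }
    return true;
}
</cfscript>

<cfset allowed = StructNew()>
<cfset allowed.id   = "^[0-9]+$">              <!--- a record id: digits only --->
<cfset allowed.sort = "^(name|date|size)$">    <!--- one of three fixed words --->
<cfset allowed.q    = "^[A-Za-z0-9 ]*$">       <!--- free text: letters, digits, spaces --->

<cfif NOT URLScopeIsAllowed(allowed)>
    <!--- refuse, and say as little as possible about why --->
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- past this point URL.id, URL.sort and URL.q have exactly the shape the
      patterns allow. Output is still escaped when it is printed (HTMLEditFormat
      for HTML, and so on): allowlisting the input does not replace escaping
      the output, it just narrows what the output code has to deal with. --->
```

The same function can be pointed at the FORM scope by passing it in place of URL, which closes the gap Dave raises. Each pattern should be as narrow as the page can live with; a pattern like "^.*$" is a blocklist in disguise.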


Re: Good script to prevent cross-site scripting sql injection?

2006-08-09 Thread Mark Stanton
I just stumbled across the safeText function over at cflib.org -
http://www.cflib.org/codeView.cfm?ID=56

Any views on how suitable this is for XSS protection (not SQL injection)?

-- 
Mark Stanton
Gruden Pty Ltd
http://www.gruden.com

~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249278
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: Good script to prevent cross-site scripting sql injection?

2006-08-09 Thread Andrew Grosset
Interesting tag... however, if you are allowing HTML input the best technique is 
to establish a list of allowable tags and then remove everything else. Trying 
to come up with a comprehensive list of bad tags to disallow is nearly 
impossible.

Andrew

I just stumbled across the safeText function over at cflib.org -
http://www.cflib.org/codeView.cfm?ID=56

Any views on how suitable this is for XSS protection (not SQL injection)?

-- 
Mark Stanton
Gruden Pty Ltd
http://www.gruden.com

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249359


Re: Good script to prevent cross-site scripting sql injection?

2006-08-08 Thread Mike Kear
I have a site where the guestbook is a constant problem for me.  I've
tried persuading the radio station management that they really don't
want a guestbook but they see it as an important way to interact with
the listeners.

We'll get a fan of a show saying how the host is wonderful - a dream -
'a real spunk' then a whole tribe of others saying how ugly and
totally undesirable the host is.  Never any middle ground.

So I have to keep it going.

It's a constant source of problems, from people at other stations or
fans of other stations trying to embarrass us by putting links to porn
or telling out-and-out lies there.   We get lots of spammers trying to
use our guestbook form to send their emails or post links to their
sites.

Here are some of the things we do (and it's a changing feast - I'm
always tinkering with the process page to tighten it up a little
without inhibiting the real listeners posting, which is why we haven't
gone to using Captcha yet).

[A] no guestbook post goes straight to the site.  It goes to an editor first
[B] any post containing the character < gets dumped. (early attempt to
filter out html)
[C] any post containing some reserved words gets dumped.
[D] Just in case B didn't catch it, all posts are HTMLEditFormatted
[E] All posts go through cfqueryparam on their way into the database
[F] Any posts not coming from the right page (i.e. having
cgi.http_referer with the correct value) get dumped.
[G] IP addresses of every post are stored, and posts coming from some
IPs and some domains are dumped.

The poster doesn't always get notified that the post has been dumped -
I don't want to give too many clues to the abusers about what checks
are being made.  There aren't any foolproof safeguards but we keep on
working on it while trying to resist any measure that will make it
more difficult for legitimate listeners to post.

It keeps managing that site interesting though!


Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month






On 8/8/06, Dave Watts [EMAIL PROTECTED] wrote:
  Do you have any scripts that you can share?

 Well, no, unfortunately.

 The reason for this is that there are various approaches that you can take
 to solve this problem, and these approaches are very dependent on what
 you're trying to accomplish - it's not a matter of just having a script that
 you can plug in. One solution, as Michael Dawson mentioned, is to use
 HTMLEditFormat to remove all HTML from input. This is pretty simple, and
 prevents many XSS attacks (though not necessarily all). But what if you want
 to allow people to input HTML in the first place? This is somewhat common in
 CMS environments, for example. This is why languages like BBML exist - to
 allow limited HTML authoring without allowing the author to submit HTML to
 the server. Even then, you have to watch out for things like JavaScript
 pseudo-URLs, which bypass any tag-based approach to removing XSS exploits.

 In addition, you may choose to differentiate between safe and unsafe
 strings, an approach recommended by Joel Spolsky in passing here:

 http://www.joelonsoftware.com/articles/Wrong.html

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
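Mike Kear's checklist [A]-[G] above, as an added example that is not his or AFP Webworks' code: a Python intake filter in which html.escape stands in for HTMLEditFormat, sqlite3 bound parameters stand in for cfqueryparam, and the allowed referer, reserved words, blocklists and sample posts are all constructed for the illustration.

```python
import html
import sqlite3
from dataclasses import dataclass
from typing import List, Tuple

# Constructed values for this example; a real site would load these from config.
ALLOWED_REFERER = "http://radio.example/guestbook.cfm"
RESERVED_WORDS = ("casino", "free money", "cheap pills")
BLOCKED_IPS = {"203.0.113.7"}            # TEST-NET-3 address, constructed
BLOCKED_DOMAINS = {"spam.example"}


@dataclass
class Post:
    body: str
    referer: str          # what the client sent as HTTP referer
    remote_addr: str
    remote_host: str = ""


@dataclass
class Decision:
    accepted: bool
    reason: str           # logged server-side only; the poster is not told which check fired
    stored_body: str = ""


def screen_post(post: Post) -> Decision:
    # [F] wrong referer -> dump. The referer is client-supplied, so this only
    #     stops careless off-site form posts, not a deliberate attacker.
    if post.referer != ALLOWED_REFERER:
        return Decision(False, "referer")
    # [G] known-bad IPs and domains
    if post.remote_addr in BLOCKED_IPS or post.remote_host.lower() in BLOCKED_DOMAINS:
        return Decision(False, "blocklist")
    # [B] any '<' is treated as an attempt to post HTML
    if "<" in post.body:
        return Decision(False, "html")
    # [C] reserved words
    lowered = post.body.lower()
    if any(word in lowered for word in RESERVED_WORDS):
        return Decision(False, "reserved word")
    # [D] the HTMLEditFormat step: '&', '>' and quotes become entities, so even
    #     text that slipped past [B] renders as literal characters
    return Decision(True, "queued", html.escape(post.body, quote=True))


def make_queue_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE queue (id INTEGER PRIMARY KEY, body TEXT,"
                 " remote_addr TEXT, approved INTEGER NOT NULL DEFAULT 0)")
    return conn


def queue_for_editor(conn: sqlite3.Connection, post: Post, safe_body: str) -> int:
    # [A] nothing goes live: approved stays 0 until an editor flips it
    # [E] bound parameters (the cfqueryparam equivalent); [G] the IP is stored with the post
    cur = conn.execute(
        "INSERT INTO queue (body, remote_addr, approved) VALUES (?, ?, 0)",
        (safe_body, post.remote_addr),
    )
    conn.commit()
    return cur.lastrowid


def pending_for_editor(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    return list(conn.execute(
        "SELECT id, body, remote_addr FROM queue WHERE approved = 0 ORDER BY id"))


if __name__ == "__main__":
    db = make_queue_db()
    post = Post("Love the show!", ALLOWED_REFERER, "198.51.100.9")
    verdict = screen_post(post)
    if verdict.accepted:
        queue_for_editor(db, post, verdict.stored_body)
    print(verdict, pending_for_editor(db))
```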


~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249118
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-08 Thread James Holmes
Here is a good example of the kind of determination people trying to
prevent JS hacks (e.g. XSS) are facing:

http://namb.la/popular/tech.html

On 8/8/06, Mike Kear [EMAIL PROTECTED] wrote:
 I have a site where the guestbook is a constant problem for me.  I've
 tried persuading the radio station management that they really dont
 want a guestbook but they see it as an important way to interact with
 the listeners.

 We'll get a fan of a show saying how the host is wonderful - a dream -
 'a real spunk' then a whole tribe of others saying how ugly and
 totally undesirable the host is.  Never any middle ground.

 So I have to keep it going.

 It's a constant source of problems, from people at other stations or
 fans of other stations trying to embarass us by putting links to porn
 or telling out-and-out lies there.   We get lots of spammers trying to
 use our guestbook form to send their emails or post links to their
 sites.

 Here are some of the things we do (and it's a changing feast - I'm
 always tinkering with the process page to tighten it up a little
 without inhibiting the real listeners posting, which is why we haven't
 gone to using Captcha yet).

 [A] No guestbook post goes straight to the site.  It goes to an editor first.
 [B] Any post containing the character < gets dumped (early attempt to
 filter out HTML).
 [C] Any post containing some reserved words gets dumped.
 [D] Just in case [B] didn't catch it, all posts are run through HTMLEditFormat.
 [E] All posts go through cfqueryparam on their way into the database.
 [F] Any post not coming from the right page (i.e. without the correct
 cgi.http_referer value) gets dumped.
 [G] The IP address of every post is stored, and posts coming from some
 IPs and some domains are dumped.

 The poster doesn't always get notified that the post has been dumped -
 I don't want to give too many clues to the abusers about what checks
 are being made.  There aren't any foolproof safeguards, but we keep on
 working on it while trying to resist any measure that will make it
 more difficult for legitimate listeners to post.

 It keeps managing that site interesting though!


 Cheers
 Mike Kear
 Windsor, NSW, Australia
 Adobe Certified Advanced ColdFusion Developer
 AFP Webworks
 http://afpwebworks.com
 ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month






 On 8/8/06, Dave Watts [EMAIL PROTECTED] wrote:
   Do you have any scripts that you can share?
 
  Well, no, unfortunately.
 
  The reason for this is that there are various approaches that you can take
  to solve this problem, and these approaches are very dependent on what
  you're trying to accomplish - it's not a matter of just having a script that
  you can plug in. One solution, as Michael Dawson mentioned, is to use
  HTMLEditFormat to remove all HTML from input. This is pretty simple, and
  prevents many XSS attacks (though not necessarily all). But what if you want
  to allow people to input HTML in the first place? This is somewhat common in
  CMS environments, for example. This is why languages like BBML exist - to
  allow limited HTML authoring without allowing the author to submit HTML to
  the server. Even then, you have to watch out for things like JavaScript
  pseudo-URLs, which bypass any tag-based approach to removing XSS exploits.
 
  In addition, you may choose to differentiate between safe and unsafe
  strings, an approach recommended by Joel Spolsky in passing here:
 
  http://www.joelonsoftware.com/articles/Wrong.html
 
  Dave Watts, CTO, Fig Leaf Software
  http://www.figleaf.com/
 

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249120


Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Rey Bango
Hi guys,

Any recommendations on a good script to prevent cross-site scripting & 
sql injection? If someone has good code for this, I'd really appreciate 
it if I could use it.

Rey...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249022


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Ian Skinner
For SQL injection, dedicated use of cfqueryparam ... in all queries where 
user input is accepted prevents most if not all attacks. 

For Cross-Site Scripting, I think urlEncodedFormat() can be used in some places, but 
I'm not sure how universal this one is.


--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA

-
| 1 |   |
-  Binary Soduko
|   |   |
-
 
C code. C code run. Run code run. Please!
- Cynthia Dunning

Confidentiality Notice:  This message including any
attachments is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the
intended recipient, please contact the sender and
delete any copies of this message. 




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249023


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Greg Morphis
look into cfqueryparam, you can't go wrong with it

On 8/7/06, Rey Bango [EMAIL PROTECTED] wrote:
 Hi guys,

 Any recommendations on a good script to prevent cross-site scripting &
 sql injection? If someone has good code for this, I'd really appreciate
 it if I could use it.

 Rey...

 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249024


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Brad Wood
I don't have any scripts per se, but I usually check the CGI referrer
to prevent someone from posting off-site forms to my process scripts. As
far as SQL injection, cfqueryparam will go a long way to help that...
and be careful of the preserveSingleQuotes() function -- it can make it
easier to insert SQL.

Also, in MX7, look into the Enable Global Script Protection setting on
the settings page of cf admin.

~Brad

-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 07, 2006 11:39 AM
To: CF-Talk
Subject: Good script to prevent cross-site scripting & sql injection?

Hi guys,

Any recommendations on a good script to prevent cross-site scripting & 
sql injection? If someone has good code for this, I'd really appreciate 
it if I could use it.

Rey...



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249025


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Andy Matthews
I was under the impression that CFQUERYPARAM took care of all of the SQL
injection possibilities.

!//--
andy matthews
web developer
certified advanced coldfusion programmer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-

-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]
Sent: Monday, August 07, 2006 11:39 AM
To: CF-Talk
Subject: Good script to prevent cross-site scripting & sql injection?


Hi guys,

Any recommendations on a good script to prevent cross-site scripting &
sql injection? If someone has good code for this, I'd really appreciate
it if I could use it.

Rey...



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249027


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Ian Skinner
I was under the impression that CFQUERYPARAM took care of all of the SQL 
injection possibilities.

--

All that I know of, but I understand hacker types to often be very creative and 
intelligent people.  I always assume that they have, or will someday, figure 
out new attacks.  The hope being that the attacks are so convoluted and time 
consuming as to usually not be worth it.


--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA

-
| 1 |   |
-  Binary Soduko
|   |   |
-
 
C code. C code run. Run code run. Please!
- Cynthia Dunning





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249030


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Rey Bango
Awesome. Thanks for all of the suggestions guys!

Rey

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249031


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Brad Wood
If you use cfqueryprocparam, you can still have troubles if your stored
proc builds a dynamic statement and then executes it without stripping
out single ticks.

We found that out on accident, when our order find would blow up every
time someone searched for a name like O'Neil.  :)

~Brad

-Original Message-
From: Andy Matthews [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 07, 2006 12:27 PM
To: CF-Talk
Subject: RE: Good script to prevent cross-site scripting & sql
injection?

I was under the impression that CFQUERYPARAM took care of all of the SQL
injection possibilities.

!//--
andy matthews
web developer
certified advanced coldfusion programmer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-

-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]
Sent: Monday, August 07, 2006 11:39 AM
To: CF-Talk
Subject: Good script to prevent cross-site scripting & sql injection?


Hi guys,

Any recommendations on a good script to prevent cross-site scripting &
sql injection? If someone has good code for this, I'd really appreciate
it if I could use it.

Rey...





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249033


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Brad Wood
Social engineering can be much more effective, and harder to code for.

~Brad

-Original Message-
From: Ian Skinner [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 07, 2006 12:43 PM
To: CF-Talk
Subject: RE: Good script to prevent cross-site scripting & sql
injection?

I was under the impression that CFQUERYPARAM took care of all of the SQL
injection possibilities.

--

All that I know of, but I understand hacker types to often be very
creative and intelligent people.  I always assume that they have, or
will someday, figure out new attacks.  The hope being that the attacks
are so convoluted and time consuming as to usually not be worth it.



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249035


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Rey Bango
I found a tag called cf_scriptkill in the exchange which seems to work 
quite well. So along with the cfqueryparam, this should help out a lot.

Thanks for all of the suggestions.

Rey...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249036


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Dave Watts
 Also, in MX7, look into the Enable Global Script Protection 
 setting on the settings page of cf admin.

The protection this provides is minimal, at best. It's really no substitute
for properly preventing XSS attacks.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249046


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Dave Watts
  I was under the impression that CFQUERYPARAM took care of all 
  of the SQL injection possibilities.
 
 All that I know of, but I understand hacker types to often be 
 very creative and intelligent people.  I always assume that 
 they have, or will someday, figure out new attacks.  The hope 
 being that the attacks are so convoluted and time consuming 
 as to usually not be worth it.

Well, actually, CFQUERYPARAM prevents SQL injection attacks from working,
period. SQL injection attacks rely upon the ability to have your database
execute code, and CFQUERYPARAM prevents that from happening.

That said, CFQUERYPARAM does nothing to prevent other sorts of attacks, so
you will certainly want to filter inputs appropriately. There are various
approaches you can take to this, but essentially you want to remove or
disable any content that would be executable within a browser, such as
JavaScript.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


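Dave's point that a bound parameter never becomes SQL text, together with Brad Wood's earlier caveat about a stored procedure that rebuilds a dynamic statement (the O'Neil failure), as an added example that is not either poster's code: Python's sqlite3 stands in for cfqueryparam, and the orders table and its rows are constructed for the illustration.

```python
import sqlite3
from typing import Dict, List, Union


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL)")
    conn.executemany("INSERT INTO orders (customer) VALUES (?)",
                     [("O'Neil",), ("Smith",), ("O'Brien",)])   # constructed rows
    return conn


def find_orders_param(conn: sqlite3.Connection, name: str) -> List[int]:
    # cfqueryparam equivalent: the value is bound to '?' and never becomes SQL
    # text, so an apostrophe (or anything else) in the name is just data.
    rows = conn.execute("SELECT id FROM orders WHERE customer = ?", (name,))
    return [row[0] for row in rows]


def find_orders_dynamic(conn: sqlite3.Connection, name: str) -> List[int]:
    # Models the stored procedure Brad describes: the value did arrive as a
    # bound parameter, but the procedure then concatenates it into a new
    # statement and executes that. The parameter boundary is gone; O'Neil's
    # apostrophe ends the literal early and the statement fails to parse, and
    # the same hole with other input is SQL injection. The fix is to bind the
    # value to the dynamic statement as well (sp_executesql with parameters on
    # SQL Server), not to strip quotes from it.
    sql = "SELECT id FROM orders WHERE customer = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def search_both(conn: sqlite3.Connection, name: str) -> Dict[str, Union[List[int], str]]:
    """Run one name through both paths; a database error is reported as a string."""
    result: Dict[str, Union[List[int], str]] = {"param": find_orders_param(conn, name)}
    try:
        result["dynamic"] = find_orders_dynamic(conn, name)
    except sqlite3.Error as exc:
        result["dynamic"] = "error: " + type(exc).__name__
    return result


if __name__ == "__main__":
    db = make_db()
    for customer in ("Smith", "O'Neil"):
        print(customer, search_both(db, customer))
```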
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249045


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Rey Bango
Dave,

Do you have any scripts that you can share?

Rey...

Dave Watts wrote:
Also, in MX7, look into the Enable Global Script Protection 
setting on the settings page of cf admin.
 
 
 The protection this provides is minimal, at best. It's really no substitute
 for properly preventing XSS attacks.
 
 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
 
 Fig Leaf Software provides the highest caliber vendor-authorized
 instruction at our training centers in Washington DC, Atlanta,
 Chicago, Baltimore, Northern Virginia, or on-site at your location.
 Visit http://training.figleaf.com/ for more information!
 
 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249049


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Dawson, Michael
As others have mentioned, use cfqueryparam for input, but you should
also use htmlEditFormat() for ALL output that could have originated
outside your application.  This will escape all tags and should render
any javascript blocks useless.

M!ke

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249052


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Dave Watts
 Do you have any scripts that you can share?

Well, no, unfortunately.

The reason for this is that there are various approaches that you can take
to solve this problem, and these approaches are very dependent on what
you're trying to accomplish - it's not a matter of just having a script that
you can plug in. One solution, as Michael Dawson mentioned, is to use
HTMLEditFormat to remove all HTML from input. This is pretty simple, and
prevents many XSS attacks (though not necessarily all). But what if you want
to allow people to input HTML in the first place? This is somewhat common in
CMS environments, for example. This is why languages like BBML exist - to
allow limited HTML authoring without allowing the author to submit HTML to
the server. Even then, you have to watch out for things like JavaScript
pseudo-URLs, which bypass any tag-based approach to removing XSS exploits.

In addition, you may choose to differentiate between safe and unsafe
strings, an approach recommended by Joel Spolsky in passing here:

http://www.joelonsoftware.com/articles/Wrong.html

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


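The three approaches in Dave's post above, as an added example that is not his or Fig Leaf's code, in Python rather than CFML: escape_all() is the HTMLEditFormat-style option where no markup survives; render_bbml() is a tiny BBML-like dialect (two constructed tags, [b] and [url=]) that lets an author mark up text without ever submitting HTML, with link targets checked against a scheme allow-list so a JavaScript pseudo-URL cannot ride in on an attribute; SafeHtml is the safe/unsafe string distinction from Spolsky's article, enforced at the output boundary.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit


class SafeHtml(str):
    """Marker type for text that is already safe to emit into an HTML page."""


def escape_all(unsafe: str) -> SafeHtml:
    # HTMLEditFormat equivalent: every '<', '>', '&' and quote becomes an
    # entity, so the input can only ever render as literal text.
    return SafeHtml(html.escape(unsafe, quote=True))


ALLOWED_SCHEMES = {"http", "https"}   # constructed allow-list for this example


def safe_href(raw: str) -> Optional[str]:
    # Stripping tags does nothing for a link target: the dangerous part of a
    # javascript: pseudo-URL is the scheme, not a tag. Allow-list the schemes
    # instead of trying to block-list the bad ones.
    scheme = urlsplit(raw.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return html.escape(raw, quote=True)   # quotes cannot close the href attribute


_BOLD = re.compile(r"\[b\](.*?)\[/b\]", re.S)
_LINK = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S)


def render_bbml(unsafe: str) -> SafeHtml:
    # Escape first: whatever HTML the author typed is now inert. The only markup
    # in the output is what the server itself generates from the two tags.
    text = html.escape(unsafe, quote=True)
    text = _BOLD.sub(r"<b>\1</b>", text)

    def link(match):
        target = html.unescape(match.group(1))   # check the real value, not the escaped one
        href = safe_href(target)
        if href is None:
            return match.group(2)                 # drop the link, keep the visible text
        return f'<a href="{href}">{match.group(2)}</a>'

    return SafeHtml(_LINK.sub(link, text))


def emit(fragment: str) -> str:
    # The output boundary accepts SafeHtml only; a raw request string raises
    # here instead of reaching the page.
    if not isinstance(fragment, SafeHtml):
        raise TypeError("unsafe string reached the output; escape or render it first")
    return str(fragment)


if __name__ == "__main__":
    print(emit(escape_all("<b>not bold</b> & more")))
    print(emit(render_bbml("[b]hi[/b] [url=http://example.com/?a=1&b=2]site[/url]")))
    print(emit(render_bbml("[url=javascript:void(0)]click[/url]")))
```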
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249063