Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-12-18 Thread Eric Dawson
good code.
cfabort in application.cfm?
I think I'll do the same.
- Original Message - 
From: "Andrew Grosset" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Saturday, December 18, 2004 4:36 PM
Subject: Re: Securing CF Apps against SQL Injection & Cross Site Scripting


> I just put the following in my application template to check all urls:
>
> 
> tmp = urldecode(cgi.query_string);
> // remove all opening and closing tags..
> tmp = Replace(tmp, "<", "", "ALL");
> tmp = Replace(tmp, ">", "", "ALL");
>
> // remove other...
> // [ and ] have to be handled separately
>
> other="[\(){}]";
> tmp = REReplace(tmp,other,"","ALL");
> tmp = Replace(tmp,"[","","ALL");
> tmp = Replace(tmp,"]","","ALL");
>
> tmp = Replace(tmp,"+","","ALL");
> tmp = Replace(tmp,"*","","ALL");
>
> tmp = ReplaceNoCase(tmp,"DROP","","ALL");
> tmp = ReplaceNoCase(tmp,"DELETE","","ALL");
> tmp = ReplaceNoCase(tmp,"exe","","ALL");
> 
>
> 
>
>   
>
>   
>
> 
>
>
> >Would you be willing to share your modded cf_codecleaner custom tag?
> >
> >Thanks!
> >MAD
> >
>
> 

~|
Special thanks to the CF Community Suite Silver Sponsor - RUWebby
http://www.ruwebby.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:188157
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54


Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-12-18 Thread Andrew Grosset
I just put the following in my application template to check all urls:


tmp = urldecode(cgi.query_string);
// remove all opening and closing tags..
tmp = Replace(tmp, "<", "", "ALL");
tmp = Replace(tmp, ">", "", "ALL");

// remove other...
// [ and ] have to be handled separately

other="[\(){}]"; 
tmp = REReplace(tmp,other,"","ALL"); 
tmp = Replace(tmp,"[","","ALL"); 
tmp = Replace(tmp,"]","","ALL");

tmp = Replace(tmp,"+","","ALL");
tmp = Replace(tmp,"*","","ALL");

tmp = ReplaceNoCase(tmp,"DROP","","ALL");
tmp = ReplaceNoCase(tmp,"DELETE","","ALL");
tmp = ReplaceNoCase(tmp,"exe","","ALL");


>Would you be willing to share your modded cf_codecleaner custom tag?
>
>Thanks!
>MAD
>

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:188153


Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-12-16 Thread Michael Dawson
Would you be willing to share your modded cf_codecleaner custom tag?

Thanks!
MAD

> Yes, I did virtually the same except I modified cf_codecleaner to do 
> the CompareNoCase within the tag, email me the details and cflocation 
> (I'm going to make a "special" 500 page as I can't get cfheader to 
> work with all browsers - notably cfheader, and do away with 
> cflocation). This keeps the application.cfm less "cluttered" as I can 
> then do all the business within one line of code in application.cfm.
> 
> Also I use #urldecode(cgi.query_string)# as otherwise %3c (percent 3 
> c) will not be scrubbed (also applies to all other HTML escaped 
> encoding).
> 
> Within the script tags I also added:
> 
> // remove other...
> // [ and ] have to be handled separately
> 

> other="[\(){}]"; 

> tmp = REReplace(tmp,other,"","ALL"); 

> tmp = Replace(tmp,"[","","ALL"); 

> tmp = Replace(tmp,"]","","ALL");
>   
>   tmp = Replace(tmp,"+","","ALL");
>   tmp = Replace(tmp,"*","","ALL");
> 
> It's pretty consistent at around 15-16ms which is good.
> 
> regards, Andrew.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:187934


RE: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-14 Thread Dave Watts
> On IIS you can use the Microsoft tool URLScan for this,
> or the Aqtronix Web Knight. I believe this capability 
> is built into IIS 6 on Win2K3, but I haven't used it 
> yet to know for sure.

Yes, IIS 6 has an input filter, although it's not exactly the same as
URLScan.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
 [Todays Threads] 
 [This Message] 
 [Subscription] 
 [Fast Unsubscribe] 
 [User Settings]




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-14 Thread Brandon Harper
I'm jumping a little late into this discussion, but I see a couple of
things which haven't been discussed.

I think you need to do protection against XSS and SQL Injection in
multiple layers.

1.) Web Server / Application Server Layer
2.) Pre-Application Execution
3.) Post User Input / Pre Query

1:

On IIS you can use the Microsoft tool URLScan for this, or the Aqtronix
Web Knight.  I believe this capability is built into IIS 6 on Win2K3,
but I haven't used it yet to know for sure.

For Apache, you should check into mod_security.  I was pretty happy when
this was released, and use it on my site.

2:

I essentially wrote a custom app which checks various scopes for various
RegEx's related to XSS and SQL Injection which are run from
Application.cfm, as well as the detection of buffer overflow
attempts, etc.  If something is violated, we get an e-mail with the
details about it, and the user is redirected gracefully.

3:

Make sure you scrub all user input, including checking the Len(Trim()) of
each parameter to make sure it's not too long.  Never trust anything which
is coming in via form, url, cookie, or client variables (such as
CGI.HTTP_USER_AGENT).  And as others have mentioned, proper granular
security on databases.

This is a bit on the anal side, but the software I work with requires it.

Note that pretty much all of these solutions assume you have a decent
grasp of writing RegEx's, as well as know how the various exploits can be
performed.

Thanks,

- Brandon

http://devnulled.com




RE: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-13 Thread Ian Vaughan
Such as using regex etc to stop html tags being added to the URL.

 
If you take a look at the article below on MSDN, you will see that they
suggest using regex, and using HTML encode on all input when it is used as
output to prevent cross site scripting, buffer overflows etc.

 
http://msdn.microsoft.com/security/understanding/overview/default.aspx?pull=/msdnmag/issues/02/09/securitytips/default.aspx



From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: 13 May 2004 10:42
To: CF-Talk
Subject: Re: Securing CF Apps against SQL Injection & Cross Site
Scripting

Ian Vaughan wrote:
> How could I prevent
>  
> ?name=alert('hi!');
>  
> this type of input being added to the URL in Coldfusion ??

You can never prevent a visitor from adding things to a URL, you 
can only design your application to respond properly to what has 
been added to a URL. That means you first have to define what a 
proper response would be and after that we might be able to help 
you code for it.

Jochem

-- 
I don't get it
immigrants don't work
and steal our jobs
 - Loesje 





Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-13 Thread Jochem van Dieten
Ian Vaughan wrote:
> How could I prevent
>  
> ?name=alert('hi!');
>  
> this type of input being added to the URL in Coldfusion ??

You can never prevent a visitor from adding things to a URL, you 
can only design your application to respond properly to what has 
been added to a URL. That means you first have to define what a 
proper response would be and after that we might be able to help 
you code for it.

Jochem

-- 
I don't get it
immigrants don't work
and steal our jobs
 - Loesje




RE: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-13 Thread Ian Vaughan
How could I prevent

 
?name=alert('hi!');

 
this type of input being added to the URL in Coldfusion ??

 
Any ideas on how to prevent this ??



From: Matt Robertson [mailto:[EMAIL PROTECTED] 
Sent: 07 May 2004 07:44
To: CF-Talk
Subject: RE: Securing CF Apps against SQL Injection & Cross Site
Scripting

good ideas, all.  Thanks for sharing!


Matt Robertson   [EMAIL PROTECTED] 
MSB Designs, Inc.  http://mysecretbase.com
 





Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-07 Thread Thomas Chiverton
On Friday 07 May 2004 00:01 am, Andrew Grosset wrote:
> Works great in IE, but Mozilla Firebird ignores cfheader and displays the

*Really* ?!?
:tests
Bonkers.
I'd stick a cfabort in after the cfheader, just to be sure anyway.

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.
*** This E-mail contains confidential information for the addressee
only. If you are not the intended recipient, please notify us
immediately. You should not use, disclose, distribute or copy this
communication if received in error. No binding contract will result from
this e-mail until such time as a written document is signed on behalf of
the company. BlueFinger Limited cannot accept responsibility for the
completeness or accuracy of this message as it has been transmitted over
public networks.***




RE: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
good ideas, all.  Thanks for sharing!


 Matt Robertson   [EMAIL PROTECTED] 
 MSB Designs, Inc.  http://mysecretbase.com





Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Andrew Grosset
> Andrew Grosset wrote:
> >Works great in IE, but Mozilla Firebird ignores cfheader and displays 
> 
> >the page as normal...
> 
> I put in  right afterwards :D
> 
> Here's the whole test I'm using.  I put this into application.cfm and, 
> as you say, it only eats a max of 15ms.
> 
> 
> 
> Cleanurl=clean_code>
>  
> 	
> 	
> 
> 
> 
> --
> ---

 
> Matt Robertson, [EMAIL PROTECTED]

 
> MSB Designs, Inc. http://mysecretbase.com
> ---
> 
--
Yes, I did virtually the same except I modified cf_codecleaner to do the CompareNoCase within the tag, email me the details and cflocation (I'm going to make a "special" 500 page as I can't get cfheader to work with all browsers - notably cfheader, and do away with cflocation). This keeps the application.cfm less "cluttered" as I can then do all the business within one line of code in application.cfm.

Also I use #urldecode(cgi.query_string)# as otherwise %3c (percent 3 c) will not be scrubbed (also applies to all other HTML escaped encoding).

Within the script tags I also added:

// remove other...
// [ and ] have to be handled separately

other="[\(){}]";
tmp = REReplace(tmp,other,"","ALL");
tmp = Replace(tmp,"[","","ALL");
tmp = Replace(tmp,"]","","ALL");

tmp = Replace(tmp,"+","","ALL");
tmp = Replace(tmp,"*","","ALL");

It's pretty consistent at around 15-16ms which is good.

regards, Andrew.




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
Andrew Grosset wrote:
>Works great in IE, but Mozilla Firebird ignores cfheader and displays 
>the page as normal...

I put in  right afterwards :D

Here's the whole test I'm using.  I put this into application.cfm and, as you say, it only eats a max of 15ms.



 
	
	


--
---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---

--




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Andrew Grosset
Works great in IE, but Mozilla Firebird ignores cfheader and displays the page as normal...

>My turn for a dumb question:  Would this be all there is to it?
>
>
>
>
>
>--Matt Robertson--
>MSB Designs, Inc.
>http://mysecretbase.com




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
John wrote:
>what codecleaner does? and where do I find it?

http://tinyurl.com/2vo8k

--
---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---

--




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread John Ho
what codecleaner does? and where do I find it?

> Jim wrote:
> >How do I use it?  
> 
> For just a form var its completely painless.  CodeCleaner is just a 
> custom tag, so you either put it into the current folder or the custom 
> tags folder.  Then, on a form post page you would validate all of your 
> form fields with it.  I do it in a block like you see below.  Each 
> call takes only a smidgen of time:
> 
> 
> 
> FirstName=clean_code>
> 
> LastName=clean_code>
> 
> EmailAddr=clean_code>
> 
> MailAddr=clean_code>
> 
> MailCity=clean_code>
> 
> MailState=clean_code>
> 
> MailZIP=clean_code>
> 
> 
> 
> --
> ---

 
> Matt Robertson, [EMAIL PROTECTED]

 
> MSB Designs, Inc. http://mysecretbase.com
> ---
> 
--




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
>>Why not return a 500 (or other permanent) HTTP error ?
>Yes, that would be a better solution.

My turn for a dumb question:  Would this be all there is to it?





--Matt Robertson--
MSB Designs, Inc.
http://mysecretbase.com




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Matt Robertson
Jim wrote:
>How do I use it?  

For just a form var its completely painless.  CodeCleaner is just a custom tag, so you either put it into the current folder or the custom tags folder.  Then, on a form post page you would validate all of your form fields with it.  I do it in a block like you see below.  Each call takes only a smidgen of time:










--
---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---

--




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Jim Louis
Ok, I know a stupid answer is coming up for this question.  I downloaded the Codecleaner.  How do I use it?  Do I add it to my application.cfm? If so, how do I?  And what is the tag line in the form?

Jim

> CodeCleaner is an absolutely fantastic tag.  Runs like lightning.  I 
> use cfqueryparam but nonetheless I still scrub form inputs with it.
> 
> What did you need to modify in CodeCleaner to make it scrub urls?  I 
> glanced at it very quickly and it seems like it'll take whatever you 
> feed it.
> 
> 
> 
> --
> ---

 
> Matt Robertson, [EMAIL PROTECTED]

 
> MSB Designs, Inc. http://mysecretbase.com
> ---
> 
--




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Andrew Grosset
When checking the query string I also decode it like this:

#urldecode(cgi.query_string)#

this is to escape any HTML escaped encoding




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Andrew Grosset
Yes, that would be a better solution.

>Why not return a 500 (or other permanent) HTTP error ?
>
>-- 
>Tom Chiverton 
>Advanced ColdFusion Programmer




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-06 Thread Thomas Chiverton
On Thursday 06 May 2004 01:29 am, Andrew Grosset wrote:
> same as the scrubbed result (tmp). If caller.check GT 0 then I email myself
> the details and throw them out to google!

Why not return a 500 (or other permanent) HTTP error ?

-- 
Tom Chiverton 
Advanced ColdFusion Programmer




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-05 Thread Andrew Grosset
I'm checking to see whether the original input (attributes.input) is the same as the scrubbed result (tmp). If caller.check GT 0 then I email myself the details and throw them out to google!

My theory is that if somebody is "playing" with the urls I don't want to show them the scrubbed result (in case I've missed something), and for 99% of bona fide users the caller.check will always return "0" - in which case I do nothing.


    


> CodeCleaner is an absolutely fantastic tag.  Runs like lightning.  I 
> use cfqueryparam but nonetheless I still scrub form inputs with it.
> 
> What did you need to modify in CodeCleaner to make it scrub urls?  I 
> glanced at it very quickly and it seems like it'll take whatever you 
> feed it.
> 
> 
> 
> --
> ---

 
> Matt Robertson, [EMAIL PROTECTED]

 
> MSB Designs, Inc. http://mysecretbase.com
> ---
> 
--
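The decode-scrub-compare check Andrew describes above, using the blacklist rules from his December cfscript snippet and the 500 response Tom suggested, written in Python as an added example; it is not the cf_codecleaner tag nor any poster's code. The names scrub, check, respond and INCIDENTS are mine, the comparison against the decoded input is an assumption, and the sample query strings are constructed.

```python
import html
import re
from urllib.parse import unquote

# Blacklist taken from Andrew's cfscript snippet in this thread: angle brackets,
# ( ) { } [ ], + and *, plus the words DROP / DELETE / exe (case-insensitive).
_CHARS = re.compile(r"[<>(){}\[\]+*]")
_WORDS = re.compile(r"DROP|DELETE|exe", re.IGNORECASE)


def scrub(query_string, decode=True):
    """Apply the thread's scrubbing rules to a raw CGI.QUERY_STRING.

    decode=True mirrors urldecode(cgi.query_string): the string is decoded once
    first, so that %3c becomes '<' and is removed.  decode=False shows the gap
    Andrew pointed out: an encoded bracket passes the blacklist untouched.
    """
    tmp = unquote(query_string) if decode else query_string
    tmp = _CHARS.sub("", tmp)
    tmp = _WORDS.sub("", tmp)
    return tmp


def check(query_string, decode=True):
    """Python stand-in for CompareNoCase(attributes.input, cleaned_input).

    Returns 0 when scrubbing removed nothing (the ordinary request) and 1 when
    the scrubbed string differs from the input.  Assumption: the comparison is
    against the decoded input, since the scrubbed copy is built from it.
    """
    original = unquote(query_string) if decode else query_string
    return 0 if original.lower() == scrub(query_string, decode).lower() else 1


INCIDENTS = []  # stand-in for the e-mail Andrew and Brandon send themselves


def respond(query_string, client_ip="192.0.2.10"):
    """What application.cfm does with the result.

    A non-zero check returns a 500 (Tom's suggestion, instead of cflocation to
    google) and records the details.  A clean request proceeds, and anything
    echoed back is HTML-encoded on output, the MSDN advice Ian quoted, so a
    value the blacklist never thought of still cannot become markup.
    """
    if check(query_string) != 0:
        INCIDENTS.append({"ip": client_ip, "query": query_string,
                          "scrubbed": scrub(query_string)})
        return 500, "Request rejected"
    return 200, html.escape(unquote(query_string), quote=True)


if __name__ == "__main__":
    # Constructed sample query strings; the second is Ian's example from the thread.
    for qs in ("page=2&sort=name", "name=alert('hi!');",
               "name=%3cb%3ehello", "q=dropdown"):
        print(qs, "->", check(qs), respond(qs))
    # "q=dropdown" trips the check: ReplaceNoCase on DROP also hits ordinary
    # words, which is the false-positive cost of a keyword blacklist.
```

Running it shows the decode step is what makes %3c visible to the blacklist, and that the DROP rule also rejects harmless words like "dropdown".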




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-05 Thread Matt Robertson
CodeCleaner is an absolutely fantastic tag.  Runs like lightning.  I use cfqueryparam but nonetheless I still scrub form inputs with it.

What did you need to modify in CodeCleaner to make it scrub urls?  I glanced at it very quickly and it seems like it'll take whatever you feed it.

--
---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---

--




Re: Securing CF Apps against SQL Injection & Cross Site Scripting

2004-05-05 Thread Andrew Grosset
I would like to emphasise reading "Understanding the cause and effect of CSS (XSS) Vulnerabilities" at http://www.technicalinfo.net/papers/CSS.html as recommended previously by Dave Watts.

If you weren't paranoid about XSS before reading this article you might be after! Besides the obvious dangers of unrestricted form input there is also inline scripting where malicious code is used in the url.

One could pass all urls (#cgi.script_name##cgi.query_string#) through a tag like CF_codecleaner (available at Macromedia.com). However all we need to establish is whether there are "naughty bits" in the url so a quick 

CompareNoCase(attributes.input,cleaned_input) 

(to compare original url+query string with the cleansed url+querystring)

is all one needs. I roughed up a quick mod to cf_codecleaner to do this and it takes 15 milliseconds to check the url. If the url is "unacceptable" you can then email yourself the details and cflocation to google etc!



