Cross-site Scripting

2014-02-07 Thread Richard White

Hi,

What methods do you guys use to prevent cross-site scripting in a CF9 and 
JavaScript application?

I have seen the scriptprotect attribute in the administrator, but have also 
seen that this doesn't fully protect.

Thanks,
Richard 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357610
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Cross-site Scripting

2014-02-07 Thread Steve 'Cutter' Blades

See Jason Dean's presentation on Practical Ajax Security

http://ow.ly/2prk5

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer

http://cutterscrossing.com


Co-Author Learning Ext JS 3.2 Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

The best way to predict the future is to help create it



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357611


Impact of cross site scripting in google search appliance

2013-03-26 Thread funand learning

All -

On our websites, we use Google Search Appliance (GSA). When a user enters a
search term and submits the form, it goes to the GSA. We are using the GET
method, hence the search term is passed as a URL variable. There is a chance of
tampering with the search term in the URL, for example adding an alert statement
to the search term. When this is done, GSA just returns that no search results
are available. I do not understand what the impact of cross site scripting with
Google Search Appliance is. Does anyone have an idea on this?

Thanks.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355146


Re: Impact of cross site scripting in google search appliance

2013-03-26 Thread Dave Watts

 On our websites, we use Google Search Appliance (GSA). When a user enters a
 search term and submits the form, it goes to the GSA. We are using the GET
 method, hence the search term is passed as a URL variable. There is a chance of
 tampering with the search term in the URL, for example adding an alert statement
 to the search term. When this is done, GSA just returns that no search results
 are available. I do not understand what the impact of cross site scripting with
 Google Search Appliance is. Does anyone have an idea on this?

By default, there isn't any impact, because as you observed, the GSA
isn't going to do anything with that query parameter other than use it
in server-side processing. But it is possible to modify the default
XSLT to make it do dangerous things with inputs.

You can avoid this problem by using CF as a proxy of sorts - instead
of submitting the search form directly to the appliance, you could
submit it back to CF, which could either validate values then redirect
you to the GSA or make a CFHTTP call on your behalf. These things will
increase the complexity of your application, though.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355147


Re: Impact of cross site scripting in google search appliance

2013-03-26 Thread funand learning

Dave,

What do you mean when you said that it is possible to modify the default XSLT
and do dangerous things with inputs?

Thanks,
Lavanya

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355149


Re: Impact of cross site scripting in google search appliance

2013-03-26 Thread Dave Watts

 What do you mean when you said that it is possible to modify default XSLT
 and do dangerous things with inputs?

I mean that the administrator of the GSA could log into the admin
console, modify the XSLT manually, and include code to automatically
execute JavaScript found in URL parameters. Just like a CF developer
could do when writing a CF page.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355151


Re: Impact of cross site scripting in google search appliance

2013-03-26 Thread funand learning

Ok. With the existing XSLT, when I use an alert statement in the GSA URL, it
throws an alert, but the search results return the message "No results
available." But when I use the same search term in google.com, it does not
throw any alert.

Do you think I need to update the XSLT to not execute any scripts? Is this
possible?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355152


HTMLEditFormat and Cross Site Scripting

2010-08-27 Thread cindi gannon

New to the cross site scripting arena - trying to prevent users from
entering JavaScript into form fields and the JavaScript from executing.

Pretty much anything goes in the form fields - so I am trying to add
HTMLEditFormat to my code - but the JavaScript is still executing when I
click submit. What am I doing wrong?

No matter what, anytime I put some script code into the ID input box -
the JS gets executed.

code:

<form action="index.cfm" method="POST" name="myForm">
<cfoutput>
<tr><td align="right" class="text9">
   Enter ID:</td><td><input type="text" name="logName"
value="#HtmlEditFormat(VARIABLES.logName)#" size="12"></td></tr>
</cfoutput>
 <tr><td align="center" colspan="2">
<input type="submit" name="submit" id="subbtn" title="Submit"
value="Submit" />
 </td></tr>

</FORM>


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336624


RE: HTMLEditFormat and Cross Site Scripting

2010-08-27 Thread Mark A. Kruger

Cindi,

You need to use HTMLEditFormat in the handler... where's the code that
takes the POST request and does something with it?

-Mark


Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
Skype: markakruger
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336626


RE: HTMLEditFormat and Cross Site Scripting

2010-08-27 Thread cindi . gannon

Hi there - I have it in the handler as shown below - but the JavaScript 
still executes,

so, if I put <script>alert...</script> in the logname field on the form - 
the alert comes up and then the form processes correctly. I'm just trying 
to prevent the alert or whatever JS code is in there maliciously from 
executing. 


<cfif isdefined("form.logname")>
  <cfquery name="getuser" datasource="#application.dsn#">
    select * from t_s1 u, t_s2 x where id = 
    '#htmleditformat(form.logname)#' and u.id = x.id
  </cfquery>
</cfif>


Cindi Gannon, Sr Programmer Analyst | The Bank of New York Mellon 
Corporation
BNY Mellon Technology Support | General Services Support Systems 
Syracuse Office: (315) 362-1196 | FAX (315) 362-3603
cindi.gan...@bnymellon.com
 

 
 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336627


Re: HTMLEditFormat and Cross Site Scripting

2010-08-27 Thread Michael Grant

cfqueryparam is your friend.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336628


Re: HTMLEditFormat and Cross Site Scripting

2010-08-27 Thread Dave Watts

 cfqueryparam is your friend.

That has no effect on XSS. It simply prevents SQL injection.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336629


Re: HTMLEditFormat and Cross Site Scripting

2010-08-27 Thread Michael Grant

Right.
Cindi posted an example of a cfquery and I responded with "cfqueryparam is
your friend." Her query is vulnerable to SQL injection.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336630


RE: HTMLEditFormat and Cross Site Scripting

2010-08-27 Thread Mark A. Kruger

Cindi,

Do you have debugging on? Perhaps it's showing up in the debug and firing
off. That's not a problem that would affect your users.

-Mark


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336635


Prevent Cross-Site Scripting in ColdFusion 5

2010-03-02 Thread Donnie Carvajal

I have an app that is written in ColdFusion 5 and there are several places in 
the app where CGI.query_string is used to set the query string on the href of 
an anchor tag. I need a clean way to scrub the CGI.query_string variable. I 
can't use URLEncodedFormat because all of the ampersands and equal signs will 
be encoded and then there won't be any query string variables. I can't use the 
application.scriptProtect variable because the app is in ColdFusion 5 and it 
can't be upgraded to any version of ColdFusion MX without some major work to fix 
errors. Does anyone know of a UDF, custom tag, CFX, etc. that I can use?

Thanks,

Donnie 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331269


Re: Prevent Cross-Site Scripting in ColdFusion 5

2010-03-02 Thread Cutter (ColdFusion)

Have you checked CFLib.org yet? Great collection of UDFs. Maybe there is 
something there that can help you.

Steve Cutter Blades
Adobe Community Professional - ColdFusion
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer

Co-Author of Learning Ext JS
http://www.packtpub.com/learning-ext-js/book
_
http://blog.cutterscrossing.com



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331271


Re: Prevent Cross-Site Scripting in ColdFusion 5

2010-03-02 Thread Donnie Carvajal

I have checked CFLib.org. They have a couple of UDFs for handling URL 
variables, but nothing that appeared like it would parse through 
CGI.query_string or use some sort of regular expression to encode or remove 
unwanted vars without losing the variables by encoding the ampersand and equal 
signs. 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331272


RE: Prevent Cross-Site Scripting in ColdFusion 5

2010-03-02 Thread Andy Matthews

It's easy enough to write your own function for this sort of thing. Here's
the basis of how I might approach it:

<cfset REQUEST.qs = 'var1=andy&var2=Jaime&var3=Noelle'>
<cfset REQUEST.qsArr = ArrayNew(1)>
<cfloop index="REQUEST.outer" list="#REQUEST.qs#" delimiters="&">
<cfset REQUEST.key = ListFirst(REQUEST.outer,'=')>
<cfset REQUEST.value = ListLast(REQUEST.outer,'=')>
</cfloop>

At that point you could do anything you wanted to with REQUEST.key or
REQUEST.value.


andy

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331274
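Donnie's requirement (scrub CGI.query_string without encoding away the '&' and '=' separators) and Andy's split-then-handle sketch, carried through in Python as an added example that is not code from the thread; the rebuilt URL is then attribute-encoded for the href, which is the same per-component treatment a CF proxy page would give a search term before redirecting to the GSA, as Dave Watts suggests in the GSA thread above. The function names and the sample query strings are this example's own.

```python
"""Re-encode a query string pair by pair so that the '&' and '=' separators
survive while every key and value is made safe individually.

Added example, not code from the thread. It follows Andy's sketch (split on
'&', then on '=') but splits each pair on the FIRST '=' only, so a value
that itself contains '=' is not truncated the way ListLast would truncate
it. Names and sample inputs are this example's own."""

from html import escape
from urllib.parse import quote, unquote_plus


def split_pairs(raw_qs: str) -> list[tuple[str, str]]:
    """'a=1&b=2' -> [('a', '1'), ('b', '2')], with each component decoded.

    Decoding first means already-encoded input is not double-encoded when
    rebuild_query_string() re-encodes it. A chunk without '=' becomes
    (key, ''); empty chunks produced by '&&' are skipped."""
    pairs = []
    for chunk in raw_qs.split("&"):
        if not chunk:
            continue
        key, _sep, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def rebuild_query_string(raw_qs: str) -> str:
    """Percent-encode every key and value on its own and rejoin them.

    safe='' encodes everything outside the unreserved set, so '<', '>',
    '"', "'", '(' and ')' can never appear literally in the result, while
    the separators between pairs are written back verbatim."""
    return "&".join(
        f"{quote(key, safe='')}={quote(value, safe='')}"
        for key, value in split_pairs(raw_qs)
    )


def href_for(path: str, raw_qs: str) -> str:
    """Text for an href="..." attribute: URL-encode the components, then
    HTML-attribute-encode the whole URL. Two contexts, two encoders,
    applied in that order (the '&' between pairs becomes '&amp;')."""
    return escape(f"{path}?{rebuild_query_string(raw_qs)}", quote=True)


if __name__ == "__main__":
    # Constructed sample: one value with a space, one with '=' inside,
    # one carrying markup that must not reach the page literally.
    raw = "q=a b&sig=ab==&note=<b>hi</b>"
    print(rebuild_query_string(raw))
    print(href_for("search.cfm", raw))
```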


Re: Prevent Cross Site scripting

2008-04-19 Thread Andrew Grosset

Ok, point taken, I was thinking in the context of a forum application where one 
may have strict rules on user input and that input may go through complex 
validation that might be server intensive, and it probably would be unlikely that 
the data validation would require future review. If new vulnerabilities were 
found, the data could still be parsed and updated in the database once as a 
separate call instead of every time it is output.
   
The primary objective should be as Dave said: deny all, then allow.

Andrew

As Brad pointed out, who's to say what's junk? It is impossible, practically
speaking, to identify every possible bad character that may exist in your
data, and you may want to use that data in different ways and different
places. You may, in fact, want to use data in new ways in the future, only
to find that you have new vulnerabilities for which your current data is
unsanitized.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/ 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303799


Re: Prevent Cross Site scripting

2008-04-18 Thread Ian Rutherford
So what do you recommend instead? The built in XSS protection doesn't catch 
everything. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303772


RE: Prevent Cross Site scripting

2008-04-18 Thread Brad Wood
I'm not sure if you're directing that question at Dave or me, so I will
clarify my recommendation just in case.

==
Any time you embed text which a user/third party enters or has control
over into another media, ensure that the potentially-unsafe text has any
necessary meta-characters escaped.
==

That means if you want to output a name from the database into a
JavaScript variable, you should run it through jsstringformat to remove
any single ticks etc.

var users_name = '#jsstringformat(my_query.users_name)#';

If you are building an XML document out of user-entered form fields, use
xmlformat.

<root><employee>#xmlformat(form.name)#</employee></root>

If you are outputting a message in an HTML page, use htmleditformat.

<table>
<tr>
<td>
#htmleditformat(qry_message.message_text)#
</td>
</tr>
</table>

Any time you are evaluating a string as code like as in a JSON string
returned from an external web service, use a JSON parser instead of just
throwing it into an eval() function.

I know those are all generic examples, but I don't think there is
necessarily a silver bullet snippet of code you can paste at the top
of your page that will catch everything.  In theory, if ALL data were
properly escaped/sanitized according to the environment it was being
embedded in, XSS attacks would not exist.  In my opinion, _most_ XSS
attacks happen because programmers get lazy-- a sin I've certainly been
guilty of myself.

~Brad

-Original Message-
From: Ian Rutherford [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 18, 2008 2:06 PM
To: CF-Talk
Subject: Re: Prevent Cross Site scripting

So what do you recommend instead? The built in XSS protection doesn't
catch everything. 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303773


RE: Prevent Cross Site scripting

2008-04-18 Thread Dave Watts
 So what do you recommend instead? The built in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings, and
escape them appropriately when displaying them.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303783


Re: Prevent Cross Site scripting

2008-04-18 Thread Andrew Grosset
Why store junk? If you're going to store data shouldn't it be escaped/purified 
before you store it? Then you're escaping it once as opposed to escaping it 
1000's of times every time you display/output it?

 So what do you recommend instead? The built in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings, and
escape them appropriately when displaying them.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/ 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303792


RE: Prevent Cross Site scripting

2008-04-18 Thread Brad Wood
How do you know it's junk?  Let's say you have a last name of O'reilly
entered into a form field.  That string will break the following code:

<script language="javascript">
alert('#last_name#');
</script>

You would not want to remove the tick from the name in the database, as
now you have lost part of your data.  Instead you sanitize it at the
time you output it with jsstringformat.

Now, some of you are probably thinking, Why don't you just escape it
when you put it into the database?  My answer to that is, How do you
know in what context that data might need to be displayed?  If you
escape the data for a JavaScript string at the time you store it, then
it won't look right when you want to output it in HTML.  OK, so you
might think you should escape it for HTML at the time you store it-- now
you write a flex front-end for your app and wish to display it in Flash.


There are reasons other than malicious attacks to clean your data, and
it is my opinion that the interface responsible for displaying the data
should also be responsible for cleaning it appropriately.  If that is
done, O'Reilly won't be an issue and neither will XSS.

If you are concerned about the performance implications of formatting
the data over and over again you could cache static pages and serve them
up.  If your data is ever-changing, I consider this overhead a small
price to pay that comes with the business of storing and regurgitating
data.

~Brad

-Original Message-
From: Andrew Grosset [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 18, 2008 7:38 PM
To: CF-Talk
Subject: Re: Prevent Cross Site scripting

Why store junk? If you're going to store data shouldn't it be
escaped/purified before you store it? Then you're escaping it once as
opposed to escaping it 1000's of times every time you display/output it?

 So what do you recommend instead? The built in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings,
and
escape them appropriately when displaying them.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/ 
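Brad's two posts above (the three-context escaping rules, and the O'reilly case) in one runnable form. This is an added example, not code from the thread: plain JavaScript encoders standing in for HTMLEditFormat, JSStringFormat and XMLFormat, whose exact character tables are not reproduced here; each encoder covers the metacharacters that matter for its context.

```javascript
// Added example, not code from the mailing-list posts. Context-specific
// output encoders standing in for the ColdFusion functions the thread names
// (HTMLEditFormat, JSStringFormat, XMLFormat); their exact character tables
// are an assumption, each encoder below covers its context's metacharacters.

// HTML text/attribute context (the HTMLEditFormat case).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// JavaScript string-literal context (the JSStringFormat case). "/" is escaped
// too, so a value inside an inline <script> can never spell "</script>".
function escapeJsString(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\//g, '\\/')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// XML text context (the XMLFormat case).
function escapeXml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// The three sinks from the thread, each escaping at the point of output.
function renderJsVar(name) {
  return "var users_name = '" + escapeJsString(name) + "';";
}
function renderHtmlCell(text) {
  return '<td>' + escapeHtml(text) + '</td>';
}
function renderXmlEmployee(name) {
  return '<root><employee>' + escapeXml(name) + '</employee></root>';
}

// True when the string could terminate an inline script block.
function canCloseScriptBlock(s) {
  return /<\/script/i.test(s);
}

// Constructed inputs taken from the thread: a legitimate name with an
// apostrophe, and the script-bearing "name" Brad describes.
const SAMPLE_NAME = "O'reilly";
const SAMPLE_PAYLOAD = '<script language="javascript">alert(\'I\\\'m in!\');</script>';

// Escaping for one context at storage time does not fit another: an
// HTML-escaped name dropped into a JavaScript string shows the entity
// literally to the user (Brad's objection to escaping before storing).
function storedAsHtmlThenUsedInJs(name) {
  return "var users_name = '" + escapeHtml(name) + "';";
}
```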



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303793


Re: Prevent Cross Site scripting

2008-04-18 Thread Andrew Grosset
Sorry, you haven't convinced me, I appreciate what you're saying but having to 
cache the static pages after you've cleansed them doesn't seem right either.

Of course if you're relying on javascript to display as in ajax then you have a 
point.

Andrew.

How do you know it's junk?  Let's say you have a last name of O'reilly
entered into a form field.  That string will break the following code:

<script language="javascript">
   alert('#last_name#');
</script>

You would not want to remove the tick from the name in the database, as
now you have lost part of your data.  Instead you sanitize it at the
time you output it with jsstringformat.

Now, some of you are probably thinking, Why don't you just escape it
when you put it into the database?  My answer to that is, How do you
know in what context that data might need to be displayed?  If you
escape the data for a JavaScript string at the time you store it, then
it won't look right when you want to output it in HTML.  OK, so you
might think you should escape it for HTML at the time you store it-- now
you write a flex front-end for your app and wish to display it in Flash.


There are reasons other than malicious attacks to clean your data, and
it is my opinion that the interface responsible for displaying the data
should also be responsible for cleaning it appropriately.  If that is
done, O'Reilly won't be an issue and neither will XSS.

If you are concerned about the performance implications of formatting
the data over and over again you could cache static pages and serve them
up.  If your data is ever-changing, I consider this overhead a small
price to pay that comes with the business of storing and regurgitating
data.

~Brad

Why store junk? If you're going to store data shouldn't it be
escaped/purified before you store it? Then you're escaping it once as
opposed to escaping it 1000's of times every time you display/output it?

 So what do you recommend instead? The built in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings,
and 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303796


RE: Prevent Cross Site scripting

2008-04-18 Thread Dave Watts
 Why store junk? If you're going to store data shouldn't it be 
 escaped/purified before you store it? Then you're escaping it 
 once as opposed to escaping it 1000's of times every time you 
 display/output it?

As Brad pointed out, who's to say what's junk? It is impossible, practically
speaking, to identify every possible bad character that may exist in your
data, and you may want to use that data in different ways and different
places. You may, in fact, want to use data in new ways in the future, only
to find that you have new vulnerabilities for which your current data is
unsanitized.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303797


RE: Prevent Cross Site scripting

2008-04-18 Thread Bobby Hartsfield
Displaying or using data now in one way doesn't necessarily mean that's how
you or someone else may need or want to display or use it later. It has been
my experience that storing data just as it was entered is the better
solution all around. Once you strip information out that you deem unsafe for
your current needs, you can't get it back later if/when you or someone else
decides otherwise.

..:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com


-Original Message-
From: Andrew Grosset [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 18, 2008 11:12 PM
To: CF-Talk
Subject: Re: Prevent Cross Site scripting

Sorry, you haven't convinced me, I appreciate what you're saying but having
to cache the static pages after you've cleansed them doesn't seem right
either

Of course if you're relying on javascript to display as in ajax then you
have a point.

Andrew.

How do you know it's junk?  Let's say you have a last name of O'reilly
entered into a form field.  That string will break the following code:

<script language="javascript">
   alert('#last_name#');
</script>

You would not want to remove the tick from the name in the database, as
now you have lost part of your data.  Instead you sanitize it at the
time you output it with jsstringformat.

Now, some of you are probably thinking, Why don't you just escape it
when you put it into the database?  My answer to that is, How do you
know in what context that data might need to be displayed?  If you
escape the data for a JavaScript string at the time you store it, then
it won't look right when you want to output it in HTML.  OK, so you
might think you should escape it for HTML at the time you store it-- now
you write a flex front-end for your app and wish to display it in Flash.


There are reasons other than malicious attacks to clean your data, and
it is my opinion that the interface responsible for displaying the data
should also be responsible for cleaning it appropriately.  If that is
done, O'Reilly won't be an issue and neither will XSS.

If you are concerned about the performance implications of formatting
the data over and over again you could cache static pages and serve them
up.  If your data is ever-changing, I consider this overhead a small
price to pay that comes with the business of storing and regurgitating
data.

~Brad

Why store junk? If you're going to store data shouldn't it be
escaped/purified before you store it? Then you're escaping it once as
opposed to escaping it 1000's of times every time you display/output it?

 So what do you recommend instead? The built in XSS protection 
 doesn't catch everything.

I recommend that you consider accepting and storing unsafe strings,
and 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303798


Prevent Cross Site scripting

2008-04-17 Thread Jacob
If I added the following, would this prevent Cross Site Scripting issues:


<cfif urldecode(cgi.QUERY_STRING) contains "<" or
      urldecode(cgi.QUERY_STRING) contains ">" or
      urldecode(cgi.QUERY_STRING) contains "[" or
      urldecode(cgi.QUERY_STRING) contains "]" or
      urldecode(cgi.QUERY_STRING) contains "*" or
      urldecode(cgi.QUERY_STRING) contains "(" or
      urldecode(cgi.QUERY_STRING) contains ")" or
      urldecode(cgi.QUERY_STRING) contains "\" or
      urldecode(cgi.QUERY_STRING) contains "{" or
      urldecode(cgi.QUERY_STRING) contains "}" or
      urldecode(cgi.QUERY_STRING) contains "delete" or
      urldecode(cgi.QUERY_STRING) contains "drop" or
      urldecode(cgi.QUERY_STRING) contains "exe">

BAD STRING!
<cfabort>

</cfif>

Thanks Jacob


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303696


RE: Prevent Cross Site scripting

2008-04-17 Thread Brad Wood
Not necessarily, but this will help:

Name: #htmleditformat(user_entered_data_I_dont_trust)#

XSS from my understanding is when someone is able to inject HTML/JS into
a page so it is executed and then they can manipulate the contents of
the page and/or make an Ajax call which will send any cookies the site
has.  

The easiest way for people to do that is when you have a text area or
input field which is later displayed on an HTML page and special
characters are not escaped.

For instance, entering a name like 
<script language="javascript">alert('I\'m in!');</script>

When that value was output in an HTML page, the script block would be
executed in the security context of that page.

Also keep in mind, the cgi.query_string only includes url vars, not form
variables.  I prefer to sanitize them at the point of outputting them,
not at the point of collecting them.  There may be a good reason to have
some special characters in a form field.

~Brad

-Original Message-
From: Jacob [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 17, 2008 4:01 PM
To: CF-Talk
Subject: Prevent Cross Site scripting

If I added the following, would this prevent Cross Site Scripting
issues:


<cfif urldecode(cgi.QUERY_STRING) contains "<" or
      urldecode(cgi.QUERY_STRING) contains ">" or
      urldecode(cgi.QUERY_STRING) contains "[" or
      urldecode(cgi.QUERY_STRING) contains "]" or
      urldecode(cgi.QUERY_STRING) contains "*" or
      urldecode(cgi.QUERY_STRING) contains "(" or
      urldecode(cgi.QUERY_STRING) contains ")" or
      urldecode(cgi.QUERY_STRING) contains "\" or
      urldecode(cgi.QUERY_STRING) contains "{" or
      urldecode(cgi.QUERY_STRING) contains "}" or
      urldecode(cgi.QUERY_STRING) contains "delete" or
      urldecode(cgi.QUERY_STRING) contains "drop" or
      urldecode(cgi.QUERY_STRING) contains "exe">

BAD STRING!
<cfabort>

</cfif>

Thanks Jacob




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303697


RE: Prevent Cross Site scripting

2008-04-17 Thread Dave Watts
 If I added the following, would this prevent Cross Site 
 Scripting issues ...

No, that's not sufficient. First, there are other scopes that can contain
XSS attack patterns. Second, you're better off following a deny all, then
allow approach instead of what you're doing. You can't guarantee that you
can identify every possible unsafe character or sequence.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Training: Adobe/Google/Paperthin Certified Partners
http://training.figleaf.com/

WebManiacs 2008: the ultimate conference for CF/Flex/AIR developers!
http://www.webmaniacsconference.com/
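Jacob's check is a character blacklist; Dave's reply asks for "deny all, then allow". The following added example (not code from the thread) puts the two side by side in Node.js: the blacklist from the post, and an allow-list schema that names the parameters a page expects and the shape of each value. The parameter names and patterns in SCHEMA are constructed for the illustration.

```javascript
// Added example, not from the thread: Jacob's character blacklist next to an
// allow-list validator, the "deny all, then allow" approach Dave recommends.
// Parameter names and patterns in SCHEMA are constructed for the illustration.

// The blacklist from Jacob's post, applied to the URL-decoded query string.
// Everything is lower-cased so "DELETE" matches as well.
const BLACKLIST = ['<', '>', '[', ']', '*', '(', ')', '\\', '{', '}',
                   'delete', 'drop', 'exe'];

function blacklistRejects(queryString) {
  let decoded;
  try {
    decoded = decodeURIComponent(queryString).toLowerCase();
  } catch (e) {
    return true; // malformed percent-encoding: treat as rejected
  }
  return BLACKLIST.some((bad) => decoded.includes(bad));
}

// Allow-list schema: every parameter the page accepts is named, with a
// pattern describing the only values it may take. Unknown names and values
// of the wrong shape are denied, whatever characters they happen to contain.
const SCHEMA = {
  id:   /^[0-9]{1,9}$/,              // numeric record id
  page: /^[a-z][a-z0-9_]{0,31}$/,    // page slug
  q:    /^[A-Za-z0-9 .,'-]{0,64}$/,  // bounded free-text search term
};

// Validate a map of parameters. Because it works on a map, the same check
// applies to URL, form and cookie values alike; a test on cgi.QUERY_STRING
// alone only ever sees URL variables.
function validateParams(params, schema = SCHEMA) {
  const errors = [];
  for (const [name, value] of Object.entries(params)) {
    if (!Object.prototype.hasOwnProperty.call(schema, name)) {
      errors.push(`unexpected parameter: ${name}`);
    } else if (!schema[name].test(value)) {
      errors.push(`value of ${name} does not match the allowed pattern`);
    }
  }
  return { ok: errors.length === 0, errors };
}

function paramsFromQueryString(queryString) {
  return Object.fromEntries(new URLSearchParams(queryString));
}

// Constructed requests. The first is legitimate but contains the word
// "delete", so the blacklist rejects it; the second carries a parameter the
// page never defined, which a character blacklist cannot notice at all.
const LEGIT_QS = 'id=42&q=how+to+delete+a+file';
const UNEXPECTED_QS = 'id=42&debug=1';

function compare(queryString) {
  return {
    blacklistRejects: blacklistRejects(queryString),
    allowlistAccepts: validateParams(paramsFromQueryString(queryString)).ok,
  };
}
```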

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303717


Re: XSS - Cross Site Scripting

2007-03-07 Thread Matt Robertson
On 3/6/07, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
 Couldn't you provide the functionality of adding a google search box in the
 CMS. That way you control how it is added /displayed etc?

I think you're working very hard to preserve a textbook definition of
what you think the client's software should be.  The owner of that
software may well disagree with your definition.  They even may know
what they need and how to safeguard themselves in ways that have
nothing to do with ossifying their software.  Listen to the client's
needs and define your parameters based on those needs.  Don't put
blinders and earmuffs on.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271839


Re: XSS - Cross Site Scripting

2007-03-07 Thread Tom Chiverton
On Tuesday 06 Mar 2007, Mik Muller wrote:
 will allow any access unless the referer is the same domain and of the
 paired edit/add page (with a few exceptions), ie; page_edit.cfm and
 page_edit_action.cfm (gotta love lists... my favorite thing). I did this

Without realising that some people don't send the Referer: header ever?
Sometimes for reasons beyond their control.


-- 
Tom Chiverton
Helping to greatly foster viral relationships
On: http://thefalken.livejournal.com



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271842


XSS - Cross Site Scripting

2007-03-06 Thread Mik Muller
I'm on another list and heard the term XSS for the first time (honestly, I 
don't know where I've been for the past four years).

http://en.wikipedia.org/wiki/Cross_site_scripting

I've been using StripHTML() for a very long time in my message board SQL 
inserts, and only an hour ago learned of HTMLEditFormat() for the output.

I've also recently put in code so that *NO* _action.cfm page on my site will 
allow any access unless the referer is the same domain and of the paired 
edit/add page (with a few exceptions), i.e. page_edit.cfm and 
page_edit_action.cfm (gotta love lists... my favorite thing). I did this after 
looking in my logs and saw that there is a server in Amsterdam that has been 
periodically trying to create users on several of my sites since September, 
about three times a day, once per week. (The users they try to create, btw, are 
set up to advertise sex toy shops in Russia and Amsterdam! :-) Everything is 
related.)

So my question is... what do other people on this list do to mitigate XSS 
attacks?  If this is becoming a real problem we may want to share as many 
techniques as we can to ensure that CF sites have a reputation as being as 
hack-proof as possible. Another selling point.

Mik




Michael Muller
Admin, MontagueMA.net Website
work (413) 863-0030
cell (413) 320-5336
skype: michaelBmuller
http://www.MontagueMA.net

Eschew Obfuscation




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271729


RE: XSS - Cross Site Scripting

2007-03-06 Thread Robert Rawlins - Think Blue
If you're using MX7 they have a setting called scriptProtect that can be set
in both app.cfm an app.cfc to protect an individual scope or ALL. That
should do the job to a certain extent.

Rob

-Original Message-
From: Mik Muller [mailto:[EMAIL PROTECTED] 
Sent: 06 March 2007 16:44
To: CF-Talk
Subject: XSS - Cross Site Scripting

I'm on another list and heard the term XSS for the first time (honestly, I
don't know where I've been for the past four years).

http://en.wikipedia.org/wiki/Cross_site_scripting

I've been using StripHTML() for a very long time in my message board SQL
inserts, and only an hour ago learned of HTMLEditFormat() for the output.

I've also recently put in code so that *NO* _action.cfm page on my site will
allow any access unless the referer is the same domain and of the paired
edit/add page (with a few exceptions), i.e. page_edit.cfm and
page_edit_action.cfm (gotta love lists... my favorite thing). I did this
after looking in my logs and saw that there is a server in Amsterdam that
has been periodically trying to create users on several of my sites since
September, about three times a day, once per week. (The users they try to
create, btw, are set up to advertise sex toy shops in Russia and Amsterdam!
:-) Everything is related.)

So my question is... what do other people on this list do to mitigate XSS
attacks?  If this is becoming a real problem we may want to share as many
techniques as we can to ensure that CF sites have a reputation as being as
hack-proof as possible. Another selling point.

Mik




Michael Muller
Admin, MontagueMA.net Website
work (413) 863-0030
cell (413) 320-5336
skype: michaelBmuller
http://www.MontagueMA.net

Eschew Obfuscation






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271733


Re: XSS - Cross Site Scripting

2007-03-06 Thread Dana Kowalski
The built in script protection has a secunia vulnerability posted against it 
stating there is a method to circumvent it. You can find it here:
http://secunia.com/advisories/23281/

Simply checking that the submitting domain is the referrer etc. is not always 
foolproof, as we've found individuals on certain proxies get bounced every time as 
performing invalid actions when they were not.

The solution we came up with was salting a hash based on certain key pieces of 
information that come from the (authenticated) user with some randomization 
added, and putting that as a hidden in all forms. If the hash doesn't match up 
we bounce em before the form processing occurs.



- dk

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271745


Re: XSS - Cross Site Scripting

2007-03-06 Thread Matt Robertson
An old tried and true defense component is cfqueryparam.

Search for "xss" and "cross-site scripting" and you should find a
wealth of information going back years on the subject.

The CF7 admin-level defense is, I have to say, not something I have
any comfort level with.  So far it's gotten itself shut off for being
too draconian.  CMS users needing to input javascript into their web
pages were denied and that was the end of that.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271782


Re: XSS - Cross Site Scripting

2007-03-06 Thread Robertson-Ravo, Neil (RX)
CMS users adding JS?! Tut tut :-)







-Original Message-
From: Matt Robertson
To: CF-Talk
Sent: Tue Mar 06 21:54:51 2007
Subject: Re: XSS - Cross Site Scripting

An old tried and true defense component is cfqueryparam.

Search for "xss" and "cross-site scripting" and you should find a
wealth of information going back years on the subject.

The CF7 admin-level defense is, I have to say, not something I have
any comfort level with.  So far it's gotten itself shut off for being
too draconian.  CMS users needing to input javascript into their web
pages were denied and that was the end of that.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271784


Re: XSS - Cross Site Scripting

2007-03-06 Thread Matt Robertson
On 3/6/07, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
 CMS users adding JS?! Tut tut :-)

Explain successfully to the client why they can't do the work they
want, and they shouldn't want it, and you can tut all you like.  I'll
even let a 'harumph' slide  :D

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271785


Re: XSS - Cross Site Scripting

2007-03-06 Thread Robertson-Ravo, Neil (RX)
Lol, just say oi, no!






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271786


Re: XSS - Cross Site Scripting

2007-03-06 Thread Mary Jo Sminkey
> An old tried and true defense component is cfqueryparam.

For XSS? How does that do anything? It will prevent SQL injection, but that's a 
totally different attack. 


> The CF7 admin-level defense is, I have to say, not something I have
> any comfort level with.  So far its gotten itself shut off for being
> too draconian.  CMS users needing to input javascript into their web
> pages were denied and that was the end of that.

There are easy ways around that. First, you can set the script-protect in your 
application to not include form variables. That will at least protect you 
against URL, cookie and CGI-based XSS to some extent. But a better approach 
would be to have them input the javascript in the forms using a different 
format for the javascript tag that you then search-and-replace on in your 
action form. For instance use a [script] instead. Assuming these are pages that 
only admin users have, that will allow them to input what they need without 
opening the public area of the site up to XSS attacks. 


--- Mary Jo
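One concrete shape for the two things Mary Jo describes (leaving FORM out of scriptProtect so the other scopes stay covered, and translating an admin-only pseudo-tag into a real script tag on the action page). This is an added example, not code from the thread or from CFWebstore; the application name, the file names, the session.isAdmin and session.username flags and the form.pageId field are assumptions, while this.scriptProtect, ReplaceNoCase and cflog are standard ColdFusion.

```cfml
<!--- Application.cfc (added example; names assumed).
      Keep ColdFusion's scriptProtect on for the URL, cookie and CGI scopes
      but leave FORM out of it, so one trusted admin form can accept script
      through a pseudo-tag without the keyword filter rewriting it. --->
<cfcomponent output="false">
    <cfset this.name = "ExampleCms">
    <cfset this.sessionManagement = true>
    <cfset this.scriptProtect = "url,cookie,cgi">
</cfcomponent>

<!--- admin/savePage.cfm (added example; names assumed).
      Only an authenticated admin reaches this page; session.isAdmin is an
      assumed flag set by the login code. Editors type [script]...[/script]
      in the body field, and only here, on the trusted path, is that turned
      into a real script tag. Public-facing forms never run this substitution,
      so a [script] typed into a comment field stays literal text. --->
<cfif NOT structKeyExists(session, "isAdmin") OR NOT session.isAdmin>
    <cflocation url="/admin/login.cfm" addtoken="false">
</cfif>

<cfparam name="form.pageId" default="0">
<cfparam name="form.body" default="">

<cfset pageBody = form.body>
<cfset pageBody = ReplaceNoCase(pageBody, "[script]", "<script>", "all")>
<cfset pageBody = ReplaceNoCase(pageBody, "[/script]", "</script>", "all")>

<!--- Audit trail: record who published live script into which page.
      session.username is an assumed value set at login. --->
<cflog file="cms-audit" type="information"
       text="Page #form.pageId# saved with script by #session.username#">

<!--- ... persist pageBody with cfqueryparam as usual ... --->
```

The substitution is the whole risk: whatever passes through it is stored and later served as live script, so the admin check and the audit log are not optional extras, and anything entered through public pages still has to be encoded on output regardless of the scriptProtect setting.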



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271788


RE: XSS - Cross Site Scripting

2007-03-06 Thread Dave Watts
> An old tried and true defense component is cfqueryparam.
>
> Search for xss and cross-site scripting and you should
> find a wealth of information going back years on the subject.

I'm sure you're already aware of this, but as helpful as CFQUERYPARAM is, it
will not do anything to prevent XSS exploits.

> The CF7 admin-level defense is, I have to say, not something
> I have any comfort level with.  So far its gotten itself shut
> off for being too draconian.  CMS users needing to input
> javascript into their web pages were denied and that was the
> end of that.

Far from being too draconian, it's too lenient! It basically just looks for
four or five words commonly used in XSS attacks, and strips them from input.
That is not sufficient for any meaningful protection.

And, if you're going to allow users to provide arbitrary JavaScript, there
is nothing you can do with your inputs to prevent XSS exploits. You can only
control what you display, in that case - and if you're letting people enter
JavaScript intentionally, you are almost certainly letting people view
content with said JavaScript. Unless you're vetting every JavaScript call to
ensure its safety, your system is totally open to XSS exploits.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
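Dave's point in practice: since scriptProtect only strips a handful of keywords from input, the defense that actually holds is encoding untrusted data at output, in the context where it lands. The following is an added example, not code from the thread; url.q is an assumed parameter name, and HTMLEditFormat is the standard ColdFusion function available in the CF7-era versions discussed here.

```cfml
<!--- search.cfm (added example). Reflecting a URL parameter back into
      the page, first the way it gets written by accident, then hardened. --->
<cfparam name="url.q" default="">

<!--- Vulnerable form: the raw value is written into HTML, so anything
      markup-like in the parameter becomes part of the page. --->
<!--- <cfoutput><p>Results for #url.q#</p></cfoutput> --->

<!--- Hardened form: HTMLEditFormat escapes <, >, & and ", which is what
      the HTML body and a double-quoted attribute need. It does not escape
      the single quote, so keep attribute values double-quoted. --->
<cfoutput>
    <p>Results for "#HTMLEditFormat(url.q)#"</p>
    <form method="get" action="search.cfm">
        <input type="text" name="q" value="#HTMLEditFormat(url.q)#">
        <input type="submit" value="Search">
    </form>
</cfoutput>
```

Encoding is per context: a value placed inside a script block or an event-handler attribute needs JavaScript encoding rather than HTML encoding, and on ColdFusion 10 and later the EncodeForHTML, EncodeForHTMLAttribute and EncodeForJavaScript functions cover those contexts separately. Script that an admin intentionally authors for a page is the one thing that bypasses this, which is exactly why that path needs its own access control.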


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271789


Re: XSS - Cross Site Scripting

2007-03-06 Thread Matt Robertson
On 3/6/07, Mary Jo Sminkey [EMAIL PROTECTED] wrote:
> For XSS? How does that do anything? It will prevent SQL injection, but that's
> a totally different attack.

Memo to me: pay attention.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271790


RE: XSS - Cross Site Scripting

2007-03-06 Thread Dave Watts
> Explain successfully to the client why they can't do the work
> they want, and they shouldn't want it, and you can tut all
> you like.  I'll even let a 'harumph' slide  :D

That is part of your job as a developer, unfortunately. If you make them
aware of the (very serious) risks resulting from their choices, and they
choose to do so anyway, you should make sure that they indemnify you from
any unfortunate results.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271791


Re: XSS - Cross Site Scripting

2007-03-06 Thread Matt Robertson
On 3/6/07, Dave Watts [EMAIL PROTECTED] wrote:
> And, if you're going to allow users to provide arbitrary JavaScript,

It's what the client demanded, and based on their needs it was a
justifiable request.

By 'draconian' I meant that the protection is applied to all form
inputs, regardless of user authentication or anything else you as a
developer want to throw into the mix.  Throwing a complete blanket
over everything without regard to allowing individual exceptions is
where I have a problem.

By all means protect yourself from XSS, but I disagree with a system
that doesn't allow you to bypass the rules as a developer if there's a
good reason to do so.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271792


Re: XSS - Cross Site Scripting

2007-03-06 Thread Robertson-Ravo, Neil (RX)
Surely there can be no real justification for them to do JS which you do not
provide as a developer?





Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271794


Re: XSS - Cross Site Scripting

2007-03-06 Thread Mary Jo Sminkey
> Memo to me: pay attention.

LOL...of course I *never* make the mistake of answering the wrong question. ;-) 


--- Mary Jo



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271795


Re: XSS - Cross Site Scripting

2007-03-06 Thread Matt Robertson
On 3/6/07, Dave Watts [EMAIL PROTECTED] wrote:
> That is part of your job as a developer,

It is my job to make them aware of the risks.  Not to tell them what
their job should and should not be.  In this case the job was to input
javascript into a web page that was a part of their existing CMS.
The only way to get that job done was to shut off CF's scriptProtect.

Sure.  Inputting js into a web page is inherently dangerous.  So is
driving an automobile.  That doesn't mean you can't go out for a
drive.  Nor does it mean you should try to convince others that they
should not drive.  It does of course mean the driver should be
trained, the automobile in good working order and the act of driving
be undertaken safely.  By following sensible rules an inherently
dangerous and potentially deadly act can become an integral part of
everyday life with an acceptable level of safety and comfort.

The same goes for inputting js into a web page.  Don't let just
anybody do it.  Don't auth people to do it without proper training and
comfort level with the individual.  Put safeguards in place for
recovery.  Control everything that isn't opened up for this input.
Put in audit controls and so on and so on.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271796


Re: XSS - Cross Site Scripting

2007-03-06 Thread Mary Jo Sminkey
> Surely there can be no real justification for them to do JS which you do not
> provide as a developer?

In a CMS there certainly may be. I've run into similar issues with CFWebstore 
where customers often want to input some kind of custom script in some pages 
(Bizrate popup during checkout for instance). The pseudo-tag method works fine 
in these cases though as a way to get around the scriptprotect limitations. It 
certainly would be nice if you could override the settings on a page-by-page 
basis though. 

I'd love to hear some more ideas on what people are doing other than relying on 
ScriptProtect. Not all of my users are even on CF7, even if it did do the 
trick. 

--- Mary Jo






Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271797


RE: XSS - Cross Site Scripting

2007-03-06 Thread Dave Watts
> It is my job to make them aware of the risks. Not to tell
> them what their job should and should not be.

Perhaps you should reread your question, and my response.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271798


Re: XSS - Cross Site Scripting

2007-03-06 Thread Robertson-Ravo, Neil (RX)
Isn't that the whole point of a CMS? It should negate the need for users to
code.







Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271799


Re: XSS - Cross Site Scripting

2007-03-06 Thread Matt Robertson
On 3/6/07, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
> Surely there can be no real justification for them to do JS which you do not
> provide as a developer?

Well, the web page they are maintaining is kept inside of a cms, and
the site owner's staff needs to input little bits of js into the web
pages to provide telltales for exterior systems.  They expect to do
this entirely for themselves.  The CMS is in place specifically to
eliminate the developer from the job picture.

If the word "javascript" weren't involved it would be mind-numbingly
dreary, day-to-day work.  It's not developer-level work.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271803


Re: XSS - Cross Site Scripting

2007-03-06 Thread Robertson-Ravo, Neil (RX)
Then surely the CMS isn't doing its job? They are coding when the CMS
should be managing the work?

I can see your stance, but the fact is they are now coding ad hoc (and no doubt
the JS will not be checked), so they could wreak havoc, either deliberately or
otherwise.

More to the point... Telltales?









Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271804


Re: XSS - Cross Site Scripting

2007-03-06 Thread Matt Robertson
On 3/6/07, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
> Isn't that the whole point of a CMS? It should negate the need for users to
> code

I would answer that a lot of things should be in this world but
reality doesn't always conform to the textbook definition.  In the
real world people want to use javascript inside some of their CMS
systems.  Mary Jo's example is an excellent one.  Putting in a Google
search box would be one I've been hit with personally.  Telling the
customer you can't do that because it violates the premise upon which
the system is based is just not going to fly.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271806


Re: XSS - Cross Site Scripting

2007-03-06 Thread Matt Robertson
On 3/6/07, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
> Then surely the CMS isn't doing it's job? They are coding when the CMS
> should be managing the work?

ONLY if you rigidly define the CMS' job by your definition.  What if
the customer -- who owns the system, after all, and is paying you to
achieve *their* desired results -- doesn't see it your way?

> I can see your stance but the fact they are now coding ad-hoc (and no doubt
> the JS will not be checked) they could wreak havoc either deliberate or
> otherwise.

There is actually a team review feature that allows one or more
designated individuals to sign off on the proposed published work.
Although I'll say right off that the client is self-approving the
work.

Yes, the system could be abused.  Just as the automobile could be
rammed into a sidewalk crowded with people, generating horrific
results.  But you don't see automobiles banned for this reason.  Yes,
the consequences could be bad.  But just as it's possible to find safe
drivers, there are safe editorial users.  Is it perfect?  Of course
not, but it's an acceptable level of risk according to an informed
decision on the part of the site owner.

> More to the point... Telltales?

Some goofball Google-esque thing, I think, that tracks page placement
or something.  I don't know what the hell it is.  They just screamed
until I got the system to take it without them emailing me telling me
it still doesn't work.

And yes, I started the whole deal with "you don't want to do that."
They did. :-)

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271808


Re: XSS - Cross Site Scripting

2007-03-06 Thread Matt Robertson
On 3/6/07, Dave Watts [EMAIL PROTECTED] wrote:
>> It is my job to make them aware of the risks. Not to tell
>> them what their job should and should not be.

> Perhaps you should reread your question, and my response.

Well, here's what I am keying on.  I originally said

> Explain successfully to the client why they ***can't*** do the work
> they want, and they shouldn't want it, and you can tut all
> you like.

***emphasis added*** by me.  I took this as your direct response:

> That is part of your job as a developer, unfortunately.

I was keying on your response as it pertains to the first part of my
statement, not the second.  The "can't" part should never enter into
the conversation unless it really can't be done.  I do agree it's my
job to warn people that they want something crazy.

If my clients (in particular the one that wanted the javascript hole
to be opened up) could see this and see me coming across as the guy
who wants to let people happily run barefoot through the data stream
they would be howling.  I don't go gently or quietly into the night on
this stuff with the end user.  But sometimes it really does make
sense.

-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271809


Re: XSS - Cross Site Scripting

2007-03-06 Thread Robertson-Ravo, Neil (RX)
Couldn't you provide the functionality of adding a Google search box in the
CMS? That way you control how it is added/displayed, etc.



 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271838


CFMX and cross-site scripting attack?

2006-09-28 Thread Johnny Le
Hi,

We have 3 development servers and 3 production servers on 3 different networks.
We deployed an application across all 6 servers.  All of them have the "enable
global script protection" setting in CFAdmin checked.  Everything was working
great.  Suddenly today, the app on one of the production servers changed "script"
to "INVALIDTAG".  It took us a while to figure out that this is a CFMX 7 feature
to prevent cross-site scripting attacks.  To disable it, we can either uncheck the
global setting in CFAdmin or add a scriptprotect attribute to the cfapplication
tag.

Now the question is why all 6 servers have this global setting checked, but
only one server did this, and it didn't do it to start with.  More than that,
we have two instances on this server, and only one instance did this.  So it
looks like the global setting alone doesn't do it.  There is something else
that triggers the change.  Could it be this and a combination of some settings
in the IIS?  I would greatly appreciate it if someone could shed some light on
it for me.
Thank you.

Johnny

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254611


RE: CFMX and cross-site scripting attack?

2006-09-28 Thread Snake
Did you recently apply a hotfix? There is one that fixes an issue with
the cross-site scripting protection; perhaps this was the issue.

Russ 



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254622


Re: CFMX and cross-site scripting attack?

2006-09-28 Thread Johnny Le
We have not.  We talked about it but we haven't.  Even if we did, both 
instances on the same server should be affected, not just one.

Johnny


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254624


RE: CFMX and cross-site scripting attack?

2006-09-28 Thread Snake
Not necessarily; some fixes you have to apply to each instance.

Anyway, is it possible that the cross site scripting protection was not
triggered until now?
Has the script tag previously been submitted in form posts that you know
of?

Snake 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254629


Re: CFMX and cross-site scripting attack?

2006-09-28 Thread Johnny Le
Yah, as of right now, we have the script tags submitted in form posts, and 
still they don't change on the other servers or the other instance.  That is 
what I want to know: whether something triggers it, and what exactly this something is.

Johnny

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254639


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-09 Thread Mark Stanton
I just stumbled across the safeText function over at cflib.org -
http://www.cflib.org/codeView.cfm?ID=56

Any views on how suitable this is for XSS protection (not SQL injection)?

-- 
Mark Stanton
Gruden Pty Ltd
http://www.gruden.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249278


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-09 Thread Andrew Grosset
Interesting tag... however, if you are allowing HTML input, the best technique is 
to establish a list of allowable tags and then remove everything else. Trying 
to come up with a comprehensive list of bad tags to disallow is nearly 
impossible.

Andrew

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249359


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-08 Thread Mike Kear
I have a site where the guestbook is a constant problem for me.  I've
tried persuading the radio station management that they really don't
want a guestbook, but they see it as an important way to interact with
the listeners.

We'll get a fan of a show saying how the host is wonderful - a dream -
'a real spunk' then a whole tribe of others saying how ugly and
totally undesirable the host is.  Never any middle ground.

So I have to keep it going.

It's a constant source of problems, from people at other stations or
fans of other stations trying to embarrass us by putting links to porn
or telling out-and-out lies there.   We get lots of spammers trying to
use our guestbook form to send their emails or post links to their
sites.

Here are some of the things we do (and it's a changing feast - I'm
always tinkering with the process page to tighten it up a little
without inhibiting the real listeners posting, which is why we haven't
gone to using Captcha yet).

[A] No guestbook post goes straight to the site.  It goes to an editor first.
[B] Any post containing the character < gets dumped (an early attempt to
filter out HTML).
[C] Any post containing some reserved words gets dumped.
[D] Just in case B didn't catch it, all posts are HTMLEditFormatted.
[E] All posts go through cfqueryparam on their way into the database.
[F] Any posts not coming from the right page (i.e. having
cgi.http_referer with the correct value) get dumped.
[G] The IP address of every post is stored, and posts coming from some
IPs and some domains are dumped.

The poster doesn't always get notified that the post has been dumped -
I don't want to give too many clues to the abusers about what checks
are being made.  There aren't any foolproof safeguards, but we keep on
working on it while trying to resist any measure that will make it
more difficult for legitimate listeners to post.

It keeps managing that site interesting though!


Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month






On 8/8/06, Dave Watts [EMAIL PROTECTED] wrote:
  Do you have any scripts that you can share?

 Well, no, unfortunately.

 The reason for this is that there are various approaches that you can take
 to solve this problem, and these approaches are very dependent on what
 you're trying to accomplish - it's not a matter of just having a script that
 you can plug in. One solution, as Michael Dawson mentioned, is to use
 HTMLEditFormat to remove all HTML from input. This is pretty simple, and
 prevents many XSS attacks (though not necessarily all). But what if you want
 to allow people to input HTML in the first place? This is somewhat common in
 CMS environments, for example. This is why languages like BBML exist - to
 allow limited HTML authoring without allowing the author to submit HTML to
 the server. Even then, you have to watch out for things like JavaScript
 pseudo-URLs, which bypass any tag-based approach to removing XSS exploits.

 In addition, you may choose to differentiate between safe and unsafe
 strings, an approach recommended by Joel Spolsky in passing here:

 http://www.joelonsoftware.com/articles/Wrong.html

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249118
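Mike's checklist [A] to [G] as one screening function, added here as an example; it is editor-supplied Python, not Mike's code and not ColdFusion. The host, form path, reserved words, blocked network and blocked domain are placeholder policy values (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the posts fed to it are constructed. Every check that fires is recorded for the site's own log, while the poster only ever sees the post go quiet, which is the behaviour Mike describes.

```python
"""Layered screening for a moderated guestbook: every check is recorded,
nothing is published directly, and rejected posts are dropped silently.
Added example; policy values below are assumptions, not the station's."""
import html
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

FORM_HOST = "www.example-radio.test"      # page that serves the guestbook form
FORM_PATH = "/guestbook.cfm"
RESERVED_WORDS = {"casino", "mortgage"}   # [C] words that get a post dumped
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # [G]
BLOCKED_DOMAINS = {"spam.example"}                             # [G]


@dataclass
class Screening:
    queue_for_editor: bool     # [A] True = hold for the editor, never straight to the site
    body: str                  # [D] HTML-escaped text, the only form that gets stored
    reasons: list = field(default_factory=list)   # which checks fired (logged, never shown)


def referer_ok(referer):
    """[F] The post must arrive from our own form page.  This is a cheap filter
    against off-site form posts, not proof of origin."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return (parts.scheme in ("http", "https")
            and parts.hostname == FORM_HOST
            and parts.path == FORM_PATH)


def source_blocked(remote_ip, remote_host):
    """[G] Address inside a blocked range, or reverse-DNS name under a blocked domain."""
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return True                    # unparsable address: treat as blocked
    if any(ip in net for net in BLOCKED_NETWORKS):
        return True
    host = (remote_host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def screen_post(text, remote_ip, referer, remote_host=""):
    reasons = []
    if not referer_ok(referer):
        reasons.append("referer")
    if source_blocked(remote_ip, remote_host):
        reasons.append("source")
    if "<" in text:                    # [B] crude markup check, kept as a first filter
        reasons.append("markup")
    lowered = text.lower()
    if any(word in lowered for word in RESERVED_WORDS):
        reasons.append("reserved-word")
    # [D] escape regardless of whether [B] fired; [E] (bound parameters)
    # belongs to the insert that stores the result.
    return Screening(queue_for_editor=not reasons, body=html.escape(text), reasons=reasons)


if __name__ == "__main__":
    # Constructed sample posts.
    print(screen_post("Love the breakfast show!", "198.51.100.7",
                      "http://www.example-radio.test/guestbook.cfm"))
    print(screen_post("Visit my casino", "203.0.113.9", "http://other.example/post"))
```

The result carries the escaped body even for a dumped post, so the same value can be stored for the editor's review without any path where raw input reaches a page.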


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-08 Thread James Holmes
Here is a good example of the kind of determination people trying to
prevent JS hacks (e.g. XSS) are facing:

http://namb.la/popular/tech.html

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249120


Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Rey Bango
Hi guys,

Any recommendations on a good script to prevent cross-site scripting & 
sql injection? If someone has good code for this, I'd really appreciate 
it if I could use it.

Rey...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249022


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Ian Skinner
For SQL injection, dedicated use of cfqueryparam ... in all queries where 
user input is accepted prevents most if not all attacks. 

For cross-site scripting, I think urlEncodedFormat() can be used in some places, but 
I'm not sure how universal this one is.


--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA

-
| 1 |   |
-  Binary Soduko
|   |   |
-
 
C code. C code run. Run code run. Please!
- Cynthia Dunning

Confidentiality Notice:  This message including any
attachments is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the
intended recipient, please contact the sender and
delete any copies of this message. 




Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249023


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Greg Morphis
look into cfqueryparam, you can't go wrong with it

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249024


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Brad Wood
I don't have any scripts per se, but I usually check the cgi referrer
to prevent someone from posting off-site forms to my process scripts. As
far as sql injection, cfqueryparam will go a long way to help that...
and be careful of the PreserveSingleQuotes() function-- it can make it
easier to insert SQL.  

Also, in MX7, look into the Enable Global Script Protection setting on
the settings page of cf admin.

~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249025


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Andy Matthews
I was under the impression that CFQUERYPARAM took care of all of the SQL
injection possibilities.

!//--
andy matthews
web developer
certified advanced coldfusion programmer
ICGLink, Inc.
[EMAIL PROTECTED]
615.370.1530 x737
--//-

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249027


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Ian Skinner
I was under the impression that CFQUERYPARAM took care of all of the SQL 
injection possibilities.

--

All that I know of, but I understand hacker types to often be very creative and 
intelligent people.  I always assume that they have, or will someday, figure 
out new attacks.  The hope being that the attacks are so convoluted and time 
consuming as to usually not be worth it.


--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249030


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Rey Bango
Awesome. Thanks for all of the suggestions guys!

Rey

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249031


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Brad Wood
If you use cfprocparam, you can still have troubles if your stored
proc builds a dynamic statement and then executes it without stripping
out single ticks.

We found that out by accident, when our order find would blow up every
time someone searched for a name like O'Neil.  :)

~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249033


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Brad Wood
Social engineering can be much more effective, and harder to code for.

~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249035


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Rey Bango
I found a tag called cf_scriptkill in the exchange which seems to work 
quite well. So along with the cfqueryparam, this should help out a lot.

Thanks for all of the suggestions.

Rey.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249036


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Dave Watts
 Also, in MX7, look into the Enable Global Script Protection 
 setting on the settings page of cf admin.

The protection this provides is minimal, at best. It's really no substitute
for properly preventing XSS attacks.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249046


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Dave Watts
  I was under the impression that CFQUERYPARAM took care of all 
  of the SQL injection possibilities.
 
 All that I know of, but I understand hacker types to often be 
 very creative and intelligent people.  I always assume that 
 they have, or will someday, figure out new attacks.  The hope 
 being that the attacks are so convoluted and time consuming 
 to usually not be worth it.

Well, actually, CFQUERYPARAM prevents SQL injection attacks from working,
period. SQL injection attacks rely upon the ability to have your database
execute code, and CFQUERYPARAM prevents that from happening.

That said, CFQUERYPARAM does nothing to prevent other sorts of attacks, so
you will certainly want to filter inputs appropriately. There are various
approaches you can take to this, but essentially you want to remove or
disable any content that would be executable within a browser, such as
JavaScript.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249045
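Dave's point that a bound parameter never becomes SQL text, and Brad's caveat about a stored procedure that builds a dynamic statement from that parameter, side by side as an added example. This is editor-supplied Python on sqlite3, not ColdFusion and not code from the thread; the orders table and the customer names are constructed, and `find_orders_dynamic` stands in for the concatenating stored procedure Brad describes. The third function shows the one legitimate use of dynamic SQL (a variable identifier) done with an allowlist while the value stays bound.

```python
"""Bound parameters vs. SQL assembled from strings, using the O'Neil case.
Added example on sqlite3 with constructed data; not ColdFusion code."""
import sqlite3

SEARCHABLE_COLUMNS = {"customer", "id"}   # identifiers a caller may pick


def make_db():
    """Constructed sample data (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                     [("O'Neil", 42.5), ("Smith", 10.0), ("O'Neil", 7.25)])
    conn.commit()
    return conn


def find_orders_bound(conn, customer):
    """What cfqueryparam does: the value travels as a bound parameter and is
    never spliced into the statement text, so a quote in it is just data."""
    return conn.execute(
        "SELECT id, total FROM orders WHERE customer = ? ORDER BY id", (customer,)
    ).fetchall()


def find_orders_dynamic(conn, customer):
    """Stand-in for a stored procedure that receives the value as a parameter
    but then concatenates it into a statement it executes itself.  The quote
    in O'Neil ends the string literal and the statement no longer parses."""
    sql = "SELECT id, total FROM orders WHERE customer = '" + customer + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_orders_dynamic_safe(conn, column, value):
    """Dynamic SQL done carefully: only the identifier varies, it is chosen
    from a fixed allowlist, and the value is still bound."""
    if column not in SEARCHABLE_COLUMNS:
        raise ValueError(f"column not searchable: {column!r}")
    return conn.execute(
        f"SELECT id, total FROM orders WHERE {column} = ? ORDER BY id", (value,)
    ).fetchall()


def search(conn, customer, bind=True):
    """Returns ('ok', rows) or ('error', message) so the failure mode is visible."""
    try:
        rows = find_orders_bound(conn, customer) if bind else find_orders_dynamic(conn, customer)
        return ("ok", rows)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print(search(db, "O'Neil"))              # ok, two rows
    print(search(db, "O'Neil", bind=False))  # error: the apostrophe broke the statement
```

The apostrophe that merely breaks the query here is the same character an attacker relies on; a name that fails to parse is the benign symptom of a statement that would also accept foreign SQL, which is why the fix is binding, not stripping quotes.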


Re: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Rey Bango
Dave,

Do you have any scripts that you can share?

Rey...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249049


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Dawson, Michael
As others have mentioned, use cfqueryparam for input, but you should
also use htmlEditFormat() for ALL output that could have originated
outside your application.  This will escape all tags and should render
any javascript blocks useless.

M!ke

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249052


RE: Good script to prevent cross-site scripting & sql injection?

2006-08-07 Thread Dave Watts
 Do you have any scripts that you can share?

Well, no, unfortunately.

The reason for this is that there are various approaches that you can take
to solve this problem, and these approaches are very dependent on what
you're trying to accomplish - it's not a matter of just having a script that
you can plug in. One solution, as Michael Dawson mentioned, is to use
HTMLEditFormat to remove all HTML from input. This is pretty simple, and
prevents many XSS attacks (though not necessarily all). But what if you want
to allow people to input HTML in the first place? This is somewhat common in
CMS environments, for example. This is why languages like BBML exist - to
allow limited HTML authoring without allowing the author to submit HTML to
the server. Even then, you have to watch out for things like JavaScript
pseudo-URLs, which bypass any tag-based approach to removing XSS exploits.

In addition, you may choose to differentiate between safe and unsafe
strings, an approach recommended by Joel Spolsky in passing here:

http://www.joelonsoftware.com/articles/Wrong.html

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249063
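The approach Dave, Michael Dawson and Andrew Grosset converge on, as an added example: escape everything (the effect of HTMLEditFormat), then re-enable a short allowlist of tags, and still check the href of any link you keep for the JavaScript pseudo-URLs that a tag-only filter misses. This is editor-supplied Python built on the standard library's HTML parser, not ColdFusion and not code from any poster; the allowlist of tags and attributes, the accepted URL schemes and the sample inputs are assumptions made for the example.

```python
"""Default-deny HTML sanitiser: escape everything, then re-enable a short allowlist.
Added example (Python, not ColdFusion); the allowlist and sample inputs are assumptions."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for this example: tag -> attributes permitted on it.
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
SAFE_SCHEMES = {"http", "https"}


def safe_url(value):
    """Accept only http(s) URLs and site-relative paths; reject pseudo-URLs.

    Browsers ignore whitespace and control characters inside a scheme, so
    they are stripped before the scheme is inspected: 'java\\tscript:' is
    still 'javascript:'."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme:
        return scheme in SAFE_SCHEMES
    return cleaned.startswith("/") and not cleaned.startswith("//")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []            # allowed tags currently open, for balancing

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Default deny: an unknown tag survives only as visible text.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue               # attribute not on the allowlist: drop it
            if name == "href" and not safe_url(value):
                continue               # pseudo-URL or protocol-relative link: drop it
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)
            self.handle_endtag(tag)
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close anything opened after it so the output stays balanced.
            while self.open_tags:
                closing = self.open_tags.pop()
                self.out.append(f"</{closing}>")
                if closing == tag:
                    break
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        # Same effect as HTMLEditFormat(): text is re-escaped, so an
        # already-encoded "&lt;b&gt;" cannot come back out as a tag.
        self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # base class, whose handlers are no-ops, so they are dropped entirely.

    def result(self):
        self.close()
        while self.open_tags:          # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input for the example.
    print(sanitize('<b>Hello</b> <a href="JavaScript:x()">click</a> <script>x()</script>'))
```

Two design points carry the security weight: the parser, not a regular expression, decides what is a tag, so the filter and the browser agree on structure; and text is escaped on the way out rather than filtered on the way in, which is also the right place to apply HTMLEditFormat when the stored value is plain text.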


RE: Cross - Site Scripting

2005-10-19 Thread Hugo Ahlenius
Or one could use something like BBCode.


--
Hugo Ahlenius

-
Hugo Ahlenius  E-Mail: [EMAIL PROTECTED]
Project OfficerPhone:  +46 8 412 1427
UNEP GRID-Arendal  Fax:+46 8 723 0348
Stockholm Office   Mobile: +46 733 467111
   WWW:   http://www.grida.no
   Skype:callto:fraxxinus
  PLEASE NOTE: NEW PHONE AND FAX NUMBERS FROM SEPT 1ST 2005
- 







 

| -Original Message-
| From: Joe Rinehart [mailto:[EMAIL PROTECTED]
| Sent: Tuesday, October 18, 2005 19:44
| To: CF-Talk
| Subject: Re: Cross - Site Scripting
| 
| Right - in that case, I'd htmlEditFormat() then reverse in the things 
| I'd want to allow.  The old firewall routine of default deny vs.
| default allow.



Re: Cross - Site Scripting

2005-10-18 Thread James Holmes
Actually the attack was pure JS. The source code of the exploit makes
for a good read - it demonstrates the things that need to be
considered in sanitising user input, which even paranoid people might
not consider.

On 10/18/05, Matt Robertson [EMAIL PROTECTED] wrote:
> Can we Readers-Digest this saga and spill to the masses that these
> guys can't spell cfqueryparam?  just curious as I'm not inclined to
> read this saga unless someone can show me a reason for same.   Not so
> much a smart opinion as a late nite one... tired and not ready to give
> credence to a new threat that sounds like old news.


Re: Cross - Site Scripting

2005-10-18 Thread Rizal Firmansyah
I don't think myspace.com's related problem has anything to do with 
cfqueryparam...
I think this is a bad coding, that's all...

Here's a piece of the self-propagating cross-site scripting (XSS) worm
(http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391)
code:
div id=mycode style=BACKGROUND: url('java
script:eval(document.all.mycode.expr)') expr=var 
B=String.fromCharCode(34);var A=String.fromCharCode(39);function 
g(){var C;try{var 
D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return 
C}else{return eval('document.body.inne'+'rHTML')}}
.

taken from http://namb.la/popular/tech.html

Rizal
masrizal.com

At 12:52 PM 18/10/2005, you wrote:
> Can we Readers-Digest this saga and spill to the masses that these
> guys can't spell cfqueryparam?  just curious as I'm not inclined to
> read this saga unless someone can show me a reason for same.   Not so
> much a smart opinion as a late nite one... tired and not ready to give
> credence to a new threat that sounds like old news.
>
> --
> --mattRobertson--
> Janitor, MSB Web Systems
> mysecretbase.com





Re: Cross - Site Scripting

2005-10-18 Thread dave
I dunno but their new pages running on bd are slower than a fart trying to 
escape out of a snow suit!

~Dave the disruptor~
Some people just don't appreciate how difficult it is to dispense wisdom and 
abuse at the same time. 


From: Rizal Firmansyah [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 2:10 AM
To: CF-Talk cf-talk@houseoffusion.com
Subject: Re: Cross - Site Scripting 

I don't think myspace.com's related problem has anything to do with 

I think this is a bad coding, that's all...

Here's piece of the 
self-propagating 
cross-site scripting (XSS) 
worm 
code:






Re: Cross - Site Scripting

2005-10-18 Thread Ken Ferguson
That must be a link to the National Association of Marlon Brando Look 
Alikes? Sorry for those of you too grown-up to dig on some Southpark.

--Ferg

Andrew Grosset wrote:

> In case you didn't see the recent discussion in CF-Community about the worm
> introduced into MySpace.com within css script tags and XMLHTTPRequest, here is
> the link to the hackers web site where he explains how he did it!
>
> http://namb.la/popular/
>
> Although (this one) was an IE flaw it certainly makes you realise the
> importance of server side (ColdFusion) script to minimise Cross-Site Scripting.
>
> Andrew.





Re: Cross - Site Scripting

2005-10-18 Thread Matt Robertson
Memo to me:  Beer + late night = no message posting.  Sorry.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com



Re: Cross - Site Scripting

2005-10-18 Thread Joe Rinehart
I think the short of it is to htmlEditFormat() user-provided input
instead of trying to parse out all threatening content by hand while
selectively letting other things through.

-Joe

On 10/18/05, Matt Robertson [EMAIL PROTECTED] wrote:
> Can we Readers-Digest this saga and spill to the masses that these
> guys can't spell cfqueryparam?  just curious as I'm not inclined to
> read this saga unless someone can show me a reason for same.   Not so
> much a smart opinion as a late nite one... tired and not ready to give
> credence to a new threat that sounds like old news.
>
> --
> --mattRobertson--
> Janitor, MSB Web Systems
> mysecretbase.com

 



RE: Cross - Site Scripting

2005-10-18 Thread Dave Watts
> I think the short of it is to htmlEditFormat() user-provided input
> instead of trying to parse out all threatening content by hand while
> selectively letting other things through.

That's certainly the safest approach, but it doesn't work very well for CMSs
and other sites which let you write HTML.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized 
instruction at our training centers in Washington DC, Atlanta, 
Chicago, Baltimore, Northern Virginia, or on-site at your location. 
Visit http://training.figleaf.com/ for more information!




Re: Cross - Site Scripting

2005-10-18 Thread Joe Rinehart
Right - in that case, I'd htmlEditFormat() then reverse in the things
I'd want to allow.  The old firewall routine of default deny vs.
default allow.

-Joe

On 10/18/05, Dave Watts [EMAIL PROTECTED] wrote:
> > I think the short of it is to htmlEditFormat() user-provided input
> > instead of trying to parse out all threatening content by hand while
> > selectively letting other things through.
>
> That's certainly the safest approach, but it doesn't work very well for CMSs
> and other sites which let you write HTML.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
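
The htmlEditFormat()-then-reverse "default deny" approach Joe describes above, together with the attribute/pseudo-URL caveat and the safe-versus-unsafe-string distinction Dave Watts raises in his 2006 reply at the top of this page, as an added Python example that is not code from the thread. `default_deny_sanitize`, `SafeHtml`, `render_post` and the tag allowlist are constructed for this illustration.

```python
import html
import re

# Constructed allowlist for this example: bare tags only, never attributes,
# so a javascript: pseudo-URL in href= or style= has nowhere to be re-enabled.
ALLOWED_TAGS = ("b", "i", "em", "strong", "p", "br")


class SafeHtml(str):
    """Marker type for a string that has already been sanitized.

    Mirrors the "safe vs unsafe string" distinction: templates accept only
    SafeHtml, so an unsanitized str reaching the output is a type error.
    """


def html_edit_format(text: str) -> str:
    """Encode the whole string, as htmlEditFormat() does (< > & " become entities)."""
    return html.escape(text, quote=True)


def default_deny_sanitize(user_input: str, allowed=ALLOWED_TAGS) -> SafeHtml:
    """Default deny: encode everything, then reverse only exact allowed tags.

    Only the literal forms &lt;tag&gt; and &lt;/tag&gt; are turned back into
    markup. A tag carrying attributes (style=, href=, on*=) stays encoded and
    therefore inert. A literal '&lt;b&gt;' typed by the user was escaped to
    '&amp;lt;b&amp;gt;' in the first step, so it cannot match and be decoded.
    """
    encoded = html_edit_format(user_input)
    for tag in allowed:
        encoded = re.sub(rf"&lt;{tag}&gt;", f"<{tag}>", encoded, flags=re.IGNORECASE)
        encoded = re.sub(rf"&lt;/{tag}&gt;", f"</{tag}>", encoded, flags=re.IGNORECASE)
    return SafeHtml(encoded)


def render_post(body) -> str:
    """Template helper that refuses anything not marked SafeHtml."""
    if not isinstance(body, SafeHtml):
        raise TypeError("unsanitized string reached the template; sanitize first")
    return f'<div class="post">{body}</div>'


if __name__ == "__main__":
    # Constructed sample submissions: allowed tag, disallowed tag,
    # allowed tag with an attribute, and a pre-encoded tag.
    for sample in ("<b>bold</b> & plain", "<script>x()</script>",
                   '<b style="x">hi</b>', "&lt;b&gt;"):
        print(repr(sample), "->", render_post(default_deny_sanitize(sample)))
```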


 



RE: Cross - Site Scripting

2005-10-18 Thread Munson, Jacob
Yeah, you're right.  They were denying stuff like 'JavaScript', but
allowing anything that wasn't on their deny list.  The problem is they
want to allow as much stuff as possible to make it cool for the users,
while not allowing too much.  It should be possible to only allow a
small set of characters/words/tags/etc., and still be secure (as long as
there aren't any IE users around! ;) ).

> -Original Message-
> From: Joe Rinehart [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 18, 2005 11:44 AM
> To: CF-Talk
> Subject: Re: Cross - Site Scripting
>
> Right - in that case, I'd htmlEditFormat() then reverse in the things
> I'd want to allow.  The old firewall routine of default deny vs.
> default allow.
>
> -Joe







Cross - Site Scripting

2005-10-17 Thread Andrew Grosset
In case you didn't see the recent discussion in CF-Community about the worm 
introduced into MySpace.com within css script tags and XMLHTTPRequest, here is 
the link to the hackers web site where he explains how he did it!

http://namb.la/popular/

Although (this one) was an IE flaw it certainly makes you realise the 
importance of server side (ColdFusion) script to minimise Cross-Site Scripting.

Andrew.



Re: Cross - Site Scripting

2005-10-17 Thread Matt Robertson
Can we Readers-Digest this saga and spill to the masses that these
guys can't spell cfqueryparam?  just curious as I'm not inclined to
read this saga unless someone can show me a reason for same.   Not so
much a smart opinion as a late nite one... tired and not ready to give
credence to a new threat that sounds like old news.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com



Re: Securing CF Apps against SQL Injection Cross Site Scripting

2004-12-18 Thread Andrew Grosset
I just put the following in my application template to check all urls:

<cfscript>
tmp = URLDecode(cgi.query_string);
// remove all opening and closing tags..
tmp = Replace(tmp, "<", "", "ALL");
tmp = Replace(tmp, ">", "", "ALL");

// remove other...
// [ and ] have to be handled separately

other = "[\(){}]";
tmp = REReplace(tmp, other, "", "ALL");
tmp = Replace(tmp, "[", "", "ALL");
tmp = Replace(tmp, "]", "", "ALL");

tmp = Replace(tmp, "+", "", "ALL");
tmp = Replace(tmp, "*", "", "ALL");

tmp = ReplaceNoCase(tmp, "DROP", "", "ALL");
tmp = ReplaceNoCase(tmp, "DELETE", "", "ALL");
tmp = ReplaceNoCase(tmp, "exe", "", "ALL");
</cfscript>

<!--- compare against the decoded string tmp was built from, and treat any
      difference as a hit (CompareNoCase returns -1, 0 or 1) --->
<cfif CompareNoCase(URLDecode(cgi.query_string), tmp) NEQ 0>

  <!--- cfmail tag can go here.. --->

  <cfabort>

</cfif>


Would you be willing to share your modded cf_codecleaner custom tag?

Thanks!
MAD




Re: Securing CF Apps against SQL Injection Cross Site Scripting

2004-12-18 Thread Eric Dawson
good code.
cfabort in application.cfm?
I think I'll do the same.
- Original Message - 
From: Andrew Grosset [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Saturday, December 18, 2004 4:36 PM
Subject: Re: Securing CF Apps against SQL Injection  Cross Site Scripting


> I just put the following in my application template to check all urls:
>
> <cfscript>
> tmp = URLDecode(cgi.query_string);
> // remove all opening and closing tags..
> tmp = Replace(tmp, "<", "", "ALL");
> tmp = Replace(tmp, ">", "", "ALL");
>
> // remove other...
> // [ and ] have to be handled separately
>
> other = "[\(){}]";
> tmp = REReplace(tmp, other, "", "ALL");
> tmp = Replace(tmp, "[", "", "ALL");
> tmp = Replace(tmp, "]", "", "ALL");
>
> tmp = Replace(tmp, "+", "", "ALL");
> tmp = Replace(tmp, "*", "", "ALL");
>
> tmp = ReplaceNoCase(tmp, "DROP", "", "ALL");
> tmp = ReplaceNoCase(tmp, "DELETE", "", "ALL");
> tmp = ReplaceNoCase(tmp, "exe", "", "ALL");
> </cfscript>
>
> <!--- compare against the decoded string tmp was built from, and treat any
>       difference as a hit (CompareNoCase returns -1, 0 or 1) --->
> <cfif CompareNoCase(URLDecode(cgi.query_string), tmp) NEQ 0>
>
>   <!--- cfmail tag can go here.. --->
>
>   <cfabort>
>
> </cfif>
>
>
> Would you be willing to share your modded cf_codecleaner custom tag?
>
> Thanks!
> MAD
 

 



Re: Securing CF Apps against SQL Injection Cross Site Scripting

2004-12-16 Thread Michael Dawson
Would you be willing to share your modded cf_codecleaner custom tag?

Thanks!
MAD

> Yes, I did virtually the same except I modified cf_codecleaner to do
> the CompareNoCase within the tag, email me the details and cflocation
> (I'm going to make a special 500 page as I can't get cfheader to
> work with all browsers - notably cfheader, and do away with
> cflocation). This keeps the application.cfm less cluttered as I can
> then do all the business within one line of code in application.cfm.
>
> Also I use #URLDecode(cgi.query_string)# as otherwise %3c (percent 3
> c) will not be scrubbed (also applies to all other HTML escaped
> encoding).
>
> Within the script tags I also added:
>
> // remove other...
> // [ and ] have to be handled separately
>
> other = "[\(){}]";
> tmp = REReplace(tmp, other, "", "ALL");
> tmp = Replace(tmp, "[", "", "ALL");
> tmp = Replace(tmp, "]", "", "ALL");
>
> tmp = Replace(tmp, "+", "", "ALL");
> tmp = Replace(tmp, "*", "", "ALL");
>
> It's pretty consistent at around 15-16ms which is good.
>
> regards, Andrew.
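
The Application.cfm query-string check Andrew posts earlier in this thread, and the reason quoted here for decoding it before scrubbing, as an added Python example that is not code from the thread. `scrub`, `request_is_suspicious`, `compare_against_raw` and `triage` are constructed names, form-style decoding of "+" is assumed, and the sample query strings are constructed; the block also shows what comparing against the still-encoded string, and the "exe" word filter, do to harmless requests.

```python
import re
from urllib.parse import unquote_plus

# Constructed mirror of the thread's filter: the tag characters, the "other"
# character class plus the separately handled [ ], and the case-insensitive words.
TAG_CHARS = "<>"
OTHER_CHARS = "[](){}+*"
DENIED_WORDS = ("DROP", "DELETE", "exe")


def scrub(decoded: str) -> str:
    """Apply the thread's removals to an already URL-decoded query string."""
    out = decoded
    for ch in TAG_CHARS + OTHER_CHARS:          # Replace(tmp, ch, "", "ALL")
        out = out.replace(ch, "")
    for word in DENIED_WORDS:                   # ReplaceNoCase(tmp, word, "", "ALL")
        out = re.sub(re.escape(word), "", out, flags=re.IGNORECASE)
    return out


def request_is_suspicious(raw_query_string: str) -> bool:
    """Decode first, then compare scrubbed text with the *decoded* original.

    Decoding is what lets %3C (an encoded '<') be seen and stripped; comparing
    against the decoded form is what keeps benign encodings from tripping it.
    Equivalent to CompareNoCase(URLDecode(cgi.query_string), tmp) NEQ 0.
    """
    decoded = unquote_plus(raw_query_string)    # form-style decoding assumed
    return scrub(decoded).lower() != decoded.lower()


def compare_against_raw(raw_query_string: str) -> bool:
    """Failure mode: scrubbed decoded text compared with the still-encoded
    original, so any %xx or '+' in a harmless request makes them differ."""
    decoded = unquote_plus(raw_query_string)
    return scrub(decoded).lower() != raw_query_string.lower()


def triage(raw_query_strings):
    """Return the subset of requests the (decoded) check would abort."""
    return [q for q in raw_query_strings if request_is_suspicious(q)]


if __name__ == "__main__":
    # Constructed sample query strings: plain, encoded tag, encoded space,
    # plus-as-space, and a benign word containing "exe".
    samples = ["id=42&name=smith", "q=%3Cscript%3E", "q=a%20b",
               "q=a+b", "role=executive"]
    for q in samples:
        print(f"{q:18} decoded-compare={request_is_suspicious(q)!s:5} "
              f"raw-compare={compare_against_raw(q)}")
```

Note the last sample: the word list strips "exe" out of "executive", so that harmless value is flagged too; a word denylist trades false positives for coverage.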



sot: Guarding Against Cross-site Scripting Attacks

2004-08-24 Thread dave
good article on preventing attacks on your site 

www.communitymx.com




Cross Site Scripting

2004-06-22 Thread Bob Jacoby
This was covered quite well in an earlier thread:

http://www.listsearch.com/cf-talk.lasso?id=31210-session=listsearch_coldfusion:A3EA90500f040147C3sOm28F6DCB

However, there's something I'd like clarification on. The custom tag CodeCleaner and the URLScan IIS security tool were both thrown out as options for scanning the request for invalid/malicious requests. Am I correct in that if I use URLScan to scan the incoming request I do not need to use CodeCleaner to do the same? In fact, would using them both for this cause problems? I ask because http://www.securityfocus.com/infocus/1755 mentions, under normalizing the URL, that URLScan is known to break various web applications. The cause of this failure is typically because the application expects to receive encoded characters and tries to process regular characters as encoded characters. Why would one choose CodeCleaner over URLScan for scanning requests?

Specifically for XSS (not its brother SQL Injection), what other measures should be taken besides URLScan? I was thinking form input validation, but wouldn't URLScan include those in its scan once the user submits the form (even if it's a POST submission)? What information in the request is not scanned by URLScan? Since URLScan would need to be set to the weakest setting required for the application (e.g. if some fields required the use of some special characters and others didn't, URLScan would have to allow those special characters), I may have to do some additional checking in these types of circumstances (using CodeCleaner). However, assuming I can lock down requests with URLScan without exceptions like these, would URLScan provide the protection I need for XSS? If not, what else should I be looking at?

I found the notification for the following XSS vulnerability:
http://www.macromedia.com/devnet/security/security_zone/mpsb03-06.html . Does URLScan not include scans of these aspects, so we need to make sure we don't use these (or scan them with CodeCleaner)?

I'm working on a CF5 box with IIS5. Eventually I'll need to lock down CF MX with IIS6, at which point UrlScan won't do as much since IIS6 includes a lot (http://www.microsoft.com/technet/security/tools/urlscan.mspx?#XSLTsection123121120120).

Any thoughts would be appreciated. 

Thanks,
Bob




Re: Cross Site Scripting

2004-06-22 Thread Matt Robertson
Bob Jacoby wrote:
> Why would one choose CodeCleaner over URLScan for scanning requests?

I would feel very jittery about giving up urlscan. It's a powerful
tool. I suppose if you pass a lot of urlencoded data via the url you
could eventually hit a snag. However I try to minimize what I expose
over a url so this may be part of why I've never experienced a
problem. As a result of the thread you mentioned I expanded my use of
CodeCleaner to scrub url strings with no ill effects.

> wouldn't URLScan include those in its scan once the user submits the
> form (even if it's a post submission)?

a POST-type form variable isn't passed via the url, so I would think
URLScan would miss it completely... unless there's something in
URLScan that I'm unaware of that scrubs POST (non-url) form vars? 
Haven't read the docs on that in quite awhile.

> What information in the request is not scanned by URLScan?

Anything that isn't in the url, subject to the above caveat, but I'm
pretty sure URLScan does exactly -- and only -- what its name implies.

-- 
--Matt Robertson--
MSB Designs, Inc.




Re: Securing CF Apps against SQL Injection Cross Site Scripting

2004-05-14 Thread Brandon Harper
I'm jumping a little late into this discussion, but I see a couple of
things which haven't been discussed.

I think you need to do protection against XSS and SQL Injection in
multiple layers.

1.) Web Server / Application Server Layer
2.) Pre-Application Execution
3.) Post User Input / Pre Query

1:

On IIS you can use the Microsoft tool URLScan for this, or the Aqtronix
WebKnight. I believe this capability is built into IIS 6 on Win2K3,
but I haven't used it yet to know for sure.

For Apache, you should check into mod_security. I was pretty happy when
this was released, and use it on my site.

2:

I essentially wrote a custom app which checks various scopes for various
RegExes related to XSS and SQL Injection, which are run from
Application.cfm, as well as the detection of buffer overflow
attempts, etc. If something is violated, we get an e-mail with the
details about it, and the user is redirected gracefully.

3:

Make sure you scrub all user input, including checking the Len(Trim()) of
each parameter to make sure it's not too long. Never trust anything which
is coming in via form, url, cookie, or client variables (such as
CGI.HTTP_USER_AGENT). And as others have mentioned, proper granular
security on databases.

This is a bit on the anal side, but the software I work with requires it.

Note that pretty much all of these solutions assume you have a decent
grasp of writing RegExes, as well as knowing how the various exploits can be
performed.

Thanks,

- Brandon

http://devnulled.com



