I just put the following in my application template to check all urls:
<cfscript>
tmp = urldecode(cgi.query_string);
// remove all opening and closing tags.. (the stripped characters are "<" and ">")
tmp = Replace(tmp, "<", "", "ALL");
tmp = Replace(tmp, ">", "", "ALL");
// remove other...
</cfscript>
good code.
cfabort in application.cfm?
I think I'll do the same.
- Original Message -
From: Andrew Grosset [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Saturday, December 18, 2004 4:36 PM
Subject: Re: Securing CF Apps against SQL Injection Cross Site Scripting
I just put
Would you be willing to share your modded cf_codecleaner custom tag?
Thanks!
MAD
Yes, I did virtually the same except I modified cf_codecleaner to do
the CompareNoCase within the tag, email me the details and cflocation
(I'm going to make a special 500 page as I can't get cfheader to
work
I'm jumping a little late into this discussion, but I see a couple of
things which haven't been discussed.
I think you need to do protection against XSS and SQL Injection in
multiple layers.
1.) Web Server / Application Server Layer
2.) Pre-Application Execution
3.) Post User Input / Pre Query
On IIS you can use the Microsoft tool URLScan for this,
or the Aqtronix Web Knight. I believe this capability
is built into IIS 6 on Win2K3, but I haven't used it
yet to know for sure.
Yes, IIS 6 has an input filter, although it's not exactly the same as
URLScan.
Dave Watts, CTO, Fig Leaf
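As an added example of the third layer above, "Post User Input / Pre Query", and of the cfqueryparam habit mentioned later in this thread: the same lookup written first the way it is vulnerable and then with cfqueryparam. This is illustration code, not anything a poster in this thread wrote; the datasource name "myDSN", the "users" table and its columns are assumed.

```cfml
<!--- Added example, not from the thread. Assumed: datasource "myDSN",
      table "users" with columns id (integer) and name (varchar). --->

<!--- VULNERABLE (kept inside a comment so it never runs): url.id is pasted
      straight into the SQL text, so whatever arrives in the query string
      becomes part of the statement.

      <cfquery name="getUserBad" datasource="myDSN">
          SELECT id, name FROM users WHERE id = #url.id#
      </cfquery>
--->

<!--- HARDENED: cfqueryparam sends the value as a typed bind parameter.
      It is never spliced into the SQL string, and cf_sql_integer makes
      ColdFusion reject anything non-numeric with an "Invalid data" error
      before the query reaches the database. --->
<cfparam name="url.id" default="0">
<cfquery name="getUser" datasource="myDSN">
    SELECT id, name
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same idea for free text: the type and maxlength bound what the database sees. --->
<cfparam name="form.search" default="">
<cfquery name="findUsers" datasource="myDSN">
    SELECT id, name
    FROM users
    WHERE name LIKE <cfqueryparam value="%#form.search#%" cfsqltype="cf_sql_varchar" maxlength="60">
</cfquery>

<!--- The XSS half of the problem is output encoding, which cfqueryparam does
      nothing about: encode on the way out so stored data cannot run as markup. --->
<cfoutput query="findUsers">
    <li>#HTMLEditFormat(name)#</li>
</cfoutput>
```

Two things worth knowing when you adopt this: a bind parameter keeps user text out of the SQL grammar, but inside a LIKE pattern the characters % and _ are still wildcards, so a search field that must not wildcard needs those escaped separately; and HTMLEditFormat on output is what stops a stored "<script>" from running, which no amount of query hardening does.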
CF Apps against SQL Injection Cross Site Scripting
good ideas, all. Thanks for sharing!
Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
Ian Vaughan wrote:
How could I prevent
?name=<script>alert('hi!');</script>
this type of input being added to the URL in Coldfusion ??
You can never prevent a visitor from adding things to a URL, you
can only design your application to respond properly to what has
been added to a URL. That
://msdn.microsoft.com/security/understanding/overview/default.aspx?pull=/msdnmag/issues/02/09/securitytips/default.aspx
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: 13 May 2004 10:42
To: CF-Talk
Subject: Re: Securing CF Apps against SQL Injection Cross Site
Scripting
On Friday 07 May 2004 00:01 am, Andrew Grosset wrote:
Works great in IE, but Mozilla Firebird ignores cfheader and displays the
*Really* ?!?
:tests
Bonkers.
I'd stick a cfabort in after the cfheader, just to be sure anyway.
--
Tom Chiverton
Advanced ColdFusion Programmer
Tel: +44(0)1749
On Thursday 06 May 2004 01:29 am, Andrew Grosset wrote:
same as the scrubbed result (tmp). If caller.check GT 0 then I email myself
the details and throw them out to google!
Why not return a 500 (or other permanent) HTTP error ?
--
Tom Chiverton
Advanced ColdFusion Programmer
Tel: +44(0)1749
Yes, that would be a better solution.
Why not return a 500 (or other permanent) HTTP error ?
--
Tom Chiverton
Advanced ColdFusion Programmer
When checking the query string I also decode it like this:
#urldecode(cgi.query_string)#
this is to escape any HTML escaped encoding
OK, I know a stupid answer is coming up for this question. I downloaded the CodeCleaner. How do I use it? Do I add it to my application.cfm? If so, how do I? And what is the tag line in the form?
Jim
CodeCleaner is an absolutely fantastic tag. Runs like lightning. I
use cfqueryparam but nonetheless I
Jim wrote:
How do I use it?
For just a form var it's completely painless. CodeCleaner is just a custom tag, so you either put it into the current folder or the custom tags folder. Then, on a form post page you would validate all of your form fields with it. I do it in a block like you see below. Each
Why not return a 500 (or other permanent) HTTP error ?
Yes, that would be a better solution.
My turn for a dumb question: Would this be all there is to it?
<cfif test condition not met>
<cfheader statuscode="500" statustext="Server Error">
</cfif>
--Matt Robertson--
MSB Designs, Inc.
http://mysecretbase.com
What does codecleaner do? And where do I find it?
Jim wrote:
How do I use it?
For just a form var it's completely painless. CodeCleaner is just a
custom tag, so you either put it into the current folder or the custom
tags folder. Then, on a form post page you would validate all of your
form
John wrote:
What does codecleaner do? And where do I find it?
http://tinyurl.com/2vo8k
--
---
Matt Robertson,[EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
---
--
Works great in IE, but Mozilla Firebird ignores cfheader and displays the page as normal...
My turn for a dumb question: Would this be all there is to it?
<cfif test condition not met>
<cfheader statuscode="500" statustext="Server Error">
</cfif>
--Matt Robertson--
MSB Designs, Inc.
Andrew Grosset wrote:
Works great in IE, but Mozilla Firebird ignores cfheader and displays
the page as normal...
I put in cfabort right afterwards :D
Here's the whole test I'm using. I put this into application.cfm and, as you say, it only eats a max of 15ms.
cfset
I would like to emphasise reading Understanding the cause and effect of CSS (XSS) Vulnerabilities at http://www.technicalinfo.net/papers/CSS.html as recommended previously by Dave Watts.
If you weren't paranoid about XSS before reading this article you might be after! Besides the obvious dangers
CodeCleaner is an absolutely fantastic tag. Runs like lightning. I use cfqueryparam but nonetheless I still scrub form inputs with it.
What did you need to modify in CodeCleaner to make it scrub urls? I glanced at it very quickly and it seems like it'll take whatever you feed it.
--
I'm checking to see whether the original input (attributes.input) is the same as the scrubbed result (tmp). If caller.check GT 0 then I email myself the details and throw them out to google!
My theory being is if somebody is playing with the urls I don't want to show them the scrubbed result (in
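Pulling together the pieces this thread settles on (URLDecode the query string once, strip the characters the scrubber never wants, compare the original against the scrubbed copy, then cfheader 500 followed by cfabort so that Firebird and friends stop too), here is an added Application.cfm check. It is my illustration, not Andrew's or Matt's code and not CodeCleaner; the function name scrubInput, the log file name "inputcheck" and the extension of the same test to the FORM scope are my own additions.

```cfml
<!--- Added example for Application.cfm; not the thread's own code and not CodeCleaner.
      scrubInput and the "inputcheck" log name are assumptions for this illustration. --->

<cffunction name="scrubInput" returntype="string" output="false">
    <cfargument name="str" type="string" required="true">
    <!--- Drop anything that could open or close a tag, then the URL schemes
          browsers will execute; ReReplaceNoCase also catches mixed case like jAvAsCrIpT: --->
    <cfset var out = Replace(arguments.str, "<", "", "ALL")>
    <cfset out = Replace(out, ">", "", "ALL")>
    <cfset out = ReReplaceNoCase(out, "(javascript|vbscript):", "", "ALL")>
    <cfreturn out>
</cffunction>

<!--- Decode exactly once so %3C is seen as the "<" that the URL scope will hold.
      A second pass would also unwrap double-encoded values that ColdFusion
      itself never decodes, so the check would no longer match what the page sees. --->
<cfset rawQuery = URLDecode(CGI.query_string)>
<cfset rejected = CompareNoCase(rawQuery, scrubInput(rawQuery)) NEQ 0>

<!--- Posted fields get the same treatment (this is what running CodeCleaner
      on every form field achieves). --->
<cfif NOT rejected>
    <cfloop collection="#FORM#" item="fieldName">
        <cfif CompareNoCase(FORM[fieldName], scrubInput(FORM[fieldName])) NEQ 0>
            <cfset rejected = true>
        </cfif>
    </cfloop>
</cfif>

<!--- Scrubbing changed something, so the request carried characters this site
      never wants to execute or echo: log who and what, answer with a hard error,
      and stop. cfabort is what actually ends the request for browsers that
      render the page regardless of the status header. --->
<cfif rejected>
    <cflog file="inputcheck" type="warning"
           text="Rejected #CGI.request_method# #CGI.script_name# from #CGI.remote_addr#: #rawQuery#">
    <cfheader statuscode="500" statustext="Server Error">
    <cfabort>
</cfif>
```

This is a coarse gate in front of the application, not a replacement for cfqueryparam on every query and HTMLEditFormat on every output. Stripping "<" and ">" also rejects legitimate input such as "a<b" in a comment field, so either scope the check to parameters where that is acceptable or run it in log-only mode first; the log line with the raw query string is what tells you whether the filter fires on attacks or on your own users.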