Here's something I've written. It scans incoming form variables for SQL
injection code. It has a couple of shortcomings, but it's a start, anyway.
One shortcoming is that if you legitimately have something like "John has run
to the store; selecting the pigs was most difficult", that will trigger the
alarm as there is a "select" after a semicolon.
Also, if your site is hit you could receive 5,000 emails in 10 minutes, which
would kinda suck (it's happened), but hey, at least you'd know there's a worm
hitting your site.
- Andrew.
<!--- function antiSQLInjection() --->
<cffunction name="antiSQLInjection" access="public" returntype="void"
    hint="Looks for suspicious SQL injection-like behaviour. Optionally sends an email and/or displays the information on screen, then cfaborts if this behaviour is found.">
    <cfargument name="emailTo" type="string" required="false" default=""
        hint="email address if we want to email issues" />
    <cfargument name="showMessage" type="boolean" required="false" default="false"
        hint="set to true if we want to show a message to the end user." />
    <cfargument name="sendEmail" type="boolean" required="false" default="true"
        hint="set to true if we want to send an email to emailTo (or request.config.FailToEmail)." />
    <cfargument name="log" type="boolean" required="false" default="true"
        hint="set to true if we want to log issues." />
    <cfscript>
        var hackAttempted = false;
        var hackAttempted_form = "";   // name of the first form variable that looked bad, if any
        var emailTo_local = arguments.emailTo;
        var mailBody = "";
        var varName = "";              // loop item for the form collection (var'd so it stays local)

        // Use request.config.FailToEmail as the default email address
        if ((emailTo_local is "") and arguments.sendEmail
                and isDefined("REQUEST.config.FailToEmail")
                and (request.config.failToEmail is not ""))
            emailTo_local = request.config.failToEmail;

        // Don't try to send an email if we don't have a valid "to" address.
        // Scoped explicitly so the later <cfif arguments.sendEmail> sees the change.
        if (arguments.sendEmail and (emailTo_local is "")) arguments.sendEmail = false;
    </cfscript>
    <cftry>
        <!--- Check URL --->
        <cfif isDefined("cgi.query_string") and (not isStringClean(cgi.query_string))>
            <cfset hackAttempted = true />
        </cfif>

        <!--- Check each form variable; stop at the first one that fails --->
        <cfif (not hackAttempted) and isDefined("form")>
            <cfloop collection="#form#" item="varName">
                <cfif not isStringClean(form[varName])>
                    <cfset hackAttempted = true />
                    <cfset hackAttempted_form = varName /> <!--- so we know which form variable was bad --->
                    <cfbreak />
                </cfif>
            </cfloop>
        </cfif>

        <cfif hackAttempted>
            <cfif arguments.log>
                <cflog application="true" file="antiSQLInjection" type="warning"
                    text="#cgi.remote_addr# #cgi.script_name#&#cgi.query_string# hackattempted_form: #hackAttempted_form#" />
            </cfif>

            <cfif arguments.showMessage or arguments.sendEmail>
                <!--- Request data is attacker-controlled: htmlEditFormat() it so the report
                      itself cannot render as markup on screen or in the HTML mail --->
                <cfsavecontent variable="mailBody">
                    <cfoutput>
                        <h1>HACK ATTEMPT RECORDED FROM IP: #cgi.remote_addr#</h1>
                        #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")#<br />
                        #htmlEditFormat(cgi.script_name)#&#htmlEditFormat(cgi.query_string)#<br />
                        <cfif hackAttempted_form is not "">
                            Form variable #htmlEditFormat(hackAttempted_form)# compromised.<br />
                        </cfif>
                        <cfif isDefined("cgi.http_referer")>HTTP_REFERER: #htmlEditFormat(cgi.http_referer)#<br /></cfif>
                    </cfoutput>
                </cfsavecontent>
            </cfif>

            <cfif arguments.showMessage>
                <cfoutput>#mailBody#</cfoutput>
            </cfif> <!--- arguments.showMessage --->

            <cfif arguments.sendEmail>
                <cfif structKeyExists(request, "email_SMTPServer") and (request.email_SMTPServer is not "")>
                    <cfmail to="#emailTo_local#" from="#emailTo_local#" server="#request.email_SMTPServer#"
                        subject="HACK ATTEMPT FROM IP: #cgi.remote_addr#" type="HTML">
                        #mailBody#
                    </cfmail>
                <cfelse>
                    <cfmail to="#emailTo_local#" from="#emailTo_local#"
                        subject="HACK ATTEMPT FROM IP: #cgi.remote_addr#" type="HTML">
                        #mailBody#
                    </cfmail>
                </cfif> <!--- request.email_SMTPServer set --->
            </cfif> <!--- arguments.sendEmail --->

            <cfabort />
        </cfif> <!--- hackAttempted --->

        <cfcatch type="any">
            <!--- Security.antiSQLInjection() error --->
            <cfset request.logger.handleError(cfcatch) />
        </cfcatch>
    </cftry>
</cffunction> <!--- antiSQLInjection() --->

<!--- function isStringClean() --->
<cffunction name="isStringClean" access="public" returntype="boolean" output="false"
    hint="Takes in a string and returns true if it appears clean, false otherwise.">
    <cfargument name="stringIn" type="string" required="false" default="" hint="String to check" />
    <cfscript>
        var stringIsClean = true;
        var i_semicolon = find(";", arguments.stringIn);   // 0 when there is no semicolon

        // Only SQL keywords that appear after a semicolon (statement separator) are flagged,
        // so a keyword on its own, or before the semicolon, passes.
        if (i_semicolon and
            REFindNoCase("(select)|(execute)|(declare)|(varchar)|(convert)|(update)|(delete)|(drop)",
                arguments.stringIn, i_semicolon))
            stringIsClean = false;

        // Check for cross-site scripting
        if (stringIsClean and findNoCase("<script", arguments.stringIn)) stringIsClean = false;

        return stringIsClean;
    </cfscript>
</cffunction> <!--- isStringClean() --->
On 2010-07-24, at 07:00, Will Tomlinson wrote:
>
> I'm building a form cleaner utility method that might help thwart some XSS,
> clean my fields up, etc. Know I can't stop it all. Didn't see anything on
> riaforge exactly like what I'm lookin for here.
>
> Here's what I've got so far. Anyone have anything to add?
>
> <cffunction name="cleanFormFields" access="public" output="false" returntype="struct">
>     <cfargument name="formStruct" type="struct" required="true">
>     <!--- local var named "cleaned", not "form": a local "form" would shadow the form scope --->
>     <cfset var cleaned = structNew()>
>     <cfset var thisField = "">
>     <cfloop list="#arguments.formStruct.fieldnames#" index="thisField">
>         <cfset cleaned[thisField] = trim(arguments.formStruct[thisField])>
>         <cfset cleaned[thisField] = htmlEditFormat(cleaned[thisField])>
>     </cfloop>
>
>     <!--- debugging output; left commented out so the function actually returns --->
>     <!--- <cfdump var="#cleaned#"><cfabort> --->
>
>     <cfreturn cleaned>
> </cffunction>
>
>
>
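As an added example that is not part of Andrew's or Will's posts: the CFML below exercises Andrew's isStringClean() on a few constructed strings (including the false positive he describes, and a keyword with no semicolon before it, which the check lets through), then shows antiSQLInjection() running ahead of a query whose value is bound with cfqueryparam. The parameter binding goes beyond what the thread covers and is the part that actually prevents injection; the pattern check is only an early warning. The include file name security.cfm, application.dsn, the users table and the username form field are all assumptions of this example.

```cfml
<!--- Added example; assumes antiSQLInjection() and isStringClean() are in security.cfm (assumed file name) --->
<cfinclude template="security.cfm" />

<cfscript>
    // Constructed inputs and the value isStringClean() returns for each.
    expected = structNew();
    expected["John has run to the store; selecting the pigs was most difficult"] = false; // false positive: "select" after ";"
    expected["abc; select 1"] = false;                       // flagged: SQL keyword after a semicolon
    expected["select * from anything"] = true;               // not flagged: keyword, but no semicolon before it
    expected["hello <script>x</script>"] = false;            // flagged by the "<script" check
    expected["plain text; nothing suspicious here"] = true;  // semicolon, but no keyword after it

    for (s in expected) {
        result = isStringClean(s);
        if (result eq expected[s]) verdict = "as expected"; else verdict = "UNEXPECTED";
        // htmlEditFormat() so the sample text is shown literally rather than rendered as markup
        writeOutput("isStringClean(""" & htmlEditFormat(s) & """) = " & result & " (" & verdict & ")<br />");
    }
</cfscript>

<!--- Run the detector before the query: an obviously bad request is logged and aborted without
      reaching the database. The real protection is the cfqueryparam binding below, which sends
      the value as a parameter rather than as SQL text, so it holds even when the regex misses. --->
<cfset antiSQLInjection(sendEmail = false, showMessage = false, log = true) />

<cfif structKeyExists(form, "username")>
    <!--- application.dsn, the users table and its columns are assumed for this example --->
    <cfquery name="getUser" datasource="#application.dsn#">
        SELECT id, username
        FROM   users
        WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50" />
    </cfquery>
</cfif>
```

The first block prints one line per sample so the false positive and the unflagged keyword are visible side by side; the second block is the shape a page that uses these functions should take, with the regex check as defence in depth in front of a parameterised query rather than as the only control.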
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335692