Since nobody else seems to have responded, I'll give it a quick pass. Data from forms needs to be validated. Regular expressions on the server side do this nicely (including dealing with sql insertion attack), if you construct them carefully. You can also check for the referring page to be sure it comes from your server. Yes, that means one set of validating scripts for the client before submission and another on the action page to filter attacks. Slower? A little. Safer? Oh yes!
Javascript is indeed generally safe in and of itself. Most of the egregious security holes have long since been patched. But that doesn't mean proprietary implementations won't open new holes. The major holes now are in html email. Attacks through forms don't usually use javascript, other scripts or commands are sent thru the forms. For a quick fix you might yu might look at "Hack Proofing Your Web Application", Jeff Forristal and Julie Traxler, Syngress Press. And for hacking itself, the old reliable "Hacking Exposed" which may now be in a 3 edition from Osborne. Lots of good web references as well, but watch the source. andy -----Original Message----- From: Cornillon, Matthieu [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 26, 2002 4:09 PM To: CF-Talk Subject: security: attacks through submission of script Hi. I am evaluating the security of my application as regards malicious attack via manipulation of the Cookie, URL, or Form variables. I know about the business with submission of unauthorized SQL statements, and have already screened for it. But then there is the issue of unauthorized script insertion. For example, if a form asks for a value (FormVar) and the action page displays that value (<CFOUTPUT>#Form.FormVar#</CFOUTPUT>), the educated user can submit things other than those intended, causing interesting results. If they enter <font color="red">Check this out!</font>, the next page will display Check this out! in red letters. I have also successfully passed JavaScript like this. Going on my basic (and hopefully correct) assumption that JavaScript is set up so that it cannot (a) harm the user's machine or (b) harm the server, I am not going to worry about this, since the worst a user will do is pass themselves a JavaScript routine that produces an error. That is fine for client-side scripting, but I am worried about server-side scripting. Submission of ColdFusion code through these variables shouldn't matter, since it won't appear in the template until after ColdFusion processing has occurred, meaning that the inserted code itself will not be processed. Are there any other scripting languages, though, that would be evaluated on the server side AFTER the CFAS processes the template? Thanks, Matthieu ______________________________________________________________________ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/[email protected]/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
