2

I inherited some legacy ColdFusion code, and about a year ago my site was hit with XSS and SQL injection.

This caused me to validate incoming inputs as well as to include a setting of ScriptProtect="all" in my Application.cfm file. I had it scanned and it came up clean.

Recently I had it scanned again and it came up with many vulnerabilities, in particular one where a script was embedded in the URL.

For example, this was attached to a URL:

?’A<style > a(font0family:expression(alert(2424)))</style>

which embedded hidden JavaScript. How would one use a ColdFusion function such as URLencode() in the Application.cfm file to detect/prevent this sort of XSS attack?

James A Mohler
  • Are you using any URL parameters in your ColdFusion application? If not, then you could do something like clearing out the entire URL scope in your Application.cfm file before any CF pages are processed. Something like `` – Miguel-F Dec 04 '13 at 21:44
  • Which version of ColdFusion are you running on? – James A Mohler Dec 05 '13 at 04:57
  • I'm running ColdFusion 9.0.1 I believe .... – user3067236 Dec 05 '13 at 19:43
  • Hi Miguel, so I would just have to add this to my Application.cfm file and it will clear the URL of hazardous characters?? – user3067236 Dec 05 '13 at 19:45
  • Hi Miguel, I placed the code you suggested in my .cfm file and it seems to work ... but the only problem is that now my queries don't work .... – user3067236 Dec 05 '13 at 19:55
  • But thank you for sending me on the right track ... I'll investigate this function ... maybe I'll have to rewrite my code to account for this? – user3067236 Dec 05 '13 at 20:01

1 Answer

2

There are a few specific things you can do, depending on the nature of the attacks and the type of application. The following are what I would consider to be "the big three". The first is to turn on "Enable Global Script Protection" in the "Settings" area of the ColdFusion Administrator.

The second, and this is extremely important for SQL injection, is to use <cfqueryparam> with strict typing on any variable used in your queries. For example:

<cfqueryparam cfsqltype="cf_sql_integer" value="#my_integer#">

In a script-based query this would be accomplished by:

<cfscript>
// Build the query object against the application's datasource
qget = new query(datasource=my_datasource);
// Bind url.my_id as a typed parameter; a non-integer value is rejected before the SQL runs
qget.addParam(name='my_integer', value=url.my_id, cfsqltype='cf_sql_integer');
// The :my_integer placeholder is filled from the bound parameter, never by string concatenation
qresult = qget.execute(sql='
    SELECT * FROM my_table
    WHERE id = :my_integer
').getResult();
</cfscript>

The third depends on whether you are serving JSON from your application via an API or an internal call. Enabling the "Prefix Serialized JSON" setting in the CF Administrator, with a prefix of your choice, can help with cross-site scripting attacks as well.

If you're not on an Adobe CF server, no worries. Both Railo and BlueDragon have equivalent features.

JClausen
  • Also, never output user provided input to the screen without scrubbing it with functions such as `htmlEditFormat()` – Scott Stroz Dec 05 '13 at 00:27
  • Thank you for your response! ..... Yes, I'm currently doing input validation ... my problem right now is when the script is in the URL ... I was wondering how to detect it at the URL level ... someone told me about URLencode but I don't seem to know how to use it ... I was thinking that it would be in my Application.cfm file, where I can validate the URL – user3067236 Dec 05 '13 at 19:47
  • The above should basically eliminate the danger of SQL injection or XSS, but maybe I'm not understanding the crux of the matter. Could you explain how those URL strings are causing problems in your app, once the above are taken care of? If you want a quick fix, you can always look over the URL structure in your Application.cfm and use HTMLEditFormat() to sanitize the variable. – JClausen Dec 06 '13 at 02:21
  • Yes, my problem is when extra hazardous characters are attached to the URL ... so I want to catch it in the Application.cfm file and inspect the URL ... I don't seem to see the command to capture the URL ..... Do you have an example of how to use that and look over the URL structure in the Application.cfm while utilizing HTMLEditFormat? – user3067236 Dec 07 '13 at 22:27
  • Sure: (sorry, formatting doesn't work in comments) – JClausen Dec 07 '13 at 23:38
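The thread ends with a "loop over the URL scope in Application.cfm" suggestion whose code never made it into the comments. The following is one way to put the answer and the comment thread together. It is an added example, not code from the question, the answer or any commenter, and the parameter names (id, page, q), the datasource my_datasource, the table my_table and the file names are all invented for the example. Two points the thread circles around are worth making explicit. First, clearing or HTML-encoding the URL scope in Application.cfm is what broke the questioner's queries: the raw values are still needed for cfqueryparam, so Application.cfm should only validate against an allow-list and drop what it does not recognise, and the HTML encoding belongs at the point where the value is written into the page. Second, scriptProtect only rewrites a fixed list of tags (script, object, embed, applet, meta), which is why the scanner's <style> payload passed straight through it. The function the questioner has in mind is URLEncodedFormat(); its job is to encode values you place into URLs you build, not to sanitise URLs that arrive.

```cfml
<!--- File: Application.cfm
      Allow-list and type-check the URL scope before any page runs.
      Added example; parameter names, datasource and table are assumptions. --->
<cfapplication name="legacyApp" scriptProtect="all">

<cfscript>
// Every URL parameter the application actually uses, with the type it must satisfy.
allowedParams = { id = "integer", page = "integer", q = "string" };

// Snapshot the keys first: deleting from the URL scope while iterating it is unsafe.
keys = structKeyArray(url);
for (i = 1; i LTE arrayLen(keys); i++) {
    key = keys[i];

    // Unknown parameter (for example the scanner's ?'A<style>... key): drop it.
    if (NOT structKeyExists(allowedParams, key)) {
        structDelete(url, key);
        continue;
    }

    // Integer parameters must be integers; refuse the request otherwise.
    if (allowedParams[key] EQ "integer" AND NOT isValid("integer", url[key])) {
        throw(type = "InvalidRequest", message = "URL parameter '#key#' must be an integer.");
    }

    // Free-text parameters: cap the length. They are NOT HTML-encoded here, because
    // the raw value is still needed for cfqueryparam; encoding happens at output time.
    if (allowedParams[key] EQ "string" AND len(url[key]) GT 100) {
        throw(type = "InvalidRequest", message = "URL parameter '#key#' is too long.");
    }
}
</cfscript>

<!--- File: somepage.cfm
      Parameterised query plus output encoding (assumed datasource and table). --->
<cfparam name="url.id" default="0" type="integer">
<cfparam name="url.q"  default="">

<!--- cfqueryparam sends the value separately from the SQL text, so an input such as
      5' OR 1=1 is rejected as a non-integer instead of being spliced into the statement. --->
<cfquery name="qget" datasource="my_datasource">
    SELECT id, title
    FROM   my_table
    WHERE  id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
</cfquery>

<!--- Encode at the point of output. HTMLEditFormat turns < > & and " into entities,
      so <style>...expression(alert(2424))...</style> is rendered as literal text.
      It leaves the single quote alone, so use it only inside element content or
      double-quoted attributes; on ColdFusion 10 and later prefer EncodeForHTML().
      URLEncodedFormat is for values you put INTO a URL you build, as in the link below. --->
<cfoutput>
    <p>Results for "#HTMLEditFormat(url.q)#":</p>
    <ul>
    <cfloop query="qget">
        <li><a href="detail.cfm?id=#URLEncodedFormat(qget.id)#">#HTMLEditFormat(qget.title)#</a></li>
    </cfloop>
    </ul>
</cfoutput>
```

With this in place the scanner's payload is handled twice over: the key it invents is not on the allow-list, so Application.cfm discards it, and any text that does reach the page is entity-encoded before the browser sees it, while the queries keep receiving the raw, typed values they need.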