ColdFusion Talk (CF-Talk) mailing list
Securing ColdFusion Apps against SQL Injection & Cross Site Scripting
Author: Eric Dawson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#188157
good code.
cfabort in application.cfm?
I think I'll do the same.
----- Excess quoted text cut - see Original Post for more -----
Author: Andrew Grosset
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#188153
I just put the following in my application template to check all urls:
<cfscript>
// decode first so %3c etc. are scrubbed as well; keep the decoded copy
// so the comparison below is made on like with like
original = urldecode(cgi.query_string);
tmp = original;
// remove all opening and closing tags..
tmp = Replace(tmp, "<", "", "ALL");
tmp = Replace(tmp, ">", "", "ALL");
// remove other...
// [ and ] have to be handled separately
other="[\(){}]";
tmp = REReplace(tmp,other,"","ALL");
tmp = Replace(tmp,"[","","ALL");
tmp = Replace(tmp,"]","","ALL");
tmp = Replace(tmp,"+","","ALL");
tmp = Replace(tmp,"*","","ALL");
// keyword strips match substrings too, so e.g. "exec" or "executive" trip the check
tmp = ReplaceNoCase(tmp,"DROP","","ALL");
tmp = ReplaceNoCase(tmp,"DELETE","","ALL");
tmp = ReplaceNoCase(tmp,"exe","","ALL");
</cfscript>
<!--- compare the decoded original with the scrubbed copy (comparing the raw,
      still-encoded cgi.query_string would flag every legitimate %20);
      CompareNoCase returns -1, 0 or 1, so test for NEQ 0 rather than GT 0 --->
<cfif CompareNoCase(original,tmp) NEQ 0>
<!--- cfmail tag can go here...... --->
<cfabort>
</cfif>
>Would you be willing to share your modded cf_codecleaner custom tag?
>
>Thanks!
>MAD
Author: Michael Dawson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#187934
Would you be willing to share your modded cf_codecleaner custom tag?
Thanks!
MAD
----- Excess quoted text cut - see Original Post for more -----
> other="[\(){}]";
> tmp = REReplace(tmp,other,"","ALL");
> tmp = Replace(tmp,"[","","ALL");
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#163289
> On IIS you can use the Microsoft tool URLScan for this,
> or the Aqtronix Web Knight. I believe this capability
> is built into IIS 6 on Win2K3, but I haven't used it
> yet to know for sure.
Yes, IIS 6 has an input filter, although it's not exactly the same as
URLScan.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Brandon Harper
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#163285
I'm jumping a little late into this discussion, but I see a couple of
things which haven't been discussed.
I think you need to do protection against XSS and SQL Injection in
multiple layers.
1.) Web Server / Application Server Layer
2.) Pre-Application Execution
3.) Post User Input / Pre Query
1:
On IIS you can use the Microsoft tool URLScan for this, or the Aqtronix
Web Knight. I believe this capability is built into IIS 6 on Win2K3,
but I haven't used it yet to know for sure.
For Apache, you should check into mod_security. I was pretty happy when
this was released, and use it on my site.
2:
I essentially wrote a custom app which checks various scopes for various
RegEx's related to XSS and SQL Injection which are run from
Application.cfm, as well as the detection of buffer overflow
attempts, etc. If something is violated, we get an e-mail with the
details about it, and the user is redirected gracefully.
3:
Make sure you scrub all user input, including checking the Len(Trim()) of
each parameter to make sure it's not too long. Never trust anything which
is coming in via form, url, cookie, or client variables (such as
CGI.HTTP_USER_AGENT). And as others have mentioned, proper granular
security on databases.
This is a bit on the anal side, but the software I work with requires it.
Note that pretty much all of these solutions assume you have a decent
grasp of writing RegEx's, as well as know how the various exploits can be
performed.
Thanks,
- Brandon
http://devnulled.com
Author: Ian Vaughan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#163033
Such as using regex etc to stop html tags being added to the URL.
If you take a look at the article below on MSDN, you will see that they
suggest using regex, and using HTML encode all input when it is used as
output to prevent cross site scripting, buffer overflows etc.
http://msdn.microsoft.com/security/understanding/overview/default.aspx?pull=/msdnmag/issues/02/09/securitytips/default.aspx
________________________________
Sent: 13 May 2004 10:42
To: CF-Talk
Subject: Re: Securing CF Apps against SQL Injection & Cross Site Scripting
Ian Vaughan wrote:
> How could I prevent
>
> ?name=<script>alert('hi!');</script>
>
> this type of input being added to the URL in Coldfusion ??
You can never prevent a visitor from adding things to a URL, you
can only design your application to respond properly to what has
been added to a URL. That means you first have to define what a
proper response would be and after that we might be able to help
you code for it.
Jochem
--
I don't get it
immigrants don't work
and steal our jobs
- Loesje
________________________________
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#163032
Ian Vaughan wrote:
> How could I prevent
>
> ?name=<script>alert('hi!');</script>
>
> this type of input being added to the URL in Coldfusion ??
You can never prevent a visitor from adding things to a URL, you
can only design your application to respond properly to what has
been added to a URL. That means you first have to define what a
proper response would be and after that we might be able to help
you code for it.
Jochem
--
I don't get it
immigrants don't work
and steal our jobs
- Loesje
Author: Ian Vaughan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#163031
How could I prevent
?name=<script>alert('hi!');</script>
this type of input being added to the URL in Coldfusion ??
Any ideas on how to prevent this ??
________________________________
Sent: 07 May 2004 07:44
To: CF-Talk
Subject: RE: Securing CF Apps against SQL Injection & Cross Site Scripting
good ideas, all. Thanks for sharing!
--------------------------------------------
Matt Robertson matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
--------------------------------------------
________________________________
Author: Thomas Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162509
> Works great in IE, but Mozilla Firebird ignores cfheader and displays the
*Really* ?!?
:tests
Bonkers.
I'd stick a cfabort in after the cfheader, just to be sure anyway.
--
Tom Chiverton
Advanced ColdFusion Programmer
Tel: +44(0)1749 834997
email: tom.chiverton@bluefinger.com
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.
*** This E-mail contains confidential information for the addressee
only. If you are not the intended recipient, please notify us
immediately. You should not use, disclose, distribute or copy this
communication if received in error. No binding contract will result from
this e-mail until such time as a written document is signed on behalf of
the company. BlueFinger Limited cannot accept responsibility for the
completeness or accuracy of this message as it has been transmitted over
public networks.***
Author: Matt Robertson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162505
good ideas, all. Thanks for sharing!
--------------------------------------------
Matt Robertson matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
--------------------------------------------
Author: Andrew Grosset
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162497
----- Excess quoted text cut - see Original Post for more -----
> Matt Robertson, matt@mysecretbase.com
> MSB Designs, Inc. http://mysecretbase.com
> -------------------------------------------
>
--
Yes, I did virtually the same except I modified cf_codecleaner to do the
CompareNoCase within the tag, email me the details and cflocation (I'm going to
make a "special" 500 page as I can't get cfheader to work with all browsers -
notably cfheader, and do away with cflocation). This keeps the application.cfm
less "cluttered" as I can then do all the business within one line of code in
application.cfm.
Also I use #urldecode(cgi.query_string)# as otherwise %3c (percent 3 c) will not
be scrubbed (also applies to all other HTML escaped encoding).
Within the script tags I also added:
// remove other...
// [ and ] have to be handled separately
other="[\(){}]";
tmp = REReplace(tmp,other,"","ALL");
tmp = Replace(tmp,"[","","ALL");
tmp = Replace(tmp,"]","","ALL");
tmp = Replace(tmp,"+","","ALL");
tmp = Replace(tmp,"*","","ALL");
It's pretty consistent at around 15-16ms which is good.
regards,
Andrew.
Author: Matt Robertson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162492
Andrew Grosset wrote:
>Works great in IE, but Mozilla Firebird ignores cfheader and displays
>the page as normal...
I put in <cfabort> right afterwards :D
Here's the whole test I'm using. I put this into application.cfm and, as you
say, it only eats a max of 15ms.
<cfset variables.ThisURLVar=cgi.script_name&cgi.query_string>
<CF_CodeCleaner INPUT="#variables.thisurlvar#">
<cfset variables.Cleanurl=clean_code>
<cfif CompareNoCase(variables.thisurlvar,variables.Cleanurl)>
<cfheader statuscode="500" statustext="Server Error">
<cfabort>
</cfif>
--
-------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------
--
Author: Andrew Grosset
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162491
Works great in IE, but Mozilla Firebird ignores cfheader and displays the page as
normal...
----- Excess quoted text cut - see Original Post for more -----
Author: Matt Robertson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162480
John wrote:
>what codecleaner does? and where do I find it?
http://tinyurl.com/2vo8k
--
-------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------
--
Author: John Ho
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162478
what codecleaner does? and where do I find it?
----- Excess quoted text cut - see Original Post for more -----
> Matt Robertson, matt@mysecretbase.com
> MSB Designs, Inc. http://mysecretbase.com
> -------------------------------------------
>
--
Author: Matt Robertson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162472
>>Why not return a 500 (or other permanent) HTTP error ?
>Yes, that would be a better solution.
My turn for a dumb question: Would this be all there is to it?
<cfif test condition not met>
<cfheader statuscode="500" statustext="Server Error">
</cfif>
--Matt Robertson--
MSB Designs, Inc.
http://mysecretbase.com
Author: Matt Robertson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162467
Jim wrote:
>How do I use it?
For just a form var it's completely painless. CodeCleaner is just a custom tag,
so you either put it into the current folder or the custom tags folder. Then, on
a form post page you would validate all of your form fields with it. I do it in
a block like you see below. Each call takes only a smidgen of time:
<!--- check and clean the form vars --->
<CF_CodeCleaner INPUT="#form.FirstName#"><cfset form.FirstName=clean_code>
<CF_CodeCleaner INPUT="#form.LastName#"><cfset form.LastName=clean_code>
<CF_CodeCleaner INPUT="#form.EmailAddr#"><cfset form.EmailAddr=clean_code>
<CF_CodeCleaner INPUT="#form.MailAddr#"><cfset form.MailAddr=clean_code>
<CF_CodeCleaner INPUT="#form.MailCity#"><cfset form.MailCity=clean_code>
<CF_CodeCleaner INPUT="#form.MailState#"><cfset form.MailState=clean_code>
<CF_CodeCleaner INPUT="#form.MailZIP#"><cfset form.MailZIP=clean_code>
--
-------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------
--
Author: Jim Louis
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162451
OK, I know a stupid answer is coming up for this question. I downloaded the
Codecleaner. How do I use it? Do I add it to my application.cfm? If so, how do
I? And what is the tag line in the form?
Jim
----- Excess quoted text cut - see Original Post for more -----
> Matt Robertson, matt@mysecretbase.com
> MSB Designs, Inc. http://mysecretbase.com
> -------------------------------------------
>
--
Author: Andrew Grosset
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162424
When checking the query string I also decode it like this:
#urldecode(cgi.query_string)#
this is to escape any HTML escaped encoding....
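Andrew's decode-then-scrub check (this post, his earlier one with the extra Replace lines, and the full application template script at the top of the thread) written out in Python as an added example; it is not code from the thread. Two details differ from the posted CFML: the comparison is made against the decoded original rather than the raw query string, so a legitimate %20 does not by itself trip the check, and decoding repeats until the text stops changing, so a double-encoded %253C is seen as "<". The character and keyword lists are the thread's; the 500 response and the round limit are assumptions.

```python
# Added example, not the thread's code: the "decode, scrub, compare" check
# from Application.cfm in Python. Differences from the posted CFML:
#   1. the comparison is against the *decoded* original, so a legitimate
#      "%20" in the query string does not by itself trip the check;
#   2. decoding repeats until the text stops changing, so a double-encoded
#      "%253C" is seen as "<" and caught.
import re
from urllib.parse import unquote_plus

# The characters and keywords the thread's filter strips. "+" is already
# turned into a space by decoding (as CF's URLDecode does), so only an
# encoded %2B survives to this point.
STRIP_CHARS = re.compile(r"[<>\[\](){}+*]")
STRIP_WORDS = re.compile(r"drop|delete|exe", re.IGNORECASE)


def fully_decode(s, max_rounds=5):
    """Percent-decode until a fixed point; bounded so crafted input cannot loop."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scrub(s):
    """Remove everything on the strip lists (same effect as the CFML Replace calls)."""
    return STRIP_WORDS.sub("", STRIP_CHARS.sub("", s))


def check_query_string(raw_query):
    """Verdict for one request: 'suspicious' is True if scrubbing changed anything."""
    decoded = fully_decode(raw_query)
    cleaned = scrub(decoded)
    # case-insensitive inequality, i.e. CompareNoCase(...) NEQ 0
    return {"decoded": decoded, "cleaned": cleaned,
            "suspicious": cleaned.lower() != decoded.lower()}


def respond(raw_query):
    """Status the front controller would send (assumed: 500 and abort, else carry on)."""
    return 500 if check_query_string(raw_query)["suspicious"] else 200
```

Because the keyword strips match substrings, a value such as dept=executive is reported too (the "exe" inside it is removed); that is the trade-off of the approach, and the e-mail step is where you notice it.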
Author: Andrew Grosset
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162420
Yes, that would be a better solution.
>Why not return a 500 (or other permanent) HTTP error ?
>
>--
>Tom Chiverton
>Advanced ColdFusion Programmer
Author: Thomas Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162408
> same as the scrubbed result (tmp). If caller.check GT 0 then I email myself
> the details and throw them out to google!
Why not return a 500 (or other permanent) HTTP error ?
--
Tom Chiverton
Advanced ColdFusion Programmer
Tel: +44(0)1749 834997
email: tom.chiverton@bluefinger.com
Author: Andrew Grosset
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162381
I'm checking to see whether the original input (attributes.input) is the same as
the scrubbed result (tmp). If caller.check GT 0 then I email myself the details
and throw them out to google!
My theory being that if somebody is "playing" with the urls I don't want to show
them the scrubbed result (in case I've missed something) and for 99% of bona fide
users the caller.check will always return "0" - in which case I do nothing.
<cfif attributes.compare_strings is "compare">
<cfset caller.check=CompareNoCase(attributes.input,tmp)>
</cfif>
----- Excess quoted text cut - see Original Post for more -----
> Matt Robertson, matt@mysecretbase.com
> MSB Designs, Inc. http://mysecretbase.com
> -------------------------------------------
>
--
Author: Matt Robertson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162379
CodeCleaner is an absolutely fantastic tag. Runs like lightning. I use
cfqueryparam but nonetheless I still scrub form inputs with it.
What did you need to modify in CodeCleaner to make it scrub urls? I glanced at
it very quickly and it seems like it'll take whatever you feed it.
--
-------------------------------------------
Matt Robertson, matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
-------------------------------------------
--
Author: Andrew Grosset
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162378
I would like to emphasise reading "Understanding the cause and effect of CSS
(XSS) Vulnerabilities" at http://www.technicalinfo.net/papers/CSS.html
as recommended previously by Dave Watts.
If you weren't paranoid about XSS before reading this article you might be after!
Besides the obvious dangers of unrestricted form input there is also inline
scripting where malicious code is used in the url.
One could pass all urls (#cgi.script_name##cgi.query_string#) through a tag like
CF_codecleaner (available at Macromedia.com). However all we need to establish is
whether there are "naughty bits" in the url so a quick
CompareNoCase(attributes.input,cleaned_input)
(to compare original url+query string with the cleansed url+querystring)
is all one needs. I roughed up a quick mod to cf_codecleaner to do this and it
takes 15 milliseconds to check the url. If the url is "unacceptable" you can then
email yourself the details and cflocation to google etc!
Author: Shaun Smalldridge
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162301
Thanks Dave and Dick.
----- Excess quoted text cut - see Original Post for more -----
Author: Dick Applebaum
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162075
On May 3, 2004, at 1:09 PM, Dave Watts wrote:
----- Excess quoted text cut - see Original Post for more -----
Another approach is to not allow any html to be directly entered.
Instead use a Pseudo language. For example I designed a classified ad
system where the public could add images, image links, links, mailtos,
etc. to the body of their ad. We called these Ad Extra's and charged
(extra) for each.
rather than open up the site to html entry we used something like the
following in a select box. When the user clicks on an "extra" it is
inserted into the current location in the textarea.
Much of the information in each "extra" was generated from the database
(Image Name, User.WebAddress, User.EmailAddress). There were system
supplied images, and the user could upload his own images and maintain
a private image library.
Here are the Ad Extras
Plain Image....[IMAGE::#Name#]
Image Link.....[IMAGE:LinkToURL:#Name#]
Plain Link.....[LINK:Visit Our Site!:#User.WebAddress#]
Plain MailTo...[MAILTO:eMail Us!:#User.EMailAddress#]
Note: Each image available to the user (system or private library) is
shown as an entry in the select box.
Most of the time the user could enter the extra without any typing. The
textarea was scrubbed of all html. The pseudo code was validated and
stored in the DB. When the ad was displayed alone or in a search list,
the pseudo code was converted to html.
HTH
Dick
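A validator and renderer for the kind of pseudo-markup Dick describes, as an added Python example rather than code from his classified ad system. The stored text never contains HTML: only the four "extras" are recognised, each argument is checked against the values it is supposed to come from (image library, an http(s) URL, an e-mail address), and all free text is escaped at display time. The image library, the user record and the rule that an IMAGE:LinkToURL points at the user's web address are assumptions.

```python
# Added example, not from the thread: validate and render "Ad Extras"
# pseudo-markup of the form [IMAGE::name], [IMAGE:LinkToURL:name],
# [LINK:text:url] and [MAILTO:text:address].
import re
from html import escape
from urllib.parse import urlsplit

# Constructed stand-ins for the database values (Image Name, User.WebAddress,
# User.EmailAddress) that the select box filled in.
IMAGE_LIBRARY = {"logo.gif": "/images/system/logo.gif",
                 "car01.jpg": "/images/user17/car01.jpg"}
USER = {"WebAddress": "http://example.com", "EmailAddress": "ads@example.com"}

EXTRA = re.compile(r"\[(IMAGE|LINK|MAILTO):([^:\]]*):([^\]]*)\]")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def safe_http_url(url):
    """Only absolute http(s) targets are acceptable link destinations."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and parts.netloc != ""


def validate(ad_text):
    """Problems found in the pseudo-markup; an empty list means it may be stored."""
    problems = []
    for kind, arg1, arg2 in EXTRA.findall(ad_text):
        if kind == "IMAGE":
            if arg2 not in IMAGE_LIBRARY:          # allow-list: system or private library
                problems.append("unknown image %r" % arg2)
            elif arg1 not in ("", "LinkToURL"):
                problems.append("bad image option %r" % arg1)
        elif kind == "LINK" and not safe_http_url(arg2):
            problems.append("disallowed link target %r" % arg2)
        elif kind == "MAILTO" and not EMAIL.match(arg2):
            problems.append("bad mail address %r" % arg2)
    return problems


def render_extra(kind, arg1, arg2):
    """HTML for one validated extra; every inserted value is escaped."""
    if kind == "IMAGE":
        img = '<img src="%s" alt="">' % escape(IMAGE_LIBRARY[arg2], quote=True)
        if arg1 == "LinkToURL":   # assumption: links to the advertiser's site
            return '<a href="%s">%s</a>' % (escape(USER["WebAddress"], quote=True), img)
        return img
    if kind == "LINK":
        return '<a href="%s">%s</a>' % (escape(arg2.strip(), quote=True), escape(arg1))
    return '<a href="mailto:%s">%s</a>' % (escape(arg2, quote=True), escape(arg1))


def render(ad_text):
    """Convert stored pseudo-markup to HTML; refuses anything validate() rejects."""
    problems = validate(ad_text)
    if problems:
        raise ValueError("; ".join(problems))
    out, pos = [], 0
    for m in EXTRA.finditer(ad_text):
        out.append(escape(ad_text[pos:m.start()]))   # free text is always escaped
        out.append(render_extra(*m.groups()))
        pos = m.end()
    out.append(escape(ad_text[pos:]))
    return "".join(out)
```

Run validate() at submission time (that is the point at which the ad is stored) and render() at display time; because the stored form is not HTML, nothing the user typed can reach the page unescaped.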
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162049
> What does one do with the scrubbed input? If a legitimate
----- Excess quoted text cut - see Original Post for more -----
Unfortunately, there are no easy, universally sound answers to your
question. There are various approaches you might take when accepting HTML
entered within an HTML form. You might examine it on a per-element basis, to
ensure that there are no harmful elements. For example, you might allow
"<html>", but not "<script>" or "<object>" or "<embed>".
Alternatively, you
might reject all HTML markup except for an explicit list of elements - this
is a common approach, as usually you don't want to allow someone to use
<html>, <head> or <body> anyway, but just want to allow them to
format
things within the document body.
It's worth noting that, even with this approach, successful cross-site
scripting attacks may still be possible. You might find this to be a
worthwhile read:
http://www.technicalinfo.net/papers/CSS.html
Also, a friend pointed an MSDN article out to me today, which is
peripherally related to this - a way to prevent client-side scripting from
accessing cookie values. Unfortunately, it's specific to IE6 SP1, but might
be of interest to some of us anyway:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/httponly_cookies.asp
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
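An allow-list filter of the kind Dave describes (keep an explicit list of elements, reject the rest), as an added Python example rather than code from the thread or from Fig Leaf; it uses the standard-library HTML parser. The element/attribute allow-list and the href scheme rule are assumptions. It also shows the caveat in Dave's last paragraph in miniature: an allowed <a> element still needs its href checked, otherwise the script simply moves into the attribute.

```python
# Added example, not from the thread: keep only an explicit list of elements
# and attributes, drop <script>/<style> together with their content, check
# href targets, and re-escape all text on the way out.
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}   # assumed list
DROP_WITH_CONTENT = {"script", "style"}   # neither the tag nor its text survives
VOID = {"br"}                             # elements that take no closing tag


def safe_href(value):
    """Allow relative and http(s) targets only. Browsers ignore whitespace and
    control characters inside a scheme, so strip them before checking."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value)
    return urlsplit(cleaned).scheme in ("", "http", "https")


class AllowListFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # filtered output pieces
        self.dropped = []    # what was rejected, for the logging or e-mail step
        self.stack = []      # emitted tags not yet closed
        self.skipping = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping += 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if (name in ALLOWED[tag] and value is not None
                    and (name != "href" or safe_href(value))):
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
            else:
                self.dropped.append("%s@%s" % (tag, name))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif tag in self.stack:
            # close everything opened after it so the output stays well-formed
            while self.stack:
                closed = self.stack.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))   # comments and declarations are never emitted

    def finish(self):
        self.close()
        while self.stack:                   # close anything the input left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def filter_html(fragment):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    f = AllowListFilter()
    f.feed(fragment)
    return f.finish(), f.dropped
```

The dropped list answers Shaun's question about what to do with the scrubbed input in practice: store what filter_html returns, and log or mail the dropped items so you can see what people are trying.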
Author: Shaun Smalldridge
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#162036
What does one do with the scrubbed input? If a legitimate user enters
a "<html>" value in a text box that must be written to a database, what
does the query write? "<html>" or "<html>"? If the database
needs to be searched, "<html>" should be written... but that means that
malicious code could be sitting in the database, waiting to be displayed
later. What approach do you suggest?
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161502
> I've never heard of cross-site scripting. Can someone point
> me to an information source?
The OWASP project is a good start:
http://www.owasp.org/
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Andy Ousterhout
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161498
Thanks. Very interesting.
Author: Greg Luce
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161494
Google
http://www.cgisecurity.com/articles/xss-faq.shtml#whatis
Author: Andy Ousterhout
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161492
I've never heard of cross-site scripting. Can someone point me to an
information source?
Andy
> But CFQUERYPARAM will only protect you so much... It is not
> as simple as just using this tag and you are protected
> against all application attacks ???
>
> You will need to use server/client validation, removing the
> standard cf error messages with a site wide error handler etc..
>
> If a user enters the following in a form login
> Forename: jo'; drop table authors--
>
> Surname:
>
> It could drop tables etc...
Author: Plunkett, Matt
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161421
For awhile, we would have ColdFusion log in to Oracle using an account with
no privileges on tables of its own. The account would just have execute
privileges on whatever packages it needed.
Author: Heald, Tim
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161414
I go further than that and actually create an oracle user for each user. That
way you can use built in roles in the db, and there is no chance that the user
can do something outside the scope of their privileges.
--
Timothy Heald
Web Portfolio Manager
Diplomatic Security
U.S. Department of State
571.345.2319
The opinions expressed here do not necessarily reflect those of the U.S.
Department of State or any affiliated organization(s). Nor have these opinions
been approved or sanctioned by these organizations. This e-mail is unclassified
based on the definitions in E.O. 12958.
Author: Bernd VanSkiver
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161411
I definitely agree with this, I know I used to always have ColdFusion connect
to the db using the SA or ROOT account (and I'm sure many other people
have/still do also), that is just asking for trouble. Now I always create a
separate user for each database and make it for ColdFusion (or other web
services) and then only give it rights to use just what it needs and nothing
more. That is a sure-fire way to make sure the user (or hacker) can't put
SQL code in to your forms to destroy your database. <cftry> is also very
important to guarantee that the user can't see the error messages if input
is incorrect since this often exposes sensitive information about the data
structure.
Bernd VanSkiver
bernd@vanskiver.com
801.520.5957
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161408
----- Excess quoted text cut - see Original Post for more -----
While CFQUERYPARAM will not protect you against all application attacks -
cross-site scripting, for example, isn't necessarily prevented by it - it
will prevent SQL injection attacks.
That's not to say that you should just use CFQUERYPARAM and nothing else. If
you do, an attacker may see the error messages generated by CFQUERYPARAM,
which would be information leakage. Ideally, you should use error handling,
and you should filter inputs to avoid other sorts of bad things like
cross-site scripting as mentioned above.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Whittingham, P
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161405
I agree with Dave, that drop and create should mostly be done at the DBA level.
Putting this type of ability in the application is asking for a problem.
TIA,
Patrick Whittingham
United Space Alliance
AES - Data Warehouse
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161403
> Another good trick to use to prevent this is have ColdFusion
> connect to the database with an account that doesn't have
> permissions to DROP, CREATE, etc tables. Then even if they
> try to run it it won't execute because they won't have
> permission to do so.
I would go farther than calling this a "good trick" - it's a minimal
requirement! The database logins used by your CF applications should have
only the minimal rights required by your application.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Philip Arnold
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161402
> From: Pascal Peters
>
> No, <cfqueryparam> will enter the string "jo'; drop table
> authors--" in the field.
Just be aware of the CFSQLTYPE used in the CFQUERYPARAM.
If you specify CF_SQL_INTEGER and somebody enters "1;drop table
authors--" into the URL, then it will throw an error.
You'll need some sort of error catching around the queries, otherwise
they'll see the error thrown by the server.
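As an added illustration of the point above (example code, not from the original thread): a lookup that binds url.id as cf_sql_integer and wraps the query in cftry, so that a value which fails the integer check is logged for the administrator and the visitor only sees a generic message. The datasource "myDSN", the table "authors", its columns and the log file name are placeholders.

```cfml
<!--- Added example: typed cfqueryparam plus error handling around the query.
      Datasource "myDSN", table "authors" and the column names are placeholders. --->
<cfparam name="url.id" default="">

<cftry>
    <!--- cf_sql_integer: ColdFusion validates the value before binding it.
          Anything that is not an integer (for example "1;drop table authors--")
          never reaches the database as SQL text; it fails here and throws. --->
    <cfquery name="getAuthor" datasource="myDSN">
        SELECT author_id, forename, surname
        FROM   authors
        WHERE  author_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfif getAuthor.recordCount EQ 0>
        <cfoutput><p>No author with that id.</p></cfoutput>
    <cfelse>
        <cfoutput query="getAuthor">
            <p>#HTMLEditFormat(forename)# #HTMLEditFormat(surname)#</p>
        </cfoutput>
    </cfif>

    <cfcatch type="any">
        <!--- Keep the real error (type, message, offending value, client IP)
              in the server log for the admin; the visitor gets none of it. --->
        <cflog file="appsecurity" type="error"
               text="Rejected author lookup: #cfcatch.type# - #cfcatch.message# (id=#url.id#, ip=#cgi.remote_addr#)">
        <cfoutput><p>Sorry, that record could not be found.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

The cfcatch block is what stops the server's own error page, with its query text and datasource name, from being shown to whoever sent the bad value; a site-wide handler (cferror or the onError method in Application.cfc) covers the same ground for queries you forgot to wrap.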
Author: Matt Robertson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161399
DOH. I said what Bernd said. Must have coffee.
What I meant was to also restrict those permissions in the CF odbc/jdbc
connection in Administrator.
--Matt--
Author: Matt Robertson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161397
Bernd vanSkiver wrote
> Another good trick to use to prevent this is have ColdFusion connect to
> the database with an account that doesn't have permissions to DROP, CREATE,
> etc
And behind that connect to your database with a user account that also
doesn't have these permissions.
In front of cfqueryparam I'm partial to a regex-based input scrubber
called CodeCleaner. It's free in the exchange, and takes up one line per
form field. Well worth the minimal trouble.
--------------------------------------------
Matt Robertson matt@mysecretbase.com
MSB Designs, Inc. http://mysecretbase.com
--------------------------------------------
Author: Bernd VanSkiver
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161395
Another good trick to use to prevent this is have ColdFusion connect to the
database with an account that doesn't have permissions to DROP, CREATE, etc
tables. Then even if they try to run it, it won't execute because they won't
have permission to do so.
Bernd VanSkiver
bernd@vanskiver.com
801.520.5957
Author: Paul Kenney
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161394
I've found that a layered application with several layers between the UI
and the database helps filter out most db issues. This is because each
layer tends to do its own implicit/explicit validation of the values it
passes. By the time you get to writing queries the values should be good,
or the errors are caught (and hopefully handled) beforehand.
Paul Kenney
paul@pjk.us
916-212-4359
----- Excess quoted text cut - see Original Post for more -----
Author: Pascal Peters
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161392
No, <cfqueryparam> will enter the string "jo'; drop table authors--" in
the field.
Pascal
----- Excess quoted text cut - see Original Post for more -----
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161391
Ian Vaughan said:
> But CFQUERYPARAM will only protect you so much... It is not as
> simple as just using this tag and you are protected against all
> application attacks ???
No, but you will be protected against all SQL injection attacks.
> You will need to use server/client validation, removing the standard
> cf error messages with a site wide error handler etc..
Yes, but for reasons that were not in the original question.
> If a user enters the following in a form login
> Forename: jo'; drop table authors--
>
> Surname:
>
> It could drop tables etc...
Not if you use cfqueryparam.
Jochem
Author: Ian Vaughan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161390
But CFQUERYPARAM will only protect you so much... It is not as simple as
just using this tag and you are protected against all application
attacks ???
You will need to use server/client validation, removing the standard cf
error messages with a site wide error handler etc..
If a user enters the following in a form login
Forename: jo'; drop table authors--
Surname:
It could drop tables etc...
Author: John Beynon
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161389
I think most people will be using CFQUERYPARAM, not only for securing but
for also ensuring efficient DB transactions. Simple, but *VERY* effective!
Jb.
Author: d.a.collie
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161388
>> Are any of the senior members of the list using any security
techniques in their application/coldfusion code to prevent/detect SQL
injection and Cross Site Scripting?
I'm pretty junior :-)
cfqueryparam is a must at all times
imho should always validate *all* user input before using it. This
means that at least you can show a friendly error message instead of
just a generic 'Sorry, you have encountered an error'
cfqueryparam should sort out your first point if I understand you
correctly (ie SELECT * FROM TABLE WHERE ID = 1; DELETE FROM TABLE type
attacks)
--
dc
Author: Jochem van Dieten
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161387
Ian Vaughan said:
----- Excess quoted text cut - see Original Post for more -----
cfqueryparam against SQL injection (it is all you need, but you need
it everywhere) and HTMLEditFormat()/HTMLCodeFormat() or a custom regex
against cross site scripting.
Jochem
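Both halves of Jochem's answer, and Pascal's point that cfqueryparam stores the forename from the thread's example as a plain string, in one added example (not code from the original thread): bound parameters on the way into the database, HTMLEditFormat on the way out to the browser. The datasource "myDSN", the table "authors" and its columns are placeholder names.

```cfml
<!--- Added example: cfqueryparam on input, HTMLEditFormat on output.
      Datasource "myDSN" and table "authors" are placeholder names. --->
<cfif IsDefined("form.forename") AND IsDefined("form.surname")>
    <!--- Each value is sent to the driver as a bound parameter, so a forename
          containing quotes, semicolons or SQL keywords is stored exactly as
          typed and is never parsed as part of the statement. --->
    <cfquery datasource="myDSN">
        INSERT INTO authors (forename, surname)
        VALUES (
            <cfqueryparam value="#Trim(form.forename)#" cfsqltype="cf_sql_varchar" maxlength="50">,
            <cfqueryparam value="#Trim(form.surname)#"  cfsqltype="cf_sql_varchar" maxlength="50">
        )
    </cfquery>
</cfif>

<cfquery name="listAuthors" datasource="myDSN">
    SELECT forename, surname
    FROM   authors
    ORDER BY surname, forename
</cfquery>

<ul>
<cfoutput query="listAuthors">
    <!--- Writing #forename# unescaped here would let a stored "<script>"
          run in every visitor's browser. HTMLEditFormat converts < > & and "
          to entities, so the browser displays the text instead of executing it. --->
    <li>#HTMLEditFormat(forename)# #HTMLEditFormat(surname)#</li>
</cfoutput>
</ul>
```

HTMLCodeFormat does the same escaping but also wraps the result in a pre block, so it suits displaying a chunk of pasted code rather than a name in a list; whichever you pick, the escaping belongs at the point of output, since the database stores whatever the user typed.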
Author: Ian Vaughan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32164#161386
Are any of the senior members of the list using any security techniques
in their application/coldfusion code to prevent/detect SQL injection and
Cross Site Scripting?
Such as
* Using Regular Expressions against SQL meta characters
* Server Side Validation
* Using CFQUERYPARAM etc
It would be interesting to hear your experiences / thoughts on this ?
Ian
May 24, 2012