April 15, 2010
Question

Cross site scripting and SQL injection


We have developed an application in ColdFusion 6.1. Recently we have found that our application is vulnerable to cross-site scripting and SQL injection. So can anyone help me out to solve this problem.

And also suggest if we need to install any hotfixes or any component available.


    BKBK
    Community Expert
    April 15, 2010

    ColdFusion has built-in defence against cross-site scripting and injection attacks. That is the scriptprotect attribute of the cfapplication tag. However, it was only included from ColdFusion MX7.x onwards. Have you thought about migrating to ColdFusion 8? You will get many other benefits besides.

    Luckily, there is another handy device against cross-site scripting and injection attacks, namely, the cfqueryparam tag. It was already present in MX 6.1.

    SQL injection usually happens where user data enters a query. So, you will have to do an extended search for all the queries in your application. Identify where form variables and URL variables enter queries.

    Do some validation for those variables just before a query. For example, a simple test for numbers using isNumeric() may be all that is required. If a value fails validation, reject it, throw an exception, and abort.

    Use cfqueryparam in each case to enter form and URL variables into a query. Beware of variables in other scopes, such as session.userID, that originally entered the application as form or URL variables. They too have to be sanitized using cfqueryparam.

    Last but, certainly, not least, the psychological part of the defence. Remember there is someone at the other end, trying to cause mischief to your application. It might even be a customer, a colleague or an acquaintance of yours, or an ex-customer or ex-colleague. Realize it could be someone in the same building or even in the same room as you.

    Take the war to them. Try to identify IP addresses. Look for clues and patterns in the attacker's behaviour. Frequency, times of day, parts of the application attacked, and so on. Study the data an attacker enters. Attackers often get carried away and unintentionally leak out details about themselves.

    Build a dossier. In most countries, certainly in all Western countries, cross-site scripting and injection attacks, particularly concerted attacks, count as a crime nowadays.
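The validate-then-bind pattern BKBK describes, as an added CFML example that is not part of the original thread. The datasource name `myDSN`, the tables `products` and `orders`, and their columns are placeholders; the check uses isNumeric() plus a digit-only regular expression so that a value such as `1 OR 1=1` or `1.5` is rejected before any query runs.

```cfml
<!--- Added example (not from the original thread). Assumes a datasource "myDSN"
      and tables "products" (productID, productName) and "orders" (orderID,
      orderDate, customerID, status); all names are placeholders. --->
<cfparam name="url.productID" default="">
<cfparam name="form.status" default="open">

<!--- Step 1: validate just before the query. isNumeric() accepts "1.5" and
      "1e3", so a whole-number check is added; reject and stop on failure. --->
<cfif NOT isNumeric(url.productID) OR NOT REFind("^[0-9]+$", url.productID)>
    <cfthrow type="Application.InvalidInput"
             message="productID must be a whole number">
</cfif>

<!--- What NOT to do (shown as text, not executed): the URL value is pasted
      straight into the SQL string, so anything the user sends becomes SQL:
      SELECT productID, productName FROM products WHERE productID = #url.productID#
--->

<!--- Step 2: bind the value with cfqueryparam. The database receives it as a
      typed parameter, never as part of the SQL text. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT productID, productName
    FROM   products
    WHERE  productID = <cfqueryparam value="#url.productID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Step 3: values in other scopes that originally arrived via form or URL
      (session.userID here) get exactly the same treatment. maxlength caps
      the string parameter at the column width. --->
<cfquery name="getOrders" datasource="myDSN">
    SELECT orderID, orderDate
    FROM   orders
    WHERE  customerID = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
    AND    status     = <cfqueryparam value="#form.status#" cfsqltype="cf_sql_varchar" maxlength="20">
</cfquery>

<cfoutput query="getProduct">
    <p>#productID#: #productName#</p>
</cfoutput>
```

The `cfsqltype` attribute does the real work: with `cf_sql_integer` the driver refuses a non-integer outright, so the regular-expression check is defence in depth rather than the only barrier. Every query that touches user-influenced data needs the same pattern, which is why the search across the whole application is the first step.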

    ilssac
    Inspiring
    April 15, 2010

    I think it might be important to know what the difference between SQL injection and Cross Scripting attacks is and what protects one from each type.

    SQL injection is where a hacker puts SQL code into data he is sending from his client to the server so that when that data is used in database queries his SQL code is executed by the database.

    The protection for SQL injection is the <cfqueryparam...> tag. This tag tells the database that this part of the SQL statement is data, and no matter what do not run any SQL code that may or may not be in the data.

    Cross Scripting is where the hacker puts JavaScript or other browser scripting code into the data being sent from his client to the server. This code is stored as data in the database so that the next user that comes along and requests a page that uses the data from the database, the hacker's code is sent to their browser and is executed by it.

    <cfqueryparam....> will not help with Cross Scripting. JavaScript is valid data and if your database is accepting string input from users it is not going to know a JavaScript function from the user's favorite color.

    ColdFusion has server settings that can be used to help prevent Cross Scripting, but the best solution is to just escape any data received from users for storage into a database. The htmlEditFormat() and htmlCodeFormat() functions will do this quite easily. When the data is escaped all the special characters that would allow a script to run in a browser are turned into HTML entities and all that would happen is the script code would be displayed by the browser, but never executed.

    HTH

    BKBK
    Community Expert
    April 15, 2010

    Quite right, Ian. On rereading my piece after yours, I find that I was indeed ambiguous in distinguishing between cross-site scripting and SQL injection. I had focussed more on forensics and evidence collection in a site that is already under attack, than on a cure. Even so, cfqueryparam won't stop a cross-site script from running. I didn't say that well.

    However, my point about validation was on the right track. One should indeed use htmleditformat(), htmlcodeformat() or xmlformat() to disable any tag symbols < or > that may occur in input data. Moreover, the type of data to defang in this way are CGI, URL, form and cookie variables. Again, if your site is already under attack, then log all of these variables, including dates and times, at least, until you have things under control.

    I bear even better news. There is in fact a hot fix available to prevent cross-site scripting in forms in MX 6.1.
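The two points made by ilssac and BKBK above, that cfqueryparam protects the query but not the browser, and that htmlEditFormat() is what defangs `<` and `>` in form, URL, CGI and cookie data, as one added CFML example that is not part of the original thread. The datasource `myDSN`, the `comments` table and the `inputAudit` log file name are placeholders, and the hostile comment string is constructed for the illustration. The example escapes at the point where the value is written into the page, so it also covers data that was stored before the fix went in.

```cfml
<!--- Added example (not from the original thread). Assumes a datasource "myDSN"
      and a table "comments" with a varchar column "body"; both are placeholders. --->

<!--- Part A: BKBK's logging advice. While the site is under attack, record the
      request scopes with a timestamp. cflog writes inputAudit.log to the
      ColdFusion logs directory; "inputAudit" is a placeholder name. --->
<cfset auditLine = "ip=#cgi.REMOTE_ADDR#; uri=#cgi.SCRIPT_NAME#; qs=#cgi.QUERY_STRING#"
                 & "; formKeys=#structKeyList(form)#; cookieKeys=#structKeyList(cookie)#">
<cflog file="inputAudit" type="information" text="#auditLine#">

<!--- Part B: storing a comment. cfqueryparam stops the text from changing the
      SQL, but "<script>...</script>" is still a perfectly valid string and
      is stored exactly as sent. That is ilssac's point. --->
<cfif isDefined("form.body")>
    <cfquery datasource="myDSN">
        INSERT INTO comments (body)
        VALUES (<cfqueryparam value="#form.body#" cfsqltype="cf_sql_varchar" maxlength="2000">)
    </cfquery>
</cfif>

<cfquery name="getComments" datasource="myDSN">
    SELECT body FROM comments
</cfquery>

<!--- What NOT to do (shown as text, not executed): writing the raw column into
      the page sends any stored script tag to every visitor's browser:
      <cfoutput query="getComments"><p>#body#</p></cfoutput>
--->

<!--- Part C: hardened output. htmlEditFormat() rewrites <, >, & and " as HTML
      entities, so the browser shows the script as text and never runs it. --->
<cfoutput query="getComments">
    <p>#htmlEditFormat(body)#</p>
</cfoutput>

<!--- Part D: the same function applied to the other scopes BKBK lists,
      using a constructed hostile value so this runs without a database. --->
<cfset hostileInput = "<script>alert('xss')</script>">
<cfset safeName   = htmlEditFormat(isDefined("url.name") ? url.name : hostileInput)>
<cfset safeAgent  = htmlEditFormat(cgi.HTTP_USER_AGENT)>
<cfset safeCookie = htmlEditFormat(isDefined("cookie.theme") ? cookie.theme : "")>
<cfoutput>
    <p>Hello, #safeName#</p>
    <p>Your browser: #safeAgent#</p>
    <p>Theme: #safeCookie#</p>
</cfoutput>
```

On ColdFusion MX 6.1 the ternary `? :` form is not available; replace those two lines with a `<cfif isDefined(...)>` block and the rest runs unchanged. From ColdFusion 10 onwards encodeForHTML() is the preferred replacement for htmlEditFormat(), with the same role at the same point in the code.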