SQL injection and SQLFury

New Here ,
Sep 30, 2009

We have recently had an SQL injection attack on our site.  The web form in question was calling a second cfm with a post command.  The second cfm did the actual db insert. After extensive research and revamping of the web form I believed that I had shut it down rather convincingly. I did the following to secure the form:

- implemented the cfqueryparam tag on all applicable fields being entered in the form

- introduced a hidden, random numeric variable for verification before completing the insert; it tests for its existence and if it is numeric

- consolidated the two cfms into one page so the entry and insert are done in one cfm (to eliminate injection going directly thru insert cfm)

However, I am still getting intermittent injection errors into my MS SQL table.  I don't believe it is getting in through the revised web form and am at a loss as to how it's getting through.

I am now at the point that I am looking for a utility that will scan through my site or specific pages to identify SQL injection vulnerabilities.  I found something called SQLFury and downloaded it; however, there is literally no documentation with it and I have no idea how to run it.  I've researched the web and found no assistance on how to use this utility.  Is anyone familiar with this utility or does anyone know of any other utility that will assist with validating ColdFusion methods?

Any assistance would be very much appreciated.

TOPICS
Database access
Valorous Hero ,
Sep 30, 2009

RIA Forge has a queryparam scanner that will search your code for missing queryparam opportunities.

http://qpscanner.riaforge.org/

This is the number one way to prevent SQL injection.  Once a variable has been turned into a parameter, the database will NEVER execute any SQL commands contained in the data, because the database management system knows it is data.

But it is important to separate the completely separate SQL injection attack, where rogue SQL commands are run, from the XSS (Cross Site Scripting) attack, where rogue JavaScript is inserted into your database to be displayed and run on your site.

<cfqueryparam...> will prevent all SQL injection, it can do nothing about Cross Scripting, because data is data to a database.

Not saying you are confused about this, but many others may be.

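The following is an added example, not code from this thread or from any of the tools it mentions. It puts the two points above together in one ColdFusion page: the hardening steps the original poster listed (a hidden numeric verification field, cfqueryparam on the INSERT, and form plus insert consolidated into a single .cfm) and the answer's distinction between SQL injection, which cfqueryparam stops, and cross-site scripting, which it cannot stop because stored text is "data is data" to the database and only becomes a problem when it is written back to a page unencoded. Assumed names: a datasource called siteDSN, a table comments(id, author, body), a hidden field formToken, and an application with session management enabled.

```cfml
<!--- Added example (not from the thread). Assumptions: datasource "siteDSN",
      table comments(id, author, body), session management enabled in
      Application.cfc, and a hidden form field named "formToken". --->

<!--- Generate the hidden numeric token the form must echo back --->
<cfparam name="session.formToken" default="#RandRange(100000, 999999)#">

<cfif StructKeyExists(form, "submit")>

    <!--- Step 1: the hidden verification field must exist, be numeric, and match
          the value this page issued. Anything else is rejected before any SQL runs. --->
    <cfif NOT StructKeyExists(form, "formToken")
          OR NOT IsNumeric(form.formToken)
          OR Val(form.formToken) NEQ session.formToken>
        <cfthrow message="Form verification failed">
    </cfif>

    <!--- Step 2: every user-supplied value is bound with cfqueryparam. The database
          receives it as a typed, length-limited parameter, so a stray quote or an
          SQL keyword in the input is stored literally and never executed. --->
    <cfquery name="insertComment" datasource="siteDSN">
        INSERT INTO comments (author, body)
        VALUES (
            <cfqueryparam value="#form.author#" cfsqltype="cf_sql_varchar" maxlength="50">,
            <cfqueryparam value="#form.body#"   cfsqltype="cf_sql_varchar" maxlength="2000">
        )
    </cfquery>

    <!--- Issue a fresh token so the same POST cannot simply be replayed --->
    <cfset session.formToken = RandRange(100000, 999999)>
</cfif>

<!--- The form posts back to this same page, so there is no separate insert .cfm
      that can be called directly with a crafted POST. --->
<cfoutput>
<form method="post" action="#CGI.SCRIPT_NAME#">
    <input type="hidden" name="formToken" value="#session.formToken#">
    Name: <input type="text" name="author" maxlength="50"><br>
    Comment: <textarea name="body"></textarea><br>
    <input type="submit" name="submit" value="Post">
</form>
</cfoutput>

<!--- Step 3: reading the rows back. cfqueryparam protected the INSERT, but a body
      containing script tags is still just text in the table. It only becomes a
      cross-site scripting problem if it is written to the page raw, so the output
      is passed through HTMLEditFormat(), which turns <, >, & and " into entities
      and makes the browser display the text instead of running it. --->
<cfquery name="getComments" datasource="siteDSN">
    SELECT author, body FROM comments ORDER BY id DESC
</cfquery>

<cfoutput query="getComments">
    <!--- Writing the raw body column here would inject stored markup into this page --->
    <p><b>#HTMLEditFormat(author)#</b>: #HTMLEditFormat(body)#</p>
</cfoutput>
```

HTMLEditFormat() is the output-encoding function available on the ColdFusion 8/9 servers in use when this thread was written; on ColdFusion 10 and later, EncodeForHTML() is the preferred equivalent. The point of the last block is the one the answer makes: the parameterised INSERT keeps the database safe, and the encoded output keeps the visitor's browser safe, and neither step covers the other.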
New Here ,
Oct 02, 2009

Ian:

Thanks for the information.  The utility is helpful and confirmed for me that my page was secure from SQL injection.  The additional insight you provided has led me to discover that my issue was not an SQL injection, but a Cross Site Scripting attack.  A web vulnerability utility from Acunetix helped me determine that.

Thanks again,

...Wes
