I'm overly concerned about XSS attempts on my sites. I cannot seem to find a decent solution.
I know that as far as using URL parameters on server-side processing, you should use canonicalize() to reduce encoded script to what a potential bad actor intended to run on the server, and sanitize from there. Apparently, whitelisting is a very effective method. But, what about when whitelisting isn't an option (like, for example, input into a database, or used as a conditional for database processing)?
PS: It's the day before Thanksgiving Day, in the USA, so I won't be on much between now and Monday. Happy Thanksgiving Day to all American users!
@Wolfshade, you can never overthink security risks. I share your concerns.
Infact I, too, spent some time last year, looking into this very issue for our own sites. I found, a bit to my dismay, that the attacker could strike from many fronts. It means you have to defend on many fronts.
I drew up a check-list. It contained, among others, url-encode, canonicalize, ScriptProtect, code to detect simultaneous logins, HTTPOnly cookies and Content Security Policy. When I was drawing up the list, I found these two sites useful
My team has been working on tightening up XSS vulnerabilities on our old code.
One of the things you said really bothered me: " like, for example, input into a database, or used as a conditional for database processing"
I really, really hope you are not just taking URL vars and using them in your queries. THAT is an XSS problem.
So, just a few tips we've put together during our project
1. Don't use URL variables unless you have to (framework?)
2. move URL vars to client (presumes client vars are db stored on server side - Cookies can be hacked).
3. Use <cfsqlqueryparam ... > in all queries
4. You can whitelist url vars, but you also have to validate accepted values. (e.g., "id" must be integer, "name" is alpha, with a max length ...)
5. No hidden form values (these can be spoofed)
6. Use CreateUUID() for unique identifiers and validate always
7. NEVER EVER display user input back to the screen.
just a few off the top of my head.