2 votes

I inherited some legacy ColdFusion code and about a year ago my site was hit with XSS and SQL injection.

Which caused me to validate inputs coming in, as well as including a setting of ScriptProtect="all" in my application.cfm file. I got it scanned and it came up clean.

Recently I had it scanned again and it came up with many vulnerabilities, in particular one where it embedded a script in the URL.

For example this was attached to a url:

?’A<style > a(font0family:expression(alert(2424)))</style>

Which embedded hidden JavaScript. How would one use a ColdFusion function such as URLencode() in the application.cfm file to detect/prevent these sorts of XSS attacks?

Comments:

Are you using any URL parameters in your ColdFusion application? If not then you could do something like clearing out the entire URL scope in your application.cfm file before any CF pages are processed. Something like <cfset rv = StructClear(URL) /> -- Miguel-F

Which version of ColdFusion are you running on? -- James A Mohler

I'm running ColdFusion 901 I believe .... -- user3067236

Hi Miguel .. so I would just have to add this <cfset rv = StructClear(URL) /> to my Application.cfm file and it will clear the URL of hazardous characters?? -- user3067236

Hi Miguel .. I placed the code you suggested in my .cfm file and it seems to work ... but the only problem is that now my queries don't work .... -- user3067236
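The comment thread suggests StructClear(URL), and the follow-up shows the cost: wiping the whole URL scope also removes the parameters the site's own queries need. An allowlist at the same point in Application.cfm keeps the expected parameters, drops everything else, and logs what it dropped. This is an added example and not code from the thread; it assumes the site legitimately uses only "id" (a positive integer) and "page" (a short alphanumeric token), so the allowedParams entries are placeholders to adapt.

```cfml
<!--- Application.cfm (added example, not from the original thread). Runs before every
      request, so anything removed from the URL scope here never reaches page code.
      Assumed: the site uses only "id" (positive integer) and "page" (short token);
      replace these entries with the parameters your pages actually read. --->
<cfset allowedParams = StructNew()>
<cfset allowedParams["id"]   = "integer">
<cfset allowedParams["page"] = "regex:^[a-zA-Z0-9_-]{1,32}$">

<!--- Returns true only when the value satisfies the rule for that parameter. --->
<cffunction name="isAllowedValue" returntype="boolean" output="false">
    <cfargument name="rule"  type="string" required="true">
    <cfargument name="value" type="string" required="true">
    <cfif arguments.rule EQ "integer">
        <cfreturn IsValid("integer", arguments.value) AND arguments.value GT 0>
    <cfelseif Left(arguments.rule, 6) EQ "regex:">
        <cfreturn REFind(Right(arguments.rule, Len(arguments.rule) - 6), arguments.value) GT 0>
    </cfif>
    <cfreturn false>
</cffunction>

<!--- Snapshot the key names first: deleting from a struct while looping over it is unsafe. --->
<cfset urlKeys = StructKeyArray(URL)>
<cfset dropped = ArrayNew(1)>
<cfloop array="#urlKeys#" index="key">
    <cfif NOT StructKeyExists(allowedParams, key)
          OR NOT isAllowedValue(allowedParams[key], URL[key])>
        <!--- Unknown parameter, or a known one carrying an unexpected value --->
        <cfset StructDelete(URL, key)>
        <cfset ArrayAppend(dropped, key)>
    </cfif>
</cfloop>

<!--- Detection: record which parameters were rejected (names only, not the raw values). --->
<cfif ArrayLen(dropped)>
    <cflog file="input_validation" type="warning"
           text="Dropped URL parameters [#ArrayToList(dropped)#] from #CGI.REMOTE_ADDR# for #CGI.SCRIPT_NAME#">
</cfif>
```

With this in place the request in the question loses its unnamed parameter before any page runs, while ?id=42 still reaches the query that needs it. The "integer" rule covers the common case of numeric row ids; the "regex:" rule is for short tokens and should be kept tight.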

1 Answer

2 votes

There are a few specific things you can do, depending on the nature of the attacks and the type of application. The following are what I would consider to be "the big three". The first item is to enable "Enable Global Script Protection" in the "Settings" area of the ColdFusion Administrator.

The second, and this is extremely important for SQL injection, is to use <cfqueryparam> with strict typing on any variable used in your queries. For example:

<cfqueryparam cfsqltype="cf_sql_integer" value="#my_integer#">

On a script-based query this would be accomplished by:

<cfscript>
// my_datasource holds the DSN name; url.my_id is the untrusted request value
qget = new query(datasource=my_datasource);
// Bind the value as a typed parameter instead of interpolating it into the SQL text
qget.addParam(name='my_integer', value=url.my_id, cfsqltype='cf_sql_integer');
// :my_integer is replaced by the bound parameter at execution time
qresult = qget.execute(sql='
SELECT * from my_table
WHERE id = :my_integer
').getResult();
</cfscript>

The third is dependent on whether you are using JSON from your application via an API or internal call. Enabling the "Prefix Serialized JSON" setting in the CF Administrator with a prefix of your choice can help with cross-site scripting attacks as well.

If you're not on an Adobe CF server, no worries. Both Railo and Blue Dragon have equivalent features.
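To show the second point end to end, here is the unparameterized pattern the answer warns against next to the cfqueryparam version, with the output encoding that addresses the XSS side of the question. This is an added example, not part of the answer above; it assumes a datasource named "my_datasource" with a table my_table holding an integer id and a varchar title.

```cfml
<!--- Added example (not from the original answer). Assumes datasource "my_datasource"
      and a table my_table(id INTEGER, title VARCHAR). --->

<!--- BEFORE: the URL value is pasted into the SQL text, so whatever arrives in url.id
      becomes part of the statement. Kept in a comment so it never runs:
<cfquery name="qUnsafe" datasource="my_datasource">
    SELECT id, title FROM my_table WHERE id = #url.id#
</cfquery>
--->

<!--- AFTER: the value travels as a typed bind parameter. cf_sql_integer also means
      ColdFusion rejects a non-integer url.id before any SQL is sent, so the query
      fails closed rather than executing altered SQL. --->
<cfparam name="url.id" default="0">
<cftry>
    <cfquery name="qSafe" datasource="my_datasource">
        SELECT id, title FROM my_table
        WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
    </cfquery>

    <!--- Output side, which is where the XSS in the question lands: encode every value
          written back into HTML. HTMLEditFormat() is available on CF9; on CF10 and
          later use EncodeForHTML() instead. --->
    <cfoutput query="qSafe">
        <li>#HTMLEditFormat(qSafe.title)#</li>
    </cfoutput>

    <cfcatch type="any">
        <!--- Detection: the typed parameter refused the value; log it and show a
              generic message rather than the database error. --->
        <cflog file="input_validation" type="warning"
               text="cf_sql_integer rejected url.id for #CGI.SCRIPT_NAME#: #cfcatch.message#">
        <cfoutput><p>Invalid request.</p></cfoutput>
    </cfcatch>
</cftry>
```

The two halves address different layers: cfqueryparam keeps request data out of the SQL text, and the encoding call keeps database content (which may itself have been stored from an earlier request) from being interpreted as markup when it is rendered.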