Useful checks to test for XSS attacks on your ColdFusion site
If you have a ColdFusion page that contains a form with text inputs or uses URL params, make sure you are not vulnerable to an XSS attack. I'm quite a novice at this myself, but have been learning more about it recently.
Here are some inputs to try in your forms or URL parameter values, if the page echoes the value back to the user after it submits/reloads. This is common on forms with server-side validation: when one or more errors are found, you preserve the fields the user already typed and show them an error message so they can try again.
"><blink>XSS</blink>
"><script>alert("XSS")</script><
FORM TEXTAREA
</textarea><script>alert("XSS vulnerability")</script><textarea
URL PARAM VALUES
"><script>alert("XSS")<%2Fscript><
"><img+src%3Dhttp%3A%2F%2Fintercodes.files.wordpress.com%2F2007%2F10%2Fhacked.jpg><"
"+onmouseover=alert("XSS")+
click%20here%22%20onmouseover=%22javasript:alert(%27XSS%27)%22
The solution is to wrap any value that echoes back on the page in HtmlEditFormat(). For example:
or
#HtmlEditFormat(Form.company)#
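To turn the probe strings above into a repeatable check, here is an added example (mine, not from the post) written in Python so it can be run anywhere: html_edit_format is a stand-in for ColdFusion's HtmlEditFormat(), escaping the same four characters (&, <, > and the double quote), render_vulnerable and render_fixed are two constructed versions of the echoed input field, and reflected_as_data parses the rendered HTML the way a browser would and reports whether the submitted value is still just the value of the one input element. The URL-parameter probes are percent-decoded first, since that is what the server does before the value reaches the template. Note the caveat the check makes visible: HtmlEditFormat() leaves the single quote alone, so it only protects attribute values that are wrapped in double quotes.

```python
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Probe strings from the post. The URL-parameter ones appear there
# percent-encoded, so they are decoded here as the server would decode them.
FORM_PROBES = [
    '"><blink>XSS</blink>',
    '"><script>alert("XSS")</script><',
]
URL_PROBES = [unquote_plus(p) for p in [
    '"><script>alert("XSS")<%2Fscript><',
    '"><img+src%3Dhttp%3A%2F%2Fintercodes.files.wordpress.com%2F2007%2F10%2Fhacked.jpg><"',
    '"+onmouseover=alert("XSS")+',
    'click%20here%22%20onmouseover=%22javasript:alert(%27XSS%27)%22',
]]
PROBES = FORM_PROBES + URL_PROBES


def html_edit_format(value):
    """Stand-in for ColdFusion's HtmlEditFormat(): escapes &, <, > and the
    double quote. Like the ColdFusion function it leaves the single quote
    alone, so it is only safe for double-quoted attribute values."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


def render_vulnerable(value):
    # Constructed template: the submitted value is dropped straight in.
    return '<input type="text" name="company" value="%s">' % value


def render_fixed(value):
    # Same template with the value wrapped as the post recommends.
    return '<input type="text" name="company" value="%s">' % html_edit_format(value)


class _TagCollector(HTMLParser):
    """Records every element a browser would see, with decoded attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def reflected_as_data(rendered, submitted):
    """True only if the page still contains exactly one element, the input,
    with no event-handler attribute, and its value attribute decodes back to
    exactly what was submitted. Anything else means the value broke out."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    if len(parser.tags) != 1 or parser.tags[0][0] != "input":
        return False
    attrs = parser.tags[0][1]
    if any(name.startswith("on") for name in attrs):
        return False
    return attrs.get("value") == submitted


def audit(render):
    """Maps each probe to whether the given template keeps it inert."""
    return {probe: reflected_as_data(render(probe), probe) for probe in PROBES}


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        for probe, inert in audit(render).items():
            print("%-10s %s %r" % (label, "ok " if inert else "XSS", probe))
```

Running it prints one line per probe and template; every probe breaks out of the unencoded field and none survives the encoded one. The same check works for any echoed field: swap in your own render function and keep the audit in your test suite.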
Even Ray Camden's blog.cfc is vulnerable. To see what I mean, follow these steps:
1) Go to the contact page
2) Enter the following in the Name field:
3) Click the Send Your Comments button


One thing that I always try to remind people of is to make sure you use the HTMLEditFormat() either before you put it into the database or after you retrieve it from the database, but not both. I personally prefer to use it after I retrieve info from the DB; I don't like messing with my users' input.
Also, in defense of blogCFC, it is not really "vulnerable" to an XSS attack in the contact form, since the results of the contact form are not displayed on the site. Even if you view it in Gmail after it is mailed to you, the script is escaped and does not execute.
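The "encode on input or on output, but not both" point, shown with an added Python example that is not from the post or its commenters: html_edit_format mirrors HtmlEditFormat()'s escaping, DATABASE is a constructed stand-in for the comments table, and SAMPLE_COMMENT is constructed input. Encoding once at output shows the text the user typed; encoding again on the way out turns the first pass's entities into literal text the visitor can see.

```python
import html


def html_edit_format(value):
    # Stand-in for ColdFusion's HtmlEditFormat(): escapes &, <, > and ".
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))


# Constructed stand-in for the comments table: stores exactly what was typed.
DATABASE = []
SAMPLE_COMMENT = 'Smith & Sons <"Ltd">'   # constructed sample input


def store_comment(text):
    """Stores the raw text and returns its row id (encode-on-output style)."""
    DATABASE.append(text)
    return len(DATABASE) - 1


def render_encode_on_output(row_id):
    # Encode once, at the point where the value is written into HTML.
    return "<p>%s</p>" % html_edit_format(DATABASE[row_id])


def render_double_encoded(row_id):
    # What you get when the value was encoded before storage and again on output.
    return "<p>%s</p>" % html_edit_format(html_edit_format(DATABASE[row_id]))


def as_displayed(markup):
    """Text a browser would show for the paragraph body: entities decoded once."""
    return html.unescape(markup[len("<p>"):-len("</p>")])


def demo():
    """Returns (displayed text when encoded once, displayed text when encoded twice)."""
    row_id = store_comment(SAMPLE_COMMENT)
    return (as_displayed(render_encode_on_output(row_id)),
            as_displayed(render_double_encoded(row_id)))


if __name__ == "__main__":
    once, twice = demo()
    print("encoded once :", once)
    print("encoded twice:", twice)
```

Keeping the stored value raw also means the same row can be sent to a non-HTML channel, such as the plain-text mail the contact form produces, without first undoing an HTML encoding.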
@Jason
You are right about it not echoing back but still an Adobe Guru should make sure that his stuff is airtight, or he will get bullied out of his milk money at the AdobeMax conference.
I don't mess with #HtmlEditFormat# though your intentions are good. I prefer to pull things out exactly via something along these lines:
<cfloop list="#FORM.FieldNames#" index="i">
<cfscript>
    // Entity-encode the characters that could open a tag or an attribute value;
    // single quotes are replaced with a space.
    FORM[i] = replace(FORM[i],'<','&lt;','ALL');
    FORM[i] = replace(FORM[i],'>','&gt;','ALL');
    FORM[i] = replace(FORM[i],'"','&quot;','ALL');
    FORM[i] = replace(FORM[i],'''',' ','ALL');
</cfscript>
</cfloop>
no tags = no scripting
<cfif IsDefined('FORM.fieldnames')>
<cfloop list="#FORM.FieldNames#" index="i">
<cfscript>
FORM[i] = replace(FORM[i],"<","","ALL");
FORM[i] = replace(FORM[i],">","","ALL");
FORM[i] = replace(FORM[i],'"',"","ALL");
FORM[i] = replace(FORM[i],"'","","ALL");
</cfscript>
</cfloop>
</cfif>
<cfscript>
function NumbersOnly(str) {
    // Keep digits only, so an ID can never carry markup.
    return reReplace(str,"[^[:digit:]]","","all");
}
function StripXSS(str) {
    // Entity-encode the characters that open tags, attribute values and
    // JavaScript calls. Inside cfscript a literal # must be written as ##.
    str = replace(str,'<','&lt;','ALL');
    str = replace(str,'>','&gt;','ALL');
    str = replace(str,'(','&##x28;','ALL');
    str = replace(str,')','&##x29;','ALL');
    str = replace(str,'"','&quot;','ALL');
    return replace(str,"'",'&##x27;','ALL');
}
someID=NumbersOnly(someID);
someString=StripXSS(someString);
</cfscript>