
ColdFusion – Cross Site Scripting

I had to fix one site, which was sharing a server with other sites, to be PCI compliant for cross-site scripting and DB injection.

Here are the few things I did to accomplish this.

In Application.cfc, I added the following:

<cfset this.scriptProtect = "all">

Note: If you are passing object/script or any HTML tags etc. in form or query variables, this will break your code.

Make sure you have the following section in your cfusion/lib/neo-security.xml:

<var name="CrossSiteScriptPatterns">
  <struct type="coldfusion.server.ConfigMap"><!-- this one is for site scripting -->
    <var name="&lt;\s*(object|embed|script|applet|meta|iframe|style|img|form|xss|body|html|head|title|input|layer|br|bgsound|link|xml|frameset|table|div|hr|base|a%20href|a href)">
      <string>&lt;InvalidTag</string>
    </var><!-- following is for SQL injections -->
    <var name=";.*(select|insert|update|delete|drop|alter|create)">
      <string>SQL_INJECTION_ATTEMPT</string>
    </var>
  </struct>
</var>

Now all you need to do is look for the respective replacement string (InvalidTag or SQL_INJECTION_ATTEMPT) in your output and send the user to the appropriate error/message page.
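To act on those markers for every request, here is an Application.cfc I would add (example code written for this post, not the original's code); it assumes the neo-security.xml entries above are active and that an /error.cfm page exists.

```cfml
<!--- Application.cfc: added example, not code from the original post.
      Assumes the CrossSiteScriptPatterns above and an /error.cfm page (both assumptions). --->
<cfcomponent output="false">
    <cfset this.name = "pciSite">
    <cfset this.scriptProtect = "all">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Replacement strings written by the two patterns in neo-security.xml --->
        <cfset var markers = "InvalidTag,SQL_INJECTION_ATTEMPT">
        <cfset var scopes = [form, url, cookie]>
        <cfset var scopeRef = "">
        <cfset var key = "">
        <cfset var marker = "">

        <!--- scriptProtect="all" has already rewritten these scopes before this
              method runs, so a marker in any value means a pattern fired --->
        <cfloop array="#scopes#" index="scopeRef">
            <cfloop collection="#scopeRef#" item="key">
                <cfif isSimpleValue(scopeRef[key])>
                    <cfloop list="#markers#" index="marker">
                        <cfif findNoCase(marker, scopeRef[key])>
                            <!--- Record which field tripped, then send the user away --->
                            <cflog file="scriptProtect" type="warning"
                                   text="Blocked #arguments.targetPage#: field '#key#' matched #marker# from #cgi.remote_addr#">
                            <cflocation url="/error.cfm" addtoken="false">
                        </cfif>
                    </cfloop>
                </cfif>
            </cfloop>
        </cfloop>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The cflog line gives you something to alert on, which matters for the PCI audit trail as much as the redirect itself.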

Categories: ColdFusion, Secure
  1. March 17, 2011 at 5:06 am

    Web Consultant is unified with graphic design, high-end technical experts and marketing specialties to meet the targets within the bottom/top line. The streamlined business process automation and system integration support us to save our clients both time and money.
    This information is more valuable; thanks for sharing this information.
