ColdFusion

#1 February 11th, 2010, 05:09 AM
suryakantb
How to protect ColdFusion CFM templates from Cross Site Scripting attacks?

Hi all,
I am sharing a tip with you all. Hope it is useful. Any suggestions are welcome.
Perhaps the easiest attack that is possible on a web page is a Cross Site Scripting attack. Attackers can easily "view source" the web page and save it on a local box. They can easily manipulate the page content, change the POST ACTION link and can easily penetrate your CFM templates.
However, restricting Cross Site Scripting attacks while working with ColdFusion is not so difficult. Add the following lines of code to your ColdFusion files to ward off these attacks.

<!--- Abort unless the Referer header is present and contains this host name --->
<cfif NOT len(CGI.HTTP_REFERER) OR NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)>
    <cfoutput>An external host trying to communicate with the CFM template.</cfoutput>
    <cfabort>
</cfif>

Do NOTE that we have used two ColdFusion CGI variables here:

CGI.HTTP_REFERER: Full URL of the template which posts the data to another template

CGI.HTTP_HOST: Host server where the HTTP_REFERER posts data into.

This piece of code simply checks for any mismatch between HTTP_REFERER and HTTP_HOST, and if there is any then aborts.

Best Practice: We can have this piece of code in one CFM template and CFINCLUDE that in all CFM templates for a project to prevent Cross Site Scripting attack.

#2 January 31st, 2017, 06:43 AM
dishagandhi
Restricting Cross Site Scripting attacks

Restricting Cross Site Scripting attacks while working in ColdFusion is not difficult. Add the following lines of code in your ColdFusion files to ward off these attacks.

<cfif NOT len(CGI.HTTP_REFERER) OR NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)>
<cfoutput>An external host trying to communicate with the CFM template.</cfoutput>
<cfabort>
</cfif>


This code simply checks for any mismatch between HTTP_REFERER and HTTP_HOST, and if there is any mismatch it aborts.
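
The referer-to-host comparison from both posts, modelled in Python as an added example (not code from either poster): `substring_check` mirrors the CFML condition as written, and `exact_host_check` is a stricter variant that parses the Referer and compares its host component exactly; the function names and the sample header values are constructed for this illustration.

```python
"""Request-origin check from the thread, modelled in Python (added example,
not the posters' code). Compares the posted substring test with a variant
that matches the parsed Referer host exactly. Header values are constructed."""
from urllib.parse import urlsplit


def substring_check(http_host: str, http_referer: str) -> bool:
    """Mirror of the CFML condition: accept when HTTP_REFERER is non-empty
    and HTTP_HOST occurs anywhere inside it, case-insensitively."""
    if not http_referer:
        return False
    return http_host.lower() in http_referer.lower()


def exact_host_check(http_host: str, http_referer: str) -> bool:
    """Stricter variant: parse HTTP_REFERER as a URL and require its host
    (including any port) to equal HTTP_HOST, case-insensitively."""
    if not http_referer:
        return False
    parts = urlsplit(http_referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # netloc may carry userinfo (user:pass@host); keep only the host part
    referer_host = parts.netloc.rsplit("@", 1)[-1]
    return referer_host.lower() == http_host.lower()


# Constructed sample requests: name -> (CGI.HTTP_HOST, CGI.HTTP_REFERER)
SAMPLES = {
    "same_host": ("www.example.com", "https://www.example.com/form.cfm"),
    "missing_referer": ("www.example.com", ""),
    "other_host": ("www.example.com", "https://other.example.net/page.cfm"),
    "host_in_path_only": ("www.example.com",
                          "https://other.example.net/www.example.com"),
}


def evaluate(check):
    """Apply one check to every sample; returns {name: accepted}."""
    return {name: check(host, ref) for name, (host, ref) in SAMPLES.items()}


if __name__ == "__main__":
    for label, check in (("substring", substring_check),
                         ("exact_host", exact_host_check)):
        for name, accepted in evaluate(check).items():
            print(f"{label:11}{name:18} accepted={accepted}")
```

Running it shows the two checks agree on every sample except the constructed Referer whose path merely contains the host name, which only the exact host comparison rejects.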

Powered by: vBulletin Version 3.0.5
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.

© 2003-2017 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap