Perhaps the easiest attack on a web form is a forged submission. An attacker can "view source" on the page, save it on a local box, edit the form fields or change the POST ACTION link, and submit the result to your CFM templates from a host you do not control. This is often called Cross Site Scripting, but the attack just described is really cross-site request forgery (CSRF) or form spoofing; XSS proper is the injection of script into pages you serve, and the check below does nothing against it.
Blocking the crude version of this attack in ColdFusion is not difficult: verify that the request was posted from your own host. Add the following lines at the top of each ColdFusion template that handles a form post.
<cfif NOT len(CGI.HTTP_REFERER) OR NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)>
    <cfoutput>An external host is trying to communicate with this CFM template.</cfoutput>
    <cfabort>
</cfif>
Do NOTE that we have used two ColdFusion CGI variables here –
CGI.HTTP_REFERER: the Referer header sent by the browser, i.e. the full URL of the page that posted the data to this template (empty when the browser sent no Referer)
CGI.HTTP_HOST: the Host header of the current request, i.e. the host name under which this template is being served
This piece of code rejects the request when the Referer is empty or does not contain the current host name, and aborts the template with <cfabort>. Two caveats before relying on it. First, FindNoCase is a substring match, so a Referer such as https://evil.example/?x=yourhost.com (or a host like yourhost.com.evil.example) passes; the host should be parsed out of the Referer and compared exactly against the host you expect. Second, the Referer header is supplied by the client: a non-browser attacker can forge it, and some browsers, proxies and privacy settings strip it, so legitimate users may be rejected. Treat the check as a speed bump against browser-based forgery, not a complete defense, and pair it with a per-session token embedded in each form and verified on submit.
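The following is an added example, not code from the original post: it writes the post's substring check and a hardened same-origin check side by side in Python, so the bypasses can be run and checked outside a ColdFusion server; the same logic ports to CFML (java.net.URI via createObject gives comparable host parsing, assumed rather than shown here). The helper names, the expected host and the sample requests are assumptions constructed for the example.

```python
"""Referer/Origin check for form-handling templates: the post's substring
version beside a hardened one. Added example, not from the original post;
helper names, EXPECTED_HOST and the sample requests are constructed."""
from urllib.parse import urlsplit

# Host this application is known to be served on. A configured constant, not
# the Host header (CGI.HTTP_HOST): that header comes from the client too.
EXPECTED_HOST = "app.example.com"


def weak_check(http_host: str, referer: str) -> bool:
    """Equivalent of FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER): passes when
    the host string appears *anywhere* in the Referer."""
    return bool(referer) and http_host.lower() in referer.lower()


def source_host(url: str) -> str:
    """Host part of a Referer/Origin URL, lower-cased, without port or userinfo.
    Returns '' for anything that is not an absolute http(s) URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ""
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.lower()


def hardened_check(method: str, headers: dict) -> bool:
    """Allow only same-origin state-changing requests.

    - GET/HEAD pass: bookmarks and search engines send no Referer.
    - Origin is preferred (browsers send it on cross-site POSTs); Referer is
      the fallback. A POST with neither header is rejected, not trusted.
    - The host is parsed and compared exactly, never substring-matched.
    """
    if method.upper() in ("GET", "HEAD"):
        return True
    source = headers.get("Origin") or headers.get("Referer") or ""
    return source_host(source) == EXPECTED_HOST


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "legit post": ("POST", {"Referer": "https://app.example.com/form.cfm"}),
    "no referer": ("POST", {}),
    "attacker query": ("POST", {"Referer": "https://evil.example/?r=app.example.com"}),
    "attacker subdomain": ("POST", {"Referer": "https://app.example.com.evil.example/"}),
    "attacker userinfo": ("POST", {"Referer": "https://app.example.com@evil.example/"}),
    "bookmark get": ("GET", {}),
}


def evaluate() -> dict:
    """Run both checks over SAMPLES; maps sample name -> (weak, hardened)."""
    results = {}
    for name, (method, headers) in SAMPLES.items():
        referer = headers.get("Referer", "")
        results[name] = (weak_check(EXPECTED_HOST, referer),
                         hardened_check(method, headers))
    return results


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:20s} weak={weak!s:5} hardened={hard}")
```

Running it shows the three attacker Referers passing the substring check and failing the hardened one, and the bookmark GET rejected by the substring check (no Referer) but accepted by the hardened one. Even the hardened check only filters browser-originated forgeries; a client that sets its own headers is stopped by the form token, not by this.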
Best Practice: keep this piece of code in one CFM template and CFINCLUDE it in every template that processes a form post for the project, so that forged cross-site posts are rejected in one place. Do not include it in pages that are reached by plain GET (bookmarks, search-engine links and typed URLs carry no Referer and would be blocked); if you put it in Application.cfm so it runs on every request, guard it with a check on CGI.REQUEST_METHOD so that only POSTs are tested.