ColdFusion ships with several useful security features; one of them is scriptProtect. It helps protect your application against cross-site scripting (XSS). Let me show you how easy it is to enable.
If you are using Application.cfm, do the following:
1. Open the Application.cfm file.
2. Add scriptProtect="all" to the cfapplication tag (the same setting as the Application.cfc form below).
If you are using Application.cfc, do the following:
1. Open the Application.cfc file.
2. Add This.scriptProtect="all" in Application.cfc, alongside the other This-scope application settings.
ColdFusion will now inspect values arriving in the Form, URL, CGI and Cookie scopes and neutralise object, embed, script, applet and meta tags found in them. Note what this is: a blocklist on a handful of tag names applied to request input, not output encoding.
That protection is not enough on its own. Let me show how it works.
Suppose you have a page that takes a parameter from the URL and displays it, like the following:
Page name: testProtection.cfm, containing: Hello #url.name#
It should stop an attack such as:
testProtection.cfm?name=
ColdFusion rewrites the opening tag of the matched payload to <InvalidTag, so the browser ignores it and the page renders as below.
Hellolocation.href='http://www.google.co.in'
A very common XSS vector, however, is injection of .
If you try
testProtection.cfm?name=, the attacker succeeds, because that payload matches none of the five tag names above.
Working formula of ColdFusion:
ColdFusion implements scriptProtect with pattern matching. The patterns live in a file named "neo-security.xml" in the "\ColdFusion9\lib\" directory. If you search that file you will find the snippet that defines them: a var element whose name attribute holds the pattern listing the blocked tag names, and whose value is the replacement string
<InvalidTag
Now you can see why ColdFusion only protects against object, embed, script, applet and meta tags. If you also want to protect your application from iframe, add iframe to the list of tag names in the name attribute of that var tag:
<InvalidTag
ColdFusion now neutralises iframe as well. You can add further var entries with your own expressions in the same way, for example:
<InvalidTag <InvalidTag
Two caveats: the file is read when the ColdFusion service starts, so restart the service after editing it, and keep a copy of your changes, since a reinstall will overwrite the file.
But your application is still not protected from slightly more advanced XSS payloads, which avoid the listed tag names altogether (for example by using an event-handler attribute instead of a script tag):
ScriptProtectTest.cfm?name=Invaded
ColdFusion will not catch this one, because no pattern in the list matches it.
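To make the mechanism and its limits concrete, here is an added Python simulation. It is not ColdFusion code and not taken from neo-security.xml: it reconstructs the tag-name blocklist described above as a regular expression (the exact regex shape and its case-insensitivity are my assumptions; the tag list and the <InvalidTag replacement come from the page), runs a set of constructed payloads through it with and without iframe added, and contrasts the result with HTML output encoding, which neutralises every payload regardless of tag name.

```python
import html
import re

# Reconstruction (assumed, not copied from neo-security.xml) of the blocklist
# the page describes: an opening "<" followed by one of the listed tag names is
# rewritten to "<InvalidTag", which is what the page's output shows.
DEFAULT_TAGS = ("object", "embed", "script", "applet", "meta")
REPLACEMENT = "<InvalidTag"


def build_pattern(tags):
    """Build the tag-opener blocklist regex for the given tag names.

    Case-insensitive matching and the optional whitespace after "<" are my
    assumptions about the real pattern, not facts taken from the page.
    """
    alternation = "|".join(re.escape(t) for t in tags)
    return re.compile(r"<\s*(" + alternation + r")", re.IGNORECASE)


def script_protect(value, tags=DEFAULT_TAGS):
    """Simulate scriptProtect: rewrite blocked tag openers to <InvalidTag.

    Note that only the opening tag is touched; the closing tag and the
    payload body pass through unchanged, as in the page's rendered output.
    """
    return build_pattern(tags).sub(REPLACEMENT, value)


def bypasses_filter(payload, tags=DEFAULT_TAGS):
    """True when the blocklist leaves the payload completely untouched."""
    return script_protect(payload, tags) == payload


def audit(payloads, tags=DEFAULT_TAGS):
    """Return the (sorted) names of payloads that pass the blocklist unchanged."""
    return sorted(name for name, p in payloads.items() if bypasses_filter(p, tags))


def encode_for_html(value):
    """The defence that does not depend on a blocklist: escape for HTML body
    context. Equivalent in intent to ColdFusion's HTMLEditFormat()/encodeForHTML()."""
    return html.escape(value, quote=True)


# Constructed payloads (not from the original page). Only the first uses one of
# the five blocked tag names; the rest are ordinary XSS vectors that avoid them.
PAYLOADS = {
    "script": "<script>location.href='http://www.google.co.in'</script>",
    "iframe": "<iframe src='http://attacker.example/'></iframe>",
    "event_handler": "<img src=x onerror=alert(1)>",
    "svg": "<svg onload=alert(1)>",
    "javascript_url": "<a href='javascript:alert(1)'>x</a>",
}


if __name__ == "__main__":
    print("filtered script payload :", script_protect(PAYLOADS["script"]))
    print("bypass default list     :", audit(PAYLOADS))
    print("bypass with iframe added:", audit(PAYLOADS, DEFAULT_TAGS + ("iframe",)))
    for name, payload in PAYLOADS.items():
        print(f"encoded {name:14}: {encode_for_html(payload)}")
```

Running it shows the shape of the problem: adding iframe to the list removes exactly one bypass, while the event-handler, svg and javascript: payloads still pass untouched, because a tag-name blocklist can only ever catch the names it knows. Output encoding, by contrast, turns every "<" into "&lt;" and needs no list at all.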
Conclusion:
ColdFusion's built-in security features do help, but you have to enable them to get the benefit, and you have to understand what they are. scriptProtect is a blocklist on a few tag names, not a substitute for output encoding: encode every untrusted value for the context it is written into (HTMLEditFormat() in ColdFusion 9; encodeForHTML() and its companions from ColdFusion 10 onwards), validate input yourself, and treat scriptProtect as defence in depth rather than as the defence.