Release Date: 4/23/2008
Last Update: 1/16/2010
License: Apache License, Version 2
Portcullis is a CFC based url,form,cookie filter to help protect against SQL Injection and XSS scripting attacks. This CFC can help filter input, strip tags and escape HTML based on internal settings. It can also log attacks and temporarily block future attempts based on a set time limit.
This project has been inspired by Shawn Gorrel's popular cf_xssblock tag http://www.illumineti.com/documents/xssblock.txt.
WARNING: URL, SQL Injection and XSS attacks are ever evolving threats. Though this CFC will filter many types of attacks. There are no warranties, expressed or implied, with using this filter. It is YOUR responsibility to monitor/modify/update/alter this code to properly protect your application now and in the future. It is also highly encourage to implement a hardware Web Application Firewall (WAF) to obtain the best protection. In fact in many cases, PCI-DSS standards will require WAF when handling credit card information.
1.0.2 (4/23/2008) - First public release
1.0.3 (5/10/2008) - Added CRLF defense, HttpOnly for cookies, function to remove individual IPs from the log and a new escapeChars function that replaces the htmlEditFormat()
1.0.4 (6/19/2008) - Fixed item naming with a regex scan that allows only alphanumeric and underscore characters
1.0.5 (7/21/2008) - Added some key words to block the popular CAST()/ASCII injection attack. Also, fixed a bug reported if ampersands are in the url string it sometimes mixes up the variable naming
1.0.6 (8/26/2008) - Exception field corrections, fixed a couple missing var scopes, querynew bug in CF6, bug fix for checkReferer
1.0.7 (6/10/2009) - Added to sql and word filters, modified MSWord smart quotes filter
2.0.0 (1/4/2010) - Additions to the keyword list, accessors, context aware sql command words search
2.0.1 (1/16/2010) - New isDetected() method and verification of valid variable names in accordance with the cf variable naming rules
How to use Portcullis
There are a number of settings in the CFC itself. Located at the top in the pseudo constructor area. These settings have notes which explain their purpose.
Typically in your application.cfm or application.cfc page, you can load Portcullis into a shared scope as a singleton.
<cfif isdefined("application.Portcullis") eq false>
<cfset application.Portcullis = createObject("component","com.fusionlink.Portcullis").init()/>
You can also configure Portcullis through the init method. Look at the last section of this howto.
Now, we can scan scope variables coming into the application..
If we have blocking on, then we can call Portcullis to determine if a request should be blocked..
<cfif application.Portcullis.isBlocked(cgi.remote_addr) eq true>
Sorry, there was an error detected.
subject="Portcullis: User Blocked" type="html">
You can also detect on-the-fly if Portcullis caught an attack with the current request via the isDetected() function..
If you need to read the list of IP's that are blocked are have tried to do attacks..
You can remove an IP from the blocked log..
You can configure Portcullis via its accessors functions (either init or setSettings).
<cfset settings = StructNew()/>
<cfset settings.log = true/>
<cfset settings.ipBlock = true/>
<cfset application.Portcullis = createObject("component","com.fusionlink.Portcullis").init(settings)/>
This will override the default settings within the component and allow you to dynamically use Portcullis in different modes as needed.
Just refer to the top of the cfc to see the various default settings and their naming.
You can view current Portcullis settings with the getSettings() function..