Portcullis - Protect against SQL Injection and XSS
I recently released a public version of a CFC filter called Portcullis that can help protect your applications from SQL Injection and Cross site scripting attacks. It attempts to cover the areas that ColdFusion's script protect feature does not cover adequately.
SQL Injection and XSS attacks have been the attacks du jour for hackers. They have also been in the OWASP's Top 10 most serious web application vulnerabilities for several years now (http://www.owasp.org/index.php/Top_10_2007). In fact, XSS (cross-site scripting) and injection attacks are ranked first and second respectively on the list.
Now since ColdFusion 7, we have had a functionality called "scriptprotect" that you can set in the cfapplication tag or in the application.cfc. There are several problems with this feature and to be honest I wish that Adobe rework their logic or make it very clear in the CFAdmin and documentation that this does not do very much. I see too many people turning this feature on and thinking their work is done.
If you do use ColdFusion's script protection, keep in mind a few things. Saying scriptprotect=true does NOT properly turn on script protection. It also does NOT error out, which it should due to the nature of this attribute. The setting should instead be a list of scopes you wish to protect. For example, scriptprotect="form,url,cookie" or scriptprotect="all". Secondly, the script protect feature is more geared towards XSS attacks. The thought being, I guess, that cfqueryparam and cfstoredproc will cover all the SQL injections? This is also a very bad assumption.
Unfortunately, their list of tags to strip is very easy for a hacker to walk around. To view and modify the settings for this, simply go to your neo-security.xml in the CFInstallDirectory\lib\..
At the bottom you will see..
So ColdFusion's scriptprotect looks for tags in this list and replaces the bad tag with InvalidTag. Again this list is not very good. You should also include at the very least "frame,iframe,frameset,layer,ilayer,form,input" to this list.
Another bad aspect to ColdFusion's script protect feature is that you have no log of the attacks or a methodology of stopping the attacker. There should be a method of logging these attacks and also to block the attacker's future requests. Hopefully, these items could appear in the next release of ColdFusion :)
Portcullis attempts to fill in these problems. With a more robust list of tags, keywords and SQL commands to filter out. It also logs the attempts and can temporarily block an IP that is sending the attacks.
Portcullis will work for ColdFusion versions 6 to 8. If you are using an older version of ColdFusion, I highly encourage you to use Shawn Gorrell's cf_xssblock tag. To be completely honest, Shawn's tag inspired Portcullis and he hits many of the same areas. You can find it at, http://www.illumineti.com/documents/xssblock.txt
If you are dealing with Ecommerce applications, bare in mind that PCI-DSS's requirement 6.6 is coming due on June 30th. You must have either a complete code review by a third-party that specializes in application security or have a Web Application Firewall (WAF) in place to protect your web-facing applications. Both are good, but in light of SQL Injection and XSS, having an application layer firewall provides another system to help filter and block these attacks and is highly encourage. FusionLink does provide WAF protection with their hosting.