Using urlencode in application.cfm to detect XSS in url ColdFusion


I inherited some legacy ColdFusion code and about a year ago my site was hit with XSS and SQL injection.

Which caused me to validate inputs coming in, as well as including a setting of ScriptProtect="all" in my application.cfm file. I got it scanned and it came up clean.

Recently I had it scanned again and it came up with many vulnerabilities, in particular one where it embedded a script in the URL.

For example this was attached to a url:

?’A<style > a(font0family:expression(alert(2424)))</style>

Which embedded hidden JavaScript. How would one use a ColdFusion function such as URLencode() in the application.cfm file to detect/prevent this sort of XSS attack?

1

There is 1 answer

5
JClausen On

There are a few specific things you can do, depending on the nature of the attacks and the type of application. The following are what I would consider to be "the big three". The first item is to enable the "Enable Global Script Protection" in the "Settings" area of the ColdFusion administrator.

The second, and this is extremely important for SQL injection, is to use <cfqueryparam> with strict typing on any variable used in your queries. For example:

<cfqueryparam cfsqltype="cf_sql_integer" value="#my_integer#">

On a script-based query this would be accomplished by:

<cfscript>
    // my_datasource is assumed to hold the datasource name; the URL value is bound as a
    // strictly typed integer, so anything that is not an integer is rejected before it reaches SQL
    qget = new Query(datasource=my_datasource);
    qget.addParam(name="my_integer", value=url.my_id, cfsqltype="cf_sql_integer");
    qresult = qget.execute(sql="
        SELECT * FROM my_table
        WHERE id = :my_integer
    ").getResult();
</cfscript>

The third is dependent on whether you are serving JSON from your application via an API or internal call. Enabling the "Prefix Serialized JSON" setting in the CF Administrator with a prefix of your choice can help with cross-site scripting attacks as well.

If you're not on an Adobe CF server, no worries. Both Railo and Blue Dragon have equivalent features.
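To tie the question's request-level idea to the answer's settings, here is an added example (not from the question, the answer, or any project) of an Application.cfc, the newer form of application.cfm, that sets scriptProtect as the asker did and screens every URL parameter in onRequestStart for the kind of markup the scanner's payload relied on. The log file name "xss-screen", the application name and CF10+ (for the tag-based settings shown) are assumptions; the proper fix for the output side is still to render values with encodeForHTML() rather than rely on detection alone.

```cfml
<!--- Added example: request screening for markup-style URL payloads. --->
<cfcomponent>
    <cfset this.name = "legacyApp">               <!--- assumed application name --->
    <cfset this.scriptProtect = "all">            <!--- same as ScriptProtect="all" in application.cfm --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Tag openers (with optional spaces, so "<style >" still matches), CSS
              expression(), javascript: URLs and inline on*= handlers. Checked against the
              raw value because the browser, not the server, is what decodes it later. --->
        <cfset var suspect = "(<\s*/?\s*(script|style|iframe|img|svg|object)\b)|expression\s*\(|javascript\s*:|\bon[a-z]+\s*=">
        <cfset var key = "">

        <cfloop collection="#url#" item="key">
            <cfif reFindNoCase(suspect, url[key])>
                <!--- Record which parameter tripped the check, then refuse the request. --->
                <cflog file="xss-screen" type="warning"
                       text="Blocked #arguments.targetPage#: url.#key# from #cgi.remote_addr#">
                <cfheader statuscode="400" statustext="Bad Request">
                <cfabort>
            </cfif>
        </cfloop>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

On any page that echoes a URL value, write it as #encodeForHTML(url.q)# so a value the pattern does not catch is still rendered as text, not markup.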