Question
What is the best way to stop Cross-Site Scripting for ColdFusion?
Is there a setting to set in the CF Admin, or is there code you can put in Application.cfc?
Example Code:
http://test.com/file.cfm?center=fisCenter')" onmouseover="alert('Insert Hax Here.')" style="display:block;position:absolute;top:0;left:0;width:10000px;height:10000px;z-index:100">
Answer 1:
First things first: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet. OWASP has tons of resources to help devs better understand the problem. XSS isn't a CF problem, but a webdev problem.
That said, which version of CF are you working with? It's more difficult to deal with in CF9 or lower. Those versions have limited built-in functionality and may require falling back into Java methods, if able. But CF10 added a bunch of functionality.
HTTPOnly Cookies - while "available" well before CF10, CF10 added it as a setting in CF Administrator or by using this.sessioncookie.httponly=true in Application.cfc. You can still accomplish this in older versions through JVM settings or content headers. (https://www.petefreitag.com/item/764.cfm)
Content Security Policy - (https://content-security-policy.com/) I will admit that I'm not as familiar with CSP as I should be. It's not really CF, but it's still something to know about. It lets you establish the approved origin of the content in your site, which should hopefully prevent someone from injecting content that redirects a user's action to somewhere else. But be warned that it is browser-dependent.
scriptProtect - a CF Admin or Application.cfc setting (http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7d69.html). It will help with a lot of XSS, but not all. It's a simple pattern-matching blacklist method instead of a whitelist (it pretty much looks only for object, embed, script, applet, and meta), so there are many ways to get around it. It should be used but not relied upon or expected to be 100% safe.
encodeFor*() - (https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-e-g/encodeforhtml.html). These have been much improved since the HTMLEditFormat() days. Make sure you use the appropriate encoding method.
Canonicalize() - (https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-c-d/Canonicalize.html) This function is great, but I believe there was a minor change between 10 and 11 that adds a little better handling. With the additional CF11 throwOnError flag, when you check for both multi- and mixed encoding, you can throw/catch an error if either are detected and log/block that user. There is pretty much no reason any legitimate user would ever hit those flags, so logging/blocking isn't a bad idea.
Also see Dave Epler's excellent writeup in http://learncfinaweek.com/week1/Cross_Site_Scripting__XSS_/. That will give you some good info on XSS in ColdFusion.
And finally, as you can see from some of my earlier links, Pete Freitag has some of the best security resources I've found (https://www.petefreitag.com), and he tends to be the expert I trust for information about ColdFusion application security. Pete's Bank of Insecurity app (https://github.com/foundeo/cfml-security-training) will give you some great examples of how CF can be exploited.
The moral of my story is one of basic Defense In Depth, even for a single type of exploit. Some of my examples above involve code you write, some are page headers (not quite the same kind of code) and some are Server Administrator functions or settings. You can never be 100% safe, but it's a good idea to throw multiple roadblocks up in the way of a malicious user.
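The layers listed in this answer, assembled into one Application.cfc plus a page template, as an added example that is not code from the answer, from Adobe's documentation or from Pete Freitag's material. It assumes ColdFusion 11 or later for the fourth canonicalize() argument (throwOnError); the CSP policy string, the log file name, the 400 response and the `center` parameter handling are assumptions, and the output section shows the point the question's payload turns on: the value lands in an HTML attribute, so it is encoded with encodeForHTMLAttribute() rather than encodeForHTML().

```cfml
// ---- Application.cfc (added example; assumes CF11+ for throwOnError) ----
component {
    this.name = "xssDefenseDemo";           // assumed application name
    this.sessionManagement = true;

    // Layer 1: session cookie unreadable by script, so a successful XSS cannot lift it
    this.sessionCookie.httpOnly = true;
    this.sessionCookie.secure   = true;     // only when the site is served over HTTPS

    // Layer 2: server-side blacklist filter; cheap and bypassable, never the only layer
    this.scriptProtect = "all";

    public boolean function onRequestStart( required string targetPage ) {
        // Layer 3: Content Security Policy response header (policy value is an assumption)
        getPageContext().getResponse().setHeader(
            "Content-Security-Policy", "default-src 'self'; object-src 'none'"
        );

        // Layer 4: canonicalize request input. With restrictMultiple and restrictMixed
        // true and throwOnError true, double- or mixed-encoded values raise an error
        // instead of being silently decoded; legitimate users almost never trigger this.
        for ( var key in url ) {
            if ( !isSimpleValue( url[ key ] ) ) continue;
            try {
                url[ key ] = canonicalize( url[ key ], true, true, true );
            } catch ( any e ) {
                writeLog(
                    file = "security",      // log file name is an assumption
                    type = "warning",
                    text = "Encoding anomaly in url.#key# from #cgi.remote_addr#: #e.message#"
                );
                getPageContext().getResponse().setStatus( 400 );
                return false;               // stop processing this request
            }
        }
        return true;
    }
}
```

```cfml
<!--- ---- file.cfm (added example): Layer 5, encode on output for the HTML context ---- --->
<cfparam name="url.center" default="">
<cfoutput>
    <!--- attribute context: the payload in the question closes the quote and adds
          onmouseover; encodeForHTMLAttribute() turns the quote into an entity --->
    <div id="center" data-center="#encodeForHTMLAttribute( url.center )#">
        <!--- element body context --->
        Selected center: #encodeForHTML( url.center )#
    </div>
    <!--- URL parameter context --->
    <a href="file.cfm?center=#encodeForURL( url.center )#">Reload</a>
</cfoutput>
```

The input canonicalization in onRequestStart does not replace the output encoding in file.cfm: canonicalize() only normalizes what arrived, while the encodeFor*() call is what makes the value inert in the specific place it is written, and a value that is safe in one context (element body) is still dangerous in another (attribute, URL, JavaScript).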
Answer 2:
This seems to be the answer I was looking for so far.
<!--- In Application.cfc: enable the built-in (blacklist) script filter --->
<cfscript>
    this.scriptprotect = "all";
</cfscript>

<!--- In OnRequestStart in Application.cfc: decode the URL scope before it is used --->
<cfscript>
    sanitizeScope( url );
</cfscript>

<!--- CF10 Canonicalize --->
<cfscript>
    /* This function decodes any particular scope values.
       canonicalize( value, restrictMultiple, restrictMixed ): both flags are false here,
       so multiply- or mixed-encoded input is decoded rather than rejected. */
    public void function sanitizeScope( required struct scope )
    {
        for ( var key in scope )
        {
            // only simple (string/number) values can be decoded; leave anything else alone
            if ( isSimpleValue( scope[ key ] ) )
            {
                scope[ key ] = canonicalize( scope[ key ], false, false );
            }
        }
    }
</cfscript>
Source: https://stackoverflow.com/questions/45597947/in-coldfusion-how-to-eliminate-vulnerable-for-cross-site-script