I am working on redoing our company's code, and I want to have a clear, easy-to-read, and reasonably secure application.cfm.

And no, we are not using application.cfc. So let's not discuss that please.

Just want to know what scripts you would add for security.

I am using ColdFusion 8 Standard, SQL 2008.

Here is one of the scripts I am currently using, but I want to hear from some other ColdFusion programmers.

<cfset temp = cleanScopes('form,url') />

<!--- another method to clean url/form data from http://www.garyrgilbert.com/tools/coldfusion/cleanScopes.cfm.txt --->
<cffunction name="cleanScopes" access="public" returntype="void">
    <cfargument name="scopesToClean" type="string" required="yes">
    <cfargument name="charlist" type="string" required="no" default="">
    <cfscript>
        // matches an opening tag with no "/" or ">" inside it, or any closing tag
        reTags = "<[^/>]*>|</.*>";
    </cfscript>
    <cfloop list="#scopesToClean#" index="scopeName">
    <!--- file uploads are left alone: multipart bodies are not plain text fields --->
    <cfif not findnocase("multipart/form-data",cgi.CONTENT_TYPE)>
        <cfscript>
            s = Evaluate(scopeName);
            for (field in s) {
                // only strings are rewritten; structs/arrays/uploads are skipped
                if (isSimpleValue(s[field])) {
                    if (reTags neq '') {
                        // repeat until the value stops changing, so a tag that
                        // is only exposed by the previous removal is also caught
                        do {
                            prev = s[field];
                            s[field] = REReplaceNoCase(s[field], reTags, "", "ALL");
                        } while (prev NEQ s[field]);
                        structUpdate(s, field, prev);
                    }
                    // optionally drop every character named in the charlist
                    if (charlist neq '') {
                        s[field] = replacelist(s[field], charlist, '');
                    }
                }
            }
        </cfscript>
    </cfif>
    </cfloop>
    <cfreturn>
</cffunction>

Thank you for your time.

A: 

Personally, I'm not really sure this "global" approach is the best. I check all incoming data in all models that accept external data, with specific validation rules for each situation. So an additional layer looks like overkill.

Such scripts won't protect you from someone putting a string into the numeric id passed in the URL -- you have to check it anyway. You have to use HTMLEditFormat/XMLFormat in the views anyway, and so on.

P.S. List loop for CFScript:

for (i = 1; i LTE ListLen(scopesToClean); i++) {
    scopeName = ListGetAt(scopesToClean, i);
    //... following code
}
Sergii
This is just 1 of the scripts I plan to use, what other scripts or alternative scripts would you recommend?
crosenblum
I can not recommend any "script" because data validation must be integral part of the application, I just include it as part of scripts that process external data (forms, url attributes etc).
Sergii
It's not overkill, it's a principle called Defense in Depth. http://www.owasp.org/index.php/Defense_in_depth
Jason Dean
@Jason Yes, but using this principle can easily lead to overkill.
Sergii
I'm sorry, but using a global protection system (like a simple script or even a full blown WAF) in addition to properly coding your application is not overkill and there is nothing to suggest that following such a principle will "lead to overkill". Defense in depth will help to protect our applications when one system fails. Sure, you could go and Reductio Ad Absurdum and say that we could add a hundred layers and that that would be overkill, but no one has suggested that. YOU however stated that these two layers were overkill, and that is just plain wrong.
Jason Dean
You can try to interpret other people's words as you wish, sir -- this is your right. While I agree with you on the described defence practice, I can't agree with your accusation on the "overkill" statement, because all I said is that I do not consider the global approach the "best" (which means "only" for many people) solution, and added that I can't recommend any scripts. And this is not because I don't want to, as you may think; I just don't know any well enough to recommend.
Sergii
+3  A: 

I would advise against attempting to catch everything in a global fashion. There will inevitably be a few things that slip through the cracks, no matter how complex and convoluted your global protection code gets.

Instead, the "correct" (for what it's worth) method is to sanitize all content being presented on a page (or in an email, etc) -- during output -- that began its life as user input.

That said, take a look at OWASP. They have excellent libraries for protecting from all kinds of attacks, including the various ones you mention (sqli, xss, crlf). A coworker of mine recently wrapped up some of those libraries into a CFC that we can use in our applications, and explained how to use it on our developers' blog:

AntiSamy

If your application accepts user generated HTML, say blog comments for example, you need to make sure you sanitize your input to prevent XSS attacks. You wouldn’t want someone to be able to enter malicious code in your blog comments so you need some way to filter the input. Enter AntiSamy. AntiSamy allows you to easily filter user generated HTML according to what it terms policies. AntiSamy is a Java project, so I have packaged it into a CFC for easy use from ColdFusion.

The simplest way to use AntiSamy is to create an instance of the AntiSamy component (cfc.owasp.AntiSamy) and call the getCleanHTML() method on the input.

<cfset antisamy = CreateObject("component","cfc.owasp.antisamy") />
<cfset cleanHTML = antisamy.scan(form.someInput) />

This will run AntiSamy with the default (fairly permissive) policy file and return the clean HTML markup.

ESAPI Encoder

The next library I’ve brought over from the OWASP project is the ESAPI Encoder. Again this is a Java project which I have wrapped in a CFC for easier use. The encoder provides several methods for encoding beyond those included with ColdFusion. Some of the more useful methods include encodeForJavaScript(), encodeForHTMLAttribute(), and encodeForCSS(). Using the component is pretty straightforward: just instantiate it and call the appropriate method.

<cfset encoder = CreateObject("component","cfc.owasp.Encoder") />
<cfset html = encoder.encodeForHTML("<body onload=""alert('XSS')"">Test</body>") />

One very useful method this library provides is the canonicalize method. The documentation from the beta version of the ESAPI Encoder gives a good description of what this method does.

However, if you insist on a global solution, why reinvent the wheel? Why not try out something like FuseGuard? The price is probably less than the cost of the development hours that would be spent cobbling together, debugging, and dealing with security problems that break through your home-grown system.

Adam Tuttle
They'd rather spend the time on me, as long as it's minimal, than spend the money on some tool. We're rather budget limited. We either do it ourselves in limited time/money or not at all.
crosenblum
Well in that case, I would make use of OWASP libraries and identify where any user-submitted content (or tamperable - like URL variables, cookies, etc) is displayed and add proper encoding of the values.
Adam Tuttle
How do you make a CFC instance of AntiSamy? I know how to call/create CFCs, but what do I download to my server to use AntiSamy?
crosenblum
You'll have to download the OWASP java libraries and then invoke them from a custom cfc, using `createObject("java", "...")`. I'll see if my coworker has any interest in open-sourcing his cfc wrappers.
Adam Tuttle
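As an added example (not code from the question, nor the OWASP CFC wrappers the answer describes), the following Python models the two layers this thread argues about: a port of the question's cleanScopes() regex loop applied at input, and ESAPI-style per-context output encoders of the kind named in the answer (encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript). The encoder rule used here (encode everything except ASCII alphanumerics and a few immune characters) is an assumption modelled on ESAPI, not the library's exact tables; SAMPLE_FORM is a constructed input.

```python
import re
import html

# Same pattern the question's cleanScopes() uses: an opening tag with no "/" or
# ">" inside it, or any closing tag (the second alternative is greedy).
RE_TAGS = re.compile(r"<[^/>]*>|</.*>", re.IGNORECASE)

# Constructed sample: the id shows what the stripper does NOT validate, the
# comment reuses the answer's own <body onload> test string.
SAMPLE_FORM = {"id": "1 OR 1=1",
               "comment": "<body onload=\"alert('XSS')\">Tom & \"Jerry\"</body>"}


def clean_scope(scope, charlist=""):
    """Port of the question's cleanScopes() loop for one scope (form or url).
    Only string values are touched, mirroring the isSimpleValue() check."""
    cleaned = {}
    for field, value in scope.items():
        if isinstance(value, str):
            prev = None
            while prev != value:            # do/while until the value stops changing
                prev = value
                value = RE_TAGS.sub("", value)
            for ch in (charlist.split(",") if charlist else []):
                value = value.replace(ch, "")
        cleaned[field] = value
    return cleaned


def _encode_non_alnum(s, fmt, immune=""):
    # ESAPI-style rule (assumed): all but ASCII letters/digits and the
    # context's immune characters are rewritten in that context's escape syntax.
    return "".join(c if (c.isascii() and c.isalnum()) or c in immune else fmt(c)
                   for c in s)


def encode_for_html(s):
    """Text between tags: the HTML special characters become named entities."""
    return html.escape(s, quote=True)


def encode_for_html_attribute(s):
    """Inside a quoted attribute value: numeric entity for every other character."""
    return _encode_non_alnum(s, lambda c: "&#x%x;" % ord(c), immune=",.-_")


def encode_for_javascript(s):
    """Inside a JS string literal: \\xhh for Latin-1, \\uhhhh for the rest, so a
    quote or newline in the data cannot end the literal early."""
    return _encode_non_alnum(
        s, lambda c: ("\\x%02x" if ord(c) < 256 else "\\u%04x") % ord(c), immune=",._")


def render_comment(raw_form):
    """Layer 1 (stripper) at input, layer 2 (encoding chosen per output context)."""
    form = clean_scope(raw_form)
    return {"html": "<p>%s</p>" % encode_for_html(form["comment"]),
            "attr": '<input value="%s">' % encode_for_html_attribute(form["comment"]),
            "js": "var c = '%s';" % encode_for_javascript(form["comment"])}
```

Note that clean_scope() leaves the id field untouched: the stripper removes markup but does no type checking, which is the point made in the first answer.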