EasyCFM.COM ColdFusion Forums / Good Coding Tips! / Light Safety from Malicious Code


ktaisia
08-11-2006 @ 5:53 AM
Junior Member
Posts: 146
Joined: Jun 2005

This is not official documentation and should only be used for tests, ok.

Make a page called referer.cfm and inside it paste this code

<cfscript>
// Allowed origin: scheme, host and the trailing slash
domain = "http://localhost/";
// Number of characters in the domain string above (Len(domain) would compute it)
domaincount = 17;
</cfscript>

<!--- Pound signs are not needed inside a cfif expression, and no cfoutput is required around it --->
<cfif Left(CGI.HTTP_REFERER, domaincount) NEQ domain>
     <!--- Referer is missing or starts with a different origin: send the visitor to the home page --->
     <cflocation url="#domain#" addtoken="no">
     <cfabort>
</cfif>

The number is the length of the domain name including http and slashes, as you might have noticed.

Just include this page right on top of the page you want to secure.
<cfinclude template="referer.cfm">

This will check what domain is calling this page. If someone typed it into the address bar, they will be redirected to the domain home http://localhost/ (with slash). For obvious reasons, do not include this page in the main homepage.

If you want to use a longer domain or a subfolder then modify the code to reflect that. Example:
http://localhost:8080/ must have 22
And
http://localhost/mytestfolder/ must have 30 etc..

This is not a security measure to be used live but it is for training purposes and quick tests if you don't yet have security code ready.

Have fun.
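The prefix check from the post above, written out as an added Python illustration (it is not the poster's code and not ColdFusion). It computes the count from the domain string instead of by hand, reproduces the two behaviours the CFML has implicitly (CGI.HTTP_REFERER is an empty string when no Referer header arrives, and NEQ compares case-insensitively), and shows why the trailing slash matters: without it a host such as localhost.example.org would pass. The names referer_allowed, handle_request and the sample headers are constructed for this example. Because the header is supplied by the client, the check only filters casual direct visits; it is not an access control.

```python
from urllib.parse import urlsplit

# Constructed value for the example; matches the thread's default.
DOMAIN = "http://localhost/"


def domain_count(domain: str) -> int:
    """Length of the allowed prefix, which the CFML snippet hard-codes by hand."""
    return len(domain)


def referer_allowed(referer, domain: str = DOMAIN) -> bool:
    """Emulate `Left(CGI.HTTP_REFERER, domaincount) NEQ domain` (inverted).

    An absent header is an empty string in CGI.HTTP_REFERER, so it fails the
    prefix comparison and the visitor is redirected, exactly as in the CFML.
    ColdFusion's NEQ is case-insensitive for strings, hence the lower().
    """
    if not referer:
        return False
    count = domain_count(domain)
    return referer[:count].lower() == domain.lower()


def handle_request(headers: dict, domain: str = DOMAIN) -> str:
    """Return the action the include would take: serve the page or redirect home."""
    if referer_allowed(headers.get("Referer"), domain):
        return "serve"
    return f"redirect:{domain}"


def referer_host(referer) -> str:
    """Host part of a referer, useful when logging which origins were redirected."""
    return urlsplit(referer or "").netloc


if __name__ == "__main__":
    # Constructed sample requests: a same-site link, a direct visit with no
    # header, a look-alike host, and a different port on the same host.
    samples = [
        {"Referer": "http://localhost/index.cfm"},
        {},
        {"Referer": "http://localhost.example.org/page.cfm"},
        {"Referer": "http://localhost:8080/page.cfm"},
    ]
    for hdrs in samples:
        ref = hdrs.get("Referer")
        print(f"{referer_host(ref) or '(no referer)':28} -> {handle_request(hdrs)}")
```

Each host and port combination in the thread needs its own domain string; domain_count gives the 17, 22 and 30 the post lists without counting characters by hand.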

JJfutbol
08-11-2006 @ 9:08 AM
Moderator
Posts: 1250
Joined: Nov 2004

My only concern with code like this, if you do want to use it in a live environment to secure your web applications, is: is it wise to rely on and assume that an HTTP_REFERER is defined? That data comes from the browser and it's a setting you can choose to turn off. Just something I wanted to point out. Nonetheless, a great example, and it will prove useful for training. Thanks for sharing.

----------------------------------------------------
Some free CF applications available at my site, such as the popular CFC Validator: www.javier-julio.com. Currently working on a site redesign to include some new content, and also working on a fully accessible Forum, which validates as full CSS and XHTML 1.0 Strict.

SirRawlins
08-12-2006 @ 5:08 AM
Moderator
Posts: 951
Joined: Mar 2006

Yes thanks for sharing that code buddy.

How does this work in comparison to the XSS protection you developed, JJfutbol? I've implemented that into my application but I'm yet to give it a proper run through.

Rob
