EasyCFM.COM ColdFusion Forums / Work Showcase! / CF Protection 1.0!


JJfutbol
11-30-2005 @ 9:27 AM
Moderator
Posts: 1250
Joined: Nov 2004

This is something brand new I had developed for someone here on easycfm, as a new CF user had requested it. I apologize I do not remember his name, but hopefully he will catch this topic and post here to introduce himself. In the meantime I'll see if I can find the original topic where this came to be.

CF Protection consists of a simple function in the application.cfm that is very flexible and reusable. Its goal is to test for any type of SQL or hack attempt. You simply pass it a parameter and it will test to see if it's a structure (form, URL, custom, etc.), an array or a single variable.

...For those of you who are anxious and don't want to read this post (as I later realized I talk too much), here is a demo. Enjoy!
http://www.javier-julio.com/test/protection/

Once it knows what variable type it's dealing with, it will test the value of that variable against a special regular expression to make sure there is no malicious code (also known as Cross Site Scripting). The user asked for this to run on every request, thus I have the function in application.cfm and also being called there as well. You can place it and use it anywhere you please; it does not have to be there.

If there is malicious code found, the function returns a boolean value of true. What I have it do currently is pass both the URL and Form structure, and if malicious code is spotted it will redirect the user to error.cfm with a friendly message (also lets you know if the RE is working properly), but mainly the redirection was done so that no Replace function would be needed. That way the URL and Form structure is cleared by sending the user to a new page.

For those of you who want a sample of how easy it is to use this function here is how I call it in the application.cfm file:

<!--- Test to make sure data is not any type of malicious code (XSS, Injection, Hack) --->
<cfif isHackAttempt(URL) EQ True OR isHackAttempt(Form) EQ True>
     <cflocation url="error.cfm" addtoken="no">
</cfif>

You can easily pass just a single variable if you please to isHackAttempt, so you can use it in form validation, although I have a function (isXSS) that does the same if not more for you in my CFC Validator. Please let me know of any questions or suggestions you have. I'm always looking to improve my work so you all can use it as you like. Enjoy!

Try out the online demo:
http://www.javier-julio.com/test/protection/

----------------------------------------------------
Need FREE CF applications?? Then my site has it all, http://www.javier-julio.com/development/coldfusion/downloads/ In time I will be including many more free CF apps and ASP ones as well. Currently working on a fully accessible Forum, which validates as full CSS and XHTML 1.0 Strict. It will be open source and available to all.

jfill
01-09-2006 @ 1:16 AM
Senior Member
Posts: 446
Joined: Apr 2004

JJ,

You have been a busy boy! I just took a look at this; looks nice, very practical and easy to implement. I shall be implementing it into many of my applications.

Thanks for the work.

jfill

JJfutbol
01-09-2006 @ 9:35 AM
Moderator
Posts: 1250
Joined: Nov 2004

Jason! Me busy? Please, I don't ever work hard enough. I need to start busting out that forum I keep talking about. I got sidetracked by learning all I could about cfform flash at work. Thanks, I'm real glad you like it. I was wondering if anyone was using this. I had a member ask me about creating something like this here on the forums, so I thought I'd give it a shot. I've never needed it, as CF now is very protective unless you code terribly, but this works great on older versions (I'm assuming that, as I have not tested), but the code I use is compatible, I believe, all the way back to CF5. But please note that the REs I use for testing the URL and Form scopes may match text users enter without knowing it's known as XSS, so be careful. If you have any questions let me know. Also let me know how it works, any problems you discover and what I can do to make it better. Ease of implementation is my business. Always glad to help out!


jfill
01-09-2006 @ 9:48 AM
Senior Member
Posts: 446
Joined: Apr 2004

Yeah, my code is well protected and written; however, I am looking at this like, why not implement this as well. I do not see the hurt, unless of course it is kicking out things it should not be. I will play with it and let you know.

jfill

JJfutbol
01-09-2006 @ 10:14 AM
Moderator
Posts: 1250
Joined: Nov 2004

Aye, that I know from working with you, but I'm sure this will make you feel even more confident about protecting your apps, as I know you work with some large stuff. It does block out hack attempts from what I know as of now (feel free to let me know of keywords I've missed), but the important thing is to realize that to the average user those words are also common. For example, a user might say select, update, even drop, so you have to be a bit careful. But let me know how it works out for you. It could sure use some live testing.

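As an added example (not the CF Protection 1.0 code, whose regular expression is not shown in this thread), the following Python stand-in mirrors the behaviour JJfutbol describes in the first post: it accepts a struct, an array or a single value, walks into nested containers, tests every leaf against a blocklist regex and reports the first match, and the last constructed sample request reproduces the false positive he warns about in the final post, where ordinary prose containing "select" or "drop" trips the check. The blocklist, the field names and the sample requests are all constructed for this illustration.

```python
import re
from typing import Any, Optional

# Constructed blocklist standing in for the "special regular expression" the
# post describes; the actual CF Protection 1.0 pattern is not shown on the page.
SQL_KEYWORDS = r"\b(?:select|insert|update|delete|drop|union|exec)\b"
XSS_MARKERS = r"<\s*/?\s*(?:script|iframe|object)\b|javascript\s*:"
HACK_RE = re.compile(f"{SQL_KEYWORDS}|{XSS_MARKERS}", re.IGNORECASE)

def find_hack_attempt(value: Any, path: str = "") -> Optional[str]:
    """Walk a struct (dict), array (list/tuple) or scalar the way the post
    describes and return the path of the first leaf whose text matches the
    blocklist, or None. The path is what a defender logs before redirecting."""
    if isinstance(value, dict):
        for key, item in value.items():
            hit = find_hack_attempt(item, f"{path}.{key}" if path else str(key))
            if hit is not None:
                return hit
        return None
    if isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            hit = find_hack_attempt(item, f"{path}[{index}]")
            if hit is not None:
                return hit
        return None
    if value is None:
        return None
    return path if HACK_RE.search(str(value)) else None

def is_hack_attempt(value: Any) -> bool:
    """Boolean form matching the described isHackAttempt() return value."""
    return find_hack_attempt(value) is not None

def should_redirect(url_scope: dict, form_scope: dict) -> bool:
    """The application.cfm test from the post: either scope trips -> error.cfm."""
    return is_hack_attempt(url_scope) or is_hack_attempt(form_scope)

# Constructed sample requests (not taken from the demo site).
CLEAN = {"url": {"page": "2"}, "form": {"name": "Ana", "tags": ["cf", "forum"]}}
SQLI = {"url": {"id": "1 UNION SELECT password FROM users"}, "form": {}}
XSS = {"url": {}, "form": {"bio": "<script>alert(1)</script>"}}
# The false positive the author warns about: everyday prose using "select"/"drop".
FALSE_POSITIVE = {"url": {}, "form": {"comment": "Please select a date and drop me a line."}}

if __name__ == "__main__":
    for name, req in [("clean", CLEAN), ("sqli", SQLI), ("xss", XSS), ("prose", FALSE_POSITIVE)]:
        print(name, should_redirect(req["url"], req["form"]), find_hack_attempt(req))
```

Logging the path that find_hack_attempt returns before issuing the redirect lets you measure how often legitimate input such as the "prose" sample is rejected, instead of guessing at the false-positive rate the thread anticipates.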

