Comments on: Preventing XSS (Cross-Site Scripting) Attacks in ColdFusion http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/ Technology and Programming Blog Fri, 16 Dec 2011 16:12:12 +0000 hourly 1 http://wordpress.org/?v=3.1.3 By: Sandro http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/#comment-107 Sandro Mon, 26 Jul 2010 12:48:14 +0000 http://www.thedevshack.com/?p=161#comment-107 Hi - thanks for the article. It's great to see such articles targeted at solutions for developers! Regarding number 4: The sure fire way to prevent this type of attack is to simply search and replace any maliciuous data. In other words, replace script tags, etc… with nothing. .... It is not "sure fire". The suggestion to use blacklists usually leads to bad security solutions. Blacklists tend to be bypassable especially when custom-built. They are also tricky to get right. There are a number of arguments that explain why this is a bad idea. Google is a good starting point :-) The xss cheatsheet will give you clear examples of why this is a bad idea. For most cases, encoding html is a much better solution. So I vote for point number 3 over 4. - sandro Hi –

thanks for the article. It’s great to see such articles targeted at solutions for developers!

Regarding number 4: The sure fire way to prevent this type of attack is to simply search and replace any maliciuous data. In other words, replace script tags, etc… with nothing.
….

It is not “sure fire”. The suggestion to use blacklists usually leads to bad security solutions. Blacklists tend to be bypassable especially when custom-built. They are also tricky to get right. There are a number of arguments that explain why this is a bad idea. Google is a good starting point :-) The xss cheatsheet will give you clear examples of why this is a bad idea.

For most cases, encoding html is a much better solution. So I vote for point number 3 over 4.

- sandro

]]> By: PukMype http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/#comment-106 PukMype Mon, 03 May 2010 13:15:15 +0000 http://www.thedevshack.com/?p=161#comment-106 Nikscymn say: I consider, that you are not right. Let's discuss it. Write to me in PM, we will communicate. _____________ <a href="http://livitra.rx-tadacip.info/site_map.html" rel="nofollow">livitra attorneys 7</a> Nikscymn say: I consider, that you are not right. Let’s discuss it. Write to me in PM, we will communicate.

_____________
livitra
attorneys
7

]]> By: complyordie http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/#comment-105 complyordie Tue, 14 Apr 2009 14:51:54 +0000 http://www.thedevshack.com/?p=161#comment-105 It's also worth remembering that IE6 will execute javascript: URI's in the src of an IMG tag. It’s also worth remembering that IE6 will execute javascript: URI’s in the src of an IMG tag.

]]> By: RyanTJ http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/#comment-104 RyanTJ Tue, 14 Apr 2009 12:59:42 +0000 http://www.thedevshack.com/?p=161#comment-104 One set of variables people tend to forget about cleaning are cgi variables. cgi.script_name, cgi.query_string, etc.. Keep in mind also that its not just fields a user can enter text in, any field, including hidden, submit buttons, drop downs can be tampered with. FireFox has a plugin called Tamper that is nice to see just what can be tampered with. One set of variables people tend to forget about cleaning are cgi variables. cgi.script_name, cgi.query_string, etc..
Keep in mind also that its not just fields a user can enter text in, any field, including hidden, submit buttons, drop downs can be tampered with. FireFox has a plugin called Tamper that is nice to see just what can be tampered with.

]]>