Preventing XSS (Cross-Site Scripting) Attacks in ColdFusion

With the issues Twitter has faced in recent days, I thought it would be important to show how you can prevent XSS attacks in ColdFusion. For a detailed explanation of what XSS is, you can read a good summary here. So how can you protect against this type of attack?

ColdFusion has some built-in functionality to make this really easy. These are the steps I would recommend you take to help prevent XSS attacks:

  1. You can enable Global Script Protection in your application. You can accomplish this by using the scriptProtect attribute in your Application.cfc. You can set this to automatically add some protection to your form, URL, CGI and cookie variables. You can also pass in a comma-delimited list of the scopes you wish to add the default protection to.
  2. You can also globally enable script protection at the server level via the ColdFusion Administrator. Under Settings is a checkbox to Enable Global Script Protection. This makes every application on the server use script protection by default.
  3. Use HTMLEditFormat around ANY variables that contain user-submitted input. This function will convert any submitted HTML tags into their HTML character entities. This can help to stop malicious JavaScript code, for example, from being served to the browser.
  4. The sure-fire way to prevent this type of attack is to simply search for and replace any malicious data. In other words, replace script tags, etc. with nothing.
  5. Validate user-submitted input on the server side. If you are expecting a numeric value in a field, make sure it’s numeric. Also validate maximum lengths. If you have a state field that is only 2 characters in length, validate it to make sure it’s no bigger.
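
Steps 1, 3 and 5 combined, as an added example that is not code from the original post. The application name, the page name `profile.cfm` and the form fields `displayName`, `state` and `age` are hypothetical, and the two files are shown in one listing for brevity.

```cfml
<!--- File 1: Application.cfc (step 1: per-application script protection) --->
<cfcomponent output="false">
    <cfset this.name = "xssDemo"> <!--- hypothetical application name --->
    <!--- Comma-delimited list of scopes to protect; "all" and "none" are also accepted --->
    <cfset this.scriptProtect = "form,url,cookie,cgi">
</cfcomponent>

<!--- File 2: profile.cfm (hypothetical page handling a form post) --->
<cfparam name="form.displayName" default="">
<cfparam name="form.state" default="">
<cfparam name="form.age" default="">

<!--- Step 5: validate type and maximum length on the server, not only in the browser --->
<cfset errors = []>
<cfif NOT isValid("integer", form.age)>
    <cfset arrayAppend(errors, "Age must be a whole number.")>
</cfif>
<cfif len(form.state) GT 2>
    <cfset arrayAppend(errors, "State must be no more than 2 characters.")>
</cfif>
<cfif len(form.displayName) GT 50>
    <cfset arrayAppend(errors, "Display name must be no more than 50 characters.")>
</cfif>

<cfoutput>
<cfif arrayLen(errors)>
    <ul>
    <cfloop array="#errors#" index="msg">
        <li>#HTMLEditFormat(msg)#</li>
    </cfloop>
    </ul>
<cfelse>
    <!--- Step 3: encode every user-supplied value at the point of output,
          even when it has already passed validation --->
    <p>Hello, #HTMLEditFormat(form.displayName)# from #HTMLEditFormat(form.state)#
       (age #HTMLEditFormat(form.age)#).</p>
</cfif>
</cfoutput>
```

On ColdFusion 10 and later, `encodeForHTML()` is available for the same output-encoding role as `HTMLEditFormat`.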

As you can see, ColdFusion provides many features and functions to aid you in preventing an XSS attack on your site. It’s up to you to put these practices in place!
