How to prevent Cross-Site Scripting on form fields in Coldfusion 2016?

Question


Project using Coldfusion 2016 has a basic keyword search feature. Security scan produced a 'Cross-Site Scripting: Reflected' critical vulnerability. 'Hacker' could potentially inject scripts into the results page (i.e. <aUdIo SrC=x OnErRoR=alert(74358)>) via the form field.

Should the form validation happen via javascript on the form page? Or once submitted, strip the input of any special characters like <>, etc? I need to modify the code for it to pass this security scan.

code:

<input type="text" name="keyword" value="search by keyword" onfocus="clearThis(this)" />

results page code:

<cfset input = "#form.keyword#">
<cfset keyword = rereplace(input, "[^A-Za-z0-9-]", " ", "all") />

Thanks in advance-
HeatherG

Answer 1

Score: 1


AntiSamy Filter

First, you have to scrub all user input using an AntiSamy filter. CF ships with a default configuration file, but I can't find a reference to which it is. I recommend starting with the antisamy-slashdot.xml file found here.

Load a specific config file in Application.cfc (reference the file from outside of the application's web root folder).

<cfset this.security.antisamypolicy = "antisamy-slashdot.xml">

Now you can use the native CF function getSafeHTML().

<cfset SafeHTML = getSafeHTML(inputHTML, "", true)>

The parameters are

  1. The string to clean.
  2. A specific config file. An empty string references the default or application-defined file.
  3. true throws an error, false returns an empty string.

When I implemented this, I created a simple function to loop through a struct and clean all strings, then added it to my Application.cfc.

<cffunction name="getCleanStructData" access="public" output="false" returntype="void">
    <cfargument name="data" type="struct" required="true" hint="Form struct">
    <!--- structs are passed by reference, so cleaning arguments.data cleans the caller's form/URL scope --->
    <cfloop collection="#arguments.data#" item="local.x">
        <cfif isSimpleValue(arguments.data[local.x])>
            <!--- third argument (throwOnError) assumed false here: an unsafe value becomes "" rather than raising an error --->
            <cfset arguments.data[local.x] = trim(getSafeHTML(arguments.data[local.x], "", false))>
        </cfif>
    </cfloop>
</cffunction>

Finally, I added calls to that function in onRequestStart():

<cfset getCleanStructData(form)>
<cfset getCleanStructData(URL)>

Now all user input data is cleaned according to the rules defined in the AntiSamy config file. You should be able to safely process this data as you see fit.

Encoding User Input

To further ensure your output is safe, you have to contextually call one of the ESAPI Encoding Functions when outputting user-generated data.

Old school CF only had htmlEditFormat and JSStringFormat. Since CF 10, there are newer functions like encodeForHTML() and encodeForJavaScript() that can escape the larger set of UTF-8 characters. This will convert strings into the appropriate HTML entities to display on a web page. For example:

#encodeForHTML('<script>')#

will render like this, stopping the linked file from being executed.

&lt;script&gt;

More info and examples here: https://owasp.org/www-community/attacks/xss/

Samy is My Hero

Bonus: If you weren't in dev back when this worm ravaged MySpace, here's how we learned XSS was a thing.
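Worked example of the contextual-encoding point in the answer above, added here and not part of the original answer or the asker's project. It assumes the results page is a plain .cfm template on ColdFusion 10 or later and uses only the built-in ESAPI encoders (encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForURL); the keyword is the scanner's reported payload hard-coded as a constructed sample instead of being read from form.keyword.

```cfml
<!--- Added example, not code from the original answer: encode the search keyword
      with the encoder that matches each place it is rendered. --->
<cfscript>
// constructed sample: the payload the scanner reported, normally form.keyword
keyword = "<aUdIo SrC=x OnErRoR=alert(74358)>";

// One encoder does not fit every location. encodeForHTML() is correct for
// element content, but a JavaScript string or a URL parameter needs its own.
safeBody = encodeForHTML(keyword);           // text between tags
safeAttr = encodeForHTMLAttribute(keyword);  // inside value="..."
safeJS   = encodeForJavaScript(keyword);     // inside a JS string literal
safeURL  = encodeForURL(keyword);            // inside a query string

// For comparison, the whitelist regex from the question. It also defuses this
// payload, but it silently mangles legitimate searches such as "C++" or
// "Müller", whereas the encoders keep the original keyword readable.
stripped = reReplace(keyword, "[^A-Za-z0-9-]", " ", "all");
</cfscript>

<cfoutput>
<p>You searched for: #safeBody#</p>
<p>Whitelist result: #encodeForHTML(stripped)#</p>

<!--- pre-fill the search box with the previous keyword: attribute context --->
<input type="text" name="keyword" value="#safeAttr#" />

<script>
  // the browser receives a string literal, never executable markup
  var lastKeyword = '#safeJS#';
</script>

<!--- paging link: URL context --->
<a href="results.cfm?keyword=#safeURL#&amp;page=2">Next page</a>
</cfoutput>
```

Scrubbing input with getSafeHTML() in onRequestStart() and encoding on output are complementary: the first keeps stored data clean, the second is what stops the reflected value from being interpreted in whichever context it lands in.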

Posted by huangapple on 2023-06-01 23:28:04. Please keep this link when reposting: https://go.coder-hub.com/76383500.html