eliza_mfs

How to protect ColdFusion CFM templates from Cross Site Scripting attacks

Aug 17, 2010 3:36 PM

Restricting Cross Site Scripting attacks while working with ColdFusion is not so difficult. Add the following lines of code to your ColdFusion files to ward off these attacks.
<!--- Abort when the referer header is empty or does not contain this host --->
<cfif NOT len(CGI.HTTP_REFERER) OR NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)>
    <cfoutput>An external host trying to communicate with the CFM template.</cfoutput>
    <cfabort>
</cfif>

Do NOTE that we have used two ColdFusion CGI variables here:

CGI.HTTP_REFERER: Full URL of the template which posts the data to another template

CGI.HTTP_HOST: Host server that the HTTP_REFERER posts data to

This piece of code simply checks for any mismatch between HTTP_REFERER and HTTP_HOST, and aborts if there is one.

Best Practice: We can have this piece of code in one CFM template and CFINCLUDE that in all CFM templates for a project to prevent Cross Site Scripting attacks.

Hope this tip would be useful. Any suggestions are welcome.

 

thanks

Eliza
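As an added example (Python, not the post's own CFML), the referer check above is modelled two ways over constructed request headers: the post's substring match, and a stricter variant that parses the referer URL and compares its host component with HTTP_HOST exactly, so a referer that merely contains the host name somewhere in its URL is not accepted. The host names and paths below are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed (HTTP_HOST, HTTP_REFERER) pairs; none come from the original post.
SAMPLE_REQUESTS = [
    ("www.example.com", "https://www.example.com/form.cfm"),                  # same site
    ("www.example.com:8500", "http://WWW.EXAMPLE.COM:8500/app/form.cfm"),     # port + case
    ("www.example.com", ""),                                                  # no referer
    ("www.example.com", "https://other.example.net/page"),                    # other site
    ("www.example.com", "https://www.example.com.other.test/form.cfm"),       # host name as prefix
    ("www.example.com", "https://other.example.net/?next=www.example.com"),   # host name in query
]


def _host_only(host_header):
    """Strip any :port from an HTTP_HOST value and normalise case."""
    return host_header.split(":", 1)[0].strip().lower()


def substring_check(http_host, http_referer):
    """The post's test: request passes unless referer is empty or host is not a substring of it."""
    if not http_referer:
        return False
    return http_host.lower() in http_referer.lower()


def same_host_check(http_host, http_referer):
    """Stricter form: referer must parse as a URL and its host must equal HTTP_HOST."""
    if not http_referer:
        return False
    try:
        referer_host = urlsplit(http_referer).hostname  # already lower-cased, port removed
    except ValueError:
        return False
    if not referer_host:
        return False
    return referer_host == _host_only(http_host)


def compare_checks(requests=SAMPLE_REQUESTS):
    """Return (host, referer, substring_result, same_host_result) for every sample pair."""
    return [(h, r, substring_check(h, r), same_host_check(h, r)) for h, r in requests]


if __name__ == "__main__":
    for host, referer, loose, strict in compare_checks():
        print(f"{host:22} {referer or '<empty>':52} substring={loose!s:5} same_host={strict}")
```

The last two sample pairs pass the substring test but fail the exact host comparison; the second pair shows that the port carried in HTTP_HOST has to be stripped before the hosts are compared.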

 