Funny, I've been working on exactly the same thing today, specifically for script injection/remote command execution. Here is what I did:
1] Called from the application.cfm
<cfinclude template="#application.ServerRoot#/cfmx/sanitize.cfm">
<!--- xss protection/input sanitisation --->
<cfscript>sanitize();</cfscript>
2] the function.
<cfscript>
// cfmail() and cflocation() below are assumed to be user-defined wrappers around
// the <cfmail> and <cflocation> tags (cfscript in CFMX cannot call tags directly)
function sanitize() {
    // This function detects and prevents sql/script injection
    // type attacks and remote command execution
    // we just need to clean up the regex statements
    var attack = 0;
    var email = '';
    var key = '';
    if (IsDefined('form')) {
        // scan every submitted form field for an inline script tag
        for (key in form) {
            if (ReFindNoCase('<script', form[key], 1, false) gt 0) {
                attack = 1;
                email = email & "<br />FORM STRING FOUND";
            }
        }
    }
    // scan the raw query string on every request, not only form posts
    if (ReFindNoCase('script', cgi.QUERY_STRING, 1, false) gt 0) {
        attack = 1;
        email = email & "<br />ILLEGAL URL STRING FOUND";
    }
    if (attack eq 1) {
        //populate vars: request details for the alert mail
        email = email & "<br />";
        email = email & "<br />";
        email = email & "<br />cgi.http_referer = " & cgi.http_referer;
        email = email & "<br />cgi.http_user_agent = " & cgi.http_user_agent;
        email = email & "<br />cgi.path_info = " & cgi.path_info;
        email = email & "<br />cgi.path_translated = " & cgi.path_translated;
        email = email & "<br />cgi.query_string = " & cgi.query_string;
        email = email & "<br />cgi.remote_Addr = " & cgi.remote_Addr;
        email = email & "<br />cgi.remote_host = " & cgi.remote_host;
        email = email & "<br />cgi.remote_user = " & cgi.remote_user;
        email = email & "<br />cgi.request_method = " & cgi.request_method;
        //send mail (application.adminmail is the variable, not a literal string)
        cfmail(application.adminmail, "A possible web attack has been detected", email, "html");
        //getPageContext().forward("/denied.cfm");
        cflocation("/denied.htm", "no");
    }
}
</cfscript>
- yep, it's not finished, the regexes need to be written....
and yep, every form and every request passes through = ++ overhead,...
but it works..
and it should be easy to add some rewrite rules to form values:
REReplaceNoCase(tmp, "(</?(APPLET|EMBED|FRAME|FRAMESET|IFRAME|ILAYER|LAYER|META|OBJECT|PARAM|SERVER)[^>]*>)", "", "ALL");
-regards
-sean
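A fuller version of the same idea, added here as an example and not taken from sean's post: every form and url field is run through a list of patterns instead of the single '<script' check, the alert mail and the redirect are done with the <cfmail> and <cflocation> tags (so no cfscript wrapper is needed), and the tag-stripping rewrite rule from the end of the post is applied to every form value. The pattern list, application.adminmail being set in application.cfm, and the /denied.htm page are assumptions.

```cfml
<!--- sanitize.cfm: added example, not the code from the post.
      Assumes application.adminmail is set in application.cfm and /denied.htm exists. --->
<cfscript>
// Returns the index of the first pattern that matches value (case-insensitive), or 0
function matchesAttackPattern(value, patterns) {
    var i = 0;
    for (i = 1; i LTE ArrayLen(patterns); i = i + 1) {
        if (REFindNoCase(patterns[i], value) GT 0) {
            return i;
        }
    }
    return 0;
}

// Checks every simple value in one scope (form or url); structs are passed by
// reference, so the findings are written straight into result
function scanScope(scopeStruct, scopeName, patterns, result) {
    var key = "";
    var hit = 0;
    for (key in scopeStruct) {
        if (IsSimpleValue(scopeStruct[key])) {
            hit = matchesAttackPattern(scopeStruct[key], patterns);
            if (hit GT 0) {
                result.attack = true;
                result.report = result.report & "<br />" & scopeName & "." & key
                    & " matched pattern " & hit & ": " & HTMLEditFormat(scopeStruct[key]);
            }
        }
    }
    return result;
}

// The rewrite rule from the post, applied to every form value in place
function stripMarkup(scopeStruct) {
    var key = "";
    var tagRE = "</?(APPLET|EMBED|FRAME|FRAMESET|IFRAME|ILAYER|LAYER|META|OBJECT|PARAM|SCRIPT|SERVER)[^>]*>";
    for (key in scopeStruct) {
        if (IsSimpleValue(scopeStruct[key])) {
            scopeStruct[key] = REReplaceNoCase(scopeStruct[key], tagRE, "", "ALL");
        }
    }
    return scopeStruct;
}

function inspectRequest() {
    var result = StructNew();
    var patterns = ArrayNew(1);
    result.attack = false;
    result.report = "";
    // assumed blacklist: keep it short, every entry is a false-positive risk
    ArrayAppend(patterns, "<\s*script");                      // inline script element
    ArrayAppend(patterns, "javascript\s*:");                  // javascript: URL scheme
    ArrayAppend(patterns, "\bon[a-z]+\s*=");                  // onerror=, onload=, ...
    ArrayAppend(patterns, "[;`|]\s*(rm|wget|curl|nc|sh)\b");  // shell command chaining
    ArrayAppend(patterns, "\bunion\b[^a-z]+\bselect\b");      // crude SQL injection marker
    scanScope(form, "form", patterns, result);
    scanScope(url, "url", patterns, result);
    if (NOT result.attack) {
        stripMarkup(form);
    }
    return result;
}
</cfscript>

<cfset request.inspection = inspectRequest()>
<cfif request.inspection.attack>
    <cfmail to="#application.adminmail#" from="#application.adminmail#"
            subject="A possible web attack has been detected" type="html">
        #request.inspection.report#
        <br />cgi.remote_addr = #cgi.remote_addr#
        <br />cgi.path_info = #HTMLEditFormat(cgi.path_info)#
        <br />cgi.query_string = #HTMLEditFormat(cgi.query_string)#
        <br />cgi.http_user_agent = #HTMLEditFormat(cgi.http_user_agent)#
    </cfmail>
    <cflocation url="/denied.htm" addtoken="no">
</cfif>
```

Include it from application.cfm exactly as in the post. The pattern list is where both the false positives and the misses live: a value like `<img src=x onerror=...>` is caught by the `on...=` entry, but an entity-encoded `&#106;avascript:` href is not, so a request filter like this belongs alongside HTMLEditFormat() on output and cfqueryparam in every query, not in place of them.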