1 Reply. Latest reply: Aug 17, 2010 3:36 PM by eliza004

    How to protect ColdFusion CFM templates from Cross Site Scripting attacks

    eliza_mfs Community Member
      Restricting Cross Site Scripting attacks while working with ColdFusion is not so difficult. Add the following lines of code to your ColdFusion files to ward off these attacks.
      <cfif NOT len(CGI.HTTP_REFERER) OR NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)>
          <cfoutput>An external host trying to communicate with the CFM template.</cfoutput>
          <cfabort>
      </cfif>

      Do NOTE that we have used two ColdFusion CGI variables here:

      CGI.HTTP_REFERER: Full URL of the template which posts the data to another template.

      CGI.HTTP_HOST: Host server that the HTTP_REFERER posts data into.

      This piece of code simply checks for any mismatch between HTTP_REFERER and HTTP_HOST, and if there is one, aborts.

      Best Practice: We can have this piece of code in one CFM template and CFINCLUDE that in all CFM templates for a project to prevent Cross Site Scripting attacks.

      Hope this tip will be useful. Any suggestions are welcome.

      Thanks

      Eliza
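The following Python model of the post's check is an added example, not code from the post or from ColdFusion. It mirrors the `<cfif>` condition (FindNoCase is a case-insensitive substring search, so the template aborts only when the referer is empty or does not contain the host string anywhere) and places a stricter variant beside it that compares the parsed referer hostname with the expected host. The host value and referer strings are constructed samples; `hostname_check` and `evaluate` are names chosen here.

```python
from urllib.parse import urlsplit

# Constructed sample value modelling ColdFusion's CGI.HTTP_HOST; it is not
# taken from any real server.
SAMPLE_HOST = "www.example.com"


def coldfusion_style_check(http_host: str, http_referer: str) -> bool:
    """Mirror of the post's <cfif>: True means the request is allowed.

    FindNoCase(host, referer) returns a non-zero position whenever the host
    string occurs anywhere in the referer, so any referer that merely
    contains the host text (in its hostname, path or query) passes.
    """
    if not http_referer:            # NOT len(CGI.HTTP_REFERER)
        return False
    return http_host.lower() in http_referer.lower()   # FindNoCase(...)


def hostname_check(http_host: str, http_referer: str) -> bool:
    """Stricter variant (added here, not from the post).

    Parses the referer as a URL and compares only its hostname with the
    expected host (port stripped), so the host string appearing inside a
    longer hostname, a path or a query string no longer counts as a match.
    """
    if not http_referer:
        return False
    expected = http_host.split(":", 1)[0].lower()
    parsed = urlsplit(http_referer)
    return parsed.scheme in ("http", "https") and (parsed.hostname or "") == expected


def evaluate(referers):
    """Map each constructed referer to (substring result, hostname result)."""
    return {r: (coldfusion_style_check(SAMPLE_HOST, r),
                hostname_check(SAMPLE_HOST, r)) for r in referers}


if __name__ == "__main__":
    # Constructed referers: same host, empty, a different host, and a
    # different host whose query string happens to contain the host text.
    samples = ["https://www.example.com/form.cfm", "",
               "https://other.example.org/page",
               "https://other.example.org/?from=www.example.com"]
    for ref, (loose, strict) in evaluate(samples).items():
        print(f"{ref or '<empty>'!r}: substring={loose} hostname={strict}")
```

The last sample shows the difference between the two checks: the substring version admits it because the host text is present in the query string, the hostname version does not.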

        • 1. Re: How to protect ColdFusion CFM templates from Cross Site Scripting attacks
          eliza004
          However, restricting Cross Site Scripting attacks while working with ColdFusion is not so difficult. Add the following lines of code to your ColdFusion files to ward off these attacks.
          <cfif NOT len(CGI.HTTP_REFERER) OR NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)>
              <cfoutput>An external host trying to communicate with the CFM template.</cfoutput>
              <cfabort>
          </cfif>

          Do NOTE that we have used two ColdFusion CGI variables here:

          CGI.HTTP_REFERER: Full URL of the template which posts the data to another template.

          CGI.HTTP_HOST: Host server that the HTTP_REFERER posts data into.

          This piece of code simply checks for any mismatch between HTTP_REFERER and HTTP_HOST, and if there is one, aborts.

          Best Practice: We can have this piece of code in one CFM template and CFINCLUDE that in all CFM templates for a project to prevent Cross Site Scripting attacks.

          Eliza