SQL Injection Protection in ColdFusion

I am trying to improve my application security. Whenever I receive data from a user (via POST or GET) that should be an integer, I check it accordingly. But VARCHAR data can often contain HTML.

How do I protect my DB from SQL injection in this case?

Does <cfqueryparam value="#form.textInput#" cfsqltype="cf_sql_varchar"> protect the query from a malicious SQL statement inside the VARCHAR value?

+6
2 answers

The short answer to your question is yes.

I block hacking attempts using three methods.

  • I use cfqueryparam in all queries to my database. I use cfparam at the top of the template / cfm files for url scope variables.

  • I use Portcullis or one of its variants. You can get it from http://portcullis.riaforge.org/ . Portcullis also defends against some cross-site scripting scenarios.

  • I am using Windows IIS 7.5 (Windows Server 2008 R2). I use the URL Rewrite feature to block most URL-based attacks. You can do similar things with Apache and the rewrite module it supports. Here are my IIS URL Rewrite rules:

     <?xml version="1.0" encoding="UTF-8"?>
     <appcmd>
       <CONFIG CONFIG.SECTION="system.webServer/rewrite/globalRules" path="MACHINE/WEBROOT/APPHOST" overrideMode="Inherit" locked="false">
         <system.webServer-rewrite-globalRules>
           <!-- Each check exists twice: once against the URL path (SCRIPT_NAME rules, match url="...")
                and once against the query string (QS rules, condition on {QUERY_STRING}).
                "Keyword followed by ( or its URL-encoded form %28" is written as the alternation (\(|%28);
                the character class [\(|%28] would match any single one of the characters ( | % 2 8 instead. -->
           <rule name="SQL Injection - EXEC - SCRIPT_NAME" stopProcessing="true">
             <match url="^.*EXEC\s*(\(|%28).*$" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - EXEC - QS" stopProcessing="true">
             <match url=".*" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
               <add input="{QUERY_STRING}" pattern="^.*EXEC\s*(\(|%28).*$" />
             </conditions>
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - CAST - SCRIPT_NAME" stopProcessing="true">
             <match url="^.*CAST\s*(\(|%28).*$" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - CAST - QS" stopProcessing="true">
             <match url=".*" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
               <add input="{QUERY_STRING}" pattern="^.*CAST\s*(\(|%28).*$" />
             </conditions>
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - DECLARE - SCRIPT_NAME" stopProcessing="true">
             <match url="^.*DECLARE.*$" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - DECLARE - QS" stopProcessing="true">
             <match url=".*" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
               <add input="{QUERY_STRING}" pattern="^.*DECLARE.*$" />
             </conditions>
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - NVARCHAR - SCRIPT_NAME" stopProcessing="true">
             <match url="^.*CHAR\s*(\(|%28).*$" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - NVARCHAR - QS" stopProcessing="true">
             <match url=".*" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
               <add input="{QUERY_STRING}" pattern="^.*CHAR\s*(\(|%28).*$" />
             </conditions>
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - sp_password - SCRIPT_NAME" stopProcessing="true">
             <match url="^.*sp_password.*$" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - sp_password - QS" stopProcessing="true">
             <match url=".*" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
               <add input="{QUERY_STRING}" pattern="^.*sp_password.*$" />
             </conditions>
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - xp - SCRIPT_NAME" stopProcessing="true">
             <match url="^.*%20xp_.*$" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
           <rule name="SQL Injection - xp - QS" stopProcessing="true">
             <match url=".*" />
             <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
               <add input="{QUERY_STRING}" pattern="^.*%20xp_.*$" />
             </conditions>
             <serverVariables />
             <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
           </rule>
         </system.webServer-rewrite-globalRules>
       </CONFIG>
     </appcmd>

These rules are added to the C:\Windows\System32\inetsrv\config\applicationHost.config file for IIS. However, I DO NOT recommend that you edit this file directly. One error and IIS will not load. Instead, copy and paste the above rules and save them as "iis-global-rewrite.xml". Then run the following batch file to add the rules to your IIS server:

 C:\Windows\System32\inetsrv\appcmd.exe set config -in < iis-global-rewrite.xml 

The IIS rewrite rules should work with IIS 7.0 (Windows Server 2008), but I have not tested that.

These rules can also apply to a single site using the web.config file if you do not have access to the server.

Why am I using three different methods of protection? Because no single one of them covers all the bases. The IIS rewrite rules only protect against URL-based attacks. Hackers can also use form submission attacks that do the same thing. I prefer the IIS rules as the first line of defense, because they work for all sites on the server, including PHP, ASP, etc. Portcullis is a good second line of defense for ColdFusion because it will catch form-based attacks and some cross-site scripting attacks. The last line of defense is the cfqueryparam / cfparam code, which protects against URL- and form-based SQL injection attacks.

If all three of these methods are used, the server / site should be very secure. In any case, I advise you to check the server logs periodically, as attacks evolve and improve.

+5
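The rewrite rules in the answer above are a keyword filter on the request URL, so it is worth seeing exactly what they do and do not catch before relying on them as a first line of defense. The block below is an added example, not part of the answer or of IIS: the six patterns are re-implemented with Python's re module (IIS URL Rewrite uses .NET regular expressions and ignores case by default; for patterns this simple the two engines agree) and run over a handful of constructed requests. The path/query split mirrors the posted rule pairs, where the SCRIPT_NAME rules test the URL path and the QS rules test {QUERY_STRING}. The "keyword followed by ( or %28" part is written as the alternation (\(|%28); the block also shows, on one input, how the character class [\(|%28] would behave instead, since it matches any single one of the characters ( | % 2 8. The file names, parameters and payloads in the samples are made up for the demonstration.

```python
import re

# The six patterns from the posted rules, written with an alternation so that
# either a literal "(" or its URL-encoded form "%28" follows the keyword.
RULE_PATTERNS = [
    ("EXEC",        r"^.*EXEC\s*(\(|%28).*$"),
    ("CAST",        r"^.*CAST\s*(\(|%28).*$"),
    ("DECLARE",     r"^.*DECLARE.*$"),
    ("NVARCHAR",    r"^.*CHAR\s*(\(|%28).*$"),
    ("sp_password", r"^.*sp_password.*$"),
    ("xp",          r"^.*%20xp_.*$"),
]
# IIS URL Rewrite ignores case by default, so a lowercase "exec(" is caught too.
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULE_PATTERNS]


def first_blocking_rule(path, query_string=""):
    """Emulate the rule set: every posted rule appears twice, once matched
    against the URL path (the "SCRIPT_NAME" rules) and once against
    {QUERY_STRING} (the "QS" rules). Return the name of the first rule that
    would answer 403, or None if the request passes through the filter."""
    for name, rx in COMPILED:
        if rx.match(path) or rx.match(query_string):
            return name
    return None


def compare_exec_patterns(text):
    """Contrast the character-class and alternation forms of the EXEC pattern
    on one input. Returns (character_class_hit, alternation_hit)."""
    char_class = re.compile(r"^.*EXEC\s*[\(|%28].*$", re.IGNORECASE)
    alternation = COMPILED[0][1]
    return (bool(char_class.match(text)), bool(alternation.match(text)))


# Constructed sample requests as (path, query string); nothing here was
# captured from a real server.
SAMPLES = {
    "benign lookup":                 ("products.cfm", "id=42"),
    "EXEC with literal paren":       ("products.cfm", "id=42;EXEC(xp_cmdshell)"),
    "lowercase exec, encoded paren": ("products.cfm", "id=42;exec%28xp_cmdshell%29"),
    "DECLARE anywhere":              ("products.cfm", "q=declare%20@v%20varchar"),
    "CHAR( in the path":             ("reports/CHAR(65).cfm", ""),
    "xp_ after a space":             ("search.cfm", "term=%20xp_cmdshell"),
    "benign word ending in char":    ("search.cfm", "term=richard"),
}


def evaluate(samples=SAMPLES):
    """Map each sample description to the rule that blocks it, or None."""
    return {desc: first_blocking_rule(path, qs)
            for desc, (path, qs) in samples.items()}


if __name__ == "__main__":
    for desc, verdict in evaluate().items():
        print(f"{desc:32s} -> {verdict or 'allowed'}")
    print("EXEC2    ->", compare_exec_patterns("EXEC2"))
    print("EXEC (1) ->", compare_exec_patterns("EXEC (1)"))
```

Note what the function does not take: a request body. The rule set has no input for form fields, which is exactly why the answer keeps Portcullis and cfqueryparam behind it. Also note that "EXEC2" shows the difference between the two pattern forms: the character class blocks it, the alternation does not.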

The short answer is yes.

cfqueryparam will stop some SQL injection attacks.

There are other attack vectors that can be used against you, so be careful, but a well-written ColdFusion application can be very secure.

Be wary of cross-site scripting attacks: if you save the input HTML and display it later, be especially careful with script tags.

+6
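Both answers say that cfqueryparam stops the injection, and the second one adds that HTML stored through it still has to be treated carefully when it is displayed. The block below is an added example, from neither answer, that shows both points in one run. It uses Python's sqlite3 rather than ColdFusion only because that runs anywhere; the mechanism is the same one cfqueryparam gives cfquery: the SQL text is fixed and the VARCHAR value travels as a bound parameter, so quote characters in it can never end the string literal. For the output side, html.escape plays the role that encodeForHTML() (ColdFusion 10 and later) or HTMLEditFormat() (older versions) plays in a CFML template. The form value, the comments table and the use of sqlite's executescript on the vulnerable path (so that a stacked statement actually executes, as it would on a server that allows batches) are all constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample input: a VARCHAR form field that carries both HTML and a
# stacked-statement injection payload, the kind of value the question asks about.
FORM_TEXT_INPUT = "<b>hi</b>'); DROP TABLE comments; --"


def _fresh_db():
    """In-memory database with one table, created anew for each path."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.commit()
    return conn


def insert_concatenated(conn, text):
    """VULNERABLE on purpose: the value is spliced into the SQL text, so the
    quote in it closes the literal and the rest becomes SQL. executescript is
    used so that the second, attacker-supplied statement really runs."""
    conn.executescript(f"INSERT INTO comments (body) VALUES ('{text}');")


def insert_parameterized(conn, text):
    """SAFE: the SQL is a constant and the value is bound as a parameter.
    This is what <cfqueryparam cfsqltype="cf_sql_varchar"> does in ColdFusion."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))
    conn.commit()


def stored_bodies(conn):
    """Return the stored comment bodies exactly as the database holds them."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def render_body(body):
    """Output encoding for display: HTML and quotes in the stored value are
    shown as text instead of being interpreted by the browser."""
    return html.escape(body, quote=True)


def demo(text=FORM_TEXT_INPUT):
    """Run the same value through both paths and report what happened."""
    vuln = _fresh_db()
    insert_concatenated(vuln, text)
    try:
        vuln.execute("SELECT COUNT(*) FROM comments")
        table_survived = True
    except sqlite3.OperationalError:      # "no such table": the DROP ran
        table_survived = False

    safe = _fresh_db()
    insert_parameterized(safe, text)
    bodies = stored_bodies(safe)
    return {
        "vulnerable_table_survived": table_survived,
        "safe_stored": bodies,
        "safe_rendered": [render_body(b) for b in bodies],
    }


if __name__ == "__main__":
    result = demo()
    print("concatenated path, table still there:", result["vulnerable_table_survived"])
    print("parameterized path, stored literally: ", result["safe_stored"])
    print("parameterized path, rendered for HTML:", result["safe_rendered"])
```

The parameterized path stores the whole string, HTML and all, as plain data; that answers the original question. It does not make the value safe to echo into a page, which is the second answer's warning, and render_body is the step that covers it.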

Source: https://habr.com/ru/post/913189/

