Brian McGinity

Reputation: 5935

XSS code review tool for ColdFusion

Do any tools exist that will scan ColdFusion source code and locate XSS vulnerabilities?

Say for example a programmer wrote something like this:

 <cfoutput> This is a #url.cat#.  </cfoutput>

The tool would need to locate unsanitized code.

Update:
While all of the answers and feedback so far are accurate, none point to a tool which can be run against the source code directly.

I personally know how to write code which is XSS safe. Also I can manually find, detect and correct XSS vulnerabilities. I am looking for something automated which can scan thousands of .cfm and .cfc files to automate the process.

Probably the correct answer is that such a tool does not exist. There are companies such as Veracode which offer a service to do such things. They have an automated process which in my opinion does a horrible job because of its inability to follow code logic.

Anyway, I'll give all +1s and at this point leave the question unanswered.

Update 2: Someone did answer that I would not find a tool, so I will mark this as accepted.

Upvotes: 3

Views: 1777

Answers (4)

gfrobenius

Reputation: 4067

This semi-new tool, security analyzer, for the ColdFusion Builder sounds promising: http://www.adobe.com/devnet/coldfusion/articles/security-analyzer.html.

And Veracode's scanning is much better nowadays: http://www.veracode.com/

Upvotes: 0

Miguel-F

Reputation: 13548

Not specific to XSS but Pete Freitag has a tool that will scan your ColdFusion server for vulnerabilities. The site is Hack My CF. I believe there is a free scan option and they also offer monthly subscription options. I think the tool includes some XSS checks as well.

Upvotes: 3

barnyr

Reputation: 5678

Although not ColdFusion-specific, there are several plugins for Fiddler which can detect or hint at where XSS flaws may exist. I've tried out Watcher before and found it gave me some useful pointers.

Upvotes: 2

Revent

Reputation: 2109

If you're using ColdFusion 10, you should read this article: http://www.isummation.com/blog/day-2-avoid-cross-site-scripting-xss-using-coldfusion-10-part-1/

I don't think you'll find a tool that checks your actual code; the XSS tools out there focus on the form inputs, etc. You might be able to write a script parser yourself that looks for <cfoutput> tags in your ColdFusion files and then looks to see if any of the tags mentioned are present, but trying to define a set of rules for when variables should or should not be wrapped by XSS-preventing functions would be almost impossible. You really need to look at each variable and its context.

There are some things you can do in ColdFusion to prevent XSS attacks though as mentioned in the article above and this one: http://www.mindfiresolutions.com/Prevent-crosssite-scripting-attacks-in-ColdFusion-1341.php

Upvotes: 2
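The kind of "script parser" Revent describes, applied to the `#url.cat#` snippet from the question, as an added example that is not part of the original question or any answer. It is a heuristic grep-style checker written for this page, not a tool from Adobe, Veracode or Pete Freitag: it finds every `#...#` interpolation inside a `<cfoutput>` block, flags references to the `url`, `form`, `cgi` and `cookie` scopes (assumed here to be the untrusted ones), and lets them through only when they sit inside a call to one of the output encoders listed in `ENCODERS` (also an assumption; extend the tuple for your own wrappers). The sample CFML is constructed for the example.

```python
import pathlib
import re
import sys
from dataclasses import dataclass

# Constructed sample CFML (not from any real project): the question's snippet,
# a hardened version of it, and a few variants inside and outside <cfoutput>.
SAMPLE_CFM = """\
<cfoutput> This is a #url.cat#.  </cfoutput>
<cfoutput><p>#encodeForHTML(url.cat)</p></cfoutput>
<cfoutput>
  Hello #form.name#, today is #dateFormat(now(), "yyyy-mm-dd")#.
  <a href="page.cfm?id=#encodeForURL(url.id)#">link</a>
  Search: #htmlEditFormat(url.q)#
</cfoutput>
<p>outside cfoutput: #url.cat# is literal text</p>
"""

# Assumption: these scopes carry attacker-controlled data.
TAINTED_SCOPES = ("url", "form", "cgi", "cookie")

# Assumption: these calls are accepted as output encoding. htmlEditFormat and
# xmlFormat are legacy and not context-aware; encodeFor* (CF10+) are preferred.
ENCODERS = ("encodeforhtml", "encodeforhtmlattribute", "encodeforurl",
            "encodeforjavascript", "encodeforcss", "htmleditformat",
            "xmlformat", "urlencodedformat")

CFOUTPUT_RE = re.compile(r"<cfoutput\b[^>]*>(.*?)</cfoutput>", re.IGNORECASE | re.DOTALL)
# One interpolation per line; '##' is CFML's escaped literal hash and is skipped.
INTERP_RE = re.compile(r"(?<!#)#([^#\n]+)#(?!#)")
TAINT_RE = re.compile(r"\b(" + "|".join(TAINTED_SCOPES) + r")\.(\w+)", re.IGNORECASE)
ENCODER_CALL_RE = re.compile(r"\b(" + "|".join(ENCODERS) + r")\s*\(", re.IGNORECASE)


@dataclass
class Finding:
    line: int        # 1-based line in the scanned file
    variable: str    # the tainted reference, e.g. "url.cat"
    expression: str  # the full #...# expression it appeared in


def encoder_spans(expr):
    """Return (start, end) offsets of every encoder(...) call in expr; end is the
    index just past the matching ')' (or len(expr) if the parentheses never close)."""
    spans = []
    for m in ENCODER_CALL_RE.finditer(expr):
        depth, i = 1, m.end()
        while i < len(expr) and depth:
            if expr[i] == "(":
                depth += 1
            elif expr[i] == ")":
                depth -= 1
            i += 1
        spans.append((m.start(), i))
    return spans


def scan_cfml(text):
    """Flag tainted-scope references inside <cfoutput> that are not wrapped by an encoder."""
    findings = []
    for block in CFOUTPUT_RE.finditer(text):
        body_start = block.start(1)
        for interp in INTERP_RE.finditer(block.group(1)):
            expr = interp.group(1)
            spans = encoder_spans(expr)
            for taint in TAINT_RE.finditer(expr):
                if any(s <= taint.start() < e for s, e in spans):
                    continue  # e.g. #encodeForHTML(url.cat)#: wrapped, accepted
                line = text.count("\n", 0, body_start + interp.start()) + 1
                findings.append(Finding(line, taint.group(0), expr))
    return findings


def scan_tree(root):
    """Walk a directory of .cfm/.cfc files; return {path: [Finding, ...]} for files with hits."""
    results = {}
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.suffix.lower() in (".cfm", ".cfc"):
            hits = scan_cfml(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for f in hits:
                print(f"{path}:{f.line}: unencoded {f.variable} in #{f.expression}#")
    else:
        for f in scan_cfml(SAMPLE_CFM):
            print(f"sample.cfm:{f.line}: unencoded {f.variable} in #{f.expression}#")
```

Run with a directory argument to walk a real code base (`python cfxss.py /path/to/webroot`); with no argument it scans the constructed sample and reports lines 1 and 4 (`url.cat` and `form.name`), while the `encodeForHTML`, `encodeForURL` and `htmlEditFormat` lines and the text outside `<cfoutput>` pass. This is exactly the limitation the answer points out: the checker sees only the syntactic context of each `#...#`. A value copied first (`<cfset cat = url.cat>` then `#cat#`), a `cfoutput query="..."` column that came from user data, or a variable placed into a JavaScript or attribute context with the wrong encoder all go unreported, so treat its output as a worklist for manual review rather than a verdict.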
