Reputation: 21
We are facing issues of JavaScript getting embedded into the message body; the following is the code snippet of the JavaScript:
} {*\htmltag241 var DanaShimData="var DSJsFuncs = ,null,,,,[{nm:\"Refresh\",lcnm:\"refresh\",flg:0xb},{nm:\ \"Install\",flg:0xf},{nm:\"writeln\",flg:0x3f},{nm:\ "GotoURL\ \",flg:0xe},{nm:\"AddRoot\",lcnm:\"addroot\",flg:0xb},{nm:\ \"LoadURL\",lcnm:\"loadurl\",flg:0xb},{nm:\"addRule\ ",flg:0xf}, {nm:\"postURL\",lcnm:\"posturl\",flg:0x12},{nm:\ "replace\ \",flg:0x12f},],[{
Could anyone please let us know if you have observed such occurrences / findings.
Any help is appreciated.
Thanks, Sudipta Ghosh
Upvotes: 1
Views: 353
Reputation: 958
Also make sure you use cfqueryparam, captchas, or some sort of session authentication for form posts.
Upvotes: 0
Reputation: 4577
There is a project called 'AntiSamy' (http://www.antisamy.net/) which uses policy files, contributed by big sites like Slashdot and eBay, to combat XSS attacks. You may want to look at extracting the AntiSamy code to help you.
Here is a post by Peter Freitag on using AntiSamy without ColdBox: http://www.petefreitag.com/item/760.cfm
Here are the docs for the ColdBox Framework: http://wiki.coldbox.org/wiki/Plugins:AntiSamy.cfm
Upvotes: 5
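As an added example (not code from the answer above or from the AntiSamy project), this is how the AntiSamy Java API would be applied to a message body before it is stored or rendered. The policy file name, class name and the sample message are assumptions; the point worth noting is the error count, which tells you the body carried markup the policy had to strip and is therefore something to log rather than silently discard.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class MessageBodySanitizer {

    private final Policy policy;

    // Assumed path: antisamy-slashdot.xml is one of the policy files distributed with AntiSamy.
    public MessageBodySanitizer(String policyPath) throws PolicyException {
        this.policy = Policy.getInstance(policyPath);
    }

    // Runs the policy over untrusted HTML. Elements and attributes the policy does not allow
    // (script blocks, event-handler attributes, javascript: URLs) are removed from the result.
    public CleanResults scan(String untrustedHtml) throws ScanException, PolicyException {
        return new AntiSamy().scan(untrustedHtml, policy);
    }

    public static void main(String[] args) throws Exception {
        MessageBodySanitizer sanitizer = new MessageBodySanitizer("antisamy-slashdot.xml");

        // Constructed sample resembling the question: ordinary message text with a script
        // block injected into it, plus a link whose target is script rather than a URL.
        String dirty = "<p>Hello <b>team</b>, please see the attached report.</p>"
                + "<script>var DanaShimData=\"...\";</script>"
                + "<a href=\"javascript:void(0)\">click</a>";

        CleanResults results = sanitizer.scan(dirty);

        if (results.getNumberOfErrors() > 0) {
            // A non-zero count is the detection signal: the body contained disallowed markup.
            // Log it with the message id / sender so the source of the injection can be traced.
            System.err.println("Stripped " + results.getNumberOfErrors()
                    + " disallowed item(s): " + results.getErrorMessages());
        }

        // Only the cleaned HTML should be persisted or sent to the browser.
        System.out.println(results.getCleanHTML());
    }
}
```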