Do any tools exists that will scan ColdFusion source code and locate XSS vulnerabilities?
Say for example a programmer wrote something like this:
<cfoutput> This is a #url.cat#. </cfoutput>
The tool would need to locate un-sanitized code.
Update:
While all of the answers and feedback so far are accurate, none point to a tool which can be run against the source code directly.
I personally know how to write code which is xxs safe. Also I can manually find, detect and correct XXS vulnerabilities. I am looking for something automated which can scan thousands of .cfm and .cfc to automate the processes.
Probably the correct answer is that such a tool does not exists. There are companies such as VeriCode which offer a service do such things. They have an automated process which in my opinion does a horrible job because of it's inability to follow code logic.
Anyway, I'll give all +1s and at this point leave the question unanswered.
Update 2: Someone did answer that I would not find a tool, so I will mark this as accepted.
Not specific to XSS but Pete Freitag has a tool that will scan your ColdFusion server for vulnerabilities. The site is Hack My CF. I believe there is a free scan option and they also offer monthly subscription options. I think the tool includes some XSS checks as well.
If you're using ColdFusion 10, you should read this article: http://www.isummation.com/blog/day-2-avoid-cross-site-scripting-xss-using-coldfusion-10-part-1/
I don't think you'll find a tool that checks your actual code, XSS tools out there focus on the form inputs, etc. You might be able to write a script parser yourself that looks for <cfoutput> tags in your ColdFusion file and then looks to see if any of the tags mentioned are present, but trying to define a set of rules for when variables should or should not be wrapped by XSS preventing functions would be almost impossible. You really need to look at each variable and its context.
There are some things you can do in ColdFusion to prevent XSS attacks though as mentioned in the article above and this one: http://www.mindfiresolutions.com/Prevent-crosssite-scripting-attacks-in-ColdFusion-1341.php
Although not ColdFusion-specific, there are several plugins for Fiddler which can detect or hint at where XSS flaws may exist. I've tried out watcher before and found it gave me some useful pointers.
This semi-new tool, security analyzer, for the ColdFusion Builder sounds promising: http://www.adobe.com/devnet/coldfusion/articles/security-analyzer.html.
And VERACODEs scanning is much better nowadays: http://www.veracode.com/
Related
We operate a ColdFusion site with a custom CSS acting as a directory of various companies. Depending on the type of company, we have a set of subpages containing specific information pulled from the CMS about the company, such as "location/directions". We're looking to add functionality enabling users to add comments to the existing content. I'm looking for suggestions on open source or other available ColdFusion software out there that could work for this. While we could write something custom, commenting tools have been done a thousand times and probably better than we can do it.
While what we're looking for sounds like a blog or forum, its more of a hybrid. We'd like to be able to add functionality enabling commenting on the content we post in the context we post it in. Seems like there must be something out there that can be easily modified and integrated with our CMS.
Does anyone know of anything out there we should look into?
I'm going to vote to close this too, as per the others, but here's an answer anyway.
If you just want to add commenting to existing content, perhaps use Disqus. It's not locally installable (and is not CFML-based; it's all JS), but it does handle most things one would need if just wanting to add comments to a site.
If you want a native, self-managed solution, unfortunately StackOverflow have deemed that sort of question "unworthy", so you'll need to ask elsewhere. Despite being an entirely reasonable question, for which the answers would be helpful to other people later on (which is - in theory - the raison d'etre of Stack Overflow. Although that's hard to tell, sometimes).
My website http://www.imayne.com seems to have this issue, verified by MacAfee. Can someone show me how to fix this? (Title)
It says this:
General Solution:
When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.
Ensure that parameters and user input are sanitized by doing the following:
Remove < input and replace with "<";
Remove > input and replace with ">";
Remove ' input and replace with "&apos";
Remove " input and replace with """;
Remove ) input and replace with ")";
Remove ( input and replace with "(";
I cannot seem to show the actual code. This website is showing something else.
Im not a web dev but I can do a little. Im trying to be PCI compliant.
Let me both answer your question and give you some advice. Preventing XSS properly needs to be done by defining a white-list of acceptable values at the point of user input, not a black-black of disallowed values. This needs to happen first and foremost before you even begin thinking about encoding.
Once you get to encoding, use a library from your chosen framework, don't attempt character substitution yourself. There's more information about this here in OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS) (don't worry about it being .NET orientated, the concepts are consistent across all frameworks).
Now for some friendly advice: get some expert support ASAP. You've got a fundamentally obvious reflective XSS flaw in an e-commerce site and based on your comments on this page, this is not something you want to tackle on your own. The obvious nature of this flaw suggests you've quite likely got more obscure problems in the site as well. By your own admission, "you're a noob here" and you're not going to gain the competence required to sufficiently secure a website such as this overnight.
The type of changes you are describing are often accomplished in several languages via an HTML Encoding function. What is the site written in. If this is an ASP.NET site this article may help:
http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
In PHP use this function to wrap all text being output:
http://ch2.php.net/manual/en/function.htmlentities.php
Anyplace you see echo(...) or print(...) you can replace it with:
echo(htmlentities( $whateverWasHereOriginally, ENT_COMPAT));
Take a look at the examples section in the middle of the page for other guidance.
Follow those steps exactly, and you're good to go. The main thing is to ensure that you don't treat anything the user submits to you as code (HTML, SQL, Javascript, or otherwise). If you fail to properly clean up the inputs, you run the risk of script injection.
If you want to see a trivial example of this problem in action, search for
<span style="color:red">red</span>
on your site, and you'll see that the echoed search term is red.
I think I just realized how restrictive my web host is when they wouldn't let me use cfdump. This actually kind of angers me, cause really, what harm is dump going to do? Anyway my question is has anyone written a cfdump alternative that will kick out complex types of data or can link me to a site with a code example? Can't really used cfc's or udfs either cause guess what, they're blocked too. Anyway looking for something simple that I can just paste in my cfml and I will be happy. It's sad that I used to be able to do this, but have forgotten a lot of that skillset since I moved into Flex and AS.
oh and they're using cf7, so no cf8 or 9 tricks ;-)
Thanks in advance.
You probably don't want to hear "Change to another hosting company" but if they're that restrictive, you're really limited in what you can do. I've actually never heard of a host that blocks cfdump although I know of a few that still, stupidly, block createObject().
Depending on exactly what they've blocked, you may be able to copy WEB-INF/cftags/dump.cfm from your local ColdFusion installation to a folder inside your application and then invoke it with cfmodule:
<cfmodule template="dump.cfm" var="#something#"/>
#Sean Corfield is right -- switch hosts.
In the meantime, there was a custom tag called "cf_dump" from the era of CF4. I have no idea if it will work on 7, but you could always try to get it working.
cf_dump at Adobe
In case anyone else comes across this old thread as I have just done, do not blindly following to the advice of "change your host", as this is very poor advice. make the effort to speak with your host before jumping to conclusions.
The host have likely not blocked cfdump they have blocked Java, which is a good thing as this means they take security seriously. CFdump uses java, thus why it does not work.
Allowing Java in CF is a very serious security issue as it completely bypasses all security sandboxes and without giving too much away basically means that any other customer on the same server could hack your site and steal your data as well as hacking/crashing ColdFusion itself.
Unfortunately blocking java does disable quite a lot of useful features and breaks most frameworks, so it is a toss up between functionality or security, so bear this in mind before you decide to go and find a host that enables everything and has no security.
At the end of the day if you want access to all of ColdFusion's functionality then you need your own server or VPS.
I've actually been looking for this for some time and today I actually stumbled across the solution. Unfortunately, I didn't come up with this. Thanks and credit goes to John Whish.
http://www.aliaspooryorik.com/blog/index.cfm/e/posts.details/post/using-onerror-method-of-application-cfc-47
Basically he's figured out most of the CFDump data can be called in the Application.cfc onError function.
I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications.
I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development).
Is anyone aware of a similar tool? Preferably it should be:
cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok)
open source (I really like being able to audit my security tools)
able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)
Edit: I'd like to clarify my goal: I'd like a tool that directly writes the result of a successful XSS/SQL injection attack into the database. The idea is that I want to check that every place in my app does correct output encoding. Detecting and avoiding the data getting there in the first place is an entirely different thing (and might not be possible when I display data that's written to the DB by a third-party application).
Edit 2: Corneliu Tusnea, the author of the tool I linked to above, has since released the tool as free software on codeplex: http://xssattack.codeplex.com/
I think metasploit has most of the attributes you are looking for. It may even be the only one that has all of what you specify, since all the others I can think of are closed source. There are a few existing modules that deal with XSS and one in particular that you should take a peek at: HTTP Microsoft SQL Injection Table XSS Infection. From the sounds of that module it is capable of doing exactly what you are wanting to do.
The framework is written in Ruby I believe, and is supposed to be easy to extend with your own modules which you may need/want to do.
I hope that helps.
http://www.metasploit.com/
Not sure if this is what you're after, its a parameter fuzzer for HTTP/HTTPS.
I haven't used it in a while, but IIRC it acts a proxy between you and the web application in question - and will insert XSS/SQL Injection attack strings into any input fields before deeming whether the response was "interesting" or not, thus whether the application is vulnerable or not.
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
From your question I'm guessing it is a type of fuzzer you're looking for, and one specifically for XSS and web applications; if I'm right - then that might help you!
Its part of the Open Web Application Security Project (OWASP) that "jah" has linked you to above.
There are some Firefox plugins to do some XSS testing here:
http://labs.securitycompass.com/index.php/exploit-me/
A friend of mine keeps saying, that php-ids is pretty good. I haven't tried it myself, but it sounds as if it could approximately match your description:
Open Source (LGPL),
Cross Platform - PHP is not in your list, but maybe it's ok?
Detects "all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks" (this is from the FAQ)
Logs to databases.
I don't think there is such a tool, other than the one you pointed us to. I think there's a good reason for that: It's probably not the best way to test that each and every output is properly encoded for the applicable context.
From reading about that tool it seems the premise is to insert random xss vectors into the database and then you browse your application to see if any of those vectors succeed. This is rather a hit and miss methodology, to say the least.
A much better idea, I think, would be to perform code reviews.
You may find it helpful to have a look at some of the resources available at http://owasp.org - namely the Application Security Verification Standard (ASVS), the Testing Guide and the Code Review Guide.
So I understand that there are a few options available as far as parsing straight XML goes: NSXMLParser, TouchXML from TouchCode, etc. That's all fine, and seems to work fine for me.
The real problem here is that there are dozens of small variations in RSS feeds (and Atom feeds too), so supporting all possible permutations of feeds available out on the Internet gets very difficult to manage. I searched around for a library that would handle all of these low-level details for me, but came out without anything.
Since one could link to an external C/C++ library in Objective-C, I was wondering if there is a library out there that would be best suited for this task? Someone must have already created something like this, it's just difficult to find the "right" option from the thousands of results in Google.
Anyway, what's the best way to parse RSS/Atom feeds in an iPhone application?
I've just released an open source RSS/Atom Parser for iPhone and hopefully it might be of some use.
I'd love to hear your thoughts on it too!
"Best" is relative. The best performance you'll need to go the SAX route and implement the handlers. I don't know of anything out there open source available (start a google code project and release it for the rest of us to use!)
Whatever you do, it's probably a really bad idea to try and load the whole XML file into memory and act on it like a DOM. Chances are you'll get feeds that are much larger than you can handle on the device leading to frequent memory warnings and crashes.
I'm currently trying out the MWFeedParser #Michael Waterfall is developing.
Quite easy to set up and use (I'm a beginner iPhone developer).
His sample code for using MWFeedParser to populate a UITableViewController implementation is helpful as well.
take a look at apple's XML Performance sample -- which points to using libXML directly -- for performance and quicker updates to the display. Which may be important if you are working with very large feeds.
Check out my library for parsing Atom feeds, (BSAtomParser) at GitHub. It doesn't care about validating the feed, it does its best at returning whatever is valid. The parser covers most of RFC 4287, even extensions.
Here's my solution: a really simple yet powerful RSS parsing library: https://github.com/H2CO3/RSSKit
Have you looked at TouchCode yet? I don't think it has an RSS processor, but it might give you a start.
http://code.google.com/p/touchcode/
I came accross igasus project on sourceforge today. I haven't used it or really checked it, but perhaps it might help.
From their site:
igagus is a web service for the iPhone that allows aggregation of RSS to be delivered in an iPhone friendly format.
Actually, I was trying to suggest you ask on the TouchCode discussion board, because I remember someone was trying to expand it to support RSS. That might be a decent starting point. But I was being rushed by my wife.
But I see now that TouchCode doesn't have a discussion board. I'd still ask the author, though, he might know what came of that effort.
This might be a reasonable starting point for you. Atom support isn't there yet, but you could help out?