For the past couple of years I have worked with a large financial industry application. Considering the sensitive nature of our customers' data, we have quarterly vulnerability assessments performed against our applications by IBM (an eye-opening experience if you have never done this before!), and we have occasional security training.
When it comes to the programming layer of web security concerns, we typically find two main types of vulnerability that need focus: SQL injection and cross-site scripting. Although these attacks target different parts of your application (the database and the browser, respectively), they share a common first line of defence: validating the data that comes in. Input validation does not replace parameterized queries (cfqueryparam) or output encoding, which are what actually neutralize the two attacks, but it cuts down what an attacker can get into your application in the first place.
By only allowing known-good characters (an allow-list, rather than trying to enumerate every bad one), you put your application in a better position against attacks you have not thought of yet. One method we employ is to run a goodChars() function on every request that loops through the URL and FORM scopes and makes sure nobody is sneaking in anything harmful. Every application has different needs, and this script will probably need to be altered for other implementations, but the basic idea is seen here. (The regular expression deletes anything that is not a letter, digit, =, _, whitespace, -, ., #, $, & or @; "##" is how a literal # is written inside a ColdFusion string.)
<cffunction name="goodChars" returntype="string" output="false">
    <cfargument name="str" type="string" required="true" />
    <!--- Allow-list scrub: delete every character outside the set. "##" is an escaped # in a CF string. --->
    <cfreturn REReplace(arguments.str, "[^A-Za-z0-9=_\s\-.##$&@]", "", "ALL") />
</cffunction>

<!--- Three test values; "" inside a CF string is an escaped double quote --->
<cfset form.Test1 = "@##&.kws-j$dl927^" />
<cfset form.Test2 = "qsd%0d%0a_fs7=293(*^%5""" />
<cfset url.Test3 = "asdf|<script>alert('HAHA! I am hacking you!')</script>" />

<cfloop collection="#form#" item="i">
    <cfset form[i] = goodChars(form[i]) />
</cfloop>
<cfloop collection="#url#" item="i">
    <cfset url[i] = goodChars(url[i]) />
</cfloop>

<cfdump var="#form#" />
<cfdump var="#url#" />
When you dump the FORM and URL scopes you will see that our strings were modified like this:
form.Test1 -> @#&.kws-j$dl927
form.Test2 -> qsd0d0a_fs7=2935
url.Test3 -> asdfscriptalertHAHA I am hacking youscript
I should probably note that this is a "blunt force" approach to making sure nothing dirty gets through, and it has real limits. Silently stripping characters changes the meaning of what the user sent, so for some fields it is better to reject the request outright than to quietly alter it. The allow-list also says nothing about structure: a value such as "1 OR 1=1" contains only letters, digits, spaces and =, passes goodChars() unchanged, and will still do damage if it is concatenated into a query instead of bound with cfqueryparam. While the blanket scrub may be perfectly acceptable for some applications, you may want to take a more granular approach and apply it at specific points in your application, and log every request in which something was stripped so you can expose users who are probing your system. That log will also show you which characters your users legitimately need in normal use of the application and which may need to be added to the "safe" list.
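To make the behaviour of the allow-list concrete without a ColdFusion server, here is an added example (not the post's own code) that ports goodChars() to Python, runs it over the same three constructed test values plus a fourth, and records which characters were stripped from each key, the kind of anomaly record the logging suggested above would want. The names good_chars, scrub_scope and log_anomalies, and the sample "id" parameter, are assumptions made for illustration; the regular expression is the post's, with the ColdFusion "##" written as a single #.

```python
import re
from typing import Dict, Tuple

# Port of the post's allow-list: everything that is NOT a letter, digit, '=', '_',
# whitespace, '-', '.', '#', '$', '&' or '@' is deleted.  The ColdFusion source
# writes "##" for an escaped '#', which is a single '#' here.
BAD_CHARS = re.compile(r"[^A-Za-z0-9=_\s\-.#$&@]")


def good_chars(value: str) -> str:
    """Strip every character outside the allow-list (the post's goodChars())."""
    return BAD_CHARS.sub("", value)


def scrub_scope(scope: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Scrub every key of a FORM/URL-style scope and report what was removed.

    Returns (cleaned, anomalies).  'anomalies' maps each key whose value changed
    to the sorted, de-duplicated characters that were stripped from it: enough to
    spot a probing client, and to learn which characters real users need that the
    allow-list currently rejects.  Keys that pass unchanged are not reported.
    """
    cleaned: Dict[str, str] = {}
    anomalies: Dict[str, str] = {}
    for key, value in scope.items():
        scrubbed = good_chars(value)
        cleaned[key] = scrubbed
        if scrubbed != value:
            anomalies[key] = "".join(sorted(set(BAD_CHARS.findall(value))))
    return cleaned, anomalies


def log_anomalies(scope_name: str, anomalies: Dict[str, str], client: str) -> list:
    """Build one log line per altered key (hypothetical format for illustration)."""
    return [
        f"SCRUB scope={scope_name} key={key} stripped={chars!r} client={client}"
        for key, chars in anomalies.items()
    ]


# Constructed sample scopes mirroring the post's three test values.
FORM = {
    "Test1": "@#&.kws-j$dl927^",
    "Test2": 'qsd%0d%0a_fs7=293(*^%5"',
}
URL = {
    "Test3": "asdf|<script>alert('HAHA! I am hacking you!')</script>",
    # Only letters, digits, spaces and '=': the allow-list lets this through
    # untouched, which is why the scrub is no substitute for cfqueryparam.
    "id": "1 OR 1=1",
}

if __name__ == "__main__":
    for name, scope in (("form", FORM), ("url", URL)):
        cleaned, anomalies = scrub_scope(scope)
        for key, value in cleaned.items():
            print(f"{name}.{key} -> {value}")
        for line in log_anomalies(name, anomalies, client="203.0.113.7"):
            print(line)
```

Running the script prints the same three scrubbed values the post shows, followed by a log line for each altered key; note that url.id produces no log line at all, which is exactly the blind spot the caveat above describes.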
If you are not already taking steps toward validating your data, hopefully a script like this is a good starting point to get the wheels turning on how to keep your data and your users safe.