#1
I am able to embed the following text successfully, even when applying scriptProtect=all: >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(392271)>

Does anybody have a cfm script to strip out the above characters? I have a script which removes the <script> tag, but it could not detect the above tag. Any help will be appreciated.

thanks
amar Piwar
|
#2
Try this code out:

    <!------------------------------------------------------------------------>
    <!--- function to clean up the content --->
    <cffunction name="cleanContent" output="false" returntype="string" access="public"
                description="cleans user input content to strip out XSS and possible illegal content">
        <cfargument name="content" type="string" required="true">
        <cfset var local = structNew()>
        <cfset local.content = arguments.content>
        <!--- undo one layer of URL encoding before looking for tags --->
        <cfset local.content = urlDecode(local.content)>
        <!--- drop anything that looks like a tag, then any stray angle brackets --->
        <cfset local.content = reReplaceNoCase(local.content,"<[^>]*>","","ALL")>
        <cfset local.content = replaceNoCase(local.content,"<","","ALL")>
        <cfset local.content = replaceNoCase(local.content,">","","ALL")>
        <!--- HTML-encode what is left so it renders as text --->
        <cfset local.content = htmlEditFormat(local.content)>
        <cfset local.content = replaceNoCase(local.content,">","","ALL")>
        <cfset local.content = replaceNoCase(local.content,"<","","ALL")>
        <cfreturn local.content>
    </cffunction>
    <!--- function to clean up the content --->
    <!------------------------------------------------------------------------>

    <!------------------------------------------------------------------------>
    <!--- clean scopes --->
    <cfset variables.runXSS = true>
    <cfif variables.runXSS IS true>
        <!--- run every form and url variable through the cleaner --->
        <cfloop collection="#form#" item="variables.i">
            <cfset form[variables.i] = cleanContent(form[variables.i])>
        </cfloop>
        <cfloop collection="#url#" item="variables.i">
            <cfset url[variables.i] = cleanContent(url[variables.i])>
        </cfloop>
    </cfif>
    <!--- clean scopes --->
    <!------------------------------------------------------------------------>
|
#3
try safetext() at cflib.org. it may work, it may not.
|
#4
>"><%00script>alert(85472)</script>

How can I detect the above string in user input? The code provided in the last reply works well with other vulnerabilities but not with >"><%00script>alert(85472)</script>. Your help is needed. Thanks in advance.

~~~ Thanks
the polar express
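As an added example (not the thread's own code, and not ColdFusion), the same idea in Python: canonicalize the input first (percent-decoding, HTML entity decoding and NUL/control-byte removal, repeated until the string stops changing) and only then look for a <script> tag or a javascript: scheme. The two sample strings are constructed from the payloads posted in this thread, with the line-wrap spaces in the first one removed.

```python
import html
import re
from urllib.parse import unquote

# Patterns this check treats as dangerous once the input is canonical:
# a <script> tag or a javascript: URL scheme (both appear in the thread).
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_SCHEME = re.compile(r"javascript\s*:", re.IGNORECASE)
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")
ANY_TAG = re.compile(r"<[^>]*>")

# Constructed samples, taken from the two payloads in this thread
# (line-wrap spaces removed from the first one).
PAYLOAD_IMG = (
    '>"\'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;'
    "%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;"
    "%26%23x3a;alert(392271)>"
)
PAYLOAD_NUL = '>"><%00script>alert(85472)</script>'


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Peel off layered encodings until the string stops changing.

    Each round percent-decodes, then decodes HTML entities (decimal and
    hex, e.g. &#x6a;), then drops NUL and other control bytes.  After a
    single urlDecode() pass the first payload still reads &#x6a;&#x61;...
    rather than javascript:, so a check on the once-decoded string misses it;
    the NUL in <%00script> likewise has to go before "<script" is visible.
    """
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        decoded = CONTROL_CHARS.sub("", decoded)
        if decoded == current:
            break
        current = decoded
    return current


def is_suspicious(value: str) -> bool:
    """True when the canonical form contains a script tag or js: scheme."""
    canonical = canonicalize(value)
    return bool(SCRIPT_TAG.search(canonical) or JS_SCHEME.search(canonical))


def sanitize(value: str) -> str:
    """Strip tags from the canonical form, then HTML-encode what is left
    so any residue is rendered as text rather than markup."""
    return html.escape(ANY_TAG.sub("", canonicalize(value)), quote=True)
```

Rejecting or logging inputs for which is_suspicious() is true is usually the better defence than silently stripping, since stripping alone can leave fragments that recombine on output.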