Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <!-----------------------------------------------------------------------------------------------------------------------------------------
- READ CAREFULLY: USE AT YOUR OWN RISK! CF_HACKER VERSION 2.1 release: Oct 28 01.
- Use at your own risk! Javafuse Inc. makes no warranty claim or guarantee, implicitly or otherwise, to the soundness and general
- ability of this tag to do what it claims. As well, the user, by using this code, agrees to indemnify the authors: Javafuse inc.
- to be free from all claims which result from the use of the tag "CF_HACKER", or any other name under which the codebase appears
- and to defend Javafuse against any possible litigation resulting from the use of this code in its original format or any augmented
- forms.
- Database security is the responsibility of the Architect/Developement Company deploying the site and tag, not Javafuse inc.
- Javafuse is not responsible for lost, damaged, de-valued, compromised data integrity, or any other loss, monetarily,
- intellectually, or percieved, resulting from the voluntary use of this tag, contained codebase, or augmented code base contained
- here in under any name.
- This tag is free to use for developement and for production with no strings attached!
- While no site is safe against hacking, this tag can help the developer as a tool in the fight against malicious attacks.
- This tag strips most HTML, CFML, Profanity and most core SQL that could be used to "attack" a site.
- Again, use at your own risk! There is no warranty or charge for this code.
- We ask that if you use this tag, that you email us. Why? Because we are always looking to get feedback, and find any additional
- SQL or REGEX that could be used to protect databases from malicious scope data. As well, by providing this openly for free,
- when changes or modifications are made, we can notify you by email. We are willing to send out emails when new versions
- or bugs are found, if youre willing to leave us an address. )
- Remember best practices, when possible search and identify based off of numerical or dynamically computed identifiers.
- Also use stored procedures when possible, althougth this wont remove CFML or HTML!
- One GOOD example:
- Is to store usernames and password in an extra column containing an alpha/numerically hashed combined value of the two,
- and then compare that computed value against the stored hashed numerical value in the database.
- This allows you to create where statements like this: WHERE userHash = #hash(username, password)#
- (Dont use allaire crypto functions, they suck as they produce non predictable chars that must be escaped!)
- And here even if the idiot does submit SQL, its dumped into a value like 'ALKJDLKIOIENF98765IDOIDHD98873LKJ', and well
- Ive never heard of that deleting rows before!. ) lol
- One VERY BAD example:
- Just let you user submit any text into a where clause:
- WHERE userName = '#form.userName#' and password='#form.password#'
- This example is what this tag is designed to help guard against.
- What happens when I pass the following two form fields to the following query? What will happen?
- First the query, sitting on the server waiting to find users.
- <Cfquery name="matchUser" datasource="#DS#">
- select * from users
- where username = '#form.username#' and password = '#form.password#'
- </CFQUERY>
- Now I am going to submit the following two form fields to this query:
- <form action="index.cfm" method="post">
- <input type="text" name="username" value="john@cfjava.com">
- <input type="text" name="password" value="fake' ; delete from users where email != ' ">
- </form>
- The resulting SQL when executed will show this:
- Select * from users
- where username = 'john@cfjava.com' and password= 'fake'; delete from users where email != ' '
- READ THIS:
- (while this exact syntax may not work on your dbase, it wont take but 5 seconds to come up with syntax that will..... >) )
- Notice anything? Yes! Your entire users table is now completely empty! Why? Because you let the user
- submit what ever they wanted into the where clause of an SQL statement. But why stop there, I could have leveled the database!
- Because odds are if youre leaving security holes like this open, you havent taken the precaution of creating special users for your
- database who have limited privileges!
- So what to do? Design with security in mind. Create appropriate users. Hash values to alpha/nums when and where possible.
- Store combined versions of data in an extra column that are dynamically computed on key value matching, it reduces the number of
- comparisons, and keeps you from matching fields to untouched user text.
- And only when you absolutely have to, do you ever let a user submit text into a where clause. And in this case, use this tag,
- or a similar tag to help manage your risk! Else you may be liable, in that a lawyer only has to prove "partial" liability for a
- partial settlement! So developer beware! The goes for all scopes, if you're really interested in the next security step, then
- use an URL encryption algor, so that by looking not even you can tell where youre going, let alone what youre passing. )
- There a ton of books on Architecture and Design that you can look in too for real explanations.
- USE AT YOUR OWN RISK!!!!
- Javafuse INC. IS NOT LIABLE FOR ANY TYPE OF DAMAGE, REAL, INTELLECTUAL, OR PERCIEVED, INCURRED THROUGH THE VOLUNTARY USE OF THIS TAG!
- TAG USE:
- !!!!!!!!!! NOTICE:AS OF THIS GENERATION OF THE TAG, YOU STILL MUST ESCAPE ALL IMAGE FIELDS IN FORMS!
- OK, I will try to show by example. The tag will filter all fields in the FORM and URL scopes by default.
- I want to filter the url and form scopes, filtering all fields; this is the default!
- <cf_hacker>
- I want to filter all fields only the form scope:
- <cf_hacker scopes="form" >
- I want to filter all fields only in the form and cookie scopes:
- <cf_hacker scopes="form,cookie">
- I want to filter all fields except the one named "links" in the form scope:
- <cf_hacker scopes="form" form="links">
- I want to filter the form and url scopes, but skip two FORM fields, named user_links and user_html, that may contain HTML.
- Remember that form and url scopes are set by default, so we do not have to pass them into the tag with the "scopes" parameter.
- So this call is ....
- <cf_hacker form="user_links,user_html">
- the same as this call:
- <cf_hacker scopes="form,url" form="user_links,user_html">
- Which ever one is easier for you to quickly understand...
- I want to filter the FORM, URL and COOKIE scopes, skipping fields in each scope:
- <cf_hacker scopes="form,url,cookie" cookie="user_home" url="user_name" form="image1,image2,image3">
- TO SUMMARIZE:
- The tag filters all fields in URL and FORM scopes by default, you dont have to anything but call tag.
- To explicitly filter a scope or scopes, pass a comma delimited list of scopes to filter.
- To skip fields/values/variables in the passed scopes, simple name the scope as a parameter and give a comma delimited list of fields to skip.
- We will be building on this base for quite some time. So if you come across syntax for one of these database types, please email with any
- additions you would like to see integrated to: john@cfjava.com Please include your name, and country of origin as well, and you will get "props"
- in the next update release of the tag! . )
- You can thank the following people who have contributed to this tag. Contribute a database regex and join the wall of shame!
- John Ensign U.S.A. john@cfjava.com
- Lucas B. Nederlands withheld
- Some notes on the codebase:
- Exempt fields and profanities are run from loops, as they should be; the regex for the database syntax is not, and this is primarily for
- readability. As well, by laying them out one by one, readers who are not familiar with REGEX can come to grips with this much at least,
- and hopefully begin to add/submit their own match values. We dont want any flaming retarded statements, like you should loop that too.... etc.
- This tag does add a millisec or two to processing time. In this particular case its not about milli-secs, its about taking judicious steps
- to minimize our clients risk, and being able to prove you took reasonable and prudent measures to protect your client's data!
- Its all about RISK MANAGEMENT, nothing is 100%. And if you had to ask, then quit now while your still ahead. )
- Beware of cheap imitations! Peeps using the string methods are fooling themselves!
- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------->
- <!--- WHICH SCOPES ARE WE FILTERING --->
- <cfparam name="attributes.scopes" default="FORM,URL">
- <!--- DYNAMICALLY CREATE EMPTY LIST SCOPE FIELDS TO BE ESCAPED --->
- <cfloop list="#attributes.scopes#" index="target">
- <cfset name = "attributes." & #target#>
- <cfparam name="#name#" default="">
- </cfloop>
- <!--- LIST OF PROFANITIES TO FILTER --->
- <cfset profanities = "">
- <!--- FILTER ALL PASSED SCOPES OR DEFAULT SCOPES --->
- <cfloop list="#attributes.scopes#" index="scope">
- <!--- SET CURRENT SCOPE AND ESTABLISH HANDLE TO FIELD --->
- <cfloop collection="#evaluate("caller.#scope#")#" item="field">
- <cftry>
- <cfscript>
- //IS THIS FIELD TO BE SKIPPED OR IS IT A FILE FIELD?
- if( (listContainsNoCase(evaluate("attributes.#scope#"), field) EQ 0) AND NOT(isNumeric(field)) AND NOT(field EQ "") )
- {
- //GRAB FIELD VALUE
- value = evaluate("#scope#.#field#");
- //IF FIELD IS EMPTY MOVE ONTO NEXT FIELD
- if(len(value) EQ 0)
- break;
- //IF THIS IS A FILE FIELD FROM WINDOWS MOVE ONTO NEXT FIELD
- if(REFindNoCase("\ *\.tmp", value) GT 0)
- break;
- //HTML and CFML : skipping exempt fields and cleaning all others.
- value = REReplace(value, "<[^>]*>", "", "All");
- //SYSTEM CALLS
- value = REReplaceNoCase(value, " *sp_ *", "", "All");
- value = REReplaceNoCase(value, " *dt_ *", "", "All");
- value = REReplaceNoCase(value, " *db_ *", "", "All");
- //DELETES
- value = REReplaceNoCase(value, " *; *delete *from *", "", "All");
- value = REReplaceNoCase(value, " *delete *from *", "", "All");
- // SELECTS AND PASSED SUB-SELECTS
- value = REReplaceNoCase(value, " *\( *select *from *\) *", "", "All");
- value = REReplaceNoCase(value, " *; *select *\* *from *", "", "All");
- value = REReplaceNoCase(value, " *select *\* *from *", "", "All");
- value = REReplaceNoCase(value, " *select *into *from *", "", "All");
- // INSERTIONS
- value = REReplaceNoCase(value, " *; *insert *into *\( *\) *values *", "", "All");
- value = REReplaceNoCase(value, " *insert *into *\( *\) *values *", "", "All");
- // UPDATES
- value = REReplaceNoCase(value, " *; *update *", "", "All");
- value = REReplaceNoCase(value, " *update *set *= *", "", "All");
- // CREATIONS
- value = REReplaceNoCase(value, " *create *proc *as *", "", "All");
- value = REReplaceNoCase(value, " *create *view *as *", "", "All");
- value = REReplaceNoCase(value, " *create *trigger *on *", "", "All");
- value = REReplaceNoCase(value, " *create *table *", "", "All");
- value = REReplaceNoCase(value, " *create *table *\( *\) *", "", "All");
- value = REReplaceNoCase(value, " *create *database *on *\( *\) *", "", "All");
- value = REReplaceNoCase(value, " *create *database *on *", "", "All");
- value = REReplaceNoCase(value, " *create *function *\( *\) *as *", "", "All");
- value = REReplaceNoCase(value, " *create *temporary *table *", "", "All");
- // ALTERATIONS
- value = REReplaceNoCase(value, " *alter *database *remove *", "", "All");
- value = REReplaceNoCase(value, " *alter *database *modify *", "", "All");
- value = REReplaceNoCase(value, " *alter *database *add *", "", "All");
- value = REReplaceNoCase(value, " *alter *proc *as *", "", "All");
- value = REReplaceNoCase(value, " *alter *view *as *", "", "All");
- value = REReplaceNoCase(value, " *alter *trigger *on *", "", "All");
- value = REReplaceNoCase(value, " *alter *table *on *", "", "All");
- // TRANSACTIONS
- value = REReplaceNoCase(value, " *begin *tran *commit *", "", "All");
- value = REReplaceNoCase(value, " *begin *distributed *tran *commit *", "", "All");
- // DROPS
- value = REReplaceNoCase(value, " *drop *trigger *", "", "All");
- value = REReplaceNoCase(value, " *drop *view *", "", "All");
- value = REReplaceNoCase(value, " *drop *table *", "", "All");
- value = REReplaceNoCase(value, " *drop *database *", "", "All");
- value = REReplaceNoCase(value, " *drop *user *", "", "All");
- //PROFANITIES
- for( index = 1; index LT listLen(profanities); index = index + 1)
- {
- value = REReplaceNoCase(value, " *#ListGetAt(profanities, index)# *", "", "All");
- }
- rc = structUpdate( evaluate("caller.#scope#"), #field#, value);
- }
- </cfscript>
- <cfcatch></cfcatch>
- </cftry>
- </cfloop>
- </cfloop>
- <!------------------------------------------------- TO DO: ------------------------------------------------------
- Fix image file upload fields:
- win - now working on windows, still not happy with it though. )
- liny/unix - need to get liny/unix upload naming schema for matching
- mac - ditto
- rollback
- use statement
- CF will not give complete header data per RFC convention like asp,php,perl,vb will.
- Plan on converting tag to an advanced version in java automated form field type
- detection using java REGEX for isps or industrial level users.
- Continue adding support for mysql, oracle, and postgres.
- *Most of SQL server is covered.
- ------------------------------------------------------------------------------------------------------------------->
Add Comment
Please, Sign In to add comment