a guest
Jul 15th, 2018
<!-----------------------------------------------------------------------------------------------------------------------------------------
READ CAREFULLY: USE AT YOUR OWN RISK! CF_HACKER VERSION 2.1 release: Oct 28 01.

Use at your own risk! Javafuse Inc. makes no warranty claim or guarantee, implicitly or otherwise, to the soundness and general
ability of this tag to do what it claims. As well, the user, by using this code, agrees to indemnify the authors, Javafuse Inc.,
against all claims which result from the use of the tag "CF_HACKER", or any other name under which the codebase appears,
and to defend Javafuse against any possible litigation resulting from the use of this code in its original format or any augmented
forms.

Database security is the responsibility of the architect/development company deploying the site and tag, not Javafuse Inc.
Javafuse is not responsible for lost, damaged, de-valued, or compromised data integrity, or any other loss, monetary,
intellectual, or perceived, resulting from the voluntary use of this tag, contained codebase, or augmented code base contained
herein under any name.

This tag is free to use for development and for production with no strings attached!

While no site is safe against hacking, this tag can help the developer as a tool in the fight against malicious attacks.
This tag strips most HTML, CFML, profanity and most core SQL that could be used to "attack" a site.

Again, use at your own risk! There is no warranty or charge for this code.
We ask that if you use this tag, you email us. Why? Because we are always looking to get feedback, and to find any additional
SQL or regex that could be used to protect databases from malicious scope data. As well, by providing this openly for free,
when changes or modifications are made, we can notify you by email. We are willing to send out emails when new versions
are released or bugs are found, if you're willing to leave us an address. )

Remember best practices: when possible, search and identify based off of numerical or dynamically computed identifiers.
Also use stored procedures when possible, although this won't remove CFML or HTML!

One GOOD example:
Store usernames and passwords in an extra column containing an alphanumeric hashed value of the two combined,
and then compare that computed value against the stored hashed value in the database.
This allows you to create where statements like this: WHERE userHash = #hash(username, password)#
(Don't use the Allaire crypto functions; they suck, as they produce non-predictable chars that must be escaped!)
And here even if the idiot does submit SQL, it's dumped into a value like 'ALKJDLKIOIENF98765IDOIDHD98873LKJ', and well,
I've never heard of that deleting rows before! . ) lol

One VERY BAD example:
Just let your user submit any text into a where clause:
WHERE userName = '#form.userName#' and password='#form.password#'
This example is what this tag is designed to help guard against.

What happens when I pass the following two form fields to the following query?

First the query, sitting on the server waiting to find users.

<Cfquery name="matchUser" datasource="#DS#">
select * from users
where username = '#form.username#' and password = '#form.password#'
</CFQUERY>

Now I am going to submit the following two form fields to this query:

<form action="index.cfm" method="post">
<input type="text" name="username" value="john@cfjava.com">
<input type="text" name="password" value="fake' ; delete from users where email != ' ">
</form>

The resulting SQL when executed will be this:

Select * from users
where username = 'john@cfjava.com' and password= 'fake'; delete from users where email != ' '

READ THIS:
(While this exact syntax may not work on your database, it won't take but 5 seconds to come up with syntax that will..... >) )

Notice anything? Yes! Your entire users table is now completely empty! Why? Because you let the user
submit whatever they wanted into the where clause of an SQL statement. But why stop there? I could have leveled the database!
Because odds are, if you're leaving security holes like this open, you haven't taken the precaution of creating special users for your
database who have limited privileges!

So what to do? Design with security in mind. Create appropriate users. Hash values to alphanumerics when and where possible.
Store combined versions of data in an extra column that are dynamically computed on key value matching; it reduces the number of
comparisons, and keeps you from matching fields to untouched user text.

And only when you absolutely have to do you ever let a user submit text into a where clause. And in this case, use this tag,
or a similar tag, to help manage your risk! Else you may be liable, in that a lawyer only has to prove "partial" liability for a
partial settlement! So developer beware! This goes for all scopes; if you're really interested in the next security step, then
use a URL encryption algorithm, so that by looking not even you can tell where you're going, let alone what you're passing. )

There are a ton of books on architecture and design that you can look into for real explanations.

USE AT YOUR OWN RISK!!!!

Javafuse INC. IS NOT LIABLE FOR ANY TYPE OF DAMAGE, REAL, INTELLECTUAL, OR PERCEIVED, INCURRED THROUGH THE VOLUNTARY USE OF THIS TAG!

TAG USE:

!!!!!!!!!! NOTICE: AS OF THIS GENERATION OF THE TAG, YOU STILL MUST ESCAPE ALL IMAGE FIELDS IN FORMS!

OK, I will try to show by example. The tag will filter all fields in the FORM and URL scopes by default.

I want to filter the url and form scopes, filtering all fields; this is the default:
<cf_hacker>

I want to filter all fields in only the form scope:
<cf_hacker scopes="form">

I want to filter all fields in only the form and cookie scopes:
<cf_hacker scopes="form,cookie">

I want to filter all fields except the one named "links" in the form scope:
<cf_hacker scopes="form" form="links">

I want to filter the form and url scopes, but skip two FORM fields, named user_links and user_html, that may contain HTML.
Remember that the form and url scopes are set by default, so we do not have to pass them into the tag with the "scopes" parameter.
So this call ....
<cf_hacker form="user_links,user_html">
is the same as this call:
<cf_hacker scopes="form,url" form="user_links,user_html">
Whichever one is easier for you to quickly understand...

I want to filter the FORM, URL and COOKIE scopes, skipping fields in each scope:
<cf_hacker scopes="form,url,cookie" cookie="user_home" url="user_name" form="image1,image2,image3">

TO SUMMARIZE:
The tag filters all fields in the URL and FORM scopes by default; you don't have to do anything but call the tag.
To explicitly filter a scope or scopes, pass a comma-delimited list of scopes to filter.
To skip fields/values/variables in the passed scopes, simply name the scope as a parameter and give a comma-delimited list of fields to skip.


We will be building on this base for quite some time. So if you come across syntax for one of these database types, please email any
additions you would like to see integrated to: john@cfjava.com Please include your name and country of origin as well, and you will get "props"
in the next update release of the tag! . )


You can thank the following people who have contributed to this tag. Contribute a database regex and join the wall of shame!

John Ensign U.S.A. john@cfjava.com
Lucas B. Nederlands withheld

Some notes on the codebase:

Exempt fields and profanities are run from loops, as they should be; the regex for the database syntax is not, and this is primarily for
readability. As well, by laying them out one by one, readers who are not familiar with regex can come to grips with this much at least,
and hopefully begin to add/submit their own match values. We don't want any flaming statements like "you should loop that too", etc.
This tag does add a millisecond or two to processing time. In this particular case it's not about milliseconds, it's about taking judicious steps
to minimize our clients' risk, and being able to prove you took reasonable and prudent measures to protect your client's data!
It's all about RISK MANAGEMENT; nothing is 100%. And if you had to ask, then quit now while you're still ahead. )

Beware of cheap imitations! Peeps using the string methods are fooling themselves!

------------------------------------------------------------------------------------------------------------------------------------------------------------------------->
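The concatenated query from the notes beside its hardened, parameter-bound form, run on the notes' own two form values. This is an added Python/sqlite3 example, not part of the tag: the in-memory users table is constructed for it, executescript() stands in for a driver that runs stacked statements the way the SQL Server batch in the notes does, and the bound-parameter version is what <cfqueryparam> gives you in CFML.

```python
import sqlite3

# The two form values from the notes above (the payload is the one the notes use).
USERNAME = "john@cfjava.com"
PAYLOAD = "fake' ; delete from users where email != ' "

def fresh_db():
    # Constructed sample data: an in-memory users table with two rows.
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text, password text, email text)")
    db.executemany("insert into users values (?, ?, ?)", [
        ("john@cfjava.com", "s3cret", "john@cfjava.com"),
        ("lucas", "hunter2", "lucas@example.invalid"),
    ])
    db.commit()
    return db

def user_count(db):
    return db.execute("select count(*) from users").fetchone()[0]

def match_user_concat(db, username, password):
    # The notes' <cfquery>: values pasted into the SQL text, like '#form.username#'.
    # executescript() runs stacked statements, the batch behaviour the notes show.
    sql = ("select * from users where username = '%s' and password = '%s'"
           % (username, password))
    db.executescript(sql)
    return user_count(db)          # rows left in the table afterwards

def match_user_param(db, username, password):
    # Hardened form: the values are bound as parameters (<cfqueryparam> in CFML),
    # so the quote and the trailing DELETE are just characters inside one string value.
    rows = db.execute("select * from users where username = ? and password = ?",
                      (username, password)).fetchall()
    return len(rows), user_count(db)   # (matching rows, rows left in the table)

if __name__ == "__main__":
    print("rows left after concatenated query:", match_user_concat(fresh_db(), USERNAME, PAYLOAD))
    print("(matches, rows left) with bound parameters:", match_user_param(fresh_db(), USERNAME, PAYLOAD))
```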
  143.  
<!--- WHICH SCOPES ARE WE FILTERING --->
<cfparam name="attributes.scopes" default="FORM,URL">

<!--- DYNAMICALLY CREATE AN EMPTY LIST OF SCOPE FIELDS TO BE EXEMPTED FROM FILTERING --->
<cfloop list="#attributes.scopes#" index="target">
    <cfset name = "attributes." & target>
    <cfparam name="#name#" default="">
</cfloop>

<!--- LIST OF PROFANITIES TO FILTER --->
<cfset profanities = "">

<!--- FILTER ALL PASSED SCOPES OR DEFAULT SCOPES --->
<cfloop list="#attributes.scopes#" index="scope">

    <!--- SET CURRENT SCOPE AND ESTABLISH HANDLE TO FIELD (single quotes inside the attribute so the nested evaluate() parses) --->
    <cfloop collection="#evaluate('caller.#scope#')#" item="field">
    <cftry>
    <cfscript>
        //IS THIS FIELD TO BE SKIPPED? listFindNoCase matches whole field names; listContainsNoCase would also exempt "user_links" when only "links" is exempt.
        if( (listFindNoCase(evaluate("attributes.#scope#"), field) EQ 0) AND NOT(isNumeric(field)) AND NOT(field EQ "") )
        {
            //GRAB FIELD VALUE
            value = evaluate("#scope#.#field#");

            //SKIP EMPTY FIELDS AND WINDOWS TEMP FILE (UPLOAD) FIELDS. break IS NOT VALID OUTSIDE A LOOP IN CFSCRIPT, SO GUARD WITH AN if INSTEAD.
            if( len(value) GT 0 AND REFindNoCase("\ *\.tmp", value) EQ 0 )
            {
                //HTML and CFML : skipping exempt fields and cleaning all others.
                value = REReplace(value, "<[^>]*>", "", "All");

                //SYSTEM CALLS
                value = REReplaceNoCase(value, " *sp_ *", "", "All");
                value = REReplaceNoCase(value, " *dt_ *", "", "All");
                value = REReplaceNoCase(value, " *db_ *", "", "All");

                //DELETES
                value = REReplaceNoCase(value, " *; *delete *from *", "", "All");
                value = REReplaceNoCase(value, " *delete *from *", "", "All");

                // SELECTS AND PASSED SUB-SELECTS
                value = REReplaceNoCase(value, " *\( *select *from *\) *", "", "All");
                value = REReplaceNoCase(value, " *; *select *\* *from *", "", "All");
                value = REReplaceNoCase(value, " *select *\* *from *", "", "All");
                value = REReplaceNoCase(value, " *select *into *from *", "", "All");

                // INSERTIONS
                value = REReplaceNoCase(value, " *; *insert *into *\( *\) *values *", "", "All");
                value = REReplaceNoCase(value, " *insert *into *\( *\) *values *", "", "All");

                // UPDATES
                value = REReplaceNoCase(value, " *; *update *", "", "All");
                value = REReplaceNoCase(value, " *update *set *= *", "", "All");

                // CREATIONS
                value = REReplaceNoCase(value, " *create *proc *as *", "", "All");
                value = REReplaceNoCase(value, " *create *view *as *", "", "All");
                value = REReplaceNoCase(value, " *create *trigger *on *", "", "All");
                value = REReplaceNoCase(value, " *create *table *", "", "All");
                value = REReplaceNoCase(value, " *create *table *\( *\) *", "", "All");
                value = REReplaceNoCase(value, " *create *database *on *\( *\) *", "", "All");
                value = REReplaceNoCase(value, " *create *database *on *", "", "All");
                value = REReplaceNoCase(value, " *create *function *\( *\) *as *", "", "All");
                value = REReplaceNoCase(value, " *create *temporary *table *", "", "All");

                // ALTERATIONS
                value = REReplaceNoCase(value, " *alter *database *remove *", "", "All");
                value = REReplaceNoCase(value, " *alter *database *modify *", "", "All");
                value = REReplaceNoCase(value, " *alter *database *add *", "", "All");
                value = REReplaceNoCase(value, " *alter *proc *as *", "", "All");
                value = REReplaceNoCase(value, " *alter *view *as *", "", "All");
                value = REReplaceNoCase(value, " *alter *trigger *on *", "", "All");
                value = REReplaceNoCase(value, " *alter *table *on *", "", "All");

                // TRANSACTIONS
                value = REReplaceNoCase(value, " *begin *tran *commit *", "", "All");
                value = REReplaceNoCase(value, " *begin *distributed *tran *commit *", "", "All");

                // DROPS
                value = REReplaceNoCase(value, " *drop *trigger *", "", "All");
                value = REReplaceNoCase(value, " *drop *view *", "", "All");
                value = REReplaceNoCase(value, " *drop *table *", "", "All");
                value = REReplaceNoCase(value, " *drop *database *", "", "All");
                value = REReplaceNoCase(value, " *drop *user *", "", "All");

                //PROFANITIES (LTE, so the last entry in the list is filtered too)
                for( index = 1; index LTE listLen(profanities); index = index + 1)
                {
                    value = REReplaceNoCase(value, " *#ListGetAt(profanities, index)# *", "", "All");
                }

                //WRITE THE CLEANED VALUE BACK INTO THE CALLER'S SCOPE
                rc = structUpdate( evaluate("caller.#scope#"), field, value);
            }
        }
    </cfscript>
    <!--- NOTE: the empty catch swallows errors, so a field that throws here is left unfiltered --->
    <cfcatch></cfcatch>
    </cftry>
    </cfloop>
</cfloop>
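To see what the regex chain above actually leaves behind, here is an added Python port of a representative subset of its patterns (not the tag's own code; the CREATE/ALTER/TRAN patterns follow the same shape and are omitted for length). Run on the payload from the notes, it shows that the SQL keywords are stripped but the single quote that closes the '...' literal in the query survives, which is why the tag manages risk rather than removing it and the query still needs parameter binding.

```python
import re

# Representative subset of the tag's REReplaceNoCase patterns, ported from the CFML above.
PATTERNS = [
    r"<[^>]*>",                                   # HTML and CFML tags
    r" *sp_ *", r" *dt_ *", r" *db_ *",           # system object prefixes
    r" *; *delete *from *", r" *delete *from *",
    r" *\( *select *from *\) *", r" *; *select *\* *from *",
    r" *select *\* *from *", r" *select *into *from *",
    r" *; *insert *into *\( *\) *values *", r" *insert *into *\( *\) *values *",
    r" *; *update *", r" *update *set *= *",
    r" *drop *trigger *", r" *drop *view *", r" *drop *table *",
    r" *drop *database *", r" *drop *user *",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in PATTERNS]

PAYLOAD = "fake' ; delete from users where email != ' "   # the form value from the notes

def cf_hacker_filter(value: str) -> str:
    """Apply the tag's cleaning chain to one field value and return the result."""
    if value == "":
        return value                      # the tag leaves empty fields alone
    if re.search(r"\ *\.tmp", value, re.IGNORECASE):
        return value                      # the tag's Windows temp-file (upload field) skip
    for rx in COMPILED:
        value = rx.sub("", value)         # same order as the tag, "All" occurrences
    return value

def quote_survives(value: str) -> bool:
    """True when the cleaned value still holds a single quote, i.e. it can still
    close the '...' literal the notes' query wraps it in (the filter never touches quotes)."""
    return "'" in cf_hacker_filter(value)

if __name__ == "__main__":
    print(repr(cf_hacker_filter(PAYLOAD)), "quote survives:", quote_survives(PAYLOAD))
```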
  246.  
<!------------------------------------------------- TO DO: ------------------------------------------------------
Fix image file upload fields:
win - now working on Windows, still not happy with it though. )
linux/unix - need to get the linux/unix upload naming schema for matching
mac - ditto
rollback
use statement

CF will not give complete header data per RFC convention like asp, php, perl, vb will.
Plan on converting the tag to an advanced version in Java with automated form field type
detection using Java regex for ISPs or industrial level users.

Continue adding support for mysql, oracle, and postgres.
*Most of SQL Server is covered.
------------------------------------------------------------------------------------------------------------------->