#1
    Registered User, Devshed Newbie (0 - 499 posts)
    Join Date: Jan 2007
    Posts: 20

    How to prevent SQL Injection


    How would I prevent SQL injection in the link below?

    Would I just make sure there are cfparams on this page for client.user and client.usertype?

    index.cfm?action=act_do_login&room=1&serverid=1&username=#urlencodedformat(trim(client.user))#&usertype=#client.usertype#
#2
    Moderator
    Join Date: Jun 2002
    Location: Raleigh, NC
    Posts: 5,286

    Always use cfqueryparam (bind variables) in your queries, which has many benefits. One of which is preventing SQL injection attacks.
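
The difference the moderator is describing, as an added example that is not code from the thread: the same lookups written first with the URL value spliced into the SQL text and then with cfqueryparam. The datasource name chatdb and the tables users(username, usertype) and rooms(room_id, room_name) are assumptions. ColdFusion doubles single quotes inside string variables in a cfquery by default, so the classic hole is a numeric comparison, where there are no quotes to escape; that is the case shown as vulnerable here.

```cfml
<!--- Added example, not code from the thread. The datasource "chatdb" and the
      tables users(username, usertype) and rooms(room_id, room_name) are
      hypothetical. --->

<cfparam name="url.username" default="">
<cfparam name="url.room" default="1">

<!--- VULNERABLE: the URL value becomes part of the SQL text. In a numeric
      comparison there are no quotes for ColdFusion's automatic quote doubling
      to act on, so room=(select 1) runs as a subquery and returns a row, while
      room=(select 1,2) fails with a column-count error. Two different responses
      for two payloads is exactly the signal the scanner in this thread reported
      for the username parameter. --->
<cfquery name="qBad" datasource="chatdb">
    SELECT room_id, room_name
    FROM   rooms
    WHERE  room_id = #url.room#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bind variable. The database
      receives the SQL text and the value separately, so parentheses, quotes and
      SELECT keywords inside the value are just characters to compare against.
      A numeric cfsqltype rejects "1 OR 1=1" or "(select 1)" with a validation
      error before any SQL is sent. --->
<cfquery name="qRoom" datasource="chatdb">
    SELECT room_id, room_name
    FROM   rooms
    WHERE  room_id = <cfqueryparam value="#url.room#"
                                   cfsqltype="cf_sql_integer">
</cfquery>

<!--- The string case from the thread's URL. Relying on quote doubling is one
      default away from breaking (preserveSingleQuotes() turns it off); binding
      the value does not depend on it. maxlength bounds the input as well. --->
<cfquery name="qUser" datasource="chatdb">
    SELECT username, usertype
    FROM   users
    WHERE  username = <cfqueryparam value="#trim(url.username)#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>
```

The bind variable also lets the database cache the execution plan across calls, which is the other benefit the moderator alludes to.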
#3
    Registered User, Devshed Newbie (0 - 499 posts)
    Join Date: Jan 2007
    Posts: 20

    The use of cfqueryparam definitely is a must, however in this case I'm not using the variable and passing it to a db query.

    I log into the site and it sets 'client.user' to the username I'm logged in as. From the site I can then access a chat room and it passes my username into the chatroom so that username is displayed.

    This is the link URL:
    index.cfm?action=act_do_login&room=1&serverid=1&username=#urlencodedformat(trim(client.user))#&usertype=#client.usertype#

    A scan was run and one of the results was this: The username parameter appears to be vulnerable to SQL injection attacks. The payloads (select%201) and (select%201%2c2) were each submitted in the username parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

    So in the URL of the browser could someone replace the username that is passed with a possible SQL Injection attempt even though the variable isn't being passed to a SQL Query, or would this be considered a false positive?
#4
    Moderator
    Join Date: Jun 2002
    Location: Raleigh, NC
    Posts: 5,286

    Are you storing client variables in a database? If not, then no, I don't see how there can be a SQL injection attack if the data is never used while accessing a database.

    If you still want to add logic to eliminate suspicious data, you can use something like this simple function to test whether the value contains likely SQL injection code: http://www.cflib.org/udf/IsSQLInject
#5
    Registered User, Devshed Newbie (0 - 499 posts)
    Join Date: Jan 2007
    Posts: 20

    Thank you!

    What about in the case of cross site scripting attacks?

    I've read where you can add scriptprotect="all" in the application file. I've done this but I'm not seeing any change. Also I've read I should wrap htmleditformat around variables.

    Example:
    newroom=59934<script>alert(1)</script>0760a342c4e

    The following attack I'm not too sure about. A user can take the URL and modify it to what is below.

    Actual URL: index.cfm?action=act_do_login&room=1

    Modified URL:
    /index.cfm?action=act_do_login29fb9<img%20src%3da%20onerror%3dalert(1)>f2f8569f2c8&room=1

    CF throws an error 'Could not find the included template act_do_login29fb9<img src=a onerror=alert(1)>f2f8569f2c8.cfm.' However, the alert still works.

    What is the best way to remedy these types of situations?
#6
    Moderator
    Join Date: Jun 2002
    Location: Raleigh, NC
    Posts: 5,286

    Yes, you can turn on scriptprotect, or add your own logic to inspect the form and URL scopes to remove XSS code.

    Also, if you are just taking form or URL variables and using them in cfincludes without any validation, you have much bigger problems than XSS. A hacker can basically invoke any template on your server.
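
The two remedies the moderator points at, as an added example that is not part of the thread: dispatch cfinclude through a fixed allow-list keyed by the action value rather than building a file name from it, validate parameters with a known shape, and encode free-text values with htmlEditFormat where they are written into the page. The template names other than act_do_login.cfm and the newroom handling are assumptions. scriptProtect only rewrites a short fixed list of tag names (script, object, embed, applet, meta) to InvalidTag, so the img/onerror payload from post #5 passes through it untouched; what then executes it is the error page echoing the raw template name, a path the allow-list never reaches.

```cfml
<!--- Added example, not code from the thread. Template names other than
      act_do_login.cfm, and the newroom parameter, are hypothetical. --->

<!--- 1. Dispatch cfinclude from a fixed allow-list. The URL value is only a
      lookup key; the file name never contains user input, so
      action=act_do_login29fb9<img ...> misses the table and falls back to the
      default instead of raising the "Could not find the included template"
      error that echoed the payload. It also closes the bigger hole the
      moderator mentions: no template outside this table can be invoked. --->
<cfset actions = structNew()>
<cfset actions["act_do_login"] = "act_do_login.cfm">
<cfset actions["act_chat"]     = "act_chat.cfm">
<cfset actions["act_logout"]   = "act_logout.cfm">

<cfparam name="url.action" default="act_do_login">
<cfif NOT structKeyExists(actions, url.action)>
    <cfset url.action = "act_do_login">
</cfif>
<cfinclude template="#actions[url.action]#">

<!--- 2. Values with a known shape are validated, not filtered. room and
      serverid in the thread's URL are integers; cfparam type="integer" throws
      a validation exception for anything else before the page body runs. --->
<cfparam name="url.room" type="integer" default="1">
<cfparam name="url.serverid" type="integer" default="1">

<!--- 3. Free-text values are encoded at the point they are written into HTML.
      htmlEditFormat converts < > & " to entities, so
      newroom=59934<script>alert(1)</script>0760a342c4e is displayed as text
      rather than executed. Values that go back into a URL need
      urlEncodedFormat as well, as the thread's own link already does for
      client.user. --->
<cfparam name="url.newroom" default="">
<cfoutput>
    <p>Room #url.room# on server #url.serverid#</p>
    <p>New room name: #htmlEditFormat(url.newroom)#</p>
    <a href="index.cfm?action=act_chat&amp;room=#url.room#&amp;newroom=#urlEncodedFormat(url.newroom)#">Enter</a>
</cfoutput>
```

Whatever the validation throws should be routed through a custom error template rather than ColdFusion's default one, so that the raw request value is never echoed back unencoded; that reflection is what let the alert fire in post #5 even though the include itself failed.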
