Thread: XSS Insertion Prevention |
Hello again,
You got to be kidding me right? I am going to assume your not.
By spoofing, you mean taking an EXE file and giving it a JPG extension right?
So what happens when you do something like the following when a file is spoofed?
<img src="spoofedFile.JPG">
My first thought it would show a box with an X through it. That is at least what happens when a JPG can not be found.
My biggest question is how do you tell a file is spoofed upon uploading it? How is that prevented?
The more I learn about securing a website, the more I hate hackers. The worst thing is I bet the majority of programmers do not even take measures to secure a website like this.
Thanks again for any information you can provide me with. If there was a security class in my area, I would definately take that. For now, this is the best I got so I really appreciate it.
Sincerely,
Travis Walters
admin@codebuyers.com
Last edited by twalters84; 01-15-2008 at 10:48 AM.
I am not kidding, and I have no clue how to check against this. I would suppose maybe checking the content headers. Generally though, from my experience, images are usually spoofed as shell scripts. I have never spoofed a file, so I have no clue how it works.
So you are saying that we should not even accept JPG/GIF files to be uploaded?
Hey there,
I found another good article here:
Application Security with Coldfusion
The part that I found very interesting and is related to our latest discussion is the following:
Uploading files to a different server for storage may be a good idea. Does anybody know of any good hosts that are strickly for storage? If I do this, I would definately need something reliable.A common task that can be very dangerous. People can upload a file and then execute that file on your server. In <cffile>, many peole use the accept="" attribute to limit the kinds of files you can upload, but this isn't the greatest approach. A hacker can spoof the mime type. So, could upload a ColdFusion page, spoof the mime type, and execute the ColdFusion page. This spoofing can easily be done with ColdFusion.
Best practices: Upload to a directory outside the web root or to a static content server. Always check the file extension (cffile.serverFileExt), although this is obviously not reliable, but it would stop someone from executing a ColdFusion page when it has an image mime type (as an example). Use the accept="" attribute, just don't rely on it. Also check the filename to avoid XSS. Otherwise, a person could have JavaScript in the filename that could be executed. The combination of these things would make it very challenging to exploit uploading.
However, I wonder if I created a seperate directory just for uploads if that would solve the problem. I am wondering maybe if there is a way to make everything non-executable in that folder some how?
Sincerely,
Travis Walters
Hello again,
For other coldfusion developers, I found a few things that are quite useful.
This feature is undocumented in coldfusion 7 but it works:
Script Protection Attribute in Cfapplication
It does not protect against all XSS attacks, but its better than nothing.
The Adobe Coldfusion Security Center also has some nice information:
Adobe Coldfusion Security Center
Hope this helps other developers.
Sincerely,
Travis Walters
There are currently 1 users browsing this thread. (0 members and 1 guests)
| vBulletin v4.0.2 ©2010, Jelsoft Enterprises Ltd.
|
Copyright 2005-2010 |
LinkBack URL
About LinkBacks
Reply With Quote
