
Thread: XSS Insertion Prevention

  1. #21
    twalters84 is offline Learning Programmer
    Join Date
    Oct 2007
    Posts
    57
    Rep Power
    0

    File Spoofing?

    Hello again,

    You've got to be kidding me, right? I am going to assume you're not.

    By spoofing, you mean taking an EXE file and giving it a JPG extension right?

    So what happens when you do something like the following when a file is spoofed?

    <img src="spoofedFile.JPG">

    My first thought is that it would show a box with an X through it. That is at least what happens when a JPG cannot be found.

    My biggest question is how do you tell a file is spoofed upon uploading it? How is that prevented?

    The more I learn about securing a website, the more I hate hackers. The worst thing is I bet the majority of programmers do not even take measures to secure a website like this.

    Thanks again for any information you can provide me with. If there was a security class in my area, I would definitely take that. For now, this is the best I've got, so I really appreciate it.

    Sincerely,
    Travis Walters
    admin@codebuyers.com
    Last edited by twalters84; 01-15-2008 at 10:48 AM.
    spammy sig deleted

  3. #22
    Join Date
    Jul 2006
    Location
    Amherst, New York, United States
    Posts
    6,277
    Blog Entries
    26
    Rep Power
    20
    I am not kidding, and I have no clue how to check against this. I would suppose maybe checking the content headers. Generally though, from my experience, images are usually spoofed as shell scripts. I have never spoofed a file, so I have no clue how it works.

  4. #23
    Join Date
    Aug 2006
    Posts
    11,209
    Blog Entries
    6
    Rep Power
    101
    So you are saying that we should not even accept JPG/GIF files to be uploaded?

  5. #24
    twalters84 is offline Learning Programmer
    Join Date
    Oct 2007
    Posts
    57
    Rep Power
    0

    Another Good Article

    Hey there,

    I found another good article here:

    Application Security with Coldfusion

    The part that I found very interesting and is related to our latest discussion is the following:

    A common task that can be very dangerous. People can upload a file and then execute that file on your server. In <cffile>, many people use the accept="" attribute to limit the kinds of files you can upload, but this isn't the greatest approach. A hacker can spoof the mime type. So, a hacker could upload a ColdFusion page, spoof the mime type, and execute the ColdFusion page. This spoofing can easily be done with ColdFusion.

    Best practices: Upload to a directory outside the web root or to a static content server. Always check the file extension (cffile.serverFileExt), although this is obviously not reliable, but it would stop someone from executing a ColdFusion page when it has an image mime type (as an example). Use the accept="" attribute, just don't rely on it. Also check the filename to avoid XSS. Otherwise, a person could have JavaScript in the filename that could be executed. The combination of these things would make it very challenging to exploit uploading.

    Uploading files to a different server for storage may be a good idea. Does anybody know of any good hosts that are strictly for storage? If I do this, I would definitely need something reliable.

    However, I wonder if I created a separate directory just for uploads if that would solve the problem. I am wondering maybe if there is a way to make everything non-executable in that folder somehow?

    Sincerely,
    Travis Walters
    spammy sig deleted
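The checks the quoted article recommends (compare the file's real content with the extension it claims, and refuse filenames that could carry script) as an added example, not code from the thread or from the article; the magic-number table, the filename rule and the sample uploads are constructed here:

```python
# Added example: validate an upload by its leading bytes (magic number) and by a
# strict filename rule, instead of trusting the client-supplied MIME type.
import re

# Constructed allow list: file signatures for the image types the thread mentions.
MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}

# Only letters, digits, '_' and '-' in the base name, one short extension; no
# path separators, spaces or angle brackets, so nothing script-like survives.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def content_matches_extension(data, ext):
    sigs = MAGIC.get(ext)
    if not sigs:
        return False  # extension is not on the allow list at all
    return any(data.startswith(sig) for sig in sigs)


def check_upload(filename, data):
    """Return (accepted, reason) for a candidate upload."""
    if not SAFE_NAME.match(filename):
        return False, "filename contains characters we do not allow"
    ext = extension_of(filename)
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not content_matches_extension(data, ext):
        return False, "content does not match the claimed extension"
    return True, "ok"


# Constructed sample uploads for a local run.
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
EXE_AS_JPG = b"MZ\x90\x00" + b"\x00" * 16   # Windows executable header, .jpg name
SCRIPT_NAME = "<script>alert(1)</script>.jpg"

if __name__ == "__main__":
    for name, blob in [("photo.jpg", REAL_JPG), ("photo.jpg", EXE_AS_JPG),
                       (SCRIPT_NAME, REAL_JPG), ("page.cfm", b"<cfoutput>")]:
        print(name, check_upload(name, blob))
```

Storing accepted files under a server-generated name in a directory outside the web root, as the article suggests, removes the remaining dependence on the client's filename.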

  6. #25
    twalters84 is offline Learning Programmer
    Join Date
    Oct 2007
    Posts
    57
    Rep Power
    0

    Some Documentation

    Hello again,

    For other ColdFusion developers, I found a few things that are quite useful.

    This feature is undocumented in ColdFusion 7 but it works:

    Script Protection Attribute in Cfapplication

    It does not protect against all XSS attacks, but it's better than nothing.

    The Adobe Coldfusion Security Center also has some nice information:

    Adobe Coldfusion Security Center

    Hope this helps other developers.

    Sincerely,
    Travis Walters
    spammy sig deleted
