CodeCall Programming Forum > Web Development Forum > JavaScript and CSS
#21
01-15-2008, 01:46 PM
twalters84 (Learning Programmer; Join Date: Oct 2007; Posts: 56)
File Spoofing?

Hello again,

You've got to be kidding me, right? I am going to assume you're not.

By spoofing, you mean taking an EXE file and giving it a JPG extension right?

So what happens when you do something like the following when a file is spoofed?

<img src="spoofedFile.JPG">

My first thought is that it would show a box with an X through it. That is at least what happens when a JPG cannot be found.

My biggest question is how do you tell a file is spoofed upon uploading it? How is that prevented?

The more I learn about securing a website, the more I hate hackers. The worst thing is I bet the majority of programmers do not even take measures to secure a website like this.

Thanks again for any information you can provide me with. If there was a security class in my area, I would definitely take that. For now, this is the best I've got, so I really appreciate it.

Sincerely,
Travis Walters
admin@codebuyers.com

Last edited by twalters84; 01-15-2008 at 01:48 PM.
#22
01-15-2008, 01:56 PM
John (Co-Administrator; Join Date: Jul 2006; Age: 21; Posts: 5,835)
I am not kidding, and I have no clue how to check against this. I would suppose maybe checking the content headers. Generally though, from my experience, images are usually spoofed as shell scripts. I have never spoofed a file, so I have no clue how it works.
#23
01-15-2008, 05:03 PM
TcM (Code Warrior; Join Date: Aug 2006; Posts: 11,461)
So you are saying that we should not even accept JPG/GIF files to be uploaded?
#24
01-15-2008, 05:41 PM
twalters84 (Learning Programmer; Join Date: Oct 2007; Posts: 56)
Another Good Article

Hey there,

I found another good article here:

Application Security with Coldfusion

The part that I found very interesting and is related to our latest discussion is the following:

Quote:
A common task that can be very dangerous. People can upload a file and then execute that file on your server. In <cffile>, many people use the accept="" attribute to limit the kinds of files you can upload, but this isn't the greatest approach. A hacker can spoof the mime type. So, one could upload a ColdFusion page, spoof the mime type, and execute the ColdFusion page. This spoofing can easily be done with ColdFusion.

Best practices: Upload to a directory outside the web root or to a static content server. Always check the file extension (cffile.serverFileExt), although this is obviously not reliable, but it would stop someone from executing a ColdFusion page when it has an image mime type (as an example). Use the accept="" attribute, just don't rely on it. Also check the filename to avoid XSS. Otherwise, a person could have JavaScript in the filename that could be executed. The combination of these things would make it very challenging to exploit uploading.

Uploading files to a different server for storage may be a good idea. Does anybody know of any good hosts that are strictly for storage? If I do this, I would definitely need something reliable.

However, I wonder if I created a separate directory just for uploads if that would solve the problem. I am wondering if maybe there is a way to make everything non-executable in that folder somehow?

Sincerely,
Travis Walters
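The question in post #21 (how do you tell on upload that a file is not really a JPG?) and the best-practices list quoted in post #24 (check the extension, don't trust the client's MIME type, sanitize the filename, store outside the web root) can be combined into one upload check. The following is an added example written for this thread; it is not code from the thread, from the quoted article, or from ColdFusion. It is written in Python rather than CFML so it can be run stand-alone, and the upload root /var/app/uploads, the function names and the sample byte strings are all assumptions constructed for the example. The idea is language-neutral: the extension is what the uploader claims, the leading bytes ("magic bytes") are what the file actually is, and the two must agree.

```python
import os
import re
import secrets
from pathlib import Path

# Hypothetical storage root outside the web root (an assumption, not a path from the thread).
UPLOAD_ROOT = Path("/var/app/uploads")

# Leading bytes of the image formats discussed in the thread (JPEG, GIF) plus PNG.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
MIME_FOR = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif", "png": "image/png"}

# Anything outside this character set is replaced, so a filename cannot carry HTML or path parts.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def extension_of(filename):
    """Lower-cased extension after the last dot, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def content_matches_extension(ext, data):
    """True only when the file's leading bytes are a known signature for the claimed extension."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def sanitize_filename(filename, prefix=None):
    """Drop directory components and unsafe characters, then prepend a random token
    so the stored name is never attacker-chosen verbatim."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = _UNSAFE.sub("_", base).lstrip(".")[:64] or "upload"
    return f"{prefix or secrets.token_hex(8)}-{base}"


def validate_upload(filename, data, claimed_mime=None):
    """Return (accepted, reason, stored_name); rejects at the first failed check."""
    ext = extension_of(filename)
    if ext not in MAGIC:
        return False, f"extension '.{ext}' is not an allowed image type", None
    if not content_matches_extension(ext, data):
        # This is the case from post #21: a non-image renamed to .jpg.
        return False, "file content does not match its extension", None
    if claimed_mime is not None and claimed_mime != MIME_FOR[ext]:
        # The client-supplied MIME type is advisory only, but a mismatch is still grounds to reject.
        return False, "claimed MIME type does not match content", None
    return True, "ok", sanitize_filename(filename)


def storage_path(stored_name, root=UPLOAD_ROOT):
    """Resolve the final path under the upload root and refuse anything that escapes it."""
    root = root.resolve()
    target = (root / stored_name).resolve()
    if target.parent != root:
        raise ValueError("stored name escapes the upload directory")
    return target


# Constructed sample inputs: the first bytes of a real JPEG (SOI marker + JFIF header),
# and a harmless shell script that has merely been renamed with a .jpg extension.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16
RENAMED_SCRIPT = b"#!/bin/sh\necho renamed\n"

if __name__ == "__main__":
    cases = [("holiday.jpg", JPEG_SAMPLE), ("holiday.jpg", RENAMED_SCRIPT),
             ("holiday.gif", JPEG_SAMPLE), ("page.cfm", JPEG_SAMPLE)]
    for name, blob in cases:
        ok, why, stored = validate_upload(name, blob)
        where = f" (stored as {storage_path(stored)})" if ok else ""
        print(f"{name:12} -> {'accept' if ok else 'reject'}: {why}{where}")
```

This also answers the question in post #23: you keep accepting JPG and GIF, you just verify that each upload really is one before it is stored. The magic-byte check is a first filter, not proof of a clean file; the stronger controls are the ones the article lists, namely keeping the upload directory outside the web root (or on a static host) so nothing in it can be executed regardless of what it contains, and, where possible, decoding and re-encoding the image with an image library so only pixel data survives.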
#25
01-15-2008, 08:35 PM
twalters84 (Learning Programmer; Join Date: Oct 2007; Posts: 56)
Some Documentation

Hello again,

For other ColdFusion developers, I found a few things that are quite useful.

This feature is undocumented in ColdFusion 7, but it works:

Script Protection Attribute in Cfapplication

It does not protect against all XSS attacks, but it's better than nothing.

The Adobe ColdFusion Security Center also has some nice information:

Adobe ColdFusion Security Center

Hope this helps other developers.

Sincerely,
Travis Walters