Page 3 of 3
Results 21 to 25 of 25

Thread: XSS Insertion Prevention

  1. #21
    twalters84 (Learning Programmer)

    File Spoofing?

    Hello again,

    You got to be kidding me, right? I am going to assume you're not.

    By spoofing, you mean taking an EXE file and giving it a JPG extension right?

    So what happens when you do something like the following when a file is spoofed?

    <img src="spoofedFile.JPG">

    My first thought is it would show a box with an X through it. That is at least what happens when a JPG cannot be found.

    My biggest question is how do you tell a file is spoofed upon uploading it? How is that prevented?

    The more I learn about securing a website, the more I hate hackers. The worst thing is I bet the majority of programmers do not even take measures to secure a website like this.

    Thanks again for any information you can provide me with. If there was a security class in my area, I would definitely take that. For now, this is the best I got, so I really appreciate it.

    Sincerely,
    Travis Walters
    admin@codebuyers.com
    Last edited by twalters84; 01-15-2008 at 12:48 PM.

  2. #22
    John (Co-Administrator)
    I am not kidding, and I have no clue how to check against this. I would suppose maybe checking the content headers. Generally though, from my experience, images are usually spoofed as shell scripts. I have never spoofed a file, so I have no clue how it works.

  3. #23
    TcM (Code Warrior)
    So you are saying that we should not even accept JPG/GIF files to be uploaded?

  4. #24
    twalters84 (Learning Programmer)

    Another Good Article

    Hey there,

    I found another good article here:

    Application Security with Coldfusion

    The part that I found very interesting and is related to our latest discussion is the following:

    A common task that can be very dangerous. People can upload a file and then execute that file on your server. In <cffile>, many people use the accept="" attribute to limit the kinds of files you can upload, but this isn't the greatest approach. A hacker can spoof the mime type. So, one could upload a ColdFusion page, spoof the mime type, and execute the ColdFusion page. This spoofing can easily be done with ColdFusion.

    Best practices: Upload to a directory outside the web root or to a static content server. Always check the file extension (cffile.serverFileExt), although this is obviously not reliable, but it would stop someone from executing a ColdFusion page when it has an image mime type (as an example). Use the accept="" attribute, just don't rely on it. Also check the filename to avoid XSS. Otherwise, a person could have JavaScript in the filename that could be executed. The combination of these things would make it very challenging to exploit uploading.

    Uploading files to a different server for storage may be a good idea. Does anybody know of any good hosts that are strictly for storage? If I do this, I would definitely need something reliable.

    However, I wonder if I created a separate directory just for uploads if that would solve the problem. I am wondering maybe if there is a way to make everything non-executable in that folder somehow?

    Sincerely,
    Travis Walters
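The checks the quoted article recommends (verify what the bytes actually are instead of trusting the extension, never reuse the client's filename, keep stored files outside the web root), written up as an added Python example rather than ColdFusion code from the thread. The signature table, the upload directory and the function names are my assumptions, not anything from the article.

```python
import os
import secrets

# Constructed signature table for the image types the thread discusses (JPG, GIF)
# plus PNG. The client-supplied extension is checked against these leading bytes;
# an EXE renamed to .jpg (the "spoofing" asked about above) fails this check.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Assumed storage location outside the web root, so a stored file can be served
# as static content but never executed as a page.
UPLOAD_DIR = "/srv/uploads"


def sniff_type(data: bytes):
    """Return the image type whose magic bytes open `data`, or None if no signature matches."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def validate_upload(client_name: str, data: bytes):
    """Return (ok, reason, server_name).

    server_name is chosen by the server (random hex plus a whitelisted extension), so no
    part of the client filename, including any script tags in it, reaches HTML or disk.
    """
    ext = os.path.splitext(client_name)[1].lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in SIGNATURES:
        return False, "extension not allowed", None
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content is not a recognised image", None
    if sniffed != ext:
        return False, f"extension .{ext} does not match content ({sniffed})", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


def storage_path(server_name: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Join the server-chosen name onto the upload directory and refuse anything that
    resolves outside it (defence in depth; the generated name never contains separators)."""
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, server_name))
    if os.path.dirname(path) != root:
        raise ValueError("refusing path outside the upload directory")
    return path
```

The extension whitelist plays the role of cffile.serverFileExt in the article, and the random server-side name is what makes the "JavaScript in the filename" problem moot.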

  5. #25
    twalters84 (Learning Programmer)

    Some Documentation

    Hello again,

    For other ColdFusion developers, I found a few things that are quite useful.

    This feature is undocumented in ColdFusion 7, but it works:

    Script Protection Attribute in Cfapplication

    It does not protect against all XSS attacks, but it's better than nothing.

    The Adobe ColdFusion Security Center also has some nice information:

    Adobe Coldfusion Security Center

    Hope this helps other developers.

    Sincerely,
    Travis Walters
