Detecting SQL Injection with ScriptProtect

It occurred to me this morning that ScriptProtect can be a handy feature for globally catching a few forms of SQL injection attacks.
WARNING - just as ScriptProtect cannot protect against all forms of XSS attacks, this solution DOES NOT protect you from all SQL injection attacks.
You can edit and add the regular expression patterns for the ScriptProtect feature in ColdFusion MX 7 by editing neo-security.xml, located in WEB-INF/cfusion/lib. Add the following pattern under the default cross-site scripting pattern.
<var name=";.*(select|insert|update|delete|drop|alter|create)"> <string>SQL_INJECTION_ATTEMPT</string> </var>
I first tried just using a ; as the pattern, but that caused problems with some of the variables in the CGI scope (things like User Agent often have semicolons in them). So the pattern now looks for a semicolon, followed by zero or more characters, followed by select, insert, update, delete, drop, alter or create.
Don't expect to catch all possible SQL Injection attacks with this, so don't trust it to stop them. I'm just posting this FYI.
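As an added example that is not part of the original post, the following Python applies the post's pattern, matt's alternative from the comments and the post's pattern extended with speqy's extra keywords to a few constructed request values, showing which inputs each one flags and which it misses. The sample values, case-insensitive matching and the replace-with-token behaviour are assumptions, not something the post states.

```python
import re

# ScriptProtect-style patterns: the one from the post, matt's alternative
# (comment 4), and the post's pattern with speqy's extra keywords (comment 5).
PATTERNS = {
    "post": r";.*(select|insert|update|delete|drop|alter|create)",
    "matt": r"\s*(select|insert|update|delete|drop|alter|create)",
    "extended": r";.*(select|insert|update|delete|drop|alter|create|exec|cast|declare)",
}
REPLACEMENT = "SQL_INJECTION_ATTEMPT"  # the <string> value from the neo-security.xml entry

# Constructed sample request values (not taken from the post).
SAMPLES = {
    "cgi_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101",
    "benign_search": "select your favourite colour",
    "stacked_statement": "1; DROP TABLE users--",
    "inline_or": "1 OR 1=1",
    "declare_only": "1; DECLARE @q VARCHAR(10)",
}


def flagged(pattern_name, value):
    """True if the named pattern matches anywhere in value.
    Assumption: matching is case-insensitive, as with most such filters."""
    return re.search(PATTERNS[pattern_name], value, re.IGNORECASE) is not None


def scrub(pattern_name, value):
    """Mimic ScriptProtect replacing the matched text with the <string> token.
    Assumed behaviour; confirm against your engine's documentation."""
    return re.sub(PATTERNS[pattern_name], REPLACEMENT, value, flags=re.IGNORECASE)


def evaluate(pattern_name):
    """Map each sample value to whether the named pattern flags it."""
    return {name: flagged(pattern_name, v) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name in PATTERNS:
        print(name, evaluate(name))
    print(scrub("post", SAMPLES["stacked_statement"]))
```

The post's pattern leaves the user agent alone and catches the stacked statement, but misses the inline "OR 1=1" and the DECLARE-only value; matt's keyword-only pattern flags the benign search phrase.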
Tags: scriptprotect, sql injection, security, coldfusion 7
Comments
On 05/19/2005 at 8:32:34 PM EDT Brian G wrote:
What happens if this pattern is detected? Does it throw an error you can catch with CFCATCH or just put something in the logs?
On 05/29/2005 at 4:01:57 PM EDT Anonymous wrote:
Hmmm strange, because this won't work:
;.*(select|insert|update|delete|drop|alter|create)
If that is used as a regular expression, then it never even reaches the select, insert, etc., etc., because the . character is acting like a lazy match, which finds ANYTHING beyond the ; character.
On 10/27/2005 at 7:02:31 PM EDT David S wrote:
This would be great if it worked. Tried it and it didn't prevent a SQL injection attack. It also caused errors in the CGI scope.
On 08/22/2007 at 10:41:17 AM EDT matt wrote:
I used this instead and it worked great.
\s*(select|insert|update|delete|drop|alter|create)
On 08/18/2008 at 7:44:55 PM EDT speqy wrote:
also need to test for exec|cast|declare -- to prevent attacks where the SQL code is encoded as a hex string