pf » Detecting SQL Injection with ScriptProtect
Detecting SQL Injection with ScriptProtect
It occurred to me this morning that ScriptProtect can be a handy feature for globally catching a few forms of SQL Injection Attacks
WARNING - just like its inability to protect against all forms of XSS attacks this solution DOES NOT protect you from all SQL Injection attacks.
You can edit, and add the regular expression patterns for the scriptprotect feature in ColdFusion MX 7 by editing neo-security.xml located in WEB-INF/cfusion/lib. Add the following pattern under the default cross site scripting pattern.
<var name=";.*(select|insert|update|delete|drop|alter|create)"> <string>SQL_INJECTION_ATTEMPT</string> </var>
I first tried just using a ; as the pattern - but that caused problems with some of the variables in the CGI scope (things like User Agent often have semi-colon's in them). So the pattern now looks for a semi-colon followed by zero or more characters followed by a select, insert, update, delete, drop alter or a create.
Don't expect to catch all possible SQL Injection attacks with this, so don't trust it to stop them. I'm just posting this FYI.
add to del.icio.us
| Tags: scriptprotect, sql injection, security, coldfusion 7
Related Entries
- Devnet Article on Securing CF From SQL Injection - April 9, 2009
- ScriptProtect in ColdFusion MX 7 not a catch all - May 17, 2005
- Mastering CFQUERYPARAM - July 24, 2008
- Announcing Web Application Firewall for ColdFusion - July 9, 2007
- CFPARAM for Simple String Validation - May 29, 2007
;.*(select|insert|update|delete|drop|alter|create)
If that is used a as a regular expression, then it never even reaches the select, insert, etc etc. Because the . character is acting like a lazy match. Which finds ANYTHIGN beyond the ; character.
\s*(select|insert|update|delete|drop|alter|create)
- ColdFusion 8 FCKeditor Vulnerability
- Ajax Same Origin Policy No More with Firefox 3.5
- Firefox 3.5 Introduces Origin Header, Security Features
- Tips for Secure File Uploads with ColdFusion
- 7 Years And Blog Entry Number 700
- CFCatch Java Exceptions
- Cheat Sheet for SQL Server
- CFML on Google App Engine for Java
RSS
Pete Freitag is a software engineer, and web developer located in central new york.
Pete's company Foundeo Inc. builds products for web developers and provides consulting services.
In 2003 Pete published the ColdFusion MX Developers Cookbook with SAMs Publishing.
More about Pete.
