pf » Tag: xss on Pete Freitag's Blog

I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc) and then logs, filters, or blocks the request.

With the addition of a dozen new type values for the cfparam tag in ColdFusion 7, it has become a handy tool for validation.

I have a little trick for those of you who are using earlier versions of ColdFusion that don't support the new types for validation.

This should be an eye opener to many. In September Mitre reported that web application vulnerabilities are claiming the top three spots on their CVE request list, beating out Buffer Overflows.

Cross Site Scripting (21.5%)SQL Injection (14%)PHP includes (9.5%)Buffer overflows (7.

There is a good presentation on Google Video called How To Break Web Software - A look at security vulnerabilities in web software given by Mike Andrews to Google staff. Mike's book also happens to be called How to break web software.

It seams that someone recently hacked myspace.com, the ColdFusion powered community site with millions of users.

ColdFusion MX 7 has a new feature that lets you "lets you protect one or more variable scopes from cross site scripting (XSS) attacks". It can be turned on in the cfapplication tag using the scriptProtect attribute, or in the ColdFusion Administrator as a global setting.