Tuesday, June 08, 2004

Oy the pains of cross-scripting

Today, as I have been looking at the CF app logs, I have seen a lot of cross-site scripting attacks. Mostly generated at our behest, by a service that tests our security.

However we also have a tool to help prevent that, Microsoft's Urlscan.

A very interesting tool to play with and to configure; however, it seems to be missing something, because cross-site scripting just comes right through.

Now I have played with using some Regular Expressions that can sit on each application's page, but it is a painful performance hit to force it to loop through each URL variable and validate and verify it.

But UrlScan seems to lack the additional options or configuration that would prevent JavaScript from running from the URL.

Now every day I look at my logs, especially in the morning, and someday I want there to be no errors there; of course that may not be a realistic wish. One can hope, can't they??? :)

There was one option called DenyUrlSequences, which left me with some hope of being able to prevent JavaScript from loading.

It was just a simple alert script, but still it kept popping up with its annoying message.

My attempt in CFML was to use regex to allow only certain URL variables, and if there are any bad URL variables, to do a cflocation with the newly cleaned-up URL variables and values.

We may possibly end up doing that, but we'd rather not have to scan each page's URL variables for validity.
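Here is what that allowlist-and-redirect approach looks like as an added CFML example; it is not the post's own code, and the variable names (id, page) and their value patterns are assumptions for a hypothetical page.

```cfml
<!--- Added example (not the post's own code): allow only known URL
      variables whose values match a strict pattern, and if anything else
      shows up, cflocation back to this page with the cleaned-up query
      string. The names "id" and "page" and their patterns are assumed. --->
<cfscript>
// Which URL variables this page accepts, and what their values may look like.
allowed = structNew();
allowed["id"]   = "^[0-9]{1,10}$";            // numeric key only
allowed["page"] = "^[a-zA-Z0-9_-]{1,40}$";    // short slug, no markup chars

// Walks a scope (here the URL scope) and rebuilds the query string from the
// variables that pass. Returns a struct: params (clean query string) and
// changed (true when anything was dropped, so the caller should redirect).
function cleanUrlScope(scope, allowed) {
    var result = structNew();
    var keys = structKeyArray(scope);
    var key = "";
    var i = 0;
    result.params = "";
    result.changed = false;
    for (i = 1; i LTE arrayLen(keys); i = i + 1) {
        key = keys[i];
        if (structKeyExists(allowed, key)
            AND reFind(allowed[key], scope[key]) GT 0) {
            // Known variable with a value that matches its pattern: keep it,
            // re-encoding the value so the redirect URL is well formed.
            result.params = listAppend(result.params,
                lCase(key) & "=" & urlEncodedFormat(scope[key]), "&");
        } else {
            // Unknown variable, or a value with unexpected characters
            // (tags, quotes, script): drop it and remember we did.
            result.changed = true;
        }
    }
    return result;
}

cleaned = cleanUrlScope(url, allowed);
</cfscript>

<cfif cleaned.changed>
    <!--- Send the browser back to this page with only the good variables,
          so the offending values never reach the rest of the template. --->
    <cflocation url="#cgi.SCRIPT_NAME#?#cleaned.params#" addtoken="no">
</cfif>
```

The check runs once per request at the top of the template (or in Application.cfm), which keeps the per-page cost to one pass over the URL scope.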

What have the rest of you done to prevent this?

If I may be so bold, I want to thank all of you for the honor of providing some little tidbit that may be of use to you.

Thanks, Salud!

2 comments:

  1. Anonymous, 11:53 PM

    Any reason you can't just use mod_rewrite or ISAPI_rewrite to look for suspicious URL content?

    --
    Roger Benningfield

  2. I suppose we could, but we already are using UrlScan to do this job; I don't want to load another ISAPI filter unless necessary.
