3

I am using ColdFusion 8 and jQuery 1.7.2.

I am using CFAJAXPROXY to pass data to a CFC. Doing so creates a JSON array (argument collection) and passes it through the URL. The string can be very long, since quite a bit of data is being passed.

The site that I am working on has existing code that limits the length of any URL query string to 250 characters. This is done in the application.cfm file by testing the length of the query string. If any query string is greater than 250 characters, the request is aborted. The purpose of this was to ensure that hackers or other malicious code wouldn't be passed through the URL string.

Now that we are using the query string to pass JSON arrays in the URL, we discovered that the Ajax request was being aborted quite frequently.

We have many other security practices in place, such as stripping any "<>" tags from code and using CFQUERYPARAM.

My question is whether limiting the length of a URL string for the sake of security is a good idea or simply ineffective?

Evik James
  • @dgabriel, if that's your answer, please put it as an answer and not a comment. I'd like to select it if it turns out to be the best answer. – Evik James Apr 19 '12 at 16:30
  • The answer to your last Q is "ineffective" – Henry Apr 19 '12 at 18:04
  • Can you not use a POST instead of a GET, so the data ain't in the URL, thus removing the URL length as a consideration..? – Adam Cameron Apr 19 '12 at 19:35
  • @AdamCameron, great question. Maybe you can answer that for me. I don't know if you can specify post/get in CFAJAXPROXY, but I will check. Thanks for the hint. – Evik James Apr 19 '12 at 20:01
  • I've never used ``, Evik, but I had a look at the docs (http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-79f9.html), and there's a setHTTPMethod() method on the JS proxy object CF creates for you. That should do the trick, I think? – Adam Cameron Apr 19 '12 at 23:37

4 Answers

4

There is absolutely no correlation between URI length and security; rather, it is more a question of:

  1. Limiting the amount of information that you provide to a user agent to a 'Need to know basis'. This covers things such as the type of application server you run and associated conventions, the web server you run and associated conventions and the operating system on the host machine. These are essentially things that can be considered vulnerabilities.
  2. Reducing the impact of exploiting those vulnerabilities, i.e. introducing patches, ensuring correct configuration etc.

As alluded to above, at the web tier, this doesn't only cover GETs (your concern), but also POSTs, PUTs, DELETEs or just about any other operation on an HTTP resource.

William Greenly
2

Moved this into an answer for Evik -

That seems (at best) completely unnecessary if the inputs are being properly sanitized. I'm sure someone clever can quickly defeat a "security by small doorway" defense, assuming that's the only defense.

OWASP has some good, sane guidelines for web security. As far as I've read, limiting the size of the url is not on the list. For more information, see: https://www.owasp.org/index.php/Top_10_2010-Main

I would also like to echo Hereblur's comment that this makes internationalization tricky, or maybe impossible.

dgabriel
1

I'm not a ColdFusion developer. But I think it's the same with other languages.

I think it helps just a little bit. The problem of malicious code or SQL injection should be handled by your application.

I agree that limiting the length of the query string value is safer and adds more difficulty for hackers. But you can't do this with POST data, and it limits some functionality. For example, one UTF-8 character may take 9 characters after encoding. That means you can put only 27 non-English characters.

Hereblur
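Hereblur's UTF-8 arithmetic and the other answers' point that a length cap is blind to content, worked through as an added JavaScript example (not code from the question or any answer); the query-string parameter names and the saveNote schema are assumptions made for the example, not the real cfajaxproxy wire format:

```javascript
// Added example: models the application.cfm gate from the question (abort any
// request whose query string exceeds 250 characters) against the kind of JSON
// argument collection cfajaxproxy sends in a GET URL. Parameter names and the
// schema below are assumptions for this example, not cfajaxproxy's real format.

const MAX_QUERY_STRING = 250; // the site's existing limit from the question

// Build a GET query string the way a JSON argument collection would travel:
// the JSON is percent-encoded into one parameter (parameter names assumed).
function buildQueryString(method, args) {
  return "method=" + encodeURIComponent(method) +
         "&argumentCollection=" + encodeURIComponent(JSON.stringify(args));
}

// The existing control: accept or abort purely on length, blind to content.
function lengthGateAccepts(queryString) {
  return queryString.length <= MAX_QUERY_STRING;
}

// Percent-encoding turns every UTF-8 byte into 3 characters, so a 3-byte
// character (Thai, most CJK) costs 9 characters of URL, as Hereblur notes.
function encodedChars(text) {
  return encodeURIComponent(text).length;
}

// A length-neutral alternative: parse the argument collection and check that
// every expected field is present with the right type and nothing extra is sent.
// Constructed allow-list for a hypothetical saveNote CFC method.
const SAVE_NOTE_SCHEMA = { note: "string", count: "number" };

function validateArgs(rawJson, schema = SAVE_NOTE_SCHEMA) {
  let args;
  try { args = JSON.parse(rawJson); } catch (e) { return false; }
  if (typeof args !== "object" || args === null || Array.isArray(args)) return false;
  const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  const onlyKnown = Object.keys(args).every(k => has(schema, k) && typeof args[k] === schema[k]);
  const allPresent = Object.keys(schema).every(k => has(args, k));
  return onlyKnown && allPresent;
}

// Constructed inputs: the same 27-character note in ASCII and in Thai.
// The ASCII note passes the length gate; the Thai one is aborted although
// both are equally harmless and both pass the schema check.
const asciiNote = { note: "a".repeat(27), count: 1 };
const thaiNote = { note: "ก".repeat(27), count: 1 };
```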
1

The only reason to limit has to do with performance and DOS attack - not security per se (though DOS is a security threat by bringing down your server). Web servers and App servers (including CF) allow you to limit the size of POST data so that your server won't be degraded by very large file uploads. URL data if substantial can result in long running requests as the server struggles to parse or handle or write or whatever.

So there is some modest risk here related to such things. Back in the NT days IIS 3 had a number of flaws that were "locked down" by limiting the length of the URL - but those days are long gone. There are far more exploits representing low hanging fruit that I would look at first before examining this issue too closely - unless of course you feel like you are having a specific problem with folks probing you (with long URLs I mean :).

Mark A Kruger