
Thanx to some good ole fashioned hackers... They are trying to insert some trash code.

20-Feb-21'[0] is not a valid date/time format 20-Feb-21'[A=0] is not a valid date/time format

By slipping in bad code into my date time or wherever.

So I am controlling some things this way.

      <cfif #cgi.query_string# contains '{0}'>
      <cfabort>
      </cfif>

But is there a way I can just validate the string and if bad - do the same thing? It doesn't happen often, but I just happen to be looking at the log files and saw this garbage.

I am also killing any known bots if I can sniff them...

      <cfif #cgi.HTTP_USER_AGENT# contains 'bot'>
      <cfabort>
      </cfif>

Any other suggestions, folks? Thx.

Merle_the_Pearl
  • Have you checked out FuseGuard or Portcullis? https://foundeo.com/security/fuseguard/ http://www.codfusion.com/blog/page.cfm/projects/portcullis You should also consider using a WAF (like StackPath or CloudFlare) for DDoS protection. – James Moberg Mar 02 '21 at 23:15
  • You can check if a date is valid with isDate https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-in-k/isdate.html. Would your bot code block googlebot and others indexing your site? – luke Mar 03 '21 at 02:46
  • OWASP is always a good security resource. Read through their various cheatsheets. https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html Rather than blacklisting things, go for whitelisting. `isDate` is definitely worth a look. And don't only filter on the client side. Do it on the server side, too. – Shawn Mar 03 '21 at 12:57
  • Fix your bad code, then you don't need protection for something you could have full control of. Always sanitize input, never trust external data. Just because your UI doesn't offer it, doesn't mean that nobody can exploit it. – Alex Mar 03 '21 at 21:52
  • Probably the least of your problems, but bear in mind that your user agent block will also block some 'good' bots such as `Googlebot` and `bingbot`, which you might not want to do if this is for a public facing site where the client cares about SEO. – Sev Roberts Mar 04 '21 at 13:30
  • As others have alluded to, the approach in your question is too little and in the wrong place. A thorough response would be too long for a SO answer, never mind a comment, but: Sanitize user input as much as possible. Queryparam to prevent SQL injection. No path traversal based on user input. If you know what type+range a valid value must be, then verify it before using it, and redirect/abort/replace with a default value if it isn't, i.e. whitelisting what you can at the page/object/function level. Blacklist known bad patterns at onRequestStart or let FuseGuard do it for you. Get a WAF if you can. – Sev Roberts Mar 04 '21 at 13:51
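An added example (not the asker's code and not from any commenter) that applies the isDate and whitelisting advice above inside onRequestStart: it assumes an Application.cfc and a single date parameter named startDate in the dd-Mon-yy shape seen in the log line. Because isDate accepts many formats, a shape check pins the one the page expects before the parse.

```cfml
component {
    this.name = "validatedDates";

    // Added example (hypothetical Application.cfc): validate the parameters the
    // page actually expects on every request, instead of scanning the query
    // string for fragments such as "{0}". The name "startDate" is an assumption.
    public boolean function onRequestStart(required string targetPage) {
        if (structKeyExists(url, "startDate")) {
            var candidate = trim(url.startDate);

            // Whitelist the expected shape first: dd-Mon-yy or dd-Mon-yyyy,
            // e.g. 20-Feb-21 (the format seen in the log). Anything else,
            // including appended quotes or brackets, fails here.
            var shapeOk = reFindNoCase("^\d{1,2}-[A-Za-z]{3}-\d{2,4}$", candidate) > 0;

            // Then confirm it is a real calendar date (isDate rejects 31-Feb-21).
            if (!shapeOk || !isDate(candidate)) {
                // Record the rejected value for log review, then refuse the request
                // with a 400 rather than letting a later date function throw.
                writeLog(type="warning", file="input-validation",
                         text="Rejected startDate [" & candidate & "] from " & cgi.remote_addr);
                cfheader(statusCode=400, statusText="Bad Request");
                abort;
            }

            // Hand the rest of the request a real date object, so downstream
            // code never touches the untrusted string again.
            request.startDate = parseDateTime(candidate);
        }
        return true;
    }
}
```

Pages then read request.startDate instead of url.startDate; any parameter the page does not expect can be ignored rather than inspected.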
