November 25, 2008

Security reminder - Are you using scriptprotect?

One of our applications had an entry in the ColdFusion exception logs today:

ScriptProtect error replacing insecure tag in scope CGI;

Essentially someone (via an automated process) was probing our application for a weakness by requesting URLs like:

http://www.mysite.com/?mode=>'><script>alert(40891)</script>

Luckily we use scriptprotect (among many other defensive techniques) to prevent this type of thing from causing any damage. But I just thought I’d throw out a quick reminder to EVERYONE using CF7+ (or Railo) to make sure to use the scriptprotect attribute of either the cfapplication tag or Application.cfc.

It is simple to do (set once and forget) and helps protect you against XSS attacks. Since it’s even easier to implement than cfqueryparam, there really isn’t any excuse to get caught with your pants down by not using it!
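As an added example (not code from the original post), here is what the setting looks like in both places mentioned above; the application name "mysite" is a placeholder:

```cfml
<!--- Application.cfc: per-application settings, evaluated on every request --->
<cfcomponent output="false">
    <!--- placeholder application name --->
    <cfset this.name = "mysite">

    <!---
        scriptProtect accepts "none", "all", or a comma-delimited list of
        the scopes to scan: "url,form,cgi,cookie". With "all", ColdFusion
        rewrites the opening tag of <script>, <object>, <embed>, <applet>
        and <meta> found in those scopes to <InvalidTag> before your code
        runs, and writes a "ScriptProtect error replacing insecure tag"
        entry to the exception log (the line quoted at the top of the post).
    --->
    <cfset this.scriptProtect = "all">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!---
    Equivalent one-liner for sites still on Application.cfm:
    <cfapplication name="mysite" scriptprotect="all">
--->
```

Note that scriptProtect only rewrites that short list of tags, so user-supplied values written back to the page still need output encoding (for example HTMLEditFormat()) to close the other XSS vectors.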

© Michael Sharman 2017