Restricting Cross Site Scripting attacks while working with ColdFusion is not so difficult. Add the following lines of code to your ColdFusion files to ward off these attacks.
<!--- Reject the request when no Referer was sent, or when the Referer does not contain this server's host name. --->
<cfif NOT len(CGI.HTTP_REFERER) OR NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)>
<cfoutput>An external host trying to communicate with the CFM template.</cfoutput>
<cfabort>
</cfif>
Do NOTE that we have used two ColdFusion CGI variables here -
CGI.HTTP_REFERER: Full URL of the page that sent (referred) the current request, for example the template containing the form that posted the data.
CGI.HTTP_HOST: Host name of the server that received the request, as given in the request's Host header.
This piece of code simply checks whether HTTP_HOST appears anywhere in HTTP_REFERER (and that a referer was sent at all); if not, the request is treated as coming from another site and the template aborts.
Best Practice: We can keep this piece of code in one CFM template and CFINCLUDE it at the top of every CFM template in the project, so the check is applied consistently to prevent Cross Site Scripting attacks.
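The same check can be applied once for the whole application instead of being included in each template. The following Application.cfc is an added example, not code from the original post: it runs the referer test from onRequestStart(), which ColdFusion calls before every request, and it compares the referer's host name exactly with CGI.HTTP_HOST rather than with a substring search (FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER) would also accept a referer such as https://example.com.attacker.test/ for host example.com). It limits the check to POST requests so that a plain GET of the first page, which legitimately has no referer, is not rejected. The application name and the rejection message are assumptions.

```cfml
<!--- Application.cfc (added example): central referer check for every request.
      Assumes a site served from a single host name. --->
<cfcomponent output="false">
    <cfset this.name = "refererCheckExample">

    <cffunction name="refererHost" access="private" returntype="string" output="false">
        <cfargument name="referer" type="string" required="true">
        <cfset var host = "">
        <!--- Extract the host part of a full URL: drop the scheme, then cut at the
              first "/", ":", "?" or "#". A malformed value yields "". --->
        <cfset host = reReplaceNoCase(arguments.referer, "^https?://", "")>
        <cfset host = reReplace(host, "[/:?##].*$", "")>
        <cfreturn lCase(host)>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var expected = "">
        <cfset var actual = "">
        <!--- Only state-changing (POST) requests are checked; a GET that starts a
              session normally carries no Referer at all. --->
        <cfif cgi.request_method EQ "POST">
            <!--- HTTP_HOST may carry a port (host:8500); compare the host name only. --->
            <cfset expected = lCase(listFirst(cgi.http_host, ":"))>
            <cfset actual = refererHost(cgi.http_referer)>
            <!--- Exact host comparison instead of the substring test in the post. --->
            <cfif NOT len(cgi.http_referer) OR actual NEQ expected>
                <cfheader statuscode="403" statustext="Forbidden">
                <cfoutput>An external host trying to communicate with the CFM template.</cfoutput>
                <cfabort>
            </cfif>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Two points to keep in mind when relying on this check: the Referer header is supplied by the client and is often stripped by browser privacy settings or a Referrer-Policy, so legitimate users can be rejected, and a non-browser client can set it to anything, so the check only filters requests that a victim's browser makes on behalf of another site. Log the rejections so that a spike in them is visible to operations.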
Hope this tip would be useful. Any suggestions are welcome.
Thanks,
Eliza