Friday, June 12, 2009

Cross Site Scripting and SQL Injection in CGI scope

This is not another post telling you what 100 others already have. We all know you need to check....
However, a few variables are often forgotten when checking for cross-site scripting (XSS) and SQL injection.
ColdFusion has a scope called CGI. It holds request and server variables such as CGI.QUERY_STRING and CGI.SCRIPT_NAME, and those values are built from the incoming request, so they are attacker-controlled in exactly the same way as URL and FORM variables (the same goes for CGI.PATH_INFO, CGI.HTTP_REFERER and CGI.HTTP_USER_AGENT). If you put either of these into a query or write them back to the page without cfqueryparam or output encoding, they are susceptible to attack too. I have seen a malformed URL create attacks in both of these.
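To make the point concrete, here is an added example (not code from the original post) of a page that reads its record id out of CGI.PATH_INFO and echoes CGI variables back to the browser, first in the vulnerable form and then hardened. The datasource name `appDS`, the `articles` table with an integer `id` column, and the URL layout `/article.cfm/<id>` are all assumptions for the example.

```cfml
<!--- Added example, not from the original post. Assumes a datasource "appDS",
      a table "articles" with an integer "id" column, and that article.cfm is
      reached as /article.cfm/<id>, so the id arrives in CGI.PATH_INFO. --->

<!--- BEFORE: CGI values dropped straight into SQL and HTML. --->
<cfset articleId = ListLast(CGI.PATH_INFO, "/")>

<!--- Unquoted numeric context: ColdFusion's automatic single-quote
      escaping inside cfquery does not apply here, so a request for
      /article.cfm/1 OR 1=1 returns every row. --->
<cfquery name="article" datasource="appDS">
    SELECT id, title FROM articles WHERE id = #articleId#
</cfquery>

<!--- Reflected XSS: the raw query string and referer land in the page,
      so a crafted link carrying <script> in either one runs in the browser. --->
<cfoutput>
    <p>Requested #CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#</p>
    <p>Came from #CGI.HTTP_REFERER#</p>
</cfoutput>

<!--- AFTER: validate the type, bind with cfqueryparam, encode on output. --->
<cfset articleId = ListLast(CGI.PATH_INFO, "/")>
<cfif NOT isValid("integer", articleId)>
    <cfthrow type="BadRequest" message="Invalid article id">
</cfif>

<cfquery name="article" datasource="appDS">
    SELECT id, title FROM articles
    WHERE id = <cfqueryparam value="#articleId#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput>
    <!--- HTMLEditFormat() is available on ColdFusion 8/9; on CF10 and later
          EncodeForHTML() is the better choice for HTML body context. --->
    <p>Requested #HTMLEditFormat(CGI.SCRIPT_NAME)#?#HTMLEditFormat(CGI.QUERY_STRING)#</p>
    <p>Came from #HTMLEditFormat(CGI.HTTP_REFERER)#</p>
</cfoutput>
```

Two things worth noting. ColdFusion doubles single quotes in variables interpolated inside a cfquery, but only when the value sits inside a quoted string literal and only until someone adds PreserveSingleQuotes(); an unquoted numeric comparison like the one above gets no protection at all, whereas cfqueryparam covers both cases and also enforces the type. For the output side, treat every CGI variable the way you would treat a URL parameter: encode it for the context it is written into.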

Here is one ColdFusion tool that may help you, Portcullis, a request filter for SQL injection and XSS patterns: http://portcullis.riaforge.org/ . Treat a filter like this as defence in depth on top of cfqueryparam and output encoding, not as a replacement for them; a pattern filter can be bypassed, a bound parameter cannot.
