Blog

Day 3: Avoid Cross-site scripting (XSS) using ColdFusion 10 - Part 2

Yesterday I looked over three of the newly added security functions that help avoid XSS attacks on your website. Today let's look at the remaining functions: encodeForCSS, encodeForURL and canonicalize.

encodeForCSS:

As the function name says, it encodes your string so that it is safe to render in CSS. Normally I do not use dynamic CSS, but in certain cases you may want to change the background color of a div based on user input. User input??? Yes, and it is dangerous too, as we are again opening the door for a hacker to mount an XSS attack. Have a look at the sample below.

By Pritesh
Comments(0)
Tags: ColdFusion, ColdFusion10, security
Day 2: Avoid Cross-site scripting (XSS) using ColdFusion 10 - Part 1

ColdFusion 10 added a bunch of functions to avoid XSS attacks. An XSS attack (as explained above by Wikipedia) is scripting code or an iFrame in dynamic content which renders in the web page and creates a significant security risk. Most of us are already using HTMLEditFormat to encode user input (like comments on a blog post) to avoid unwanted HTML rendering. But HTMLEditFormat is not capable of preventing all kinds of XSS attacks, since this function encodes only <, >, & and ". This function will not help you avoid XSS in tag attributes, CSS and JavaScript. ColdFusion 10 introduces encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForURL and canonicalize to fight XSS attacks. In this post I will try to cover some of them.

By Pritesh
Comments(0)
Tags: ColdFusion, ColdFusion10, security
Day 1: ColdFusion 10 limits the number of POST request parameters to 100 by default.

Today I started celebrating ColdFusion month with a series of 30 blog posts on ColdFusion 10's new features, and here is the first one. This is really not a new feature or enhancement but a new administrator setting which may give a 400 error (it's not a 404) for a project already running in an older version of ColdFusion. In the administrator a new setting is available, "Maximum number of POST request parameters", which is set to 100 by default, meaning you can post a maximum of 100 parameters to ColdFusion on form submit. Normally 100 parameters are sufficient for any web page, but in my case I have a very complex search with numerous search parameters which exceed the ColdFusion administrator limit, and when I try to submit, the page gives a 400 ColdFusion error which at first glance I confused with a 404 error (it seems Adobe changed the default error template). Even though I have an onError method in Application.cfc to catch any ColdFusion error, it seems this is stopped at the server level before my Application.cfc executes. To make sure the page exists I pasted the URL directly in the browser and it seemed to work fine, which drove me crazy: why is it showing an error while submitting the page????

By Pritesh
Comments(4)
Tags: ColdFusion, ColdFusion10
Celebrating ColdFusion-X month

We all know ColdFusion 10 is out, and there have been lots of tweets regarding the release. As usual my first step was to install ColdFusion 10 on my dev computer; everything went smoothly and I started testing ColdFusion 10 with my existing projects which were running under CF9 before. Everything seems to be working well, so Adobe has taken care of backward compatibility. I have had a project on my development computer since the CF7 era, and this project was migrated to CF8 and CF9 as each new ColdFusion version was released. Moving from CF8 to CF9 was a really tedious job for us because the ExtJS version changed.

I found a list of new features in ColdFusion by Charlie Arehart and decided to check out all the new features (at least one per day) and blog about them. Below is the list of all 30 days in the series for ColdFusion 10. (I will add links as posts become available each day :) )

By Pritesh
Comments(0)
Tags: ColdFusion, ColdFusion10
Show a tooltip when an input element gets focus

Hello Friends,

Recently I have been working on one of our projects, and in it we want functionality to show a hint tooltip box (showing information related to that field) when an input element gets focus.

I used clueTip (a jQuery tooltip plugin) to show the hint tooltip box.

By Mahavir Dhruv
Comments(0)
Tags: jQuery, JavaScript, html
Problems, tips and tricks about Magento

Hello friends,

I am new to Magento. I found that many configurations have to be done before you make your Magento site live. So I thought I should list all the important configurations in one place, so that this list can be used as a checklist as well as tips and tricks for new Magento developers.

By Vikas
Comments(2)
Tags: Magento
Add CMS page links to the top navigation in Magento

I had a site running on Magento 1.6.2 CE.

To add a menu item, first of all you need to find out where it is added in the template file.

The following file renders categories as a menu on the top navigation.

By Vikas
Comments(13)
Tags: magento
Securing your ASP scripts against SQL injection

Recently I got an email from a client saying that his site was affected by malware and a Trojan virus. The Google Safe Browsing tool and other firewall security gateways were blocking some of the site's URLs.

The site was written in classic ASP. When I looked into the file contents, no files had been modified. Normally if hackers get the FTP details they modify files and add some iframe code that loads other virus-infected sites. But this wasn't the case here, so it might be a case of SQL injection. When I looked into the database tables, I found some fields containing HTML code. That HTML code was loading other sites which are virus infected. Our site does not allow anyone to add/edit records, yet records were modified. This was done by SQL injection using a query string parameter.

By Vikas
Comments(0)
Tags: asp, SQL injections
Cloning an SVN repository to Git on Windows

For a couple of weeks I have been working on implementing a Git repository for the codebase of all our projects. Before this we were using SVN for version control, but as Git is getting more popular we decided to move to Git. A week ago I wrote a post about creating a Git server and moving some code to Git which was not under any version control. Now it was time to move all our SVN repositories to Git, and of course I did not want to lose all my code revisions, comments etc. Git supports cloning from SVN, which makes the job much easier for us. There are three easy steps to clone SVN to Git.

By Pritesh
Comments(0)
Tags: GIT, SVN
Calculate an HMAC-SHA256 digest using a user-defined function in ColdFusion

Recently I have been working on the OpenID 2.0 protocol, in which I require an HMAC-SHA256 (Hash Message Authentication Code - Secure Hash Algorithm using 256 bit key length) digest to generate the encrypted MAC key. For that, I use the following UDF HMAC_SHA256(). I wrote this function by taking reference from an OpenID consumer library.

By Mahavir Dhruv
Comments(2)
Tags: OpenID, HMAC-SHA