Cross Site Scripting (CSS/XSS) Gotcha when using cfform
When using cfform, don’t leave the action attribute blank. This simple omission could leave you open to XSS/CSS (Cross Site Scripting) vulnerabilities. Why would you do this? Well, if you use an ordinary form tag and leave the action attribute blank, the form defaults to submitting to the page in the URL: the browser fills this in for you, but it can sometimes have unpredictable results. I think in 99% of cases we all put in an action attribute, but here is another reason to make it 100% of cases. We found this because a penetration test we had carried out at work recently did this in the URL (thankfully it wasn’t malicious!):
If you use cfform and leave action blank, ColdFusion will fill in the attribute using the CGI.QUERY_STRING variable. So, for example, your form is on a page with a URL of
And you use
ColdFusion will render this:
Which is OK, until you start wondering why the SumNum variable isn’t being parsed by your anti-hacking and XSS scripts. Usually any script that does this parsing will go through the FORM and URL scopes and strip nasty stuff out. That is fine, but ColdFusion goes back to a CGI variable, and that isn’t one that usually gets stripped.
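To make the point concrete, here is an added example (not code from the original post) showing the weak form beside two hardened versions. The page name calc.cfm is a made-up placeholder; the parameter name SumNum is taken from the post above. The third form assumes ColdFusion 10 or later for the encodeForHTMLAttribute and encodeForURL functions.

```cfml
<!--- Constructed example: this page is reached as /calc.cfm?SumNum=<whatever the caller sent> --->

<!--- Weak: no action attribute. ColdFusion derives one from CGI.SCRIPT_NAME plus
      CGI.QUERY_STRING, so the raw query string is echoed into the rendered
      <form action="..."> without ever passing through the FORM or URL scopes
      that an input-scrubbing filter normally covers. --->
<cfform method="post">
    <cfinput type="text" name="SumNum">
    <cfinput type="submit" name="go" value="Go">
</cfform>

<!--- Hardened: explicit, static action. Nothing from the request is interpolated
      into the attribute, so the query string cannot reach it at all. --->
<cfform action="calc.cfm" method="post">
    <cfinput type="text" name="SumNum">
    <cfinput type="submit" name="go" value="Go">
</cfform>

<!--- Hardened, when the form genuinely must carry a query parameter forward:
      read a known key from the URL scope (which your filter already covers),
      URL-encode it, then encode the result for the HTML attribute context,
      rather than reusing CGI.QUERY_STRING wholesale. --->
<cfparam name="url.SumNum" default="">
<cfform action="calc.cfm?SumNum=#encodeForHTMLAttribute(encodeForURL(url.SumNum))#" method="post">
    <cfinput type="text" name="SumNum">
    <cfinput type="submit" name="go" value="Go">
</cfform>
```

A quick check for this class of problem is to search your code base for cfform tags with no action attribute (or with action="") and to view the rendered source of those pages with an unexpected parameter appended to the URL: if the parameter shows up verbatim inside the form's action attribute, the request is bypassing your FORM/URL scope filtering.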