


Portcullis - SQL Injection and XSS Filter

Author: John Mason (All RIAForge projects by this author)
Last Updated: January 16, 2010 12:37 AM
Version: 2.0.1
Views: 35,204
Downloads: 5,152
License: Apache License, Version 2


Portcullis is a CFC-based URL, form and cookie filter that helps protect against SQL injection and XSS (Cross-Site Scripting) attacks. The CFC filters input, strips tags and escapes HTML according to its internal settings. It can also log attacks and temporarily block further attempts from the same source for a configurable time limit. Portcullis can be installed into any ColdFusion application as a simple shared-scope singleton.

Why use Portcullis?
You need to protect your application as soon as possible and don't have the time for a complete code review or the budget for additional security hardware. Portcullis can buy you some time. It is not a complete solution. After installing Portcullis you still need to, at the very least, schedule a code review with an outside consultant. Feel free to ask for my rates at codfusion.com.

Some common CF security myths
1) cfqueryparam blocks XSS and SQL injection. Answer: it prevents most SQL injection attempts when used on every query parameter, but it does almost nothing against XSS, which is an output-encoding problem rather than a query problem.
2) HTMLEditFormat() and XMLFormat() will escape the dangerous stuff. Answer: neither function completely escapes all the dangerous characters (HTMLEditFormat(), for one, leaves the single quote alone).
3) CF ScriptProtect will protect me. Answer: nope. It only rewrites a handful of tag names (such as script, object and embed) in the request scopes it is enabled for, does very little otherwise, and probably should have been left out of the CF server.
4) The site is too small to be of interest to hackers. Answer: almost every site gets attacked regularly. Hackers may want to use your 'small' site as a foothold into the underlying network or server.
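A worked illustration of myths 1 and 2, added here as an example; it is not Portcullis code and not the author's. It assumes a CFML engine with query-of-queries and cfscript UDF support (ColdFusion 8 or later, Railo/Lucee); the escapeAll() function and the "posts" query holding a stored payload are constructed for the demo.

```cfml
<!---
  Added example, not Portcullis code. Assumes query-of-queries and cfscript
  UDFs (ColdFusion 8+, Railo/Lucee). escapeAll() and the "posts" query are
  constructed for this demo.
--->
<cfscript>
// Escape a value for an HTML text node or a quoted attribute.
// htmlEditFormat() rewrites only & < > and ", so a value dropped into
// value='#x#' can still close a single-quoted attribute. This version
// covers the apostrophe and the slash as well.
function escapeAll(str) {
    var out = str;
    out = replace(out, "&", "&amp;", "all");   // first, or later entities get double-escaped
    out = replace(out, "<", "&lt;", "all");
    out = replace(out, ">", "&gt;", "all");
    out = replace(out, """", "&quot;", "all");
    out = replace(out, "'", "&##39;", "all");  // ## is a literal # inside a CFML string
    out = replace(out, "/", "&##47;", "all");
    return out;
}
</cfscript>

<!--- Constructed stand-in for a database table that holds a stored XSS payload --->
<cfset posts = queryNew("id,body", "integer,varchar")>
<cfset queryAddRow(posts)>
<cfset querySetCell(posts, "id", 1)>
<cfset querySetCell(posts, "body", "<script>alert(document.cookie)</script>")>

<!--- Myth 1: cfqueryparam makes the lookup safe from SQL injection... --->
<cfparam name="url.id" default="1">
<cfquery name="q" dbtype="query">
    SELECT body FROM posts WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- ...but it says nothing about what the row contains. Outputting it raw runs the stored script. --->
<cfoutput>
    <p>Unsafe: #q.body#</p>
    <p>Safe: #escapeAll(q.body)#</p>
</cfoutput>

<!--- Myth 2: htmlEditFormat() leaves the apostrophe alone, so this search term
      closes the single-quoted attribute and adds an event handler. --->
<cfset term = "' onmouseover='alert(1)">
<cfoutput>
    <input type="text" name="search" value='#htmlEditFormat(term)#'>
    <input type="text" name="search" value='#escapeAll(term)#'>
</cfoutput>
```

Save it as a .cfm page, request it and view the response source: the first input renders as value='' onmouseover='alert(1)', while the second keeps the whole term inside the attribute. Two caveats: no escaping helps an unquoted attribute (value=#x#), and ScriptProtect, which only rewrites a few tag names in the request scopes, would not touch the stored payload because it arrived from the query rather than from url or form. Engines newer than those listed on this page (ColdFusion 10 and later, Lucee) ship encodeForHTML() and encodeForHTMLAttribute(), which are preferable to a hand-written escaper where available.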

1.0.2 (4/23/2008) - First public release
1.0.3 (5/10/2008) - Added CRLF defense, HttpOnly for cookies, a function to remove individual IPs from the log and a new escapeChars function that replaces htmlEditFormat(), which does not catch everything.
1.0.4 (6/19/2008) - Fixed item naming with a regex scan to allow just alphanumeric and underscore characters
1.0.5 (7/21/2008) - Added some keywords to block the popular CAST()/ASCII injection attack. Also fixed a reported bug where ampersands in the URL string sometimes mixed up the variable naming.
1.0.6 (8/26/2008) - Exception field corrections, fixed a couple missing var scopes, querynew bug in CF6, bug fix for checkReferer
1.0.7 (6/10/2009) - Added to sql and word filters, modified MSWord smart quotes filter
2.0.0 (1/4/2010) - Additions to the keyword list, accessors, context aware sql command words search
2.0.1 (1/16/2010) - New isDetected() method and verification of valid variable names in accordance with the cf variable naming rules

If you like Portcullis and need a server-side validation system, try out Thor, another project I maintain, which is a CFC-based validator. Server-side validation is a critical function of any application and Thor makes it easier to manage and maintain. You can find Thor at thor.riaforge.org


CFML Engines supported
- ColdFusion 9
- ColdFusion 8
- ColdFusion 7
- ColdFusion 6
- Railo 3
- Open BD

For ColdFusion 5 and older versions, I recommend a custom tag called XSSblock from Illumineti http://www.illumineti.com/documents/xssblock.txt