So, I’m going to go off the deep end here, but I’ve got to know. What in the heck is wrong with people? By “you people”, I mean my fellow web developers. On a listserv I belong to, one of the members likes to point out new ColdFusion sites she finds. Whenever I go to one of these sites, one of the first things I try to do is break the site. Not that I want to harm the site per se - but I’m curious to see how well built the site is.
In almost every single case - the site will be broken in less then a minute.
This is typically done by simply changing a URL variable. So for example, I may see this:
The first thing I do is change “id” to “foo”. If that doesn’t break the site, I try changing 3 to apple. Or -3. Or 9999999999999. One of these little tricks will typically cause the site to throw an error.
This demonstrates more than one problem. First - why aren’t developers using the built in ColdFusion error handling? It takes all of one second to add a cferror tag and a simple error page. You can have the page send you an email describing the error, and display a nice message to the user. Or shoot, have it do nothing. That’s better than showing a naked error to the user. Even worst, many sites turn on the “Show Full Path” setting which will show the full path of the file that threw the error. This is a minor security risk that also takes two seconds to fix.
Secondly - why is there no validation on the URL parameter? You need to:
- Check that the variable exists
- If it is numeric, ensure it is numeric
- If it is a PK for a database table, it should be greater than zero
- If the row doesn't exist (like when I changed the ID from 3 to 99999999999), handle it </ul> All of the above can be done in a few lines of code. All of the above should be done every single time you type URL, Form, or Cookie. All of these variables can be modified by a sneaky user. It may not even be a sneaker user. Someone may email a link, and the email program may break the link at the ?. The simple point is - if you are working with variables that the user can modify, you need to be extra careful and validate the heck out of it. This is - as far as I know - low level web development stuff. Yet no one seems to be doing it! Well - maybe I'm being a bit over the top (this is a rant after all) - but certainly not enough of my fellow web developers are doing it. Last but not least - let me be clear. I am far from perfect. I'm sure someone will find a URL validation bug in one my sites. I welcome it. I know I at least try to cover these cases, so if someone does find such a problem with one of my sites, I want to know about it. Also, please don't think this is a ColdFusion problem. It applies to all dynamic web sites.