So, I'm going to go off the deep end here, but I've got to know. What in the heck is wrong with people? By "you people", I mean my fellow web developers. On a listserv I belong to, one of the members likes to point out new ColdFusion sites she finds. Whenever I go to one of these sites, one of the first things I try to do is break the site. Not that I want to harm the site per se - but I'm curious to see how well built the site is.
In almost every single case, the site will be broken in less than a minute.
This is typically done by simply changing a URL variable. So for example, I may see this:
view.cfm?id=3
The first thing I do is change "id" to "foo". If that doesn't break the site, I try changing 3 to apple. Or -3. Or 9999999999999. One of these little tricks will typically cause the site to throw an error.
This demonstrates more than one problem. First - why aren't developers using the built-in ColdFusion error handling? It takes all of one second to add a cferror tag and a simple error page. You can have the page send you an email describing the error, and display a nice message to the user. Or shoot, have it do nothing. That's better than showing a naked error to the user. Even worse, many sites turn on the "Show Full Path" setting, which will show the full path of the file that threw the error. This is a minor security risk that also takes two seconds to fix.
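Here is what that looks like in practice. This is an added example, not code from the post: it assumes a classic Application.cfm, a handler named error.cfm, and a placeholder mail address. The exception template gets the whole error scope, so it can mail you the details (including the diagnostics you do not want the visitor to see) and show the visitor only a generic message.

```cfml
<!--- Application.cfm (added example; file names and the address are assumed) --->
<cfapplication name="myApp">

<!--- Route every uncaught exception to our own page instead of the raw CF error.
      The template for type="exception" may use CFML tags and the ERROR scope. --->
<cferror type="exception" template="error.cfm" mailto="webmaster@example.com">

<!--- Request-level errors (the handler itself failing) get a static page;
      a type="request" template cannot use CFML tags, only plain HTML and
      the #error.xxx# variables. --->
<cferror type="request" template="request_error.htm">


<!--- error.cfm: runs when cferror type="exception" fires --->
<cfmail to="#error.mailTo#"
        from="errors@example.com"
        subject="Site error in #error.template#"
        type="text">
Time:           #error.dateTime#
Template:       #error.template#
Query string:   #error.queryString#
Remote address: #error.remoteAddress#
Browser:        #error.browser#
Message:        #error.message#
Detail:         #error.detail#

#error.diagnostics#
</cfmail>

<!--- The visitor sees a message, never the path, stack trace or SQL --->
<cfheader statuscode="500" statustext="Internal Server Error">
<p>Sorry, something went wrong. The problem has been logged and we are looking at it.</p>
```

Because the diagnostics, file path and query string go only into the mail, the "Show Full Path" setting stops mattering to anyone but you. If you use Application.cfc instead, the onError method plays the same role for uncaught exceptions.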
Secondly - why is there no validation on the URL parameter? You need to:
- Check that the variable exists
- If it should be numeric, ensure it is numeric
- If it is a PK for a database table, it should be greater than zero
- If the row doesn't exist (like when I changed the ID from 3 to 99999999999), handle it
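All four checks, applied to the view.cfm?id=3 page from the example above. This is an added example, not code from the post; the datasource variable, the articles table and its columns are assumed. Each step is labelled with the list item it implements, and the query binds the value with cfqueryparam so the database only ever sees a typed integer.

```cfml
<!--- view.cfm (added example; application.dsn and the articles table are assumed) --->

<!--- 1. Check that the variable exists. Defaulting to 0 means a missing id
        is caught by the "greater than zero" check below instead of throwing. --->
<cfparam name="url.id" default="0">

<!--- 2. If it should be numeric, ensure it is numeric.
        isValid("integer") rejects "apple", "3.5" and values outside the
        32-bit integer range, so id=9999999999999 is refused here rather
        than failing inside the cf_sql_integer bind. --->
<cfif not isValid("integer", url.id)>
    <cfthrow type="InvalidRequest" message="id must be an integer.">
</cfif>

<!--- 3. A primary key must be greater than zero (catches id=-3 and id=0). --->
<cfif url.id lte 0>
    <cfthrow type="InvalidRequest" message="id must be greater than zero.">
</cfif>

<!--- Bind the value as a typed parameter; raw URL text never reaches the SQL --->
<cfquery name="getArticle" datasource="#application.dsn#">
    select id, title, body
    from   articles
    where  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 4. The row may not exist (id=99999999999 passed the syntax checks above
        only if it fit in an integer; a valid-looking id=8 may still be gone).
        Answer with a real 404 instead of rendering an empty query. --->
<cfif getArticle.recordCount eq 0>
    <cfheader statuscode="404" statustext="Not Found">
    <p>Sorry, that article does not exist.</p>
    <cfabort>
</cfif>

<!--- Safe to use the row now; encode anything echoed back to the browser --->
<cfoutput>
    <h1>#htmlEditFormat(getArticle.title)#</h1>
    <div>#getArticle.body#</div>
</cfoutput>
```

The two cfthrow calls turn id=foo and id=-3 into a normal exception, which is exactly what the cferror handler (or Application.cfc onError) is there to catch, so the user sees your error page rather than a stack trace. On servers older than ColdFusion MX 7, which lack isValid, the same check is isNumeric(url.id) combined with a range test.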
All of the above can be done in a few lines of code. All of the above should be done every single time you type URL, Form, or Cookie. All of these variables can be modified by a sneaky user. It may not even be a sneaky user. Someone may email a link, and the email program may break the link at the ?.
The simple point is - if you are working with variables that the user can modify, you need to be extra careful and validate the heck out of it. This is - as far as I know - low level web development stuff. Yet no one seems to be doing it! Well - maybe I'm being a bit over the top (this is a rant after all) - but certainly not enough of my fellow web developers are doing it.
Last but not least - let me be clear. I am far from perfect. I'm sure someone will find a URL validation bug in one of my sites. I welcome it. I know I at least try to cover these cases, so if someone does find such a problem with one of my sites, I want to know about it. Also, please don't think this is a ColdFusion problem. It applies to all dynamic web sites.
Archived Comments
I'm so there with you, Ray! And I'm also one of those people who SOOO doesn't do this all the time.
It's a matter of getting into the habit and then forcing yourself to remember this stuff, and then apply it. Even if it means going back to OLD code and fixing it up...
Go Ray!
This stuff irks me to no end. I wrote a fairly long blog post about it at http://www.clearsoftware.ne... .
Worse, if a site is vulnerable to very basic editing of a url parameter, it's probably also vulnerable to SQL injection hacks.
I recently discovered a little quirk in the way URL variables are handled by the Flash Services gateway.
I'm a system administrator, and our developers noted some odd behavior when using a url variable named 'reg' (short for region). So, a request like:
http://some.server.com/inde.......
Caused a 404 error to show up in the server logs and the request obviously failed.
It turns out that the string '&reg' is an HTML character entity. It also turns out that XML-based user agents will not allow the use of the ampersand sign in a URL. Read the following W3C article:
http://www.w3.org/TR/xhtml1...
Also, if you are a developer, please be sure NOT to use URL variables that can be viewed as character entities like (amp, gt, lt, etc.)
That's why I use cfparams, and pass the URL variables to the local scoped variable, but using the cfparam data type.
Then instead of checking for the existence of URL variables, I check if the local variable is greater than 0 or greater than "".
Which is much cleaner to work with.
Basically the more you prepare your code for all possibilities, the better you are in the end.
And we all should have a testing process...
Also, why do some sites use generic ColdFusion error messages:
http://ray.camdenfamily.com...
Because we are too lazy to set 404 files in our IIS settings. ;) Yeah yeah, I know I need to add that. I would argue that isn't a security risk though. :P
Yeah, it's pretty easy to add application-wide error handling (even server-wide).
Ha, I do this all the time, Ray. Why? I don't know. I want to see how many lazy developers are out there. Are they lazy or just don't know? Eh, maybe a little of both. I'm not perfect either, but I don't have to worry as much because most of my development work is on secured Intranets. I'm allowed to be a bit lazy.
Ray,
I presented to ACFUG on this topic, and other security topics, just last year. See the PowerPoint at http://www.acfug.org/index..... It's not all inclusive, but it covers a lot of good basics that I have also found to be lacking in other sites.
-dhs
Good article. Another of my "tests" is seeing if I can submit empty contact us forms. That drives me nuts.
First of all, I do agree that URL parameter validation (and form parameter validation too!) is important.
But I have to admit that I don't always validate URL parameters, mostly out of laziness and the fact that the only way someone is going to break them usually is to hand type a URL because they're TRYING to break it.
That being said, I felt the need after reading this entry to check BlogCFM to see if I'd handled it. In fact I could only find one URL parameter available to the public:
http://www.blogcfm.org/inde...
I'm happy to see that I do handle it :) Phew!
http://www.blogcfm.org/inde...
http://www.blogcfm.org/inde...
http://www.blogcfm.org/inde...
As for this statement:
"Worse, if a site is vulnerable to very basic editing of a url parameter, it's probably also vulnerable to SQL injection hacks."
I would disagree. I may not always validate URL variables, but I do ALWAYS use cfqueryparam when passing variables to queries.
- Rick
Ray,
It's laziness, pure and simple. I have caught myself doing this on numerous occasions when under time constraints. And it's something that obviously should never be put aside.
Nice rant, it just brought it to the fore again for me.