Loving QueryParam Scanner

When the recent spate of SQL injection attacks started hitting the ColdFusion community, I actually felt pretty safe. I thought to myself, "I have been using <cfqueryparam> for years. Every query that I have written since before I started working for myself has been safe from SQL injection attacks."

The good news is that I was right about that. What I failed to consider, however, was that I also maintain legacy code written by others, including code written well before the use of <cfqueryparam> was popularized.

A client of mine recently asked me to edit some of that old code. In this case, the original author was already requesting permission to modernize the application when I started working with them five years ago. We actually have updated a lot of it, but some old code still remains.

When I looked at the code, I was first struck by what a nasty, tangled mess it was, with <cfquery> scattered throughout the output code. I braced myself to ignore the mess. After all, I was only asked to make a small change, and there was no real way to justify a major clean-up effort for that. Then I saw it.

<cfquery name="foo" ...>
SELECT *
FROM mytable
WHERE myvalue = #URL.id#
</cfquery>

An SQL injection vulnerability. I can ignore messy code, but not a security problem. I called my client and quickly got approval to secure all of the queries.

I imagined searching through all of the messy code to find all of the vulnerable queries. It seemed like a nightmare. Fortunately, I remembered reading about QueryParam Scanner.

I downloaded it, copied the files to the server on which I wanted to check the code and opened up the newly created folder in my browser. With no more effort than that, it was working. I put in the path to the code and ran the search. After a few seconds, it reported all of the potential vulnerabilities that it found. While this had some false positives (#Val(URL.id)# not really being a vulnerability, for example), it still made the process quick and painless.

It provided the file names and line numbers of the vulnerabilities and even (as I discovered a few minutes in) allowed me to see the cfquery statement directly from the report.

I don't want to think about how long that process would have taken without QueryParam Scanner.

So, thanks Peter Boughton!
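To show what a scanner of this kind has to do, here is an added example (not QueryParam Scanner's own code, and not from this post): a small Python scanner that finds unparameterized #...# expressions inside <cfquery> bodies, reports file and line number, blanks out CFML comments so commented-out queries are not reported, and optionally ignores values wrapped in built-in numeric functions such as Val(). The sample .cfm source, the file name and the list of "safe" wrapper functions are all constructed assumptions.

```python
import re

# Constructed sample .cfm content (not from the original post): one vulnerable
# query, one parameterized query, one Val()-wrapped value, one commented-out query.
SAMPLE_CFM = """<cfquery name="foo" datasource="db">
SELECT * FROM mytable
WHERE myvalue = #URL.id#
</cfquery>
<cfquery name="bar" datasource="db">
SELECT * FROM mytable
WHERE myvalue = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="baz" datasource="db">
SELECT * FROM mytable WHERE myvalue = #Val(URL.id)#
</cfquery>
<!--- <cfquery name="old" datasource="db">
SELECT * FROM mytable WHERE myvalue = #FORM.id#
</cfquery> --->
"""

CFML_COMMENT = re.compile(r"<!---.*?--->", re.DOTALL)
QUERY_BLOCK = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.DOTALL | re.IGNORECASE)
QUERYPARAM_TAG = re.compile(r"<cfqueryparam\b[^>]*>", re.DOTALL | re.IGNORECASE)
POUND_EXPR = re.compile(r"#([^#]+)#")
# Assumed list of built-in functions whose result cannot carry injected SQL text
SAFE_WRAPPERS = re.compile(r"^\s*(val|int|round)\s*\(", re.IGNORECASE)

def blank_out(match):
    # Replace matched text with spaces of the same shape so line numbers survive
    return re.sub(r"[^\n]", " ", match.group(0))

def scan_cfm(source, filename="unknown.cfm", ignore_builtins=True):
    """Return [(filename, line_no, expression)] for every #...# expression
    inside a <cfquery> body that is not bound through <cfqueryparam>."""
    cleaned = CFML_COMMENT.sub(blank_out, source)  # commented-out code is skipped
    findings = []
    for block in QUERY_BLOCK.finditer(cleaned):
        body_start = block.start(1)
        # Values inside <cfqueryparam> are bound parameters, not concatenated SQL
        body = QUERYPARAM_TAG.sub(blank_out, block.group(1))
        for m in POUND_EXPR.finditer(body):
            expr = m.group(1)
            if ignore_builtins and SAFE_WRAPPERS.match(expr):
                continue  # e.g. #Val(URL.id)# always yields a number
            line_no = cleaned.count("\n", 0, body_start + m.start()) + 1
            findings.append((filename, line_no, expr))
    return findings

if __name__ == "__main__":
    for f, line, expr in scan_cfm(SAMPLE_CFM, "sample.cfm"):
        print(f"{f}:{line}: unparameterized value #{expr}#")
```

Run against a real tree, each finding is a query to rewrite with <cfqueryparam>; with ignore_builtins=False the Val()-wrapped value is reported too, which reproduces the false positive mentioned above.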

Comments
Thanks Steve! :)

I have now released v0.7 which (amongst other things), adds an "ignore built-in functions" option which prevents false positives like #Val(...)# and similar.

Also, I think I made it display the queries by default now, so they are not hidden like before.
# Posted By Peter Boughton | 9/23/08 12:23 PM
Peter,

Those enhancements look great! If I were going to ask for any improvements, those would be the ones I would request.

Thanks for your hard work!
# Posted By Steve Bryant | 9/23/08 1:38 PM
The QueryParam scanner is a great tool.

May I request one enhancement to it?
I wish there were a way to make it ignore the commented code.
# Posted By Jalpesh Patel | 9/3/10 9:14 AM