Cross Site Scripting (CSS/XSS) Gotcha when using cfform


When using cfform, don't leave the action attribute blank. This simple omission could leave you open to XSS/CSS (Cross Site Scripting) vulnerabilities. Why would you leave it blank? Well, if you use an ordinary form tag and leave the action attribute blank, the form defaults to submitting to the page in the URL; the browser fills this in for you, but it can sometimes have unpredictable results. I think in 99% of cases we all put in an action attribute, but here is another reason to make it 100% of cases. We found this because a penetration test we had carried out at work recently did this in the URL (thankfully it wasn't malicious!):

If you use cfform and leave action blank, ColdFusion will fill in the action attribute using the CGI.QUERY_STRING variable. So, for example, your form is on a page with a URL of

And you use

ColdFusion will render this:

Which is OK, until you start wondering why the SumNum variable isn't being parsed by your anti-hacking and XSS scripts. Usually any script that does this parsing goes through the form and url scopes and strips the nasty stuff out. That is fine, but ColdFusion goes back to a CGI variable, and that isn't one that usually gets stripped.
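As an added example that is not part of the original post, here is the pattern side by side: the blank-action form the post warns about, the same form with an explicit action, and a variant that carries the query string forward but encodes it for the attribute context. It assumes ColdFusion 10 or later for encodeForHTMLAttribute(); the page name /form.cfm, the form names and CGI.SCRIPT_NAME as the source of the current path are assumptions for this example.

```cfml
<!--- Added example, not from the original post. Page assumed to be /form.cfm --->

<!--- Risky: with no action, ColdFusion builds one from CGI.QUERY_STRING,
      so whatever arrived in the URL is reflected into the action attribute
      and never passes through a sanitiser that only checks form and url scopes --->
<cfform name="calcBlank" method="post">
    <cfinput type="text" name="SumNum" value="">
    <cfinput type="submit" name="go" value="Add">
</cfform>

<!--- Safer: an explicit action that does not echo the query string at all --->
<cfform name="calcExplicit" method="post" action="/form.cfm">
    <cfinput type="text" name="SumNum" value="">
    <cfinput type="submit" name="go" value="Add">
</cfform>

<!--- If the page really must carry the query string forward, build the
      action yourself and encode it for the HTML attribute context, so a
      quote or angle bracket in the URL cannot break out of the attribute --->
<cfset formAction = cgi.script_name>
<cfif len(cgi.query_string)>
    <cfset formAction &= "?" & encodeForHTMLAttribute(cgi.query_string)>
</cfif>
<cfform name="calcCarry" method="post" action="#formAction#">
    <cfinput type="text" name="SumNum" value="">
    <cfinput type="submit" name="go" value="Add">
</cfform>
```

The second form is the one to prefer; the third exists only for pages that genuinely depend on the incoming query string surviving the round trip.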

Duncan Isaksen-Loxton

Educated as a web developer, with over 20 years of internet based work and experience, Duncan is a Google Workspace Certified Collaboration Engineer and a WordPress expert.