Prevent brute force attacks

Check to see if the login was successful. You can apply your own variable here. Obviously all variable names

<cfparam name="session.FailedLogin" default="0">
<cfif [login successful...]>
	<!--- Do something since you've successfully logged in. --->
	<!--- Reset the counter so a legitimate user is not slowed down by earlier typos --->
	<cfset session.FailedLogin = 0>
<cfelse>
	<cfset session.FailedLogin = session.FailedLogin + 1>
	<cfif session.FailedLogin gt 10>
		<!--- After ten failures, delay the response by 500 ms per failed attempt --->
		<cfset createObject("java", "java.lang.Thread").sleep(JavaCast("int", session.FailedLogin * 500))>
	</cfif>
</cfif>
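The same idea in CFScript, as an added example that is not code from the original post: failures are counted in the session and the response is slowed, but the delay is capped and a lockout window is added. checkCredentials() is a hypothetical name for your own password check that returns true or false, and session management is assumed to be enabled in Application.cfc.

```cfml
<cfscript>
// Added example, not code from the original post. checkCredentials() is assumed to be
// your own credential check (hypothetical name) returning true or false.

param name="session.failedLogin" default=0;
param name="session.lockedUntil" default=0;   // getTickCount() value; 0 means no lockout

function attemptLogin(required string username, required string password) {
    var nowMs   = getTickCount();
    var lockMs  = 15 * 60 * 1000;   // 15 minute lockout after too many failures
    var delayMs = 0;

    // While locked out, refuse without even checking the password
    if (session.lockedUntil gt nowMs) {
        return { ok = false, reason = "locked", retryAfterMs = session.lockedUntil - nowMs };
    }

    if (checkCredentials(arguments.username, arguments.password)) {
        // Success clears the counters so a legitimate user is not penalised later
        session.failedLogin = 0;
        session.lockedUntil = 0;
        return { ok = true, reason = "", retryAfterMs = 0 };
    }

    session.failedLogin++;

    if (session.failedLogin gt 10) {
        session.lockedUntil = nowMs + lockMs;
        return { ok = false, reason = "locked", retryAfterMs = lockMs };
    }

    // 500 ms per failure as in the snippet above, but capped: every sleeping request
    // holds a ColdFusion worker thread, so an unbounded delay is itself a way to
    // exhaust the server
    delayMs = min(session.failedLogin * 500, 3000);
    sleep(delayMs);
    return { ok = false, reason = "bad_credentials", retryAfterMs = delayMs };
}
</cfscript>
```

Because the counters live in the session, a client that discards its cookie starts from zero; pair this with a per-account failure count stored server-side (database or application scope) so the lockout follows the account rather than the session.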

Send an Email using CFScript

	<cfscript>
	/* capture the generated HTML into the variable mailBody */
	savecontent variable="mailBody"{
		writeOutput('<h1>Hello!</h1><p>Tada it works.</p>');
	}
	/* create mailer service */
	mailerService = new mail();
	/* set mail attributes using implicit setters provided; mailto, mailfrom and subject are set before this block */
	mailerService.setSubject(subject);
	mailerService.setTo(mailto);      /* recipient address */
	mailerService.setFrom(mailfrom);  /* sender address */
	mailerService.setType('html');    /* the body built above is HTML */
	/* add mailparams */
	/* send mail using send(). Attribute values specified in an end action like "send" will not persist after the action is performed */
	mailerService.send(body=mailBody);
	writeOutput("<h3>Thank you</h3>" & "<p>Thank you, " & mailfrom & "<br>" & "Your message, " & subject & ", has been sent to " & mailto & "</p>");
	</cfscript>
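When the addresses and subject come from a web form, they need to be validated before they reach the mail service, otherwise a field value carrying a line break can add headers or extra recipients to the message. The following is an added example, not code from the original post; it assumes the form fields form.mailfrom, form.mailto and form.subject (constructed names), the CFScript mail component shown above, and ColdFusion 10+ or Lucee for encodeForHTML().

```cfml
<cfscript>
// Added example, not code from the original post. Validates user-supplied mail
// fields before they are handed to the mail service.

// Returns a struct: ok (boolean), errors (array of messages), subject (cleaned)
function buildSafeMailRequest(required string mailfrom, required string mailto, required string subject) {
    var result = { ok = false, errors = [], subject = "" };

    // isValid("email") accepts only a single well-formed address, so values that carry
    // CR/LF or a second address after a comma are rejected here
    if (!isValid("email", arguments.mailfrom)) {
        arrayAppend(result.errors, "Invalid sender address");
    }
    if (!isValid("email", arguments.mailto)) {
        arrayAppend(result.errors, "Invalid recipient address");
    }

    // A mail header ends at a line break, so strip CR and LF from the subject
    result.subject = reReplace(trim(arguments.subject), "[\r\n]", "", "all");
    if (len(result.subject) eq 0 || len(result.subject) gt 200) {
        arrayAppend(result.errors, "Subject must be 1-200 characters");
    }

    result.ok = arrayIsEmpty(result.errors);
    return result;
}

check = buildSafeMailRequest(form.mailfrom, form.mailto, form.subject);

if (check.ok) {
    savecontent variable="mailBody" {
        // encode the sender address before echoing it into HTML
        writeOutput("<h1>Hello!</h1><p>Message from #encodeForHTML(form.mailfrom)#</p>");
    }
    mailerService = new mail();
    mailerService.setTo(form.mailto);
    mailerService.setFrom(form.mailfrom);
    mailerService.setSubject(check.subject);
    mailerService.setType("html");
    mailerService.send(body = mailBody);
    writeOutput("<p>Your message has been sent.</p>");
} else {
    writeOutput("<p>" & encodeForHTML(arrayToList(check.errors, "; ")) & "</p>");
}
</cfscript>
```

Letting the visitor choose the recipient turns the form into a relay for anyone who finds it; in most contact-form cases the recipient should be fixed server-side and only the sender address taken from the form.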

XSS Additional Protection

This is a snippet of code from one of my applications. It’s not a stop-all, but it’s a good start.

   <cfscript>
   //XSS protection
   whiteListReserved = "!|*|'|(|)|;|:|@|&|=|+|$|,|/|?|%|##|[|]";
   whiteListUnreserved = "A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z|a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z|0|1|2|3|4|5|6|7|8|9|-|_|.|~";
   whiteList = listappend(whiteListReserved,whiteListUnreserved,"|");
   qString = URLDecode(cgi.query_string);

   for(i=1;i lte Len(qString);i++){
    // Get the character at the given index. The ColdFusion Mid() function takes the string, the starting index
    // and the number of characters to return. In this case, we only want one character, so the length is one.
    strChar = Mid(qString, i, 1 );
    if (listFind(whiteList,strChar,"|") eq 0){
     // jsStringFormat() escapes the offending character so it cannot break out of the JavaScript string literal
     writeOutput("<script type='text/javascript'>alert('#jsStringFormat(strChar)# is in violation of xss rules.');</script>");
     //Here I have a session variable that I toggle based on a user being authenticated. not super relevant to this posting.
     Session.isAuthenticated = 0;
     url.msg = "There is a security violation within your request. Your session has been reset. Please log back in.";
     // One violation is enough; stop scanning so the message is written only once
     break;
    }
   }
   </cfscript>
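The same whitelist, generalised into a reusable check as an added example (not code from the original post): it reports every disallowed character instead of stopping at the first, runs over each url and form value (which ColdFusion has already URL-decoded) rather than the raw query string, logs the result server-side, and encodes what it echoes back. It assumes ColdFusion 10+ or Lucee for encodeForHTML() and the script form of writeLog(); the log file name "security" is a constructed placeholder.

```cfml
<cfscript>
// Added example, not code from the original post.

whiteListReserved   = "!|*|'|(|)|;|:|@|&|=|+|$|,|/|?|%|##|[|]";
whiteListUnreserved = "A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z|a|b|c|d|e|f|g|h|i|j|k|l|m|n|o|p|q|r|s|t|u|v|w|x|y|z|0|1|2|3|4|5|6|7|8|9|-|_|.|~";
whiteList = listAppend(whiteListReserved, whiteListUnreserved, "|");

// Returns an array of the distinct characters in value that are not in the whitelist
function findDisallowedChars(required string value, required string whiteList) {
    var found = [];
    var ch = "";
    var i = 0;
    for (i = 1; i lte len(arguments.value); i++) {
        ch = mid(arguments.value, i, 1);
        // listFind is case-sensitive and uses "|" as the delimiter, so "|" itself is never allowed
        if (listFind(arguments.whiteList, ch, "|") eq 0 && !arrayContains(found, ch)) {
            arrayAppend(found, ch);
        }
    }
    return found;
}

// Checks every simple value in a scope; returns a struct of "scope.key" -> offending characters
function scanRequest(required struct scope, required string scopeName, required string whiteList) {
    var violations = {};
    var key = "";
    var bad = [];
    for (key in arguments.scope) {
        if (!isSimpleValue(arguments.scope[key])) continue;
        bad = findDisallowedChars(arguments.scope[key], arguments.whiteList);
        if (arrayLen(bad)) violations["#arguments.scopeName#.#key#"] = bad;
    }
    return violations;
}

violations = scanRequest(url, "url", whiteList);
structAppend(violations, scanRequest(form, "form", whiteList));

if (!structIsEmpty(violations)) {
    for (key in violations) {
        // Log server-side instead of telling the client which characters were blocked
        writeLog(file = "security", type = "warning",
                 text = "Disallowed characters in #key# from #cgi.remote_addr#: #arrayToList(violations[key], ' ')#");
    }
    session.isAuthenticated = 0;
    writeOutput("<p>" & encodeForHTML("There is a security violation within your request. Your session has been reset. Please log back in.") & "</p>");
}
</cfscript>
```

Two things to keep in mind with this whitelist: it contains no space character, and a "+" in the query string is decoded to a space, so any parameter with a space is flagged unless you add " " to the list; and a character filter on input is a supplement, not a replacement, for encoding values at the point of output.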

Restarting your Coldfusion Application without restarting ColdFusion

To restart your application, place the following line of code in your Application.cfc within the OnRequestStart function.


Now anytime you pass the URL string “restart” your application will restart. Obviously you can use whatever method you choose, but this will point you in the right direction.
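One way to wire this into a script-based Application.cfc, as an added example rather than the post's own snippet: it uses applicationStop() (ColdFusion 9+, Lucee) and only honours the restart parameter for an authenticated administrator, since an unrestricted restart URL lets anyone reset application state at will. The application name, the session.isAdmin flag and the "application" log file name are constructed placeholders; the script forms of writeLog() and location() assume ColdFusion 10+ or Lucee.

```cfml
component {
    // Added example, not the original post's snippet. this.name and session.isAdmin are constructed.
    this.name = "myApp";
    this.sessionManagement = true;

    public boolean function onRequestStart(required string targetPage) {
        // Assumes your own admin login sets this flag after authenticating the user
        param name="session.isAdmin" default=false;

        if (structKeyExists(url, "restart")) {
            if (session.isAdmin) {
                writeLog(file = "application", type = "information",
                         text = "Application restart requested by an administrator from #cgi.remote_addr#");
                applicationStop();
                // Redirect so the next request runs onApplicationStart afresh
                location(url = cgi.script_name, addToken = false);
            }
            // Requests without admin rights ignore the parameter and are served normally
        }
        return true;
    }
}
```

For a production system, consider also restricting the restart to the local network or an internal admin host, and keep the log line so restarts are visible in the same place as other operational events.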