QueryParam Scanner

Overview

QueryParam Scanner (qpScanner) is a tool designed to identify possible SQL injection risks in CFML queries.

License:: GPL v3
Latest Stable:: v0.8, 22 Oct 2021
Requires:: CF v9 or above, Railo v3 or above, Lucee v4.5 or above; (For CF8, CFMX7 and OpenBD support, use v0.7.3)

Downloads

Stable: v0.8 (227KB)
CF8 compatible: v0.7.3.2 (407KB)

$ sha256sum qpscanner-0.8.zip
69bc619acde8e8cfb2c4e77897ae555b734c60bb1a9a0c5f573219b4bf5b9033 *qpscanner-0.8.zip

$ sha256sum qpscanner-0.7.3.2.zip
8c710d3e1cceb85da7a2c9804d28c9f90bec5804f402cd2e7319e85a69abfe81 *qpscanner-0.7.3.2.zip

$ sha256sum hybridchill.eclipse.qpscanner_0.1.0.0.jar
3c85c73bc950e6b394c8400da0868830fc57d6681744d00518c550e69f73e042 *hybridchill.eclipse.qpscanner_0.1.0.0.jar

(A mismatch indicates a corrupted file; repeat the download and re-verify.)

Eclipse Plugin

The qpScapper plugin for Eclipse-based IDEs connects to a qpScanner instance and uses it to scan selected files and/or directories, and allows configuring default and per-project settings.

It is available as a JAR download (40KB).

Features

The current release of qpScanner has the following features:

Finds all variables in cfquery without a surrounding cfqueryparam.
Displays filenames, line number and query contents for all potential risks.
Ability to scan any directory on local filesystem.
Option to include/exclude child directories.
Option to include/exclude ORDER BY clauses.
Option to list which scopes any variables belong to.
Option to highlight variables in client scopes.
Multiple output formats (HTML, JSON, XML, WDDX).
Ability to override Request Timeout.
Option to specify file/directory exclusions (regex).
Option to include/exclude Query of Queries.
Option to include/exclude built-in CFML functions.

If there are other features you would like, please raise them using the issue tracker.