Hi All,
To prevent cross-site scripting attacks I ticked the check box "Enable Global Script Protection" in CF admin. But it is not working, I mean it is not able to prevent the scripting attacks.
Steps I followed
1] I executed the below URL.
https://xyz.abc.com/index.cfm?cardholder_number=&<script>alert(1)</script>
2] In the front end I got a JavaScript alert message, as injected in the URL.
But this alert message should not come as I have enabled script protection in CF admin. Right????
Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>) from the above URL, and then I was not getting the JavaScript alert message. Does this mean that script protection will not work if we are adding "&" to the URL????
I searched the neo-security.xml and it looks like below.
<var name='CrossSiteScriptPatterns'><struct type='coldfusion.server.ConfigMap'><var name='<\s*(object|embed|script|applet|meta)'><string><InvalidTag</string></var></struct></var>
Can anyone help me out to fix this?
Could you show us the code of the test page that shows the alert?
I didn't use any test page... I just directly executed it.
To do the testing and reproduce it you can do the following:
1] Tick the check box "Enable Global Script Protection" in CF admin -> server settings
2] Create a cfm template in your domain and add some HTML contents (say test.cfm).
3] Execute the URL as I explained in my last post. (In your case: http(s)://yourdomain.com/index.cfm?x=&<script>alert(1)</script>)
Abdul L Koyappayil wrote:
Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>) from the above URL, and then I was not getting the JavaScript alert message. Does this mean that script protection will not work if we are adding "&" to the URL????
There is nothing to worry about. Except your code actually reports an issue, which I doubt.
A cross-site scripting attack will attempt to sneak a script into your application, by means of a URL variable. That is not what you have here.
The query-string
cardholder_number=&<script>alert(1)</script>
cannot pass the script to your page. To be sure, run this on your test page:
<cfdump var="#url#">
It will pass the URL variable cardholder_number='', nothing more. (Remember that & is a delimiter that separates the key-value pairs in the URL.) The alert-script may run in the client's browser, and fire the alert, but that is only happening at the client end. Your application will know nothing about that. If potential attackers keep away from you, then you will have no attacker.
Added: To see the effect of the Coldfusion Scriptprotect, remove the & and do the URL dump
Nice explanation BK...... I couldn't think in that way.....
But still one doubt remains: why is the alert message coming only when there is "&" in the URL??
So I can explain to my security team that when script protection is enabled, client-side scripts will not go inside the server (cfm page). OK, I agree.
But what reason will I give if they ask me why the JavaScript alert is coming then? They might think that there is some security hole because of which the alert message is cropping up.
Abdul L Koyappayil wrote:
But still one doubt remains: why is the alert message coming only when there is "&" in the URL??
This happens with "&" because it is a special symbol whose purpose is to delimit - that is, separate - the key-value pairs in the URL's query-string. For example, in the URL www.myDomain.com/index.cfm?a=1&b=2, the "&" delimits the query-string into the 2 key-value pairs
a=1
b=2
Let us then consider the case where the URL is www.myDomain.com/index.cfm?cardholder_number=&<script>alert(1)</script>. The & will delimit the query-string into
cardholder_number=
<script>alert(1)</script>
The presence of '&' implies there are 2 variables. However, there is only one '=' sign, which means there is just one key-value pair. In addition, cardholder_number is a legal name for a URL variable, whereas <script>alert(1)</script> is not. The browser therefore sends the following query-string to your application
cardholder_number=EMPTY_STRING&<script>alert(1)</script>
However, Coldfusion's scriptprotect feature will intervene and neutralize this to
cardholder_number=EMPTY_STRING&<invalidtag>alert(1)</script>
which is harmless. These will enter into Coldfusion as the URL variables
cardholder_number=EMPTY_STRING
EMPTY_STRING=EMPTY_STRING
The special nature of '&' as delimiter is what prompts the browser to run the script. In fact, by default, browsers will run any Javascript that you place in the query-string. Run this, for example
http://www.myDomain.com/index.cfm?<script>alert(1)</script>
But what reason will I give if they ask me why the JavaScript alert is coming then?
As you have just seen, the <script> tag cannot come in. The alert occurs at the browser - that is, at the client - but Coldfusion runs at the server. Communication between client and server is by means of the URL variables that the client sends to the server. For the attack to be effective, it has to be sent in the form
sneakyVar=<script>alert(1)</script>
That is not the case here.
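To make the splitting and the rewrite described above concrete, here is a small Python model (added as an illustration; it is not ColdFusion's own code and not part of the original thread). It splits a query-string on "&" into key-value pairs the way the post describes, applies the CrossSiteScriptPatterns regex quoted from neo-security.xml earlier in the thread (replacing the match with "<InvalidTag", as that file shows), and then HTML-encodes a value before it is written back into a page, which is the control that actually stops a reflected value from being interpreted as markup. Assumptions: the pattern is applied case-insensitively and to both names and values; real ColdFusion may differ in which scopes and which parts it rewrites.

```python
import html
import re
from urllib.parse import unquote_plus

# Pattern copied from the neo-security.xml excerpt quoted in the thread.
# Case-insensitive matching is an assumption made for this illustration.
SCRIPT_PROTECT_PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
REPLACEMENT = "<InvalidTag"  # replacement string shown in the same excerpt


def split_query_string(query):
    """Split a query-string on '&' into (name, value) pairs.

    A field that has no '=' (such as a bare <script>...</script> segment)
    becomes a name with an empty value, mirroring the thread's explanation
    that only one '=' means only one real key-value pair.
    """
    pairs = []
    for field in query.split("&"):
        if field == "":
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def script_protect(text):
    """Model of the ScriptProtect rewrite: neutralise the listed tag names."""
    return SCRIPT_PROTECT_PATTERN.sub(REPLACEMENT, text)


def parse_url_scope(query, protect=True):
    """Build a dict resembling the URL scope, optionally with ScriptProtect applied."""
    scope = {}
    for name, value in split_query_string(query):
        if protect:
            name, value = script_protect(name), script_protect(value)
        scope[name] = value
    return scope


def render(value):
    """Output-encode a value before writing it into HTML; this, not the
    request-side rewrite, is what prevents reflected input from running."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed inputs taken from the URLs discussed in the thread.
    for q in ("a=1&b=2",
              "cardholder_number=&<script>alert(1)</script>",
              "cardholder_number=<script>alert(1)</script>"):
        print(q, "->", parse_url_scope(q))
    print(render("<script>alert(1)</script>"))
```

With the "&" present, the script text never becomes the value of cardholder_number; it is split off as a second, value-less field, which is exactly why `<cfdump var="#url#">` shows the variable as empty. Without the "&", the script text is the value, and the pattern rewrite turns its opening tag into `<InvalidTag`. In either case, pass any reflected value through an HTML encoder on output.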
This thread has information that will help someone else in future. If you are satisfied, please mark the post that you consider to be the correct answer. If you find it necessary, add a further explanatory post, and mark that as the answer.
BKBK wrote:
The special nature of '&' as delimiter is what prompts the browser to run the script. In fact, by default, browsers will run any Javascript that you place in the query-string. Run this, for example
http://www.myDomain.com/index.cfm?<script>alert(1)</script>
I agree that the above URL will execute the JavaScript. But one doubt here. You mentioned that "by default, browsers will run any Javascript that you place in the query-string". If that is the case then why am I not getting an alert message while hitting the URL like below?
https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>
This URL contains a URL variable (cardholder_number); is that the reason it does not execute the JavaScript?
The explanations and examples were obvious. However, the language could do with some sharpening:
By default, browsers will run any Javascript that occurs as a field in the query-string.
[Context: query-string comprises field1=value1&field2=value2&field3=value3 and so on]