8 Replies Latest reply on Sep 5, 2014 12:58 AM by BKBK

    Enabling Global Script Protection is not working while adding "&"

    Abdul L Koyappayil Level 1

      Hi All,

      To prevent cross-site scripting attacks I ticked the check box "Enable Global Script Protection" in CF admin. But it is not working, I mean it is not able to prevent the scripting attacks.

      Steps I followed

      1] I executed the below URL.

           https://xyz.abc.com/index.cfm?cardholder_number=&<script>alert(1)</script>

      2] In the front end I got a javascript alert message as injected in the URL.

      But this alert message should not come as I have enabled script protection in CF admin. Right????

      Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>) from the above URL, then I was not getting the javascript alert message. Does this mean that script protection will not work if we are adding "&" to the URL????

      I searched the neo-security.xml and it looks like below.

      <var name='CrossSiteScriptPatterns'><struct type='coldfusion.server.ConfigMap'><var name='&lt;\s*(object|embed|script|applet|meta)'><string>&lt;InvalidTag</string></var></struct></var>

      Can anyone help me out to fix this.

        • 1. Re: Enabling Global Script Protection is not working while adding "&"
          BKBK Adobe Community Professional & MVP

          Could you show us the code of the test page that shows the alert?

          • 2. Re: Enabling Global Script Protection is not working while adding "&"
            Abdul L Koyappayil Level 1

            I didn't use any test page... I just directly executed it.

            To do testing and reproduce you can do the following:

                 1] Tick the check box "Enable Global Script Protection" in CF admin -> server settings

                 2] Create a cfm template in your domain and add some html contents (say test.cfm).

                 3] Execute the url as I explained in my last post. (In your case: http(s)://yourdomain.com/index.cfm?x=&<script>alert(1)</script>)

            • 3. Re: Enabling Global Script Protection is not working while adding "&"
              BKBK Adobe Community Professional & MVP

              Abdul L Koyappayil wrote:

              Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>) from the above URL, then I was not getting the javascript alert message. Does this mean that script protection will not work if we are adding "&" to the URL????

              There is nothing to worry about. Unless your code actually reports an issue, which I doubt.

              A cross-site scripting attack will attempt to sneak a script into your application, by means of a URL variable. That is not what you have here.

              The query-string

              cardholder_number=&<script>alert(1)</script>

              cannot pass the script to your page. To be sure, run this on your test page:

              <cfdump var="#url#">

              It will pass the URL variable cardholder_number='', nothing more. (Remember that & is a delimiter that separates the key-value pairs in the URL.) The alert-script may run in the client's browser, and fire the alert, but that is only happening at the client end. Your application will know nothing about that. If potential attackers keep away from you, then you will have no attacker.

              Added: To see the effect of the ColdFusion scriptprotect, remove the & and do the URL dump.

              • 4. Re: Enabling Global Script Protection is not working while adding "&"
                Abdul L Koyappayil Level 1

                Nice explanation BK...... I couldn't think in that way.....

                But still one doubt remains: why is the alert message coming only when there is "&" in the URL??

                So I can explain to my security team that when script protection is enabled client side scripts will not go inside the server (cfm page). Ok, I agree.

                But what reason will I give if they ask me why the javascript alert is coming then? They might think that there is some security hole because of which the alert message is cropping up.

                • 5. Re: Enabling Global Script Protection is not working while adding "&"
                  BKBK Adobe Community Professional & MVP

                  Abdul L Koyappayil wrote:

                  But still one doubt remains: why is the alert message coming only when there is "&" in the URL??

                  This happens with "&" because it is a special Javascript symbol whose purpose is to delimit - that is, separate - the key-value pairs in the URL's query-string. For example, in the URL www.myDomain.com/index.cfm?a=1&b=2, the "&" delimits the query-string into the 2 key-value pairs

                  a=1

                  b=2

                  Let us then consider the case where the URL is www.myDomain.com/index.cfm?cardholder_number=&<script>alert(1)</script>. The & will delimit the query-string into

                  cardholder_number=

                  <script>alert(1)</script>

                  The presence of '&' implies there are 2 variables. However, there is only one '=' sign, which means there is just one key-value pair. In addition, cardholder_number is a legal name for a URL variable, whereas <script>alert(1)</script> is not. The browser therefore sends the following query-string to your application

                  cardholder_number=EMPTY_STRING&<script>alert(1)</script>

                  However, ColdFusion's scriptprotect feature will intervene and neutralize this to

                  cardholder_number=EMPTY_STRING&<invalidtag>alert(1)</script>

                  which is harmless. These will enter into ColdFusion as the URL variables

                  cardholder_number=EMPTY_STRING

                  EMPTY_STRING=EMPTY_STRING

                  The special nature of '&' as delimiter is what prompts the browser to run the script. In fact, by default, browsers will run any Javascript that you place in the query-string. Run this, for example

                  http://www.myDomain.com/index.cfm?<script>alert(1)</script>

                  But what reason will I give if they ask me why the javascript alert is coming then?

                  As you have just seen, the <script> tag cannot come in. The alert occurs at the browser - that is, at the client - but ColdFusion runs at the server. Communication between client and server is by means of the URL variables that the client sends to the server. For the attack to be effective, it has to be sent in the form

                  sneakyVar=<script>alert(1)</script>

                  That is not the case here.
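To make the delimiting and neutralization described in the reply above concrete, here is an added Python example (not from the thread and not ColdFusion's own code) that splits a query string on "&" and "=" the way a server does and applies the CrossSiteScriptPatterns regex quoted from neo-security.xml. Matching that pattern case-insensitively is an assumption; ColdFusion's exact matching rules are not shown on this page.

```python
import re
from urllib.parse import parse_qsl

# Pattern taken from the neo-security.xml snippet quoted earlier in the thread
# ('&lt;' decoded to '<'). Matching it case-insensitively is an assumption.
SCRIPT_PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
REPLACEMENT = "<InvalidTag"


def neutralize(text: str) -> str:
    """Scriptprotect-style rewrite: the opening '<script' becomes '<InvalidTag'.

    Only the tag name is rewritten; the closing '</script>' has a '/' after
    '<', so it does not match and stays visible, which is handy in a dump."""
    return SCRIPT_PATTERN.sub(REPLACEMENT, text)


def parse_and_protect(query: str) -> dict:
    """Split a raw query string into fields and neutralize every key and value.

    keep_blank_values=True mirrors what the thread observes: a field with no '='
    (the '<script>alert(1)</script>' after the '&') still arrives, but as a key
    whose value is the empty string, not as the value of cardholder_number."""
    protected = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        protected[neutralize(key)] = neutralize(value)
    return protected


def looks_like_script_injection(query: str) -> bool:
    """Detection helper: True when any key or value matches the pattern before
    neutralization, so a request can be flagged in server-side logs."""
    return any(
        SCRIPT_PATTERN.search(part)
        for pair in parse_qsl(query, keep_blank_values=True)
        for part in pair
    )


if __name__ == "__main__":
    # Constructed sample query strings, taken from the two URLs discussed above.
    for q in ("cardholder_number=&<script>alert(1)</script>",
              "cardholder_number=<script>alert(1)</script>"):
        print(q, "->", parse_and_protect(q),
              "flagged:", looks_like_script_injection(q))
```

The first query yields cardholder_number with an empty value plus a neutralized key with an empty value; the second yields cardholder_number carrying the neutralized payload, which is the case the URL dump in the thread is meant to show.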

                  • 6. Re: Enabling Global Script Protection is not working while adding "&"
                    BKBK Adobe Community Professional & MVP

                    This thread has information that will help someone else in future. If you are satisfied, please mark the post that you consider to be the correct answer. If you find it necessary, add a further explanatory post, and mark that as the answer.

                    • 7. Re: Enabling Global Script Protection is not working while adding "&"
                      Abdul L Koyappayil Level 1

                      BKBK wrote:

                      The special nature of '&' as delimiter is what prompts the browser to run the script. In fact, by default, browsers will run any Javascript that you place in the query-string. Run this, for example

                      http://www.myDomain.com/index.cfm?<script>alert(1)</script>

                           I agree that the above URL will execute the javascript. But one doubt here. You mentioned that "by default, browsers will run any Javascript that you place in the query-string". If that is the case then why am I not getting the alert message while hitting the url like below.

                           https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>

                           This url contains a url variable (cardholder_number); is that the reason it does not execute the javascript?

                      • 8. Re: Enabling Global Script Protection is not working while adding "&"
                        BKBK Adobe Community Professional & MVP

                        The explanations and examples were obvious. However, the language could do with some sharpening:

                        By default, browsers will run any Javascript that occurs as a field in the query-string.

                        [Context: query-string comprises field1=value1&field2=value2&field3=value3 and so on]