13 Replies Latest reply on Dec 12, 2016 12:40 PM by codeshed

    You should in any case apply the scriptProtect security setting

    codeshed

      I have been testing out Global Script Protection at the CF Admin level (v9.01). But it does not appear to have any effect on the form posted data... or maybe I am not understanding what it can/should do.

       

      With it on and if I post a form field with something like this entered:

      Test<script>alert('hello');</script> 

      On the resulting page I get a pop-up alert - I would expect Global Script Protection to stop this?

       

      Restarted both IIS and CF App and the variable is not getting set at the application level.

       

      I am looking for a simple way to add some XSS protection to a legacy CF app that has come across my desk. Lots of forms and I do not have access to the source (encrypted).

       

      Cheers!

        • 1. Re: You should in any case apply the scriptProtect security setting
          WolfShade Level 4

          Drat.. if you were using CF10 or greater, I'd suggest using canonicalize() and then use CFQUERYPARAM for every variable within your SQL.  That would drastically reduce the risk of XSS and SQL-injection.

           

          However, since you're using an older version, my only suggestion would be to find and download a library called Portcullis.  You can set it so that it will either A) throw an error if it finds something that doesn't belong, or B) give you a chance to sanitize inputs before going to the database.

           

          But, to be honest, the best thing you can do is upgrade to AT LEAST CF10, so you can take advantage of canonicalize() and the ESAPI features that are new to CF10.

           

          HTH,

           

          ^_^

          • 2. Re: You should in any case apply the scriptProtect security setting
            codeshed Level 1

            Thanks!  I will take the v10 upgrade recommendation to my client.

             

             As I mentioned the source is closed source (encrypted). Can Portcullis still be implemented? And are the features in v10 possible to implement in this situation?

             

             And I guess back to my original question: why doesn't enabling Global Script Protection seem to do anything?

             

            For others... looks interesting:

            Portcullis | CodFusion

            • 3. Re: You should in any case apply the scriptProtect security setting
              WolfShade Level 4

              Not sure why ScriptProtect didn't do its job.  It should have stripped out the script tag and everything in between.  Do the logs show anything?

               

               If the files were encrypted, they can be decrypted.  Whoever encrypted them has the means to do so.  Is this person holding the files hostage?  I don't know if you can use a combination of encrypted and unencrypted files; I assume that if any files are encrypted, they all go through the same decryptor in order to be processed.  Sorry I can't be of more help on that front.

               

              The features in v10 are code, so you would have to have access to the unencrypted files in order to insert canonicalize() into the mix.

               

              V/r,

               

              ^_^

              • 4. Re: You should in any case apply the scriptProtect security setting
                codeshed Level 1

                OK thanks I will have a look at the logs... I would really like to understand why script protect is not working.

                 

                This is a 3rd party software web application ($) and I guess they don't want to share the source for 2 reasons, protect their investment and breaking upgrade ability as they release new versions.

                 

                You can run encrypted & unencrypted files.

                • 5. Re: You should in any case apply the scriptProtect security setting
                  WolfShade Level 4

                  With the files being a third-party solution, and thusly encrypted, then even Portcullis can't help you, because you have to modify the application.cfc to scan the form, url, and cookie scopes.

                   

                  This places all the burden of security squarely on the shoulders of said third-party.  If they can't code for security, but they encrypt everything they put out, then they are worthy of being dropped and replaced by someone who can do the code, for you.

                   

                  Just my two cents.

                   

                  V/r,

                   

                  ^_^

                  • 6. Re: You should in any case apply the scriptProtect security setting
                    codeshed Level 1

                     Totally agree... There are more recent versions we can update to that may resolve these issues, but we are looking for a short-term/quick fix, but since scriptProtect appears to do nothing I think I will look at Portcullis via Application.cfc (if I can unencrypt it).

                    • 7. Re: You should in any case apply the scriptProtect security setting
                      WolfShade Level 4

                       I'm not sure how that would work, honestly.  You'd have to unencrypt the .cfm file(s), make changes, then re-encrypt using the same key.  I think only the developers have that ability.  I mean, you _could_ build a server farm of 20 or 30 servers to run unencryption algorithms on the files, but who knows how long that could take.

                       

                      Unfortunately, with the third-party that created your turnkey solution, I don't think there are any immediate workarounds for your issue.  Unless someone else can think of something that I'm just blind to.

                       

                      V/r,

                       

                      ^_^

                      • 8. Re: You should in any case apply the scriptProtect security setting
                        codeshed Level 1

                        Thanks again for your feedback and Portcullis recommendation!

                         

                         You don't have to re-encrypt... I have done this in the past and it works fine, and actually the developer includes a few unencrypted files with the original distribution.   Having said that, I would only want to deal with Application.cfc, otherwise it's way too much to re-work.

                         

                        I guess I still can't mark this thread correct or closed as the original question remains.

                        • 9. Re: You should in any case apply the scriptProtect security setting
                          WolfShade Level 4

                          codeshed wrote:

                           

                          I guess I still can't mark this thread correct or closed as the original question remains.

                          Up to you.  Good luck with the Portcullis.  It hasn't been updated in years, but it still works quite well for CF9 and earlier.

                           

                          V/r,

                           

                          ^_^

                          • 10. Re: You should in any case apply the scriptProtect security setting
                            codeshed Level 1

                             Adding scriptprotect="all" to the application.cfc does the trick... now entering something like <script>alert("hello");</script> in a form field ends up like <invalidtag>alert("hello");</script>.

                             

                             Whereas Global Script Protection at the CF Admin level (v9.01) does nothing.

                             

                            It's a start!

                            • 11. Re: You should in any case apply the scriptProtect security setting
                              BKBK Adobe Community Professional & MVP

                              As you have discovered, the setting for script-protection is (in Application.cfc):

                               

                              this.scriptProtect="all"; /* Alternative values are "none" or a comma-delimited list of the scopes you wish to protect */

                               

                              There is a risk if you fill in a wrong value. Remember that, here, as with most other ColdFusion settings, the value that you set within the application overrides that of the Coldfusion Administrator. Filling the wrong value in Application.cfc may therefore make the setting ineffective. That is perhaps what happened.

                              • 12. Re: You should in any case apply the scriptProtect security setting
                                BKBK Adobe Community Professional & MVP

                                WolfShade wrote:

                                 

                                But, to be honest, the best thing you can do is upgrade to AT LEAST CF10, so you can take advantage of canonicalize() and the ESAPI features that are new to CF10.

                                Just for information: you can apply canonicalize in Coldfusion 8 and 9. For example,

                                 

                                 <cfset strText = 'Hello, world. This is the &lt;strong&gt;greatest&lt;/strong&gt; example in the world.' />

                                 <!--- Instantiate the ESAPI object. --->
                                 <cfset objESAPI = createObject("java","org.owasp.esapi.ESAPI") />

                                 <!--- Assign the Encoder class to a new variable. --->
                                 <cfset objEncoder = objESAPI.encoder() />

                                 <!--- Canonicalize the provided string. --->
                                 <cfset strText = objEncoder.canonicalize(strText, false) />

                                 canonicalized: <cfoutput>#strText#</cfoutput>

                                 

                                See Canonicalize Method in ColdFusion 8 and ColdFusion 9 || Matt Gifford - Monkeh Works Ltd

                                • 13. Re: You should in any case apply the scriptProtect security setting
                                  codeshed Level 1

                                   Trying to further secure the app, but I only have access to some of the source code... Adding scriptprotect="all" to the application.cfc catches some XSS options, but things like this entered into a text field don't get caught by default:

                                  1234" style="background:expression(alert(1345))

                                   

                                  Adjusting the neo-security.xml to something like this helps, but I am sure there are other ways to inject undesirable stuff in to form fields:

                                   <struct type='coldfusion.server.ConfigMap'>
                                     <var name='&lt;\s*(object|embed|script|applet|meta|iframe)'>
                                       <string>&lt;InvalidTag</string>
                                     </var>
                                     <var name='style=|iframe|:expression|script|src|}|{'>
                                       <string>++</string>
                                     </var>
                                   </struct>

                                   

                                   Ideally I would like the regular expressions to clear the string if they find anything they don't like, but it seems these settings only do a direct replace.

                                   

                                   Anyone have a better idea of how these settings work?

                                   

                                   PS - I don't think I can introduce "canonicalize" mentioned above as I don't have source code access to the various forms.
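To make the scriptProtect behaviour described in replies 10, 11 and 13 concrete, here is a Python model added to this thread (it is not ColdFusion's own implementation and not code from any poster): it applies the two regex rules from the neo-security.xml fragment above to the thread's sample inputs and sets the result beside plain HTML output encoding of the same values. Case-insensitive matching and the rule order are assumptions of the model.

```python
import html
import re

# Rules modelled on the neo-security.xml fragment posted in reply 13,
# as (regex, replacement) pairs applied in order. Case-insensitive
# matching is an assumption of this model, not something the thread states.
DEFAULT_RULES = [
    (r"<\s*(object|embed|script|applet|meta|iframe)", "<InvalidTag"),
]
EXTENDED_RULES = DEFAULT_RULES + [
    (r"style=|iframe|:expression|script|src|}|{", "++"),
]


def script_protect(value: str, rules=DEFAULT_RULES) -> str:
    """Blacklist filter: rewrite every match of every rule, in rule order."""
    for pattern, replacement in rules:
        value = re.sub(pattern, replacement, value, flags=re.IGNORECASE)
    return value


def escape_for_html(value: str) -> str:
    """Output encoding: the value stays intact but cannot break out of
    an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


# Constructed sample inputs, taken from the thread's own examples.
SCRIPT_INPUT = "Test<script>alert('hello');</script>"
ATTRIBUTE_INPUT = '1234" style="background:expression(alert(1345))'
BENIGN_INPUT = "Job description"


def compare(value: str) -> dict:
    """Show what each approach does to one value."""
    return {
        "default_rule": script_protect(value),
        "extended_rules": script_protect(value, EXTENDED_RULES),
        "html_escaped": escape_for_html(value),
    }


if __name__ == "__main__":
    for sample in (SCRIPT_INPUT, ATTRIBUTE_INPUT, BENIGN_INPUT):
        for name, result in compare(sample).items():
            print(f"{name:15} {result}")
        print()
```

The run shows why the attribute-context sample passes the default rule untouched and why the extended rule mangles ordinary words such as "description", while output encoding leaves the data intact and still inert.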