Enabling Global Script Protection is not working while adding "&"

Question

Hi All,To prevent crosssite scripting attacks I ticked the the check box "Enable Global Script Protection" in CF admin. But it is not working , I mean not able to prevent the scripting attacks.Steps I followed1] I executed the below URL. https://xyz.abc.com/index.cfm?cardholder_number=&2] In the fornt end I got a javascript alert message as injected in the URL.But this alert message should not come as I have enabled script protection in CF admin. Right????Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=) from the above URL then I was not getting the javascript alert message. Does this mean that script protection will not work if we are adding "&" to the URL????.I searched the neo-security.xml and its looks like below.<InvalidTagCan any one help me out to fix this.

BKBK · Accepted Answer

Abdul L Koyappayil wrote:But still one doubt remains why alert message is coming only when there is "&" in the URL??This happens with "&" because it is a special Javascript symbol whose purpose is to delimit - that is, separate - the key-value value pairs in the URL's query-string. For example, in the URL www.myDomain.com/index.cfm?a=1&b=2, the "&" delimits the query-string into the 2 key-value pairsa=1b=2Let us then consider the case where the URL is www.myDomain.com/index.cfm?cardholder_number=&. The & will delimit the query-string intocardholder_number=The presence of '&' implies there are 2 variables. However, there is only one '=' sign, which means there is just one key-value pair. In addition, cardholder_number is a legal name for a URL variable, whereas is not. The browser therefore sends the following query-string to your applicationcardholder_number=EMPTY_STRING&However, Coldfusion's scriptprotect feature will intervene and neutralize this tocardholder_number=EMPTY_STRING&alert(1)which is harmless. These will enter into Coldfusion as the URL variablescardholder_number=EMPTY_STRINGEMPTY_STRING=EMPTY_STRINGThe special nature of '&' as delimiter is what prompts the browser to run the script. In fact, by default, browsers will run any Javascript that you place in the query-string. Run this, for examplehttp://www.myDomain.com/index.cfm?But what reason will I say if they are asking me why javascript alert is coming then.As you have just seen, the That is not the case here.

BKBK · Answer

Abdul L Koyappayil wrote:Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=) from the above URL then I was not getting the javascript alert message. Does this mean that script protection will not work if we are adding "&" to the URL????.There is nothing to worry about. Except your code actually reports an issue, which I doubt.A cross-site scripting attack will attempt to sneak a script into your application, by means of a URL variable. That is not what you have here.The query-stringcardholder_number=&cannot pass the script to your page. To be sure, run this on your test page:It will pass the URL variable cardholder_number='', nothing more. (Remember that & is a delimiter that separates the key-value pairs in the URL.) The alert-script may run in the client's browser, and fire the alert, but that is only happening at the client end. Your application will know nothing about that. If potential attackers keep away from you, then you will have no attacker. Added: To see the effect of the Coldfusion Scriptprotect, remove the & and do the URL dump

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded