September 14, 2016
Answered

You should in any case apply the scriptProtect security setting

  • 1 reply
  • 2430 views

I have been testing out Global Script Protection at the CF Admin level (v9.01), but it does not appear to have any effect on the form-posted data... or maybe I am not understanding what it can/should do.

With it on and if I post a form field with something like this entered:

Test<script>alert('hello');</script> 

On the resulting page I get a pop-up alert - I would expect Global Script Protection to stop this?

Restarted both IIS and the CF app, and the variable is not getting set at the application level.

I am looking for a simple way to add some XSS protection to a legacy CF app that has come across my desk. Lots of forms, and I do not have access to the source (encrypted).

Cheers!

Correct answer: codeshed

codeshed wrote:

I guess I still can't mark this thread correct or closed as the original question remains.

Up to you.  Good luck with the Portcullis.  It hasn't been updated in years, but it still works quite well for CF9 and earlier.

V/r,

^_^


Adding scriptprotect="all" to the Application.cfc does the trick... now entering something like <script>alert("hello");</script> in a form field ends up as <invalidtag>alert("hello");</script>.

Whereas Global Script Protection at the CF Admin level (v9.01) does nothing.

It's a start!
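The Application.cfc setting from the accepted answer, together with a page that shows what it does and does not catch. This is an added example, not code posted in the thread or shipped by Adobe; the application name, the template name and the form field are assumptions. scriptProtect rewrites the tag names object, embed, script, applet and meta in the Form, URL, CGI and Cookie scopes to invalidtag before the page runs. It does not inspect any other markup, so an img or svg tag carrying an onerror or onload attribute arrives untouched and still executes; encoding at the point of output with HTMLEditFormat(), which CF9 already has, is what stops both payloads.

```cfml
<!--- Application.cfc (added example; "legacyApp" is an assumed name) --->
<cfcomponent output="false">
    <cfset this.name = "legacyApp">
    <!--- Same effect as scriptProtect="all" on the cfapplication tag.
          "all" covers the Form, URL, CGI and Cookie scopes; a comma-separated
          list of those scope names limits it, and "none" turns it off. --->
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- echo.cfm (added example): what scriptProtect does and does not catch --->
<cfparam name="form.comment" default="">
<cfoutput>
    <!--- Posting Test<script>alert('hello');</script> reaches this line as
          Test<invalidtag>alert('hello');</script>, so the browser shows no alert.
          Posting <img src=x onerror=alert('hello')> reaches it unchanged and
          still runs: scriptProtect only rewrites the five tag names above.
          Printing the raw value is shown here only to make that visible. --->
    <p>Raw:     #form.comment#</p>

    <!--- Encode at the point of output instead: every < > & and " becomes an
          entity, so neither payload executes, with or without scriptProtect. --->
    <p>Encoded: #HTMLEditFormat(form.comment)#</p>
</cfoutput>
```

Post the two payloads to echo.cfm and compare the Raw and Encoded lines. ColdFusion applies the Application.cfc nearest the requested template, so if the legacy application already defines its own Application.cfc the setting has to go into that file (or its cfapplication tag); a second copy placed higher in the tree is not consulted.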


WolfShade
September 14, 2016

Drat... if you were using CF10 or greater, I'd suggest using canonicalize() and then using CFQUERYPARAM for every variable within your SQL. That would drastically reduce the risk of XSS and SQL injection.

However, since you're using an older version, my only suggestion would be to find and download a library called Portcullis.  You can set it so that it will either A) throw an error if it finds something that doesn't belong, or B) give you a chance to sanitize inputs before going to the database.

But, to be honest, the best thing you can do is upgrade to AT LEAST CF10, so you can take advantage of canonicalize() and the ESAPI features that are new to CF10.

HTH,

^_^
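The CF10 approach WolfShade outlines, carried through for one form field, as an added example that is not code from the thread; the datasource, the table and the length limit are assumptions, and it presumes the template can be edited, which the encrypted source in this thread does not allow. canonicalize() collapses double or mixed encodings so that validation sees the same string a browser would; cfqueryparam binds the value so it cannot alter the SQL; and encodeForHTML() at output is the part that neutralises script in the browser, since neither canonicalising nor parameterising changes what the page later prints.

```cfml
<!--- save.cfm (added example; "legacyDSN", the comments table and the
      2000-character limit are assumptions, not taken from the thread) --->
<cfparam name="form.comment" default="">

<!--- 1. Canonicalize: reduce double- or mixed-encoded input (%253C, &#60;, ...)
        to one plain form so the checks below see what a browser would render.
        true, true = reject input that is encoded more than once or in more
        than one scheme instead of silently decoding it. --->
<cftry>
    <cfset clean = canonicalize(form.comment, true, true)>
    <cfcatch type="any">
        <cfthrow type="Application.Validation" message="Suspicious encoding in comment">
    </cfcatch>
</cftry>

<!--- 2. Validate the canonical value against what the field may contain --->
<cfif len(clean) GT 2000>
    <cfthrow type="Application.Validation" message="Comment too long">
</cfif>

<!--- 3. Bind the value: it travels to the driver as a parameter, so quotes,
        semicolons or comment markers in the input never alter the statement --->
<cfquery datasource="legacyDSN">
    INSERT INTO comments (body)
    VALUES (<cfqueryparam value="#clean#" cfsqltype="cf_sql_varchar" maxlength="2000">)
</cfquery>

<!--- 4. Encode for the context the value lands in. Here it is HTML body text;
        use encodeForHTMLAttribute(), encodeForJavaScript() or encodeForURL()
        when it lands in an attribute, a script block or a URL instead. --->
<cfoutput><p>Saved: #encodeForHTML(clean)#</p></cfoutput>
```

The cftry around canonicalize() turns a rejected encoding into an ordinary validation failure rather than a server error, and nothing reaches the query or the page until the value has passed both that check and the length check.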

codeshed (Author)
September 14, 2016

Thanks!  I will take the v10 upgrade recommendation to my client.

As I mentioned, the source is closed source (encrypted). Can Portcullis still be implemented? And are the features in v10 possible to implement in this situation?

And I guess back to my original question: why doesn't enabling Global Script Protection seem to do anything?

For others... looks interesting:

Portcullis | CodFusion

WolfShade
September 15, 2016

Not sure why ScriptProtect didn't do its job.  It should have stripped out the script tag and everything in between.  Do the logs show anything?

If the files were encrypted, they can be decrypted. Whoever encrypted them has the means to do so. Is this person holding the files hostage? I don't know if you can use a combination of encrypted and unencrypted files; I assume that if any files are encrypted, they all go through the same decryptor in order to be processed. Sorry I can't be of more help on that front.

The features in v10 are code, so you would have to have access to the unencrypted files in order to insert canonicalize() into the mix.

V/r,

^_^