• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Re: CryptoJS v3.1.2 vulnerability

New Here ,
Aug 05, 2024 Aug 05, 2024

Copy link to clipboard

Copied

Currently, I am using CryptoJS v3.1.2 Library file which has vulnerabilty. How to mitigate this issue in Coldfusion?

Views

310

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 2 Correct answers

Community Expert , Aug 14, 2024 Aug 14, 2024

CryptoJS is client-side, with the client, usually the browser, as domain. Whereas, ColdFusion is server-side, with the server as domain.

 

So we should not expect ColdFusion to be responsible for a client-side task such as "hide the credit card in payload".  As CryptoJS has been discontinued,  an obvious solution is to:

  • Get a client-side alternative to CryptoJS. A quick search on the web gives Stanford Javascript Crypto Library, JSEncrypt and Web Cryptography API. 

Votes

Translate

Translate
Community Expert , Aug 14, 2024 Aug 14, 2024

Could you share your code, together with comments on what you wish to achieve? Then we'll know what to test.

Votes

Translate

Translate
Community Expert ,
Aug 06, 2024 Aug 06, 2024

Copy link to clipboard

Copied

I'm pretty sure this isn't included with ColdFusion. So I don't think you can mitigate it in ColdFusion. It's a Node.js package I think.

 

https://security.snyk.io/package/npm/crypto-js/3.1.2

 

https://github.com/brix/crypto-js - apparently it's now discontinued in favor of the Crypto module built into Node.js

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 07, 2024 Aug 07, 2024

Copy link to clipboard

Copied

@Janaki30364817ulno , why do you even continue to use Javascript for encryption and decryption in a ColdFusion application? I would suggest you do away with Javascript encryption altogether.

 

Nowadays, ColdFusion has its own in-built encryption/decryption library. The encryption is powerful. Also, using it automatically offers you the advantage of Adobe's upgrades and updates. 

 

The following example conveys the flavour of ColdFusion's encryption/decryption library:

 

<!--- Tested on ColdFusion 2023 --->
<cfset plainText = "Hello, World!">
<cfset secretKey = generateSecretKey("AES",256)>
<cfset algorithm = "AES/CBC/PKCS5Padding">
<cfset encryptedText = encrypt(plainText, secretKey, algorithm, "hex")>
<cfset decryptedText = decrypt(encryptedText, secretKey, algorithm, "hex")>

<cfoutput>
    Encrypted Text: #encryptedText#<br>
    Decrypted Text: #decryptedText#
</cfoutput>

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 14, 2024 Aug 14, 2024

Copy link to clipboard

Copied

I would like to do client side encryption to hide the credit card information in payload so i used this logic in client side encryption using javascript and server side decryption in coldfusion. We have implemented this logic in CryptoJS 3.1.2 which has vulnerabilites and latest version of CryptoJS 4.2.0 also discontinued. I want to hide the credit card in payload. What's the best way to implement this logic in Coldfusion?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 14, 2024 Aug 14, 2024

Copy link to clipboard

Copied

CryptoJS is client-side, with the client, usually the browser, as domain. Whereas, ColdFusion is server-side, with the server as domain.

 

So we should not expect ColdFusion to be responsible for a client-side task such as "hide the credit card in payload".  As CryptoJS has been discontinued,  an obvious solution is to:

  • Get a client-side alternative to CryptoJS. A quick search on the web gives Stanford Javascript Crypto Library, JSEncrypt and Web Cryptography API. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 14, 2024 Aug 14, 2024

Copy link to clipboard

Copied

I tried with Stanford Javascript Crypto Library to encrypt, but unable to decrypt in coldfusion.
Could you give me a sample code

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 14, 2024 Aug 14, 2024

Copy link to clipboard

Copied

Could you share your code, together with comments on what you wish to achieve? Then we'll know what to test.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 14, 2024 Aug 14, 2024

Copy link to clipboard

Copied

<cfscript>
// Load BouncyCastle provider
javaLoader = createObject("java", "java.security.Security");
bouncyCastleProvider = createObject("java", "org.bouncycastle.jce.provider.BouncyCastleProvider").init();
javaLoader.addProvider(bouncyCastleProvider);

// Example values (replace with actual values)
encryptedMessage = '{"iv":"3atIpqYRBUIDZD3LlFoDcQ==","v":1,"iter":10000,"ks":128,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"0ZbZ5Jq92Tc=","ct":"YcPM/jQ1PImAZzUV6+WyXsPCbxuQK5fBs34="}'; // SJCL encrypted message JSON
key = "mySecretKey"; // The password/key used for encryption

// Parse the encrypted message (assuming JSON format)
decryptedData = deserializeJSON(encryptedMessage);
salt = binaryDecode(decryptedData.salt, "base64");
iv = binaryDecode(decryptedData.iv, "base64");
ciphertext = binaryDecode(decryptedData.ct, "base64");

// Key Derivation (PBKDF2 with HMAC-SHA256)
generator = createObject("java", "org.bouncycastle.crypto.generators.PBKDF2ParametersGenerator").init(
createObject("java", "org.bouncycastle.crypto.digests.SHA256Digest").newInstance()
);
generator.init(createObject("java", "org.bouncycastle.crypto.params.KeyParameter").newInstance(key.getBytes(), salt));
keyParams = generator.generateDerivedParameters(256);
key = keyParams.getKey();

// Decrypt
cipher = createObject("java", "javax.crypto.Cipher").getInstance("AES/CBC/PKCS5Padding", "BC");
cipher.init(2, createObject("java", "javax.crypto.spec.SecretKeySpec").newInstance(key, "AES"), createObject("java", "javax.crypto.spec.IvParameterSpec").newInstance(iv));
decryptedText = toString(cipher.doFinal(ciphertext), "UTF-8");

// Output the decrypted message
writeOutput("Decrypted Message: " & decryptedText);
</cfscript>

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 14, 2024 Aug 14, 2024

Copy link to clipboard

Copied

Please ignore this code. I am experincing issue in below code. 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 14, 2024 Aug 14, 2024

Copy link to clipboard

Copied

<script>
async function encryptData(plainText, key) {
const encoder = new TextEncoder();
const data = encoder.encode(plainText);

// Generate a random IV
const iv = crypto.getRandomValues(new Uint8Array(16)); // AES block size is 16 bytes

// Import the key for AES-CBC
const cryptoKey = await crypto.subtle.importKey(
'raw',
key,
{ name: 'AES-CBC', length: 128 },
false,
['encrypt']
);

// Encrypt the data
const encryptedBuffer = await crypto.subtle.encrypt(
{ name: 'AES-CBC', iv: iv },
cryptoKey,
data
);

// Combine IV and encrypted data for transmission
const combined = new Uint8Array(iv.byteLength + encryptedBuffer.byteLength);
combined.set(iv);
combined.set(new Uint8Array(encryptedBuffer), iv.byteLength);

return btoa(String.fromCharCode(...combined)); // Encode as base64
}

// Example usage
(async () => {
const key = crypto.getRandomValues(new Uint8Array(16)); // 128-bit key
const encryptedBase64 = await encryptData('Secret message', key);
console.log('Encrypted (Base64):', encryptedBase64);

// Export key to Base64 for use in ColdFusion
const keyBase64 = btoa(String.fromCharCode(...key));
console.log('Key (Base64):', keyBase64);
})();


</script>
<cfscript>
function decryptAES_CBC(encryptedBase64, keyBase64) {
// Convert base64 to binary
encryptedBytes = toBinary(encryptedBase64);
keyBytes = toBinary(keyBase64);

// Extract the IV and encrypted data
ivLength = 16; // AES block size
iv = arraySlice(encryptedBytes, 1, ivLength);
encryptedData = arraySlice(encryptedBytes, ivLength + 1);

// Create a Java AES/CBC/PKCS5Padding Cipher instance
cipher = createObject("java", "javax.crypto.Cipher").getInstance("AES/CBC/PKCS5Padding");

// Generate the secret key from byte array
keySpec = createObject("java", "javax.crypto.spec.SecretKeySpec").init(keyBytes, "AES");
ivSpec = createObject("java", "javax.crypto.spec.IvParameterSpec").init(iv);

// Initialize the cipher for decryption
cipher.init(2, keySpec, ivSpec);

// Decrypt the data
decryptedBytes = cipher.doFinal(encryptedData);

// Convert decrypted bytes to string
decryptedString = binaryDecode(decryptedBytes, "utf-8");

return decryptedString;
}

// Example usage
keyBase64 = "QNPeiLBgxpEItOrNWWb1PA=="; // Replace with the actual key from JavaScript
encryptedBase64 = "+6DQ8IlZUt+M11/SVxWZLNWmI5EwCFWy6wVgr9uoU5w="; // Replace with the actual data from JavaScript

decrypted = decryptAES_CBC(encryptedBase64, keyBase64);
writeOutput("Decrypted: " & decrypted);
</cfscript>

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 14, 2024 Aug 14, 2024

Copy link to clipboard

Copied

LATEST

Suggestions:

  1.  The call cipher.doFinal() returns a binary. So replace
// Decrypt the data
decryptedBytes = cipher.doFinal(encryptedData);

with

// Decrypt the data, converting result from binary to Base64 string
decryptedBytesBinary = cipher.doFinal(encryptedData);
decryptedBytes=binaryEncode(decryptedBytesBinary,"base64");

2.  UTF-8 is not a valid value for the encoding attribute of binaryDecode(). The proper encoding required is Base64. So, replace

// Convert decrypted bytes to string
decryptedString = binaryDecode(decryptedBytes, "utf-8");

with

	// Convert decrypted bytes to base64 string
	decryptedString = binaryDecode(decryptedBytes, "base64");

3.  The argument of writeoutput() and first argument of decryptAES_CBC() should be strings. So replace

decrypted = decryptAES_CBC(encryptedBase64, keyBase64);
writeOutput("Decrypted: " & decrypted);

with

decrypted = decryptAES_CBC(toString(encryptedBase64), keyBase64);
writeOutput("Decrypted: " & toString(decrypted));


If the replacements went well, you should receive the result:
Decrypted: Secret message




Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation