Enabling Global Script Protection is not working while adding "&"

Explorer, Sep 04, 2014

Hi All,

To prevent cross-site scripting attacks I ticked the check box "Enable Global Script Protection" in CF admin. But it is not working, I mean it is not able to prevent the scripting attacks.

Steps I followed

1] I executed the below URL.

     https://xyz.abc.com/index.cfm?cardholder_number=&<script>alert(1)</script>

2] In the front end I got a JavaScript alert message as injected in the URL.

But this alert message should not come as I have enabled script protection in CF admin. Right?

Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>) from the above URL, and then I was not getting the JavaScript alert message. Does this mean that script protection will not work if we add "&" to the URL?

I searched the neo-security.xml and it looks like below.

<var name='CrossSiteScriptPatterns'><struct type='coldfusion.server.ConfigMap'><var name='&lt;\s*(object|embed|script|applet|meta)'><string>&lt;InvalidTag</string></var></struct></var>

Can anyone help me out to fix this?


Adobe Community Professional, Sep 04, 2014


Could you show us the code of the test page that shows the alert?

Explorer, Sep 04, 2014


I didn't use any test page... I just directly executed it.

To do testing and reproduce, you can do the following:

     1] Tick the check box "Enable Global Script Protection" in CF admin -> Server Settings.

     2] Create a cfm template in your domain and add some HTML content (say test.cfm).

     3] Execute the URL as I explained in my last post (in your case: http(s)://yourdomain.com/index.cfm?x=&<script>alert(1)</script>).

Adobe Community Professional, Sep 04, 2014


Abdul L Koyappayil wrote:

Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>) from the above URL, and then I was not getting the JavaScript alert message. Does this mean that script protection will not work if we add "&" to the URL?

There is nothing to worry about, unless your code actually reports an issue, which I doubt.

A cross-site scripting attack will attempt to sneak a script into your application, by means of a URL variable. That is not what you have here.

The query-string

cardholder_number=&<script>alert(1)</script>

cannot pass the script to your page. To be sure, run this on your test page:

<cfdump var="#url#">

It will pass the URL variable cardholder_number='', nothing more. (Remember that & is a delimiter that separates the key-value pairs in the URL.) The alert-script may run in the client's browser, and fire the alert, but that is only happening at the client end. Your application will know nothing about that. If potential attackers keep away from you, then you will have no attacker.

Added: To see the effect of ColdFusion's ScriptProtect, remove the & and do the URL dump.

Explorer, Sep 04, 2014


Nice explanation, BK... I couldn't think of it that way.

But still one doubt remains: why is the alert message coming only when there is "&" in the URL?

So I can explain to my security team that when script protection is enabled, client-side scripts will not go inside the server (cfm page). OK, I agree.

But what reason will I give if they ask me why the JavaScript alert is coming then? They might think that there is some security hole because of which the alert message is cropping up.

Correct answer by BKBK | Adobe Community Professional, Sep 04, 2014


Abdul L Koyappayil wrote:

But still one doubt remains why alert message is coming only when there is "&" in the URL??

This happens with "&" because it is a special Javascript symbol whose purpose is to delimit - that is, separate - the key-value pairs in the URL's query-string. For example, in the URL www.myDomain.com/index.cfm?a=1&b=2, the "&" delimits the query-string into the 2 key-value pairs

a=1

b=2

Let us then consider the case where the URL is www.myDomain.com/index.cfm?cardholder_number=&<script>alert(1)</script>. The & will delimit the query-string into

cardholder_number=

<script>alert(1)</script>

The presence of '&' implies there are 2 variables. However, there is only one '=' sign, which means there is just one key-value pair. In addition, cardholder_number is a legal name for a URL variable, whereas <script>alert(1)</script> is not. The browser therefore sends the following query-string to your application

cardholder_number=EMPTY_STRING&<script>alert(1)</script>

However, ColdFusion's ScriptProtect feature will intervene and neutralize this to

cardholder_number=EMPTY_STRING&<invalidtag>alert(1)</script>

which is harmless. These will enter into ColdFusion as the URL variables

cardholder_number=EMPTY_STRING

EMPTY_STRING=EMPTY_STRING

The special nature of '&' as delimiter is what prompts the browser to run the script. In fact, by default, browsers will run any Javascript that you place in the query-string. Run this, for example

http://www.myDomain.com/index.cfm?<script>alert(1)</script>

But what reason will I say if they are asking me why javascript alert is coming then.

As you have just seen, the <script> tag cannot come in. The alert occurs at the browser - that is, at the client - but Coldfusion runs at the server. Communication between client and server is by means of the URL variables that the client sends to the server. For the attack to be effective, it has to be sent in the form

sneakyVar=<script>alert(1)</script>

That is not the case here.
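As an added illustration, not code from the thread or from ColdFusion: a small Python model of the two things the answer above describes, the split of the query string on "&" and the neutralization rule from the neo-security.xml entry quoted in the question. The url_scope, neutralize and surviving_tags functions are assumptions of this example; in particular it assumes the rewrite is applied to each percent-decoded key and value, which the page does not spell out, and it also covers the percent-encoded form of the same input, which the thread does not.

```python
import re
from urllib.parse import parse_qsl

# CrossSiteScriptPatterns entry from the neo-security.xml fragment quoted in the
# question: the regex '<\s*(object|embed|script|applet|meta)' is rewritten to
# '<InvalidTag'. Only the pattern text comes from the page; no regex flags are assumed.
XSS_PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)")
REPLACEMENT = "<InvalidTag"


def neutralize(text: str) -> str:
    """ScriptProtect-style rewrite: the opening tag name becomes InvalidTag."""
    return XSS_PATTERN.sub(REPLACEMENT, text)


def url_scope(query_string: str, scriptprotect: bool = True) -> dict:
    """Model (an assumption of this example, not ColdFusion's code) of what reaches
    the page as URL variables.

    '&' delimits fields and '=' splits each field into key and value. A field with
    no '=' becomes a key with an empty value, which is the thread's '&<script>' case.
    Percent-encoding is decoded first, then each key and value is neutralized.
    """
    fields = parse_qsl(query_string, keep_blank_values=True)
    if not scriptprotect:
        return dict(fields)
    return {neutralize(k): neutralize(v) for k, v in fields}


def surviving_tags(scope: dict) -> list:
    """Keys whose name or value still carries a matching tag; empty once neutralized."""
    return [k for k, v in scope.items()
            if XSS_PATTERN.search(k) or XSS_PATTERN.search(v)]


if __name__ == "__main__":
    # The two query strings from the question (constructed here, no server involved).
    for qs in ("cardholder_number=&<script>alert(1)</script>",
               "cardholder_number=<script>alert(1)</script>"):
        protected = url_scope(qs)
        print(qs, "->", protected, "| unprotected:", url_scope(qs, scriptprotect=False))
        assert not surviving_tags(protected)
```

In the "&" case the script text never becomes a variable's value at all, which is why a dump of the URL scope shows only cardholder_number=''; in the case without "&" it is the value, and the rewrite turns the tag into <InvalidTag>.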

Adobe Community Professional, Sep 04, 2014


This thread has information that will help someone else in future. If you are satisfied, please mark the post that you consider to be the correct answer. If you find it necessary, add a further explanatory post, and mark that as the answer.

Explorer, Sep 05, 2014


BKBK wrote:

The special nature of '&' as delimiter is what prompts the browser to run the script. In fact, by default, browsers will run any Javascript that you place in the query-string. Run this, for example

http://www.myDomain.com/index.cfm?<script>alert(1)</script>

I agree that the above URL will execute the JavaScript. But one doubt here. You mentioned that "by default, browsers will run any Javascript that you place in the query-string". If that is the case, then why am I not getting an alert message when hitting a URL like the one below?

     https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>

This URL contains a URL variable (cardholder_number); is that the reason the JavaScript is not executed?

BKBK | Adobe Community Professional, Sep 05, 2014


The explanations and examples were obvious. However, the language could do with some sharpening:

By default, browsers will run any Javascript that occurs as a field in the query-string.


[Context: query-string comprises field1=value1&field2=value2&field3=value3 and so on]
