Portcullis CFC breaking AJAX-submitted form

LEGEND, Sep 03, 2015

Hello, all,

Is anyone else here using the Portcullis CFC?

I've got a form that submits via AJAX, and as long as I have JavaScript stripping out malicious code, it works great. But if I disable the client-side validation/sanitization and let Portcullis detect the malicious code, Portcullis is set to redirect to the root index page if it detects anything. (I have further server-side validation/sanitization in case JS is disabled.)

Since my form is submitted via AJAX and uses the response to display error/success messages in the DOM, Portcullis is loading the main page as the content to display within the DOM of the form page!

I do NOT have the option of disabling or otherwise skirting Portcullis. I've tried modifying the Application.cfc to check cgi.http_referer: if a particular page is the referrer, don't redirect. It redirects anyway.

Any solutions to this without disabling Portcullis?

V/r,

^_^


Engaged, Sep 03, 2015

Are you testing FORM or URL variables (or both)?  Are you dumping (or emailing) the failed form/URL parameters so you can determine what may be triggering it?  What type of redirect are you performing?  (I'm returning a 403 error instead of redirecting.)

LEGEND, Sep 04, 2015

Hi, Jamo,

I am testing both form and URL scopes. If anything is found, it doesn't email or anything; it just redirects to the /index.cfm page.

I know _what_ is triggering it - I'm testing by placing HTML tags and HTML entities into a textarea. But I need to figure out a way to get it to display an error message if triggered by a specific cgi.http_referer. In the Application.cfc, there is a line:

<cfif session.redirect eq 1>
    <cflocation url="/" addtoken="no" />
</cfif>

I modified this to:

<cfif session.redirect eq 1>
    <!--- cgi.http_referer is the raw Referer header value, which browsers send as a full URL --->
    <cfif trim(cgi.http_referer) eq "formpage.cfm">
        Please correct the following: blah blah blah <cfabort>
    <cfelse>
        <cflocation url="/" addtoken="no" />
    </cfif>
</cfif>

... but the root index page still appears within the DOM of the form page.

V/r,

^_^

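The following is an added example, not code from the thread, from Portcullis or from any of the posters. It combines the Application.cfc block quoted above (the session.redirect flag and the cflocation are taken from the post) with Jamo's earlier suggestion of returning a 403 instead of redirecting. The index page lands in the DOM because XMLHttpRequest follows a 302 transparently, so the form's success callback receives the redirect target's HTML; a 403 with a JSON body reaches the callback as an error instead. The X-Requested-With check assumes the form is posted with jQuery's $.ajax, which sets that header on same-origin requests; a fetch()-based client would have to set it explicitly. Resetting session.redirect after handling it is this example's choice, not something the thread says Portcullis does.

```cfml
<!--- Application.cfc fragment: added example, not code from the thread or from Portcullis.
      Assumes Portcullis has already scanned the request and set session.redirect = 1
      (that flag and the cflocation below come from the original post). --->
<cffunction name="onRequestStart" returntype="boolean" output="true">
    <cfargument name="targetPage" type="string" required="true">
    <cfset var headers = getHttpRequestData().headers>
    <!--- jQuery's $.ajax sends X-Requested-With: XMLHttpRequest on same-origin requests;
          a fetch()-based client must add the header itself (assumption about the form's JS). --->
    <cfset var isAjax = structKeyExists(headers, "X-Requested-With")
                        AND headers["X-Requested-With"] eq "XMLHttpRequest">
    <cfset var payload = {}>

    <cfif structKeyExists(session, "redirect") AND session.redirect eq 1>
        <!--- Clear the flag so one rejected submission does not trip every later request
              in this session (this example's choice, not documented Portcullis behaviour). --->
        <cfset session.redirect = 0>

        <cfif isAjax>
            <!--- XMLHttpRequest follows a 302 silently, so a cflocation here hands the
                  index page's HTML to the form's success callback. A 403 with a JSON body
                  reaches the callback as an error instead and is never written into the DOM. --->
            <cfset payload = {
                "status"  = "rejected",
                "message" = "The submitted text contained markup that is not allowed. Remove HTML tags and entities and try again."
            }>
            <cfheader statuscode="403" statustext="Forbidden">
            <cfcontent type="application/json; charset=utf-8" reset="true">
            <cfoutput>#serializeJSON(payload)#</cfoutput>
            <cfabort>
        <cfelse>
            <!--- Ordinary page request: keep the redirect from the original Application.cfc --->
            <cflocation url="/" addtoken="no">
        </cfif>
    </cfif>

    <cfreturn true>
</cffunction>
```

On the client, branch on the HTTP status (jQuery's error callback, or response.ok with fetch) and only write a response body into the DOM when the status is 2xx. XMLHttpRequest also exposes responseURL, which differs from the URL you requested whenever a redirect was followed, so a handler can refuse to render a redirected response even if the server side is not changed.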
Engaged, Sep 04, 2015

CGI.Referer can be spoofed, not passed by the browser, or stripped by a proxy. I wouldn't trust it entirely except during specific testing.

Do you know which rules are failing?  You could create a copy of the portcullis.cfc, modify it to add some reporting and then use it during your personal session instead of the regular one.

Which version of ColdFusion and hosted OS are you using?

We had to write some exceptions for CKEditor HTML values, but we use JSoup to sanitize them and identify/remove non-approved HTML. It's extremely effective: no XSS or unsupported HTML tags or parameters are returned in the result. (I like this solution too because it allows me to rewrite HTML so that it's more compatible with all email HTML clients.)

    JSOUP - How to get list of disallowed tags found in html?

    http://stackoverflow.com/a/30822689/693068

AntiSamy is another possible solution to sanitize HTML, but I haven't used it.

https://www.petefreitag.com/item/760.cfm

or ESAPI4CF:

https://github.com/damonmiller/esapi4cf

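As an added example of the jsoup approach described above (this is not Jamo's code or the linked Stack Overflow answer), here is a CFML function that cleans a CKEditor-style fragment against jsoup's basic allow-list and reports which tags the allow-list removed, by comparing the tag inventory before and after cleaning. It assumes the jsoup jar is on ColdFusion's classpath (for example through this.javaSettings in Application.cfc on CF10 and later) and uses the jsoup 1.8-era class name org.jsoup.safety.Whitelist; from jsoup 1.14.1 the same class is org.jsoup.safety.Safelist. The sample input is constructed.

```cfml
<!--- Added example, not Jamo's code: allow-list sanitising with jsoup from CFML, plus a report
      of which tags the allow-list removed. Assumes the jsoup jar is on ColdFusion's classpath
      (e.g. through this.javaSettings in Application.cfc on CF10+) and the jsoup 1.8-era class
      name org.jsoup.safety.Whitelist; from jsoup 1.14.1 the same class is org.jsoup.safety.Safelist. --->
<cffunction name="sanitizeHtml" returntype="struct" output="false">
    <cfargument name="dirty" type="string" required="true">
    <cfset var jsoup = createObject("java", "org.jsoup.Jsoup")>
    <cfset var allowList = createObject("java", "org.jsoup.safety.Whitelist").basic()>
    <cfset var result = {}>
    <cfset var elements = "">
    <cfset var i = 0>
    <cfset var tag = "">
    <cfset var tagsBefore = {}>
    <cfset var tagsAfter = {}>
    <cfset var removed = []>

    <!--- Whitelist.basic() keeps a small set of text-formatting tags (a, b, i, p, ul, li, ...)
          and drops every other tag and attribute. Cleaning works on a body fragment, so the
          result carries no <html>/<body> wrapper. --->
    <cfset result.clean = jsoup.clean(arguments.dirty, allowList)>
    <cfset result.isValid = jsoup.isValid(arguments.dirty, allowList)>

    <!--- Tag inventory before and after; the difference is what the allow-list threw away.
          Disallowed attributes (onclick, style, ...) are stripped too but do not show up here. --->
    <cfset elements = jsoup.parseBodyFragment(arguments.dirty).body().select("*")>
    <cfloop from="1" to="#elements.size()#" index="i">
        <cfset tagsBefore[elements.get(i - 1).tagName()] = true>
    </cfloop>
    <cfset elements = jsoup.parseBodyFragment(result.clean).body().select("*")>
    <cfloop from="1" to="#elements.size()#" index="i">
        <cfset tagsAfter[elements.get(i - 1).tagName()] = true>
    </cfloop>
    <cfloop collection="#tagsBefore#" item="tag">
        <cfif tag neq "body" AND NOT structKeyExists(tagsAfter, tag)>
            <cfset arrayAppend(removed, tag)>
        </cfif>
    </cfloop>
    <cfset result.removedTags = removed>

    <cfreturn result>
</cffunction>

<!--- Constructed sample: a CKEditor-style fragment with an injected script, an event-handler
      attribute on an allowed tag, and an iframe. --->
<cfset sample = '<p>Hello <b>world</b></p><script>alert(1)</script><a href="https://example.com" onclick="steal()">link</a><iframe src="x"></iframe>'>
<cfset report = sanitizeHtml(sample)>
<cfdump var="#report#">
```

With the basic allow-list, script and iframe are not permitted, so they appear in removedTags, while the a element survives with its href and its onclick stripped (and rel="nofollow" added, which basic() enforces on links). isValid is false whenever the cleaned output differs from the input, which is the cheap check to run first if you only need to know whether to reject a submission rather than what to tell the user about it.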
LEGEND, Sep 08, 2015

Thank you for replying.  This is soon to be a non-issue.  The decision has been reached (and I like to think I helped push it along) to kick Portcullis to the curb - mostly because the last version was released January 2010.  I am now in the process of trying to implement the new ESAPI for sanitization.  So, I'll now be posting a question in the forum related to that. 

Thanks, and V/r,

^_^
