ScriptProtect in ColdFusion MX 7 not a catch all
ColdFusion MX 7 has a new feature that "lets you protect one or more variable scopes from cross site scripting (XSS) attacks". It can be turned on in the cfapplication tag using the scriptProtect attribute, or in the ColdFusion Administrator as a global setting.
The feature is a set of regular expressions located in lib/neo-security.xml that replaces the tags object, embed, script, applet, and meta with the tag name InvalidTag when they are passed as input in the Form, URL, CGI, and Cookie scopes (you can pick which ones to check).
It recently came to my attention, however, that scriptProtect does not protect against all possible types of cross site scripting attacks, as you may have assumed.
You can, for instance, do an XSS attack with an iframe, so I felt that the feature gave a false sense of security, and I reported this to the Macromedia security team yesterday. I wanted to give them a chance to fix anything before I made this public. I received a response today:
We've forwarded your input to the development team and they have logged a bug that they will consider fixing for future updates of ColdFusion. At the moment, we feel that the documentation provided is sufficient to let our customers know what the scriptprotect attribute does and does not protect against.
The scriptprotect attribute is meant to supplement best-coding practices; it provides an easy way to filter out certain tag names, but is not meant to be a comprehensive solution against XSS attempts.
I didn't find the documentation to sufficiently explain what was stated in the second paragraph there, so I added it to the live docs. The customer needs to understand all types of cross site scripting attacks in order to deduce that the feature doesn't catch all cases.
You can pretty easily add iframe to the XSS regular expression, but you still won't be safe from all possible attacks.
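To make the point concrete, here is an added example (my own code, not ColdFusion's implementation and not the exact rule shipped in lib/neo-security.xml) that emulates the scriptProtect denylist as a regular expression, runs it over a few constructed inputs, and contrasts it with output encoding. The pattern, the InvalidTag rewrite of closing tags, and the sample inputs are assumptions for illustration; the comparison with htmlEditFormat()-style encoding is the defensive point the post is making.

```python
import html
import re

# Assumed approximation of the scriptProtect rule: the opening of any of the
# five listed tag names is rewritten to InvalidTag, case-insensitively.
SCRIPT_PROTECT_TAGS = ("object", "embed", "script", "applet", "meta")


def build_pattern(tags):
    """Build a denylist pattern for the given tag names (case-insensitive)."""
    alternation = "|".join(re.escape(t) for t in tags)
    return re.compile(r"<\s*(/?)\s*(" + alternation + r")\b", re.IGNORECASE)


DEFAULT_PATTERN = build_pattern(SCRIPT_PROTECT_TAGS)


def script_protect(value, pattern=DEFAULT_PATTERN):
    """Emulate scriptProtect: rewrite only the tag name, leave the rest alone."""
    return pattern.sub(lambda m: "<" + m.group(1) + "InvalidTag", value)


def contains_active_tag(markup, tag):
    """True if an opening tag of the given name is still present."""
    return re.search(r"<\s*" + re.escape(tag) + r"\b", markup, re.IGNORECASE) is not None


def encode_for_html(value):
    """Output encoding, the general defence: every '<' becomes '&lt;', so no tag
    of any name survives, whether or not it is on the denylist. Same idea as
    ColdFusion's htmlEditFormat() at the time of this post."""
    return html.escape(value, quote=True)


# Constructed sample inputs (not from the original post).
SAMPLES = {
    "script": "<script>alert(1)</script>",
    "iframe": '<iframe src="http://example.invalid/"></iframe>',
    "mixed_case": "<ScRiPt>alert(1)</ScRiPt>",
}


def filter_report(samples, pattern=DEFAULT_PATTERN):
    """For each sample, apply the denylist and report whether a script or
    iframe tag is still live afterwards."""
    report = {}
    for name, raw in samples.items():
        filtered = script_protect(raw, pattern)
        still_live = any(contains_active_tag(filtered, t) for t in ("script", "iframe"))
        report[name] = {"filtered": filtered, "still_live": still_live}
    return report


if __name__ == "__main__":
    for name, row in filter_report(SAMPLES).items():
        print(f"{name:>10}: live={row['still_live']}  {row['filtered']}")
    extended = build_pattern(SCRIPT_PROTECT_TAGS + ("iframe",))
    print("with iframe added:", filter_report(SAMPLES, extended)["iframe"]["still_live"])
    print("encoded:", encode_for_html(SAMPLES["iframe"]))
```

Running it shows the script samples neutralised, the iframe passing straight through the default denylist, and the iframe caught once it is added to the list; the encoded output contains no `<` at all, which is why escaping untrusted data at output time is the control to rely on, with scriptProtect as a supplement.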