Prefix Serialized JSON in ColdFusion
When ColdFusion 8 added the ability to return data from remote functions formatted with JSON they also added some settings that allow you to put a prefix on the JSON string.
Why would I want to prefix my JSON?
The reason this setting exists is to prevent a hack called JSON hijacking. Services such as GMail, and twitter have suffered from JSON hijacking.
It works by embedding a script tag pointing to the JSON url on the attack site, eg hacker-site.com:
__defineSetter__ (works on firefox) method.
So this brings us back to our question Why would I want to prefix JSON?. When you prefix with
// it effectively makes the script evaluate as a comment, and these exploits won't work. Google takes a more nasty approach, they use
while(1); as their JSON prefix, this will put the victim's browser in an infinite loop.
How do I enable a JSON Prefix in ColdFusion?
ColdFusion 8, and 9 added a setting in the ColdFusion administrator called Prefix serialized JSON with: which allows to to enter a prefix (the default being
It can also be toggled on in the
Application.cfc by adding the following inside the
<cfset this.secureJSON = true> <cfset this.secureJSONPrefix = "//">
And finally you can enable the prefix
cffunction call using the
Will this break my code?
It might, if you are only using this feature with ColdFusion's ajax tags then it will automatically remove the prefix for you. If you are calling remote methods with
The prefix will also be added when you call the
SerializeJSON function. There is currently no argument in SerializeJSON to toggle this behavior, I have filed an enhancement request:
80423 3040329 for such as setting.
Checkout Phil Haack's blog for more info about these vulnerabilities.
- CFSummit 2016 Slides - October 17, 2016
- Scope Injection in CFML - March 3, 2015
- New HackMyCF Features - October 24, 2013
- J2EE Sessions in CF10 Uses Secure Cookies - April 5, 2013
- Learn about ColdFusion Security at cfObjective 2013 - March 6, 2013
I've also added a comment to the CF9 SerializeJSON doc: http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-79fa.html
Thank you for writing this entry,
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained
- How to Resolve Java HTTPS Exceptions