Pete FreitagPrefix Serialized JSON in ColdFusion
When ColdFusion 8 added the ability to return data from remote functions formatted with JSON they also added some settings that allow you to put a prefix on the JSON string.
Why would I want to prefix my JSON?
The reason this setting exists is to prevent a hack called JSON hijacking. Services such as GMail, and twitter have suffered from JSON hijacking.
It works by embedding a script tag pointing to the JSON url on the attack site, eg hacker-site.com:
<script src="http://bank.example.com/account-info.json">
Now if you have recently logged into bank.example.com your authentication cookies will be sent in the script tag request to bank.example.com and your account info will be returned. Now the tricky part. In order for hacker-site.com to read the JSON data they can attempt to override the JavaScript Array constructor (which doesn't work on modern browsers) or on some browsers the __defineSetter__ (works on firefox) method.
So this brings us back to our question Why would I want to prefix JSON?. When you prefix with // it effectively makes the script evaluate as a comment, and these exploits won't work. Google takes a more nasty approach, they use while(1); as their JSON prefix, this will put the victim's browser in an infinite loop.
How do I enable a JSON Prefix in ColdFusion?
ColdFusion 8, and 9 added a setting in the ColdFusion administrator called Prefix serialized JSON with: which allows to to enter a prefix (the default being //.
It can also be toggled on in the Application.cfc by adding the following inside the cfcomponent tag:
<cfset this.secureJSON = true> <cfset this.secureJSONPrefix = "//">
And finally you can enable the prefix
within a cffunction call using the secureJSON attribute.
Will this break my code?
It might, if you are only using this feature with ColdFusion's ajax tags then it will automatically remove the prefix for you. If you are calling remote methods with returnformat=json using your own JavaScript then you need to remove the prefix before parsing the json.
The prefix will also be added when you call the SerializeJSON function. There is currently no argument in SerializeJSON to toggle this behavior, I have filed an enhancement request: 80423 3040329 for such as setting.
Examples, References:
Checkout Phil Haack's blog for more info about these vulnerabilities.
Like this? Follow me ↯
Tweet Follow @pfreitagPrefix Serialized JSON in ColdFusion was first published on October 20, 2009.
If you like reading about json, hijacking, coldfusion, security, cffunction, or cfcomponent then you might also like:
- Speaking at ColdFusion Summit Online Next Week
- OpenSSL and ColdFusion / Lucee / Tomcat
- ColdFusion Security Training Class December 2022
- ColdFusion Summit 2022 Slides
- Ways to suppress a finding in Fixinator
- Spring4Shell and ColdFusion
- Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee
- ColdFusion 2020 Developer Week - Securing CF
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.
I've also added a comment to the CF9 SerializeJSON doc: http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-79fa.html
Thank you for writing this entry,
-Aaron