Enabling Global Script Protection is not working while adding "&"

Hi All,
To prevent cross-site scripting attacks I ticked the check box "Enable Global Script Protection" in CF admin. But it is not working, I mean it is not able to prevent the scripting attacks.
Steps I followed
1] I executed the below URL.
     https://xyz.abc.com/index.cfm?cardholder_number=&<script>alert(1)</script>
2] In the front end I got a javascript alert message as injected in the URL.
But this alert message should not come as I have enabled script protection in CF admin. Right????
Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>) from the above URL and then I was not getting the javascript alert message. Does this mean that script protection will not work if we are adding "&" to the URL?
I searched the neo-security.xml and it looks like below.
<var name='CrossSiteScriptPatterns'><struct type='coldfusion.server.ConfigMap'><var name='&lt;\s*(object|embed|script|applet|meta)'><string>&lt;InvalidTag</string></var></struct></var>
Can anyone help me out to fix this?

Abdul L Koyappayil wrote:
But still one doubt remains why alert message is coming only when there is "&" in the URL??
This happens with "&" because it is a special Javascript symbol whose purpose is to delimit - that is, separate - the key-value pairs in the URL's query-string. For example, in the URL www.myDomain.com/index.cfm?a=1&b=2, the "&" delimits the query-string into the 2 key-value pairs
a=1
b=2
Let us then consider the case where the URL is www.myDomain.com/index.cfm?cardholder_number=&<script>alert(1)</script>. The & will delimit the query-string into
cardholder_number=
<script>alert(1)</script>
The presence of '&' implies there are 2 variables. However, there is only one '=' sign, which means there is just one key-value pair. In addition, cardholder_number is a legal name for a URL variable, whereas <script>alert(1)</script> is not. The browser therefore sends the following query-string to your application
cardholder_number=EMPTY_STRING&<script>alert(1)</script>
However, Coldfusion's scriptprotect feature will intervene and neutralize this to
cardholder_number=EMPTY_STRING&<invalidtag>alert(1)</script>
which is harmless. These will enter into Coldfusion as the URL variables
cardholder_number=EMPTY_STRING
EMPTY_STRING=EMPTY_STRING
The special nature of '&' as delimiter is what prompts the browser to run the script. In fact, by default, browsers will run any Javascript that you place in the query-string. Run this, for example
http://www.myDomain.com/index.cfm?<script>alert(1)</script>
But what reason will I give if they ask me why the javascript alert is coming then?
As you have just seen, the <script> tag cannot come in. The alert occurs at the browser - that is, at the client - but Coldfusion runs at the server. Communication between client and server is by means of the URL variables that the client sends to the server. For the attack to be effective, it has to be sent in the form
sneakyVar=<script>alert(1)</script>
That is not the case here.
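To make the delimiter effect concrete, here is an added Python model (not ColdFusion's own code) of the scriptProtect rewrite, using the pattern quoted from neo-security.xml above. It assumes the filter is applied to URL variable values only, shows what survives in each of the two URLs from the post, and shows output encoding of both names and values as the check that does not depend on how the query string was split.

```python
import html
import re
from urllib.parse import parse_qsl

# Pattern copied from the neo-security.xml excerpt quoted above, with the
# XML entity &lt; decoded back to '<'. It only matches the *opening* tag:
# '\s*' does not match '/', so '</script>' is left untouched.
CROSS_SITE_SCRIPT_PATTERN = re.compile(
    r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE
)

def script_protect(value: str) -> str:
    """Model of the scriptProtect rewrite: the matched '<tag' prefix is
    replaced with '<InvalidTag', so '<script>alert(1)</script>' becomes
    '<InvalidTag>alert(1)</script>', which no browser executes."""
    return CROSS_SITE_SCRIPT_PATTERN.sub("<InvalidTag", value)

def url_scope(query: str) -> list[tuple[str, str]]:
    """Split a query string on '&' into (name, value) pairs, as the server
    does, and run the filter over each value. Assumption for this model:
    the filter is applied to variable values, not to variable names."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return [(name, script_protect(value)) for name, value in pairs]

def render_variables(query: str, encode_output: bool) -> str:
    """HTML a page would emit if it listed every URL variable it received,
    with or without output encoding. Encoding names as well as values is
    what stops the payload regardless of which side of '=' it landed on."""
    items = []
    for name, value in url_scope(query):
        if encode_output:
            name = html.escape(name, quote=True)
            value = html.escape(value, quote=True)
        items.append(f"<li>{name}={value}</li>")
    return "<ul>" + "".join(items) + "</ul>"

if __name__ == "__main__":
    # Constructed inputs mirroring the two URLs from the post.
    without_amp = "cardholder_number=<script>alert(1)</script>"
    with_amp = "cardholder_number=&<script>alert(1)</script>"
    print(url_scope(without_amp))   # value neutralised to <InvalidTag>...
    print(url_scope(with_amp))      # payload is now a *name* with an empty value
    print(render_variables(with_amp, encode_output=False))
    print(render_variables(with_amp, encode_output=True))
```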

Similar Messages

  • Global Script Protect and data uploading

    I need to allow some users to upload data to our database
    that includes html tags. When global script protect is on all these
    tags are made safe and the content loses its formatting.
    When I disable global script protect it is possible to load
    an iframe externally to simulate a cross-site script attack.
    How can I prevent the cross site scripting but still allow
    users to upload html content to the database?
    I'm using Fusebox 3 if that matters.

    echowebs wrote:
    > isn't there a more beneficial 'server compliant' way to
    > parse all these things than having to parse them on
    > every page call on my site?
    > Sorry I am venting b/c I have spent hours on this crazy
    > thing this morning and it is driving me nuts :)
    > thanks Ian
    Well, not with ColdFusion. Since by the time ColdFusion gets the request it is too late for a server option. You, of course, could easily put such search logic in an Application.cfm|.cfc template that is automatically run every request. But yes, ColdFusion based tools will run every request.
    If you want something 'server compliant' then you need to look at the setting and configuration options of your web server, i.e. IIS or Apache. This is the system that could do something more globally. I do not know what, since I have never had to deal with this level.
    But, the reality of HTTP based systems, is that every request is unqualifiedly untrusted and if you must build a secure system you just have to work with that situation. Every request could include malicious code in the Get, Post, Cookie, etc and if you just process this data without screening it, then trouble can ensue.

  • How do I get around global script protection in my CMS?

    We have global script protection enabled on our CF server.  I am the admin with full rights.  The tags it scans for and replaces with "invalidTag" are these, which are located in the neo-security.xml file:
         object|iframe|embed|xss|script|javascript|applet|meta
    However, we occasionally introduce these tags into pages controlled by our CMS, which of course go into a database.  When that happens the tags are replaced with "invalidTag".
    I want and need script protection enabled to prevent against hackers, but I also want to be able to add these tags to our local CMS.  What is the best way around this?  Right now, I actually had to remove "object" and "embed" from the list it scans against, but I feel like this defeats the purpose.
    When I Googled this issue I saw a couple of hacks that had something to do with re-writing the tag after it was sent into the database, but that seems kind of polish to me.  I'm wondering if I'm missing some simple trick to get around this.  But then I guess if I could, a hacker could.
    Thanks for any advice.

    Thanks for clearing that up. I think you said it succinctly yourself: 'I actually had to remove "object" and "embed" from the list it scans against, but I feel like this defeats the purpose'. I think it's a matter of weighing the risks and the benefits, and then making a choice.
