Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.
I am the chief technical officer at InVision App, Inc - a prototyping and collaboration platform for designers, built by designers. I also rock out in JavaScript and ColdFusion 24x7.

SerializeJson() Escapes Forward-Slashes In ColdFusion

By Ben Nadel on

After my post yesterday about security precautions when using jsStringFormat() in ColdFusion, I wondered whether the serializeJson() function would be susceptible to the same kind of Cross-Site Scripting (XSS) attack. Luckily, serializeJson() escapes forward-slashes, which prevents a "</script>" embedded in a serialized string value from prematurely closing the Script tag that contains it.

To test this, I created a small ColdFusion object, appended a malicious "</script>" tag to one of the values, and then serialized it for use within a JavaScript context:

<cfscript>

	// Our object of user-provided values.
	user = {
		"name" = "Tricia Smith",
		"nickname" = "T-rex"
	};

	// Attempt to add the malicious code that will break the
	// JavaScript code block interpretation.
	user.name &= "</script>";

</cfscript>


<!--- ----------------------------------------------------- --->
<!--- ----------------------------------------------------- --->


<cfoutput>
	<script type="text/javascript">

		var user = #serializeJson( user )#;

	</script>
</cfoutput>

When you run this code and view the resulting page source, you will see that serializeJson() has escaped the forward-slash, so the browser never encounters a closing script tag inside the string value:

var user = {"name":"Tricia Smith<\/script>","nickname":"T-rex"};

Nicely done, ColdFusion, nicely done. As you can see, the malicious code is blocked because it fails to close the current JavaScript context: the HTML parser is looking for the literal character sequence "</script", and "<\/script>" does not match it, while the JavaScript engine still decodes the escaped value back to "</script>" for the page's own use.
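The same experiment repeated outside ColdFusion, as an added example that is not code from the original post: Node's JSON.stringify does not escape "/", so a naive render reproduces the break-out, and a small jsonForScript() helper applies the same "</" to "<\/" rewrite that serializeJson() performs. The user data is constructed for the example, and browserView() is a deliberately simplified model of the HTML tokenizer's script-data rule (an assumption of this example, not a real parser).

```javascript
// Added example (not code from the original post): the post's experiment
// repeated in Node.js. JSON.stringify, unlike ColdFusion's serializeJson(),
// does NOT escape "/", so it reproduces the break-out; jsonForScript() below
// applies the same "</" -> "<\/" rewrite and browserView() shows why it works.

// Constructed sample of user-controlled data, mirroring the post's "user"
// struct. The name carries the post's "</script>" payload plus an element
// that would be parsed as markup once the script context is closed; the bio
// carries U+2028, which is valid inside a JSON string but was a line
// terminator inside JavaScript string literals before ES2019.
const user = {
  name: "Tricia Smith</script><img src=x onerror=alert(1)>",
  nickname: "T-rex",
  bio: "line one\u2028line two",
};

// Vulnerable: JSON.stringify leaves "</script>" intact inside the value.
function renderUnsafe(obj) {
  return "<script>var user = " + JSON.stringify(obj) + ";</script>";
}

// Hardened: rewrite "</" as "<\/", the escape serializeJson() emits for "/".
// "\/" is a legal JSON escape (RFC 8259, section 7), so the text is still
// valid JSON and decodes to the same string; the HTML tokenizer, which looks
// for the literal characters "</script", no longer finds them.
// U+2028/U+2029 are written as \u escapes for the older-engine reason above.
function jsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(obj) {
  return "<script>var user = " + jsonForScript(obj) + ";</script>";
}

// Simplified model (an assumption of this example, not a full parser) of the
// HTML tokenizer's "script data" rule: a <script> element's content ends at
// the first case-insensitive "</script", regardless of any JavaScript quoting
// around it. Returns the source the browser would execute as the script body
// and the text it would go on to parse as ordinary markup.
function browserView(html) {
  const start = html.indexOf("<script>") + "<script>".length;
  const end = html.toLowerCase().indexOf("</script", start);
  const close = html.indexOf(">", end) + 1;
  return { body: html.slice(start, end), rest: html.slice(close) };
}

// The object the executed script would assign to "user", or null when the
// body was cut short and is no longer a complete assignment statement.
function userAssignedByScript(html) {
  const match = /^var user = ([\s\S]*);$/.exec(browserView(html).body);
  if (!match) return null;
  try {
    return JSON.parse(match[1]);
  } catch (err) {
    return null;
  }
}

// Run stand-alone to see both renderings side by side.
if (typeof require !== "undefined" && require.main === module) {
  for (const render of [renderUnsafe, renderSafe]) {
    const html = render(user);
    const view = browserView(html);
    console.log(render.name);
    console.log("  executed by browser:", JSON.stringify(view.body));
    console.log("  parsed as markup:   ", JSON.stringify(view.rest));
    console.log("  user.name seen by JS:", (userAssignedByScript(html) || {}).name);
  }
}
```

With the unsafe render, the script body the browser executes stops at "Tricia Smith" and the injected img element is parsed as markup; with the hardened render, the whole object survives and JSON.parse recovers the original "</script>" in the name. Escaping every "<" as "\u003c" (also valid in both JSON and JavaScript) is the more general form of the same idea and additionally neutralizes "<!--", which the tokenizer also treats specially inside script data.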




Reader Comments

This is a bug in the implementation of serializeJson(), most likely due to Adobe misreading the JSON spec/RFC.

Slashes don't need to be escaped, and accordingly *shouldn't* be escaped.

This came up on the Railo Google Group a few weeks ago (https://groups.google.com/d/msg/railo/4EiksqmZgas/O30ZvtV8JsoJ), and they have accepted this as a bug (https://issues.jboss.org/browse/RAILO-2807). I'll raise a similar one for CF if CF is doing this too (https://bugbase.adobe.com/index.cfm?event=bug&id=3689049).

--
Adam


@Adam,

If it's a bug, then it's a fortuitous one. Without the escaping of the forward slashes, the object serialization would more likely leave open an opportunity for an XSS attack.

That said, it's possible that serializeJson() was never intended to be used as a way to define actual JavaScript code. Doing so, may be outside the bounds of what is considered an accepted use-case.

That said, I _do_ use it that way :)


Convenient as it is, the function's intended purpose is to serialise a CFML object into JSON. It's not serializeJsonAndNodToXss(). A function should generally just do one thing.

CF has other functions specifically for sanitising JS for XSS considerations.

--
Adam


@Adam,

I understand, and I agree. I think the way I use serializeJson() is definitely not how it was intended. And, to be fair, it's in the vast minority of my use-cases. That said, I _do_ use it this way, so it's better to know than to be left in wonder :)
