Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.

SerializeJson() Escapes Forward-Slashes In ColdFusion

By Ben Nadel on

After my post yesterday about security precautions when using jsStringFormat() in ColdFusion, I wondered if the serializeJson() function would be susceptible to the same kind of Cross-Site Scripting (XSS) attack. Luckily, serializeJson() escapes forward-slashes, which prevents the premature closing of Script tags.

To test this, I created a small ColdFusion object, appended a malicious "</script>" tag to one of the values, and then serialized it for use within a JavaScript context:

<cfscript>

// Our object of user-provided values.
user = {
"name" = "Tricia Smith",
"nickname" = "T-rex"
};

// Attempt to add the malicious code that will break the
// JavaScript code block interpretation.
user.name &= "</script>";

</cfscript>


<!--- ----------------------------------------------------- --->
<!--- ----------------------------------------------------- --->


<cfoutput>
<script type="text/javascript">

var user = #serializeJson( user )#;

</script>
</cfoutput>

When you run this code, and then view the resulting page source, you will see that serializeJson() prevents the interpretation of the closing script tag:

var user = {"name":"Tricia Smith<\/script>","nickname":"T-rex"};

Nicely done, ColdFusion, nicely done. As you can see, the malicious code is blocked because it fails to close the current JavaScript context.
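To show why the "\/" escape matters when JSON is inlined inside a script tag, here is an added JavaScript example (not part of the original post, and not ColdFusion code): it mirrors serializeJson()'s forward-slash escaping on top of JSON.stringify(), checks whether a serialized blob could terminate the enclosing script element, and confirms that the escaped form is still valid JSON that parses back to the same value. The function names are my own, not ColdFusion or browser APIs.

```javascript
// Added example, not from the original post. Function names are assumptions.

// Plain JSON.stringify() leaves "/" untouched, so "</script>" survives verbatim.
function serializePlain(value) {
  return JSON.stringify(value);
}

// Escape every "/" as "\/", as ColdFusion's serializeJson() does. "\/" is a
// legal JSON escape (RFC 8259 permits it), so the result is still valid JSON
// and parses back to the same value, but the byte sequence "</" can no longer
// appear anywhere in the output.
function serializeForScriptTag(value) {
  return JSON.stringify(value).replace(/\//g, "\\/");
}

// Defender's check: a serialized blob is only safe to inline between
// <script> and </script> if it cannot contain "</" (the HTML parser ends the
// script element on "</script", case-insensitively).
function canBreakOutOfScript(serialized) {
  return /<\//i.test(serialized);
}

// Constructed sample input, matching the post's scenario.
const user = { name: "Tricia Smith" + "</script>", nickname: "T-rex" };

const plain = serializePlain(user);
const escaped = serializeForScriptTag(user);

console.log(plain);   // {"name":"Tricia Smith</script>","nickname":"T-rex"}
console.log(escaped); // {"name":"Tricia Smith<\/script>","nickname":"T-rex"}
console.log(canBreakOutOfScript(plain), canBreakOutOfScript(escaped)); // true false
```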




Reader Comments

This is a bug in the implementation of serializeJson(), most likely due to Adobe misreading the JSON spec/RFC.

Slashes don't need to be escaped, and accordingly *shouldn't* be escaped.

This came up on the Railo Google Group a few weeks ago (https://groups.google.com/d/msg/railo/4EiksqmZgas/O30ZvtV8JsoJ), and they have accepted this as a bug (https://issues.jboss.org/browse/RAILO-2807). I'll raise a similar one for CF if CF is doing this too (https://bugbase.adobe.com/index.cfm?event=bug&id=3689049)

--
Adam

@Adam,

If it's a bug, then it's a fortuitous one. Without the escaping of the forward slashes, the object serialization would more likely leave open an opportunity for an XSS attack.

That said, it's possible that serializeJson() was never intended to be used as a way to define actual JavaScript code. Doing so may be outside the bounds of what is considered an accepted use-case.

That said, I _do_ use it that way :)

Convenient as it is, the function's intended purpose is to serialise a CFML object into JSON. It's not serializeJsonAndNodToXss(). A function should generally just do one thing.

CF has other functions specifically for sanitising JS for XSS considerations.

--
Adam

@Adam,

I understand, and I agree. I think the way I use serializeJson() is definitely not how it was intended. And, to be fair, it's in the vast minority of my use-cases. That said, I _do_ use it this way, so it's better to know than to be left in wonder :)

Hi Ben,
When I upgraded to ColdFusion 11, my original code doesn't work any more. The serializeJson works weirdly.
My code is like the following:
<cfset qloops = "Prh8MgOfv/gXkxhBU+FAAFgAgmqOCCAnnRgBIu+EBABAxWaOGFFXrBhhAE+ICADRiGKOKIsHlxB4cBU">
<cfdump var="#serializeJson(qLoops)#">

and I got this:
"Prh8MgOfv/gXkxhB\uFAAFgAgmqOCCAnnRgBI\uEBABAxWaOGFFXrBhhAE+ICADRiGKOKIsHlxB4cBU"

The original gXkxhBU+FAA becomes gXkxhB\uFAA.