mattbrundage · August 12, 2024 17:08
diff --git a/index.cfm b/index.cfm

 <!doctype html>
 <html lang="en-us">
 <head>
 	<meta charset="utf-8">
 	<title>&lt;cfdump&gt; is not vulnerable to XSS</title>
 	<style>
 		main {
 			margin-inline: auto;
 			max-width: 800px;
 		}
 		td:not(:last-child) { white-space: nowrap; }
 		td:last-child { word-break: break-all; }
 	</style>
 </head>

 <body>
 	<main>
 		<cfif NOT getPageContext().getResponse().isCommitted()>
 			<!--- inner double quotes are mandatory --->
 			<!--- <cfheader name="Clear-Site-Data" value='"*"' /> --->
 		</cfif>

 		<cfset Variables.exampleValue="<script>alert(0);</script>" />

 		<cfparam name="Form.XSS_attempt" default="#Variables.exampleValue#" />
 		<cfparam name="URL.XSS_attempt" default="#Variables.exampleValue#" />
 		<cfcookie name="XSS_attempt" httpOnly="yes" preserveCase="yes" sameSite="strict" secure="yes" value="#Form.XSS_attempt#" />

 		<h1><code>&lt;cfdump&gt;</code> is not vulnerable to XSS</h1>

 		<h2>Reduced test cases</h2>

 		<p>This page sets the default values of the "<var>XSS_attempt</var>" variables in the Form, URL, and Cookie scopes to an unencoded script tag, <code><cfoutput>#encodeForHTML(Variables.exampleValue)#</cfoutput></code>. This method bypasses ColdFusion ScriptProtect to demonstrate that <code>&lt;cfdump&gt;</code> still protects against XSS even if ScriptProtect is not in play.</p>

 		<p>If <code>&lt;cfdump&gt;</code> were vulnerable to XSS, this page would have opened four successive JavaScript <code>alert()</code> dialogs. It didn't, because <code>&lt;cfdump&gt;</code> is not vulnerable to XSS. Internally, as <code>&lt;cfdump&gt;</code> builds its HTML table of key/value pairs to output, it encodes for HTML the values of each key and value. This is a built-in security feature of <code>&lt;cfdump&gt;</code>.</p>

 		<p>The end result are HTML-encoded script tags &mdash; which are displayed as inert text on the page because special characters are encoded. For instance, <code>&lt;</code> and <code>&gt;</code> are encoded as <code>&amp;lt;</code> and <code>&amp;gt;</code>, respectively.</p>

 		<h3>Attempt XSS via the Form scope</h3>

 		<p>ColdFusion ScriptProtect is in play with this method.</p>

 		<form method="post">
 			<textarea name="XSS_attempt" rows="1" cols="40"><cfoutput>#encodeForHTML(Form.XSS_attempt)#</cfoutput></textarea>
 			<button>Submit</button>
 		</form>

 		<cfdump label="Form" var="#Form#" />

 		<h3>Attempt XSS via the URL scope</h3>

 		<p>ColdFusion ScriptProtect is in play with this method.</p>

 		<p>
 			<cfif URL.XSS_attempt EQ Variables.exampleValue AND structCount(URL) EQ 1>
 				<a href="?XSS_attempt=REPLACE_THIS">Add an XSS attempt to the query string.</a>
 			<cfelse>
 				<a href="./">Remove query string.</a>
 			</cfif>
 		</p>

 		<cfdump label="URL" var="#URL#" />

 		<h3>Attempt XSS via the Cookie scope</h3>

 		<p>Attempting XSS via the Form scope will change the value of <var>Cookie.XSS_attempt</var> accordingly. As such, ColdFusion ScriptProtect is in play with this method.</p>

 		<cfdump label="Cookie" var="#Cookie#" />

 		<h3>Attempt XSS via the structure returned from <code>getHttpRequestData()</code></h3>

 		<p>See the <var>content</var> field after a form submission, the <var>headers.cookie</var> field, and the <var>headers.referer</var> field when a query string is present in the referring URL. In addition to the usual HTML encoding that <code>&lt;cfdump&gt;</code> provides to each key/value pair, the posted form value in <var>content</var>, the cookie value in <var>headers.cookie</var> and the query string value(s) in <var>headers.referer</var> are already URL-encoded per the HTML spec.</p>

 		<cfdump var="#getHttpRequestData()#" label="getHttpRequestData()" />
 	</main>
 </body>
 </html>

	<!doctype html>
	<html lang="en-us">
	<head>
	<meta charset="utf-8">
	<title><cfdump> is not vulnerable to XSS</title>
	<style>
	main {
	margin-inline: auto;
	max-width: 800px;
	}
	td:not(:last-child) { white-space: nowrap; }
	td:last-child { word-break: break-all; }
	</style>
	</head>

	<body>
	<main>
	<cfif NOT getPageContext().getResponse().isCommitted()>
	<!--- inner double quotes are mandatory --->
	<!--- <cfheader name="Clear-Site-Data" value='"*"' /> --->
	</cfif>

	<cfset Variables.exampleValue="<script>alert(0);</script>" />

	<cfparam name="Form.XSS_attempt" default="#Variables.exampleValue#" />
	<cfparam name="URL.XSS_attempt" default="#Variables.exampleValue#" />
	<cfcookie name="XSS_attempt" httpOnly="yes" preserveCase="yes" sameSite="strict" secure="yes" value="#Form.XSS_attempt#" />

	<h1><code><cfdump></code> is not vulnerable to XSS</h1>

	<h2>Reduced test cases</h2>

	<p>This page sets the default values of the "<var>XSS_attempt</var>" variables in the Form, URL, and Cookie scopes to an unencoded script tag, <code><cfoutput>#encodeForHTML(Variables.exampleValue)#</cfoutput></code>. This method bypasses ColdFusion ScriptProtect to demonstrate that <code><cfdump></code> still protects against XSS even if ScriptProtect is not in play.</p>

	<p>If <code><cfdump></code> were vulnerable to XSS, this page would have opened four successive JavaScript <code>alert()</code> dialogs. It didn't, because <code><cfdump></code> is not vulnerable to XSS. Internally, as <code><cfdump></code> builds its HTML table of key/value pairs to output, it encodes for HTML the values of each key and value. This is a built-in security feature of <code><cfdump></code>.</p>

	<p>The end result are HTML-encoded script tags — which are displayed as inert text on the page because special characters are encoded. For instance, <code><</code> and <code>></code> are encoded as <code>&lt;</code> and <code>&gt;</code>, respectively.</p>

	<h3>Attempt XSS via the Form scope</h3>

	<p>ColdFusion ScriptProtect is in play with this method.</p>

	<form method="post">
	<textarea name="XSS_attempt" rows="1" cols="40"><cfoutput>#encodeForHTML(Form.XSS_attempt)#</cfoutput></textarea>
	<button>Submit</button>
	</form>

	<cfdump label="Form" var="#Form#" />

	<h3>Attempt XSS via the URL scope</h3>

	<p>ColdFusion ScriptProtect is in play with this method.</p>

	<p>
	<cfif URL.XSS_attempt EQ Variables.exampleValue AND structCount(URL) EQ 1>
	<a href="?XSS_attempt=REPLACE_THIS">Add an XSS attempt to the query string.</a>
	<cfelse>
	<a href="./">Remove query string.</a>
	</cfif>
	</p>

	<cfdump label="URL" var="#URL#" />

	<h3>Attempt XSS via the Cookie scope</h3>

	<p>Attempting XSS via the Form scope will change the value of <var>Cookie.XSS_attempt</var> accordingly. As such, ColdFusion ScriptProtect is in play with this method.</p>

	<cfdump label="Cookie" var="#Cookie#" />

	<h3>Attempt XSS via the structure returned from <code>getHttpRequestData()</code></h3>

	<p>See the <var>content</var> field after a form submission, the <var>headers.cookie</var> field, and the <var>headers.referer</var> field when a query string is present in the referring URL. In addition to the usual HTML encoding that <code><cfdump></code> provides to each key/value pair, the posted form value in <var>content</var>, the cookie value in <var>headers.cookie</var> and the query string value(s) in <var>headers.referer</var> are already URL-encoded per the HTML spec.</p>

	<cfdump var="#getHttpRequestData()#" label="getHttpRequestData()" />
	</main>
	</body>
	</html>