ColdFusion and Lucees Global Script Protection are designed to discourage cross-site scripting attacks by replacing scripts and other potentially harmful tags in forms before sending the data to the server. However, sometimes, this can get in the way—especially when trying to develop a content management system. In this article, I will show you various methods to bypass this security feature.

Table of Contents

What is ColdFusion and Lucee's Global Script Protection?

ColdFusion and Lucee's Global Script Protection is a security feature designed to prevent the injection of potentially harmful scripts on the server. This feature eliminates one of the common vectors used in cross-site scripting attacks.

Global Script Protection removes certain objects, such as scripts, styles, and applets, among other potentially dangerous stuff, and replaces these objects with an 'InvalidTag' before server-side processing occurs.

This sanitation occurs when input is sent to the server via a form, AJAX, or a header. This is an important security feature; however, it poses problems when the site administrator uses interfaces that require the input of these scripts, such as when designing a content management system. 

How do you bypass ColdFusion and Lucee's Global Script Protection?

Site administrators may bypass Global Script Protection globally on the server, on a per-application basis, or programmatically. 

Bypassing Global Script Protection on the Server

ColdFusion and Lucee allow you to use the administrator to turn off Global Script Protection. However, this is not recommended as it will turn off this security feature globally. While Global Script Protection does not guarantee your code's security, it effectively removes one of the most commonly used vectors for cross-site scripting attacks.

Modifying ColdFusion and Lucee's Global Script Protection Behavior

ColdFusion

You may modify the behavior of ColdFusion's Global Script Protection by editing the neo-security.xml located in WEB-INF/cfusion/lib. You should back this file up before editing if something goes awry and you need to back out of any changes. The default settings below will replace any object, embed, script, applet, or meta strings with 'InvalidTag'.

 neo-security.xml:

<var name="CrossSiteScriptPatterns">
    <struct type="coldfusion.server.ConfigMap">
        <var name="<s*(object|embed|script|applet|meta)">
            <string><InvalidTag</string>
        </var>
    </struct>
</var>

Lucee

Lucee exposes these settings in the Lucee Administrator where you can specify the protected scopes. The available scopes in Lucee are: CGI, cookie, form and URL. It should be noted that Lucee also prohibits iframes and will replace them with InvalidTag as well.

Modifying Global Script Protection Per Application Basis

You may override Global Script Protection on the application level by setting this.scriptprotect to none in the application.cfc template like so:

this.scriptProtect="none"

This behaves identically with ColdFusion and Lucee.

Programatically Bypassing Global Script Protection

In Galaxie Blog, I bypassed Global Script Protection programmatically because certain hosting providers would not allow you to turn it off. This approach takes a little more work; however, I like that it requires deliberate intention while keeping the original script protection features on. It is nice to also have the added security of Global Script Protection for other features, such as protecting against cross-site scripting when users make comments. 

My methodology is to modify the potential tags that Global Script would remove before hitting the server and then replace these faux tags with the correct tags when saving the data to the database. 

Client Side Logic

To perform this, I use the following JavaScript on the client site before sending the request to the server. Note that the replaceNoCase function on the client is a JavaScript function that replicates the functionality of ColdFusion and Lucee's replaceNoCase:

function bypassScriptProtection(s){
	 Replace '<script' with '<script'. 
	var s = replaceNoCase(s,'<script','<script', 'all');
	 Replace the end tag
	var s = replaceNoCase(s,'</script','</script', 'all');
	 Use the same logic for stylesheets
	var s = replaceNoCase(s,'<style','<style', 'all');
	 Replace the end tag
	var s = replaceNoCase(s,'</style','</style', 'all');
	 Now replace the meta tag. There is no closing '</meta' to worry about
	var s = replaceNoCase(s,'<meta','<meta', 'all');
	 Return it
	return s;
}
// ReplaceNoCase, scope is either 'all' or 'one'. 
// Gregory Alexander <www.gregoryalexander.com>
function replaceNoCase(string,subString,replacement, scope){
	if (scope == 'all'){
		 i is a RegEx ignore case flag, g is global flag
		var regEx = new RegExp(subString, "ig");
	} else {
		 i is an RegEx ignore case flag
		var regEx = new RegExp(subString, "i");
	}
	 i is an ignore case flag, g is global flag
	var regEx = new RegExp(subString, "ig");
	var result = string.replace(regEx, replacement);
	return result;
}

Server-Side Logic

The following logic is on the server before saving the data to the database. If you wish, you can also use the same script to revert the strings back to the original before delivering the content back to the client. 

<cffunction name="sanitizeScriptProtection" access="public" output="true" returntype="string" 
		hint="Cleans up the 'attach' strings to bypass script protection">
	<cfargument name="s" type="string" required="yes">
	<!--- Clean up 'script' --->
	<cfset s = replaceNoCase(s, "script", "script", "all")>
	<!--- ...'style'... --->
	<cfset s = replaceNoCase(s, "style", "style", "all")>	
	<!--- ...'meta'... --->
	<cfset s = replaceNoCase(s, "meta", "meta", "all")>
	<!--- Return it --->
	<cfreturn s>
</cffunction>

Further Reading