Hi All,
To prevent cross-site scripting attacks I ticked the check box "Enable Global Script Protection" in CF admin. But it is not working; I mean it is not able to prevent the scripting attacks.
Steps I followed
1] I executed the below URL.
https://xyz.abc.com/index.cfm?cardholder_number=&<script>alert(1)</script>
2] In the front end I got a JavaScript alert message, as injected in the URL.
But this alert message should not come, as I have enabled script protection in CF admin. Right?
Now I removed "&" (https://xyz.abc.com/index.cfm?cardholder_number=<script>alert(1)</script>) from the above URL, and then I was not getting the JavaScript alert message. Does this mean that script protection will not work if we add "&" to the URL?
I searched the neo-security.xml and it looks like below.
<var name='CrossSiteScriptPatterns'><struct type='coldfusion.server.ConfigMap'><var name='<\s*(object|embed|script|applet|meta)'><string><InvalidTag</string></var></struct></var>
Can anyone help me out to fix this?
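The following is an added Python example, not code from the poster or from ColdFusion itself. It applies the CrossSiteScriptPatterns regex shown in the post's neo-security.xml to the two URLs from the question and illustrates one reading of the difference between them: the query string cardholder_number=&<script>alert(1)</script> parses as an empty cardholder_number value followed by a second parameter whose *name* is the script tag. The example assumes (this is an assumption, not confirmed by the post) that Global Script Protection rewrites only variable values and matches case-insensitively, and it contrasts a page that echoes parameters without encoding with one that HTML-encodes every name and value, which is the mitigation that holds regardless of where the payload lands.

```python
import html
import re
from urllib.parse import parse_qsl

# Pattern and replacement copied from the CrossSiteScriptPatterns entry quoted in the post.
# Case-insensitive matching is an assumption about how ColdFusion applies it.
SCRIPT_PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
REPLACEMENT = "<InvalidTag"


def parse_query(query):
    """Split a query string into (name, value) pairs.
    keep_blank_values keeps 'cardholder_number=' and a bare '<script>...' key."""
    return parse_qsl(query, keep_blank_values=True)


def protect_values(params):
    """Model of Global Script Protection (assumption): rewrite values only, not names."""
    return [(name, SCRIPT_PATTERN.sub(REPLACEMENT, value)) for name, value in params]


def render_unsafe(params):
    """Page that echoes every parameter name and value back without output encoding."""
    return "".join(f"{name}={value};" for name, value in params)


def render_safe(params):
    """Same page with HTML output encoding applied to both names and values."""
    return "".join(f"{html.escape(name)}={html.escape(value)};" for name, value in params)


def script_tag_reflected(query, renderer):
    """True if a raw <script> tag survives into the rendered page after protection."""
    return "<script>" in renderer(protect_values(parse_query(query)))


if __name__ == "__main__":
    # Constructed inputs: the two query strings from the post.
    without_amp = "cardholder_number=<script>alert(1)</script>"
    with_amp = "cardholder_number=&<script>alert(1)</script>"
    for q in (without_amp, with_amp):
        print(q)
        print("  parsed   :", parse_query(q))
        print("  protected:", protect_values(parse_query(q)))
        print("  unsafe render reflects <script>:", script_tag_reflected(q, render_unsafe))
        print("  safe render reflects <script>  :", script_tag_reflected(q, render_safe))
```

Running it shows the value-based rewrite turning <script> into <InvalidTag> in the first URL, while in the second URL the tag sits in a parameter name and is untouched; only the output-encoded renderer neutralises it in both cases.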