Check: CF11-05-000200
Adobe ColdFusion 11 STIG: CF11-05-000200 (in versions v2 r1 through v1 r2)
Title
ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data. (Cat I impact)
Discussion
Information can be disclosed, unintentionally or maliciously, if it is not protected while being prepared for transmission. An easy way to protect data at this stage is to use non-default identifiers for it. For example, serialized JavaScript Object Notation (JSON), a lightweight data-interchange format, can be given a prefix other than the default "JSON" prefix, which signals to an attacker that an array of data follows.
Check Content
Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If the "Prefix serialized JSON with" is unchecked, this is a finding.
Fix Text
Navigate to the "Settings" page under the "Server Settings" menu. Check "Prefix serialized JSON with" and select the "Submit Changes" button.
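The setting above only helps if legitimate consumers strip the prefix before parsing, while anything else that receives the body cannot treat it as JSON. The following is an added example of such a consumer, not code from the STIG or from Adobe; the prefix value `//` and the sample response bodies are assumptions constructed for the demonstration.

```javascript
// Added example (not from the STIG or Adobe): a client-side consumer for
// ColdFusion responses produced with "Prefix serialized JSON with" enabled.
// The prefix is an assumption here; adjust it to the value configured in
// the Administrator Console.
const JSON_PREFIX = "//";

// Constructed sample responses, not captured from a real server.
const prefixedBody = '//{"accounts":[{"id":1,"balance":250}]}';
const unprefixedBody = '{"accounts":[{"id":1,"balance":250}]}';

// A prefixed body is not a JSON document, so a generic parser that does not
// know the prefix rejects it instead of yielding the data.
function isDirectlyParseable(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Only code that knows the prefix can strip it and parse the payload.
// A body that lacks the expected prefix is reported as an error rather than
// parsed anyway, so a server that has lost the setting is noticed.
function parsePrefixedJson(body, prefix = JSON_PREFIX) {
  if (!body.startsWith(prefix)) {
    throw new Error("response is missing the expected JSON prefix");
  }
  return JSON.parse(body.slice(prefix.length));
}

// Convenience check returning whether a body is in the expected prefixed form.
function hasExpectedPrefix(body, prefix = JSON_PREFIX) {
  return body.startsWith(prefix) && !isDirectlyParseable(body);
}
```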
Additional Identifiers
Rule ID: SV-237223r641764_rule
Vulnerability ID: V-237223
Group Title: SRG-APP-000441-AS-000258
CCIs
Number | Definition
---|---
CCI-002420 | Maintain the confidentiality and/or integrity of information during preparation for transmission.
Controls
Number | Title
---|---
SC-8(2) | Pre / Post Transmission Handling