
ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data.


Overview

Finding ID: V-62519
Version: CF11-05-000200
Rule ID: SV-77009r1_rule
IA Controls: (none listed)
Severity: High
Description
Information can be disclosed, either unintentionally or maliciously, if it is not protected while being prepared for transmission. An easy way to protect data at that stage is to use non-default identifiers for it. One example is to have JavaScript Object Notation (JSON) output use a prefix other than the default "JSON" prefix, which signals to an attacker that an array of data follows. JSON is a lightweight data-interchange format.
STIG: Adobe ColdFusion 11 Security Technical Implementation Guide
Date: 2017-12-31

Details

Check Text ( C-63323r1_chk )
Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu.

If the "Prefix serialized JSON with" checkbox is unchecked, this is a finding.
Fix Text (F-68439r1_fix)
Navigate to the "Settings" page under the "Server Settings" menu. Check "Prefix serialized JSON with" and select the "Submit Changes" button.
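Once the server setting above is enabled, every serialized JSON response carries the configured prefix, so clients that consume those endpoints must strip it before parsing, and a compliance script can use its presence as a per-response indicator that the setting is in effect. The following client-side helper is an added example, not part of the STIG and not ColdFusion's own code; it assumes the configured prefix is "//" (ColdFusion's default value for that field; confirm the value in the Administrator and change PREFIX if a different string is configured). The sample response bodies are constructed for the demonstration.

```javascript
// Added example (not part of the STIG or of ColdFusion): consuming and checking
// responses protected by the "Prefix serialized JSON with" setting.
//
// Assumption: the configured prefix is "//". ColdFusion's default for that field is
// "//", but verify it in the Administrator and adjust PREFIX to match.
const PREFIX = "//";

// True when the body begins with the configured prefix, i.e. the server-side setting
// from the STIG check was applied to this response. A body starting with "//" is a
// JavaScript line comment, so pulling it in as a script evaluates nothing; that is the
// mechanism the prefix relies on.
function isPrefixed(body, prefix = PREFIX) {
  return typeof body === "string" && body.startsWith(prefix);
}

// Parse a prefixed body. With requirePrefix=true (the default) an unprefixed body is
// rejected rather than silently parsed, so a regression of the server setting surfaces
// as a client error instead of being masked.
function parsePrefixedJson(body, { prefix = PREFIX, requirePrefix = true } = {}) {
  if (isPrefixed(body, prefix)) {
    return JSON.parse(body.slice(prefix.length));
  }
  if (requirePrefix) {
    throw new Error("response body lacks the expected JSON prefix");
  }
  return JSON.parse(body);
}

// Compliance helper: given captured {endpoint, body} pairs, return the endpoints whose
// JSON responses are not prefixed. Non-JSON bodies (e.g. HTML pages) are skipped.
function findUnprefixedJsonEndpoints(responses, prefix = PREFIX) {
  const findings = [];
  for (const { endpoint, body } of responses) {
    if (isPrefixed(body, prefix)) continue;
    try {
      JSON.parse(body);          // parses as bare JSON: the prefix is missing
      findings.push(endpoint);
    } catch (_) {
      // not JSON at all, nothing to flag
    }
  }
  return findings;
}

// Constructed sample responses, as a ColdFusion remote CFC might return them.
const SAMPLE_RESPONSES = [
  { endpoint: "/cfc/accounts.cfc?method=list", body: '//[{"id":1,"name":"alice"}]' },
  { endpoint: "/cfc/orders.cfc?method=list",   body: '[{"id":7,"total":19.99}]' },
  { endpoint: "/index.cfm",                    body: "<html><body>home</body></html>" },
];

function demo() {
  const accounts = parsePrefixedJson(SAMPLE_RESPONSES[0].body);
  const unprotected = findUnprefixedJsonEndpoints(SAMPLE_RESPONSES);
  return { accounts, unprotected };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a browser client the helper drops straight into a fetch chain, `fetch(url).then(r => r.text()).then(body => parsePrefixedJson(body))`, so the prefix never reaches `JSON.parse`. Keep `requirePrefix` at its default for endpoints that are expected to be protected; the "orders" sample above shows the kind of endpoint the compliance helper would report.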