Advanced Fusebox: Securing a Fusebox Application By Steve Nelson SecretAgents.com.

1 Advanced Fusebox: Securing a Fusebox Application
By Steve Nelson, SecretAgents.com

2 Securing a Fusebox Application
 1. Understand Fusebox terminology
 2. Understand your users
 3. Understand how to use App_Secure.cfm, App_Login.cfm and App_Logout.cfm
 4. Finally, understand Secured SQL Statements

3 1. Fusebox Terminology
 Home Application
 Circuit Applications
 Fusebox
 Fuseactions
 Fuses

4 Home Application
 This is made up of many Circuit Applications
 Example: SecretAgents.com

5 Circuit Applications
 A section of a larger application
 Example: SecretAgents.com/members

6 The Fusebox
 This controls what a user is attempting to do
 The web server's default template, Index.cfm, is the "Fusebox"

7 Fuseactions
 A single action that the user is attempting to perform
 Each Fuseaction is made up of one or more Fuses

8 Fuses
 One of the .cfm files containing the code needed to run a Fuseaction
 File naming convention: dsp_file.cfm (display), act_file.cfm (action), qry_file.cfm (query) and app_file.cfm (application)

9 2. Who Are Your Users?
 Public Users
 Registered Public Users
 Registered Private Users

10 Public Users
 Any user in the world who has not identified him/herself
 Examples:
 – Reading threads in a forum
 – Viewing products
 – Reading news articles

11 Registered Public Users
 A user who has freely registered
 These users can do certain public tasks that need to be associated with the user
 Examples:
 – Posting a thread to a forum
 – Purchasing products
 – Suggesting a news article

12 Registered Private Users
 Groups of users that have been granted access to private areas of a site
 Examples:
 – Moderating a forum
 – Editing product data
 – Editing news articles

13 3. Fusebox Security
 App_Login.cfm – runs when a user is attempting to log in
 App_Logout.cfm – runs when a user is attempting to log out
 App_Secure.cfm – secures an entire Circuit Application or a single Fuseaction

14 Security Database Tables
 These tables can be defined by you
 My suggestion:
 – Three tables: Users, Groups, User_Groups

15 App_Login.cfm
 This file can be defined by you
 Verify the user is who they say they are
 Assign them their #Client.User_ID#
 Assign them their list of Groups: #Client.User_Groups#
 Return them to where they should be with

16 App_Logout.cfm
 This file can be defined by you
 Reset CFID/CFTOKEN if coming from another site
 Remove Client Variables
 Set/Delete the CFID/CFTOKEN cookies
 App_Logout.cfm is commonly called from App_globals.cfm
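The two files described on slides 15 and 16, written out as an added example (this is not the presentation's code). It uses the three suggested tables Users, Groups and User_Groups; the column names, the datasource in request.dsn, the client.return_url variable and the password hashing shown are assumptions made for the example.

```cfml
<!--- file: App_Login.cfm (added example; column names, request.dsn and the
      hashing routine are assumptions, not from the presentation) --->
<cfparam name="attributes.username" default="">
<cfparam name="attributes.password" default="">

<!--- 1. Verify the user is who they say they are. The name/hash comparison and the
        user's group list come back from one query over the three security tables. --->
<cfquery name="getUser" datasource="#request.dsn#">
  SELECT u.User_ID, g.Group_Name
  FROM Users u
  LEFT JOIN User_Groups ug ON ug.User_ID = u.User_ID
  LEFT JOIN Groups g ON g.Group_ID = ug.Group_ID
  WHERE u.Username = <cfqueryparam value="#attributes.username#" cfsqltype="cf_sql_varchar">
    AND u.Password_Hash = <cfqueryparam value="#Hash(attributes.password, 'SHA-512')#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif getUser.RecordCount GT 0>
  <!--- 2. Assign #Client.User_ID# and the comma list of groups in #Client.User_Groups# --->
  <cfset client.User_ID = getUser.User_ID>
  <cfset client.User_Groups = ValueList(getUser.Group_Name)>

  <!--- 3. Return the user to where they were going (assumed to have been stored
          in client.return_url by App_Secure.cfm before redirecting to the login form) --->
  <cfparam name="client.return_url" default="/index.cfm">
  <cfset goto = client.return_url>
  <cfset tmp = DeleteClientVariable("return_url")>
  <cflocation url="#goto#" addtoken="no">
<cfelse>
  <!--- one generic message for both a bad name and a bad password --->
  <cfset request.login_error = "Invalid username or password.">
</cfif>

<!--- file: App_Logout.cfm (added example) --->
<!--- Remove every Client Variable, including User_ID and User_Groups, then expire the
      CFID/CFTOKEN cookies so the browser no longer presents the old client identity --->
<cfloop list="#GetClientVariablesList()#" index="v">
  <cfset tmp = DeleteClientVariable(v)>
</cfloop>
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
```

Because App_Logout.cfm clears all client variables and the CFID/CFTOKEN cookies together, a request that arrives with stale cookies from another site starts from an empty client scope rather than inheriting someone else's User_ID.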

17 App_Secure.cfm
 This file can be defined by you
 Used for verifying Registered Public and Registered Private users
 If the user does not have permission, it sends them to your login form

18 Security Variables
 #Client.User_ID# defines "who" the user is; needed for Registered Public and Registered Private users; this must be set by your login script
 #Client.User_Groups# contains the list of "Groups" the user belongs to; needed for Registered Private users; this must be set by your login script
 #Attributes.Groups# contains the list of groups allowed to access the area; used by App_Secure.cfm

19 How to Use App_Secure.cfm
 How to secure a Circuit Application
 How to secure a Fuseaction
 How to secure an area of a Fuse

20 Securing a Circuit Application
 If every Fuseaction in a Circuit Application needs to be secured, call App_Secure.cfm with CFMODULE at the top of the circuit's index.cfm
 Assign the necessary groups to the "groups" attribute of App_Secure.cfm

21 Securing a Fuseaction
 For each Fuseaction that needs to be secured, call App_Secure.cfm inside its CFCASE statement with the necessary groups

22 Securing an Area of a Fuse
 Place a simple CFIF statement around the area that checks the #client.user_groups# list to see whether the user belongs to the appropriate group and may view it
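An App_Secure.cfm that implements slides 17 and 18, followed by the three ways of calling it from slides 20 to 22, as one added example (not the presentation's code). It reads #Attributes.Groups#, #Client.User_ID# and #Client.User_Groups# exactly as slide 18 defines them; the login URL, the client.return_url variable, and the fuseaction, group and fuse names are assumptions.

```cfml
<!--- file: App_Secure.cfm (added example; login URL and client.return_url are assumptions) --->
<cfparam name="attributes.groups" default="">
<cfparam name="client.User_ID" default="0">
<cfparam name="client.User_Groups" default="">

<cfset allowed = false>
<cfif Val(client.User_ID) GT 0>
  <cfif NOT Len(Trim(attributes.groups))>
    <!--- no groups named: a Registered Public area, any logged-in user may pass --->
    <cfset allowed = true>
  <cfelse>
    <!--- Registered Private area: the user must hold at least one of the listed groups --->
    <cfloop list="#attributes.groups#" index="grp">
      <cfif ListFindNoCase(client.User_Groups, Trim(grp))>
        <cfset allowed = true>
      </cfif>
    </cfloop>
  </cfif>
</cfif>

<cfif NOT allowed>
  <!--- remember the requested page so App_Login.cfm can return the user to it,
        then send them to the login form; cflocation stops the calling template --->
  <cfset client.return_url = CGI.SCRIPT_NAME & "?" & CGI.QUERY_STRING>
  <cflocation url="/members/index.cfm?fuseaction=login" addtoken="no">
</cfif>

<!--- file: members/index.cfm, first lines.
      Securing the whole Circuit Application: every fuseaction below this line
      requires the Admins or Moderators group --->
<cfmodule template="App_Secure.cfm" groups="Admins,Moderators">

<!--- file: products/index.cfm, inside the circuit's CFSWITCH.
      Securing one Fuseaction: only editProduct calls App_Secure.cfm --->
<cfswitch expression="#attributes.fuseaction#">
  <cfcase value="editProduct">
    <cfmodule template="App_Secure.cfm" groups="ProductEditors">
    <cfinclude template="qry_product.cfm">
    <cfinclude template="dsp_productForm.cfm">
  </cfcase>
  <cfcase value="viewProduct">
    <!--- public fuseaction: no App_Secure.cfm call --->
    <cfinclude template="qry_product.cfm">
    <cfinclude template="dsp_product.cfm">
  </cfcase>
</cfswitch>

<!--- file: dsp_product.cfm.
      Securing an area of a Fuse: the edit link is rendered only for ProductEditors.
      The deleteProduct fuseaction itself must still call App_Secure.cfm, because
      hiding a link does not stop a user from typing the URL. --->
<cfif ListFindNoCase(client.User_Groups, "ProductEditors")>
  <cfoutput>
    <a href="index.cfm?fuseaction=editProduct&product_id=#product_id#">Edit</a>
  </cfoutput>
</cfif>
```

The group check loops over attributes.groups rather than comparing the two lists as strings, so "Admins,Moderators" in the attribute matches a user whose #Client.User_Groups# holds "Moderators" in any position and any case.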

23 4. Secured SQL Statements
 Even if a user belongs to a group, they should only be able to edit or delete "their" data
 Associate new records (inserts) with #client.User_ID#, or other user-specific variables
 Verify edits and deletes against #client.User_ID#, or other user-specific variables

24 User Specific Insert Statement
 Associate #client.User_ID# with an Insert Statement when necessary

25 Secured Update Statement
 Verify #client.User_ID# in an Update Statement when necessary

26 Secured Delete Statement
 Verify #client.User_ID# in a Delete Statement when necessary
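The three statements from slides 24 to 26 in one action fuse, as an added example (not the presentation's code). It assumes a News_Articles table with Article_ID, User_ID, Title and Body columns and a datasource name in request.dsn; the cfqueryparam binding is added here and is not something the slides mention.

```cfml
<!--- file: act_saveArticle.cfm (added example; table, columns and request.dsn are assumptions) --->
<cfparam name="attributes.article_id" default="0">
<cfparam name="attributes.title" default="">
<cfparam name="attributes.body" default="">
<cfparam name="attributes.action" default="save">

<cfif attributes.action EQ "delete">
  <!--- Secured Delete: the row key alone is not enough, the owner must match as well.
        A user who alters article_id in the URL simply affects zero rows. --->
  <cfquery name="delArticle" datasource="#request.dsn#">
    DELETE FROM News_Articles
    WHERE Article_ID = <cfqueryparam value="#attributes.article_id#" cfsqltype="cf_sql_integer">
      AND User_ID = <cfqueryparam value="#client.User_ID#" cfsqltype="cf_sql_integer">
  </cfquery>

<cfelseif Val(attributes.article_id) EQ 0>
  <!--- User Specific Insert: stamp the new row with the logged-in user so that
        ownership exists for the later Update and Delete checks --->
  <cfquery name="insArticle" datasource="#request.dsn#">
    INSERT INTO News_Articles (User_ID, Title, Body)
    VALUES (
      <cfqueryparam value="#client.User_ID#" cfsqltype="cf_sql_integer">,
      <cfqueryparam value="#attributes.title#" cfsqltype="cf_sql_varchar" maxlength="200">,
      <cfqueryparam value="#attributes.body#" cfsqltype="cf_sql_longvarchar">
    )
  </cfquery>

<cfelse>
  <!--- Secured Update: same owner check in the WHERE clause as the delete --->
  <cfquery name="updArticle" datasource="#request.dsn#">
    UPDATE News_Articles
    SET Title = <cfqueryparam value="#attributes.title#" cfsqltype="cf_sql_varchar" maxlength="200">,
        Body  = <cfqueryparam value="#attributes.body#" cfsqltype="cf_sql_longvarchar">
    WHERE Article_ID = <cfqueryparam value="#attributes.article_id#" cfsqltype="cf_sql_integer">
      AND User_ID = <cfqueryparam value="#client.User_ID#" cfsqltype="cf_sql_integer">
  </cfquery>
</cfif>
```

The User_ID always comes from the client scope set by App_Login.cfm, never from form or URL attributes, so the ownership test cannot be satisfied by the submitter choosing a value.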

27 Fusebox Makes Security Simple
 The structure of Fusebox makes security simple.
 Focus on securing:
 – Entire Circuit Applications
 – Individual Fuseactions
 – Areas of a Fuse
 – User-specific records in the database
