CFUNITED – The premier ColdFusion conference www.cfunited.com ColdFusion Application Security The Top Ten Most Critical Web Application Security Vulnerabilities.


June 28th – July 1st 2006

Adam Wayne Lehman
 U.S. Department of State Adobe Developers User Group Manager
 Senior Developer with the U.S. Department of State / IRM Business Center
 Certified Advanced ColdFusion MX 7 Developer
 10 years of web development experience
 Adrocknaphobia.com

Overview
 OWASP
 Top 10 Web Application Vulnerabilities

OWASP
 The Open Web Application Security Project (OWASP) is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted
 Research security topics
 Produce guidelines and standards

OWASP Top 10 Project
 Represents a broad consensus about what the most critical web application security flaws are
 Available in 5 languages
 Listed as a key best practice by the U.S. Defense Information Systems Agency (DISA)

OWASP Top 10 Web Application Security Vulnerabilities (the 2004 edition of the list, counted down from #10 to #1 on the following slides)

#10 Insecure Configuration Management
 Having a strong server configuration standard is critical to a secure web application. Few, if any, server products are secure out of the box.

#10 Insecure Configuration Management
 Establish a configuration baseline for ColdFusion
     Do not deploy the ColdFusion Administrator or the sample applications to a production environment
     Do not deploy RDS (Remote Development Services) to a production environment
 Establish a configuration baseline for the server operating system
 Utilize security scanning tools

#9 Denial of Service (DoS) Attacks
 Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

#9 Denial of Service (DoS) Attacks
 Keep ColdFusion/JRun up to date with all security-related patches
 Utilize server or hardware solutions
 Minimize the amount of resources used per session
 Minimize unnecessary access to the database and other expensive resources
 Check your error handlers: an error path that does more work than the normal path (extra queries, large log writes, e-mail) is itself something an attacker can trigger repeatedly

#8 Insecure Storage
 Web applications frequently use cryptographic functions to protect information and credentials. While encryption has become relatively easy to implement and use, developers still frequently make mistakes while integrating it into a web application.

#8 Insecure Storage
 Protect sensitive data
     Passwords
     Credit card numbers
     Social Security numbers *
 Encrypt data before you store it
 Use built-in ColdFusion functions
     hash()
     encrypt()

* Do you really need to store the information?

#8 Insecure Storage – hash()
 Creates a fixed-length "fingerprint" of the original string
 It is computationally infeasible to recover the source string from the hash result
 hash() does not require a key
 Use a hash rather than encryption for validating data such as passwords: the application only needs to compare, never to read the original

#8 Insecure Storage – encrypt()
 Uses a symmetric key-based algorithm, in which the same key is used to encrypt and decrypt a string
 The security of the encrypted string depends on maintaining the secrecy of the key
 Use encryption rather than a hash when storing information that needs to be used in its original format, such as credit card numbers

#8 Insecure Storage – Algorithms
 Compatibility algorithm
     CFMX_COMPAT (the pre-MX 7 default; kept for backward compatibility only and not a real cipher, so do not use it for new data)
 Block encryption algorithms
     AES
     BLOWFISH
     DES (56-bit key; prefer AES or DESEDE for new data)
     DESEDE
 Password-based encryption algorithms
     PBEWithMD5AndDES
     PBEWithMD5AndTripleDES
 CFMX 7 provides the ability to install additional Java Cryptography Extension (JCE) security providers
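The two storage patterns from the preceding slides in CFMX 7 code, as an added example rather than code from the presentation: a salted, iterated hash() for passwords (the slides name hash() but not salting; the salt source and the iteration count are assumptions of this example) and encrypt()/decrypt() with AES for data that has to be read back. The form field names and the constructed card number are also assumptions.

```cfml
<!--- Added example (not from the slides): CFMX 7 hash() for passwords, encrypt() for card numbers --->
<cfscript>
// Passwords: store a salted hash, never the plaintext or a reversible form.
// hash() is one-way; re-hashing 1000 times (an assumed count, raise it as
// hardware allows) slows offline guessing for an attacker who steals the table.
function hashPassword(password, salt) {
    var digest = hash(salt & password, "SHA-256");
    var i = 0;
    for (i = 1; i LTE 1000; i = i + 1) {
        digest = hash(digest & salt, "SHA-256");
    }
    return digest;
}

// A per-user random salt: generateSecretKey() returns Base64 key material from
// the JCE provider's secure random source, which is convenient for a salt here.
// Two users with the same password then get different stored values.
function newSalt() {
    return generateSecretKey("AES");
}

// Card numbers must come back in their original form, so a symmetric cipher is
// the right tool. The key is the secret: keep it in a protected config file
// outside the web root, never in the same table (or database) as the ciphertext.
function encryptCard(cardNumber, key) {
    return encrypt(cardNumber, key, "AES", "Base64");
}
function decryptCard(cipherText, key) {
    return decrypt(cipherText, key, "AES", "Base64");
}
</cfscript>

<!--- Registration: store the salt and the hash; the password itself is discarded --->
<cfset salt   = newSalt()>
<cfset stored = hashPassword(form.password, salt)>

<!--- Login: recompute with the stored salt and compare. There is no way back from
      "stored" to the password, which is why hash() is the right choice here. --->
<cfset passwordOk = (hashPassword(form.password, salt) EQ stored)>

<!--- Card data: generate the AES key once and keep it outside the database --->
<cfset aesKey = generateSecretKey("AES")>
<cfset cipher = encryptCard("4111111111111111", aesKey)>   <!--- constructed test number --->
<cfset plain  = decryptCard(cipher, aesKey)>
```

The key returned by generateSecretKey() is the one thing that must survive a server rebuild; back it up separately from the database, because a database dump that includes the key is no better than plaintext.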

#7 Improper Error Handling
 Web applications frequently generate error conditions during normal operation
 Error messages must include meaningful messages for the user
 Error messages may include diagnostic information for the site maintainer
 Error messages should never include useful information for an attacker

#7 Improper Error Handling
 CF Administrator
     Do not enable Robust Exception Information
     Do not enable Debugging
     Define a Site-wide Error Handler
 Define application-wide error handlers
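An application-wide handler that follows the three rules on the previous slide (meaningful message for the user, diagnostics to the maintainer, nothing for an attacker), as an added example and not the presenter's code. The log file name "SecureApp" and the reference-id scheme are assumptions; the Administrator's Site-wide Error Handler remains the fallback for errors this component does not catch.

```cfml
<!--- Application.cfc: added example of an application-wide error handler (not from the slides) --->
<cfcomponent output="false">
    <cfset this.name = "SecureApp">

    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- A short id ties the user's report to the log entry without exposing detail --->
        <cfset var errorRef = left(hash(createUUID()), 8)>
        <cfset var detail   = "">

        <!--- Everything useful to a maintainer goes to the log, not to the page:
              message, detail, and the event that was running --->
        <cfif structKeyExists(arguments.exception, "detail")>
            <cfset detail = arguments.exception.detail>
        </cfif>
        <cflog file="SecureApp" type="error"
               text="ref=#errorRef# event=#arguments.eventName# msg=#arguments.exception.message# detail=#detail#">

        <!--- Errors raised inside onSessionEnd / onApplicationEnd have no page to write to --->
        <cfif listFindNoCase("onSessionEnd,onApplicationEnd", arguments.eventName)>
            <cfreturn>
        </cfif>

        <!--- The user gets a meaningful message that contains no SQL, no file path,
              no stack trace and no exception text --->
        <cfoutput>
        <p>Sorry, the request could not be completed. Please try again later and
           quote reference <strong>#errorRef#</strong> if you contact support.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

With Robust Exception Information and Debugging switched off in the Administrator, this handler is the only thing that decides what an attacker sees when a request fails, so keep exception.message out of the output even when it looks harmless.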

#6 Injection Flaws
 Injection flaws allow attackers to relay malicious code through a web application to another system. Whole scripts can be injected into poorly designed web applications and executed.
 Attacks are commonly aimed at the operating system and the database (SQL injection)

#6 Injection Flaws – System
 Set up a sandbox (Sandbox Security in the ColdFusion Administrator) to limit the application's access to the file system, datasources, tags such as cfexecute, and all other operating system functions

#6 Injection Flaws – Database
 Carefully validate the data provided to ensure that it does not contain any malicious content
 Limit database permissions
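The database-side advice in code, as an added example (not the presenter's code): the same lookup first with the request value pasted into the SQL, then bound with cfqueryparam. The datasource "app", the users table and the request parameters are assumptions.

```cfml
<!--- Added example (not from the slides): the same lookup with and without cfqueryparam --->

<!--- VULNERABLE: url.id is pasted into the SQL text. A request such as
      user.cfm?id=1 OR 1=1 returns every row, and
      user.cfm?id=1 UNION SELECT id, username, passhash FROM users
      pulls data from other columns. The attacker writes SQL; the application relays it. --->
<cfquery name="getUser" datasource="app">
    SELECT id, username, email FROM users WHERE id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bind parameter. It is never part of
      the statement the database parses, and cf_sql_integer rejects "1 OR 1=1" with a
      type error before the query is sent. --->
<cfquery name="getUser" datasource="app">
    SELECT id, username, email FROM users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings: bind with cf_sql_varchar and cap the length. For a LIKE search the
      wildcards go inside the parameter value, not into the SQL around it. --->
<cfquery name="findUser" datasource="app">
    SELECT id, username FROM users
    WHERE  username LIKE <cfqueryparam value="%#form.q#%" cfsqltype="cf_sql_varchar" maxlength="66">
</cfquery>

<!--- Lists (an IN clause) still use a single bound parameter with list="true" --->
<cfquery name="getUsers" datasource="app">
    SELECT id, username FROM users
    WHERE  id IN (<cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>
```

The "limit database permissions" bullet is the second layer: give the datasource's database account only the rights these queries need (SELECT, and INSERT/UPDATE on the tables the application writes), so that an injected DROP or a read of another schema fails on permissions even if a query somewhere was missed.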

#5 Buffer Overflows
 Attackers use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code, effectively taking over the machine.
 ColdFusion code runs on the JVM and is not itself subject to stack corruption, but the web server, JRun, and any native libraries ColdFusion calls are, so keep them patched

#4 Cross Site Scripting (XSS) Flaws
 Cross-site scripting (sometimes referred to as XSS) vulnerabilities occur when an attacker uses a web application to send malicious code, generally in the form of a script, to a different end user
 Two categories
     Stored
     Reflected

MySpace and XSS
 Samy
     Stored XSS worm attack, October 2005
     Amassed 1,000,000+ friends
 GodOfTheNoose
     Stored XSS worm attack, December 2005
     Utilized unsanitized variables & Flash
     Infected 450,000+ users

#4 Cross Site Scripting (XSS) Flaws
 Enable Global Script Protection
     ColdFusion Administrator
         Checkbox enables protection for all scopes
     Application.cfc
         THIS.scriptProtect
         Allowed values
             None
             All
             Comma-delimited list of scopes

#4 Cross Site Scripting (XSS) Flaws
 Encode user-supplied output with a UDF like HTMLTrans()
     Download HTMLTrans() from CFLib.org
     The built-in HTMLEditFormat() covers the basic HTML characters (< > & ")
 Install web server filters
     URLScan (IIS)
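Both XSS measures from the two preceding slides in CFMX 7 code, as an added example and not the presenter's code: the Application.cfc setting that turns on script protection, and output encoding with the built-in HTMLEditFormat() in place of the HTMLTrans() UDF. The parameter name q, the page names and the application name are assumptions.

```cfml
<!--- Application.cfc fragment: THIS.scriptProtect (added example, not from the slides) --->
<cfcomponent output="false">
    <cfset this.name = "SecureApp">
    <!--- "all" = cgi, cookie, form and url scopes; a list such as "form,url" narrows it.
          Script protection only rewrites a fixed set of tags (script, object, embed,
          applet, meta) to "InvalidTag". It is a safety net, not a replacement for encoding. --->
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- search.cfm: reflected XSS, then the encoded version --->
<cfparam name="url.q" default="">

<!--- VULNERABLE: ?q=<img src=x onerror=alert(document.cookie)> is echoed as markup.
      scriptProtect does not catch this payload, since <img> is not on its list. --->
<cfoutput><p>You searched for: #url.q#</p></cfoutput>

<!--- HARDENED: HTMLEditFormat() turns < > & " into entities, so the browser shows
      the text instead of interpreting it. Encode at output time, in every place
      user-supplied data lands in the page, not once on the way in. --->
<cfoutput><p>You searched for: #HTMLEditFormat(url.q)#</p></cfoutput>

<!--- Attribute context: the same encoding protects a double-quoted attribute.
      HTMLEditFormat() does not encode single quotes, so always double-quote. --->
<cfoutput><input type="text" name="q" value="#HTMLEditFormat(url.q)#"></cfoutput>

<!--- URL context: URLEncodedFormat() keeps the value from breaking out of the href --->
<cfoutput><a href="search.cfm?q=#URLEncodedFormat(url.q)#">search again</a></cfoutput>
```

The stored variant (the MySpace worms) is the same bug with the database in the middle: data written by one user is rendered to another, and the encoding still belongs at the point of output.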

#3 Broken Authentication and Session Management
 Even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions.

#3 Broken Authentication and Session Management
 Passwords
     Enforce complexity
     Limit invalid login attempts
     Change controls
     Stored hashed in the database

#3 Broken Authentication and Session Management
 Authenticate via SSL
 Transmit session IDs over SSL
 Do not pass session IDs in the URL
 Use J2EE sessions
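A login page that applies the points from the last two slides (SSL only, hashed password comparison, a limit on invalid attempts, no session token in the URL), as an added example and not the presenter's code. "Use J2EE session variables" is switched on in the ColdFusion Administrator rather than in code, so it does not appear here. The table and column names, the attempt limit, the lockout period and the single-round salted hash (which must match whatever the registration code stored) are assumptions.

```cfml
<!--- login.cfm: added example of a login that limits invalid attempts (not from the slides) --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<cfset maxAttempts = 5>
<cfset lockMinutes = 15>

<!--- Credentials are accepted only over SSL; the web server sets CGI.HTTPS to "on"
      for an encrypted request. addtoken="false" keeps CFID/CFTOKEN out of the URL. --->
<cfif cgi.https NEQ "on">
    <cflocation url="https://#cgi.server_name##cgi.script_name#" addtoken="false">
</cfif>

<cfquery name="acct" datasource="app">
    SELECT id, salt, passhash, failed_logins, locked_until
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>

<!--- One outcome for "no such user", "locked" and "wrong password": a different
      message for each would let an attacker enumerate valid account names --->
<cfset loginOk = false>
<cfif acct.recordCount EQ 1
      AND (NOT len(acct.locked_until) OR acct.locked_until LT now())
      AND hash(acct.salt & form.password, "SHA-256") EQ acct.passhash>
    <cfset loginOk = true>
</cfif>

<cfif loginOk>
    <cfquery datasource="app">
        UPDATE users SET failed_logins = 0, locked_until = NULL
        WHERE  id = <cfqueryparam value="#acct.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfset session.userId = acct.id>
    <cflocation url="home.cfm" addtoken="false">
<cfelseif acct.recordCount EQ 1>
    <!--- Count the failure and lock the account once the limit is reached; the
          lock expires on its own so an attacker cannot keep a victim locked out forever --->
    <cfquery datasource="app">
        UPDATE users
        SET    failed_logins = failed_logins + 1,
               locked_until  = CASE WHEN failed_logins + 1 >= <cfqueryparam value="#maxAttempts#" cfsqltype="cf_sql_integer">
                                    THEN <cfqueryparam value="#dateAdd('n', lockMinutes, now())#" cfsqltype="cf_sql_timestamp">
                                    ELSE locked_until END
        WHERE  id = <cfqueryparam value="#acct.id#" cfsqltype="cf_sql_integer">
    </cfquery>
</cfif>
<cfoutput><p>Login failed.</p></cfoutput>
```

The same addtoken="false" rule applies to every cflocation in the application, and URLSessionFormat() should not be used at all: both exist to put the session identifier into the URL, which is exactly what the slide says not to do.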

#2 Broken Access Control
 Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.

#2 Broken Access Control
 Centralize authorization
 Avoid insecure IDs (identifiers an attacker can guess or change in a request to reach another user's data)
 Harden access to administrative functionality
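The three bullets above in CFMX 7 code, as an added example that is not the presenter's code: authorization for the administrative area enforced once in Application.cfc, and an order lookup shown with an insecure ID and then with the owner taken from the session. The "/admin/" path, session.roles, session.userId, the datasource and the orders table are assumptions.

```cfml
<!--- Application.cfc: added example of centralized authorization (not from the slides) --->
<cfcomponent output="false">
    <cfset this.name = "SecureApp">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- One check, in one place, for every page under /admin/: no page author can
              forget it, and a direct request for /admin/users.cfm is covered as well --->
        <cfif findNoCase("/admin/", arguments.targetPage)>
            <cfif NOT structKeyExists(session, "userId")
                  OR NOT structKeyExists(session, "roles")
                  OR NOT listFindNoCase(session.roles, "admin")>
                <cfheader statuscode="403" statustext="Forbidden">
                <cfabort>
            </cfif>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- order.cfm: an "insecure ID" is one the client can change to reach someone else's data --->
<cfparam name="url.id" default="0">

<!--- VULNERABLE: authenticated, parameterized, and still broken. Any logged-in user
      can walk ?id=1, ?id=2, ... through every order in the table. --->
<cfquery name="ord" datasource="app">
    SELECT id, total, ship_address FROM orders
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- HARDENED: the owner comes from the session, which the client cannot edit, and is
      part of the query itself rather than a check bolted on after the data is read --->
<cfquery name="ord" datasource="app">
    SELECT id, total, ship_address FROM orders
    WHERE  id      = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    AND    user_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Answer 404 for "not yours" as well as "does not exist", so the response does
      not confirm which order ids are real --->
<cfif ord.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>
```

Hiding the admin links from non-admin users is not access control; the onRequestStart check is what stops a user who types the URL in directly.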

#1 Unvalidated Input
 Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
 May cause
     Cross Site Scripting flaws
     Injection flaws
     Buffer overflows

#1 Unvalidated Input
 Validation techniques (cfform / cfinput)
     Mask
     onBlur
     onSubmit
     onServer
     Hidden form field
     isValid() function
 Only checks that run on the server count as security: a client can turn off JavaScript, ignore the mask, or strip the hidden validation fields from the request before submitting

#1 Unvalidated Input
 isValid() function
 Syntax
     isValid(type, value)
     isValid("range", value, min, max)
     isValid("regex" or "regular_expression", value, pattern)
 Supports 20+ types
     All data types
     Formatted data
         Credit card
         SSN
         Telephone
         More…

#1 Unvalidated Input
 Validate in your model (server-side), not only in the view (client-side JavaScript)
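Server-side validation with isValid() for a form submission, as an added example and not the presenter's code. It goes slightly beyond the slides by combining the built-in types with a whitelist regex and by checking "integer" before "range". The field names, the rules and the error messages are assumptions.

```cfml
<!--- Added example (not from the slides): server-side validation with isValid() --->
<cfscript>
// Returns an array of error strings; an empty array means the submission passed.
// Every field is checked here regardless of any client-side or hidden-field
// validation, because the client can drop or alter those before submitting.
function validateProfile(f) {
    var errors = arrayNew(1);

    // Whitelist: only letters, digits and underscore, 3 to 20 characters
    if (NOT structKeyExists(f, "username")
        OR NOT isValid("regex", f.username, "^[A-Za-z0-9_]{3,20}$"))
        arrayAppend(errors, "Username must be 3-20 letters, digits or underscores.");

    if (NOT structKeyExists(f, "email") OR NOT isValid("email", f.email))
        arrayAppend(errors, "Email address is not valid.");

    // "range" expects a number, so check "integer" first rather than rely on
    // the non-numeric case; AND stops at the first false operand
    if (NOT structKeyExists(f, "age")
        OR NOT isValid("integer", f.age)
        OR NOT isValid("range", f.age, 13, 120))
        arrayAppend(errors, "Age must be a whole number between 13 and 120.");

    if (NOT structKeyExists(f, "zip") OR NOT isValid("zipcode", f.zip))
        arrayAppend(errors, "ZIP code is not valid.");

    if (NOT structKeyExists(f, "phone") OR NOT isValid("telephone", f.phone))
        arrayAppend(errors, "Telephone number is not valid.");

    return errors;
}
</cfscript>

<!--- Handle the post: reject on any failure before the data reaches a query or the page --->
<cfset problems = validateProfile(form)>
<cfif arrayLen(problems) GT 0>
    <cfoutput><ul>
    <cfloop from="1" to="#arrayLen(problems)#" index="i">
        <li>#HTMLEditFormat(problems[i])#</li>
    </cfloop>
    </ul></cfoutput>
    <cfabort>
</cfif>
<!--- Only validated values continue on to the model / cfquery layer --->
```

Validation narrows what reaches the rest of the application; it does not replace cfqueryparam on the way to the database or HTMLEditFormat() on the way to the browser, since a valid e-mail address or name can still contain characters those layers must handle.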

Recommendations
 Make security part of your SDLC
     Regularly perform security code reviews
     Include security in your test conditions
 There is no such thing as too much security
 Security must not sacrifice usability

Other OWASP Projects
 AJAX Security Project
 WebScarab Project
 Language specific
     Java
     PHP
     .NET
 Code Review Project

OWASP Local Chapters
 70+ chapters worldwide
 Free and open to anyone
 Monthly meetings

Online Resources
 OWASP
 ColdFusion Security Center
 HTMLTrans()
 Windows 2003 Security Guide (ver2003/w2003hg/sgch00.mspx)
 Adobe Security Topic Center

Questions / Discussion