2006 Adobe Systems Incorporated. All Rights Reserved.

ColdFusion Application Security
Adam Wayne Lehman
ColdFusion Specialist, Adobe Systems, Inc.

About Me
- ColdFusion Specialist at Adobe
  - Solutions Engineer
  - Technical Evangelist
  - Member of the ColdFusion Product Team
- 10+ years of ColdFusion experience
- Previous lives: US Department of State, Johns Hopkins University

Overview
- OWASP
- Top 10 Web Application Vulnerabilities

OWASP
- The Open Web Application Security Project (OWASP) is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted
- Research security topics
- Produce guidelines and standards

OWASP Top 10 Project
- Represents a broad consensus about what the most critical web application security flaws are
- Available in 5 languages
- Listed as a key best practice by the U.S. Defense Information Systems Agency (DISA)

OWASP Top 10 Web Application Security Vulnerabilities

#10 Insecure Configuration Management
- Having a strong server configuration standard is critical to a secure web application. Few, if any, server products are secure out of the box.
- Examples
  - Unpatched security flaws in the server software
  - Unnecessary files
  - Unnecessary services enabled
  - Default accounts and/or default passwords
  - Overly informative error messages

#10 Insecure Configuration Management
- Establish a configuration baseline for ColdFusion
  - Do not deploy the ColdFusion Administrator or the sample applications to a production environment
  - Do not deploy RDS to a production environment
- Establish a configuration baseline for the server operating system
  - Do not run ColdFusion under the System/root user
- Utilize security scanning tools

#9 Denial of Service (DoS Attacks)
- Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application.
- Attackers can also lock users out of their accounts or even cause the entire application to fail.

#9 Denial of Service (DoS Attacks)
- Keep ColdFusion/JRun up to date with all security-related patches
- Utilize server or hardware solutions
- Minimize the amount of resources used per session
- Minimize unnecessary access to the database and other expensive resources
- Check your error handlers

#8 Insecure Storage
- Web applications frequently use cryptographic functions to protect information and credentials.
- While encryption has become relatively easy to implement and use, developers still frequently make mistakes while integrating it into a web application.

#8 Insecure Storage
- Protect sensitive data
  - Passwords
  - Credit card numbers
  - Social Security numbers*
- Encrypt data before you store it
  - Use the built-in ColdFusion functions hash() and encrypt()
- * Do you really need to store the information?

#8 Insecure Storage - hash()
- Creates a "fingerprint" or unique identifier for the original string.
- It is not possible to convert the hash result back to the source string.
- hash() does not require a key.
- Use a hash rather than encryption for validating data such as a password.
[Figure: Hash]

#8 Insecure Storage - encrypt()
- Uses a symmetric key-based algorithm, in which the same key is used to encrypt and decrypt a string.
- The security of the encrypted string depends on maintaining the secrecy of the key.
- Use encryption rather than a hash when storing information that needs to be used in its original format, such as credit card numbers.
[Figure: Encrypt]

#8 Insecure Storage - Algorithms
- Compatibility algorithm
  - CFMX_COMPAT
- Block encryption algorithms
  - AES
  - BLOWFISH
  - DES
  - DESEDE
- Password-based encryption algorithms
  - PBEWithMD5AndDES
  - PBEWithMD5AndTripleDES
- CFMX 7 provides the ability to install any additional Java Cryptography Extension (JCE) security providers

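As an added example (not from the slides), the #8 storage pattern in CFMX 7 syntax: the password goes through a salted one-way hash(), the card number through symmetric encrypt() with AES. The datasource name "app", the users table columns and application.cardKey are assumptions.

```cfml
<!--- Added example, not from the slides. Assumed: datasource "app", a users table
      with the columns below, and an AES key loaded at startup into application.cardKey
      (generated once with generateSecretKey("AES") and kept out of the database). --->

<!--- Password: one-way. A per-user salt means identical passwords give different hashes,
      and the original password is never needed again, only re-hashed and compared. --->
<cfset salt = left(hash(createUUID(), "SHA-256"), 16)>
<cfset pwHash = hash(salt & form.password, "SHA-256")>

<!--- Card number: must be read back in its original form, so use encrypt() with a key.
      The ciphertext is only as secret as that key. --->
<cfset cardCipher = encrypt(form.cardNumber, application.cardKey, "AES", "Base64")>

<cfquery datasource="app">
  INSERT INTO users (username, pw_salt, pw_hash, card_cipher)
  VALUES (
    <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">,
    <cfqueryparam value="#salt#"          cfsqltype="cf_sql_varchar">,
    <cfqueryparam value="#pwHash#"        cfsqltype="cf_sql_varchar">,
    <cfqueryparam value="#cardCipher#"    cfsqltype="cf_sql_varchar">
  )
</cfquery>

<!--- Later, when the card number is actually needed: same key, same algorithm, same encoding --->
<cfset cardNumber = decrypt(cardCipher, application.cardKey, "AES", "Base64")>
```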
#7 Improper Error Handling
- Web applications frequently generate error conditions during normal operation.
- Error messages must include: meaningful messages for the user
- Error messages may include: diagnostic information for the site maintainer
- Error messages should never include: useful information to an attacker

#7 Improper Error Handling
- CF Administrator
  - Do not enable Robust Exception Information
  - Do not enable Debugging
- Define a site-wide error handler
- Define application-wide error handlers

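An application-wide error handler in Application.cfc, as an added example (not from the slides): diagnostics go to the server log for the maintainer, the browser gets only a generic message. The log file name "secureApp" and the page text are assumptions.

```cfml
<!--- Application.cfc, added example (not from the slides). --->
<cfcomponent>
  <cfset this.name = "secureApp">

  <cffunction name="onError" returntype="void" output="true">
    <cfargument name="exception" required="true">
    <cfargument name="eventName" type="string" required="true">

    <!--- A random reference lets the maintainer find the log entry without exposing it --->
    <cfset errorRef = createUUID()>

    <!--- Diagnostic information (message and detail) goes to the server log only --->
    <cflog file="secureApp" type="error"
           text="[#errorRef#] #arguments.eventName#: #arguments.exception.message# - #arguments.exception.detail#">

    <!--- The user sees a meaningful but non-revealing message: no stack trace, SQL or file paths --->
    <cfoutput>
      <h1>We're sorry, something went wrong</h1>
      <p>The problem has been recorded under reference #errorRef#. Please try again later.</p>
    </cfoutput>
  </cffunction>
</cfcomponent>
```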
#6 Injection Flaws
- Injection flaws allow attackers to relay malicious code through a web application to another system.
- Whole scripts can be injected into poorly designed web applications and executed.
- Attacks are commonly aimed at the operating system and the database (SQL injection)
- Injection vs. XSS

#6 Injection Flaws - System
- Set up a sandbox to limit access to all other operating system functions

#6 Injection Flaws - Database
- Carefully validate the data provided to ensure that it does not contain any malicious content.
- Limit database permissions

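The database advice above in code, as an added example (not from the slides): a query that splices a URL value into its SQL text, followed by the same query with the value validated and bound with cfqueryparam. The datasource "app" and the products table are assumptions.

```cfml
<!--- Added example, not from the slides. Assumed: datasource "app" and a products table. --->

<!--- Vulnerable: url.id is interpolated into the SQL text, so whatever the client sends
      is parsed as part of the statement rather than treated as a value --->
<cfquery name="getProduct" datasource="app">
  SELECT id, name, price FROM products WHERE id = #url.id#
</cfquery>

<!--- Hardened: reject anything that is not an integer up front, then bind the value with
      cfqueryparam so the database receives it as a typed parameter, never as SQL text --->
<cfif NOT isValid("integer", url.id)>
  <cfthrow message="Invalid product id">
</cfif>
<cfquery name="getProduct" datasource="app">
  SELECT id, name, price FROM products
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Limit database permissions: the account behind the "app" datasource should hold only
      the rights this code needs (SELECT on products here), and the datasource's
      "Allowed SQL" settings in the ColdFusion Administrator can exclude DROP, GRANT and
      the other statements the application never issues. --->
```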
#5 Buffer Overflows
- Attackers use buffer overflows to corrupt the execution stack of a web application.
- By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code, effectively taking over the machine.

#4 Cross Site Scripting (XSS) Flaws
- Cross-site scripting (sometimes referred to as XSS) vulnerabilities occur when an attacker uses a web application to send malicious code, generally in the form of a script, to a different end user.
- Two categories
  - Stored
  - Reflective

MySpace and XSS
- Samy
  - Stored XSS worm attack, October 2005
  - Amassed 1,000,000+ friends
- GodOfTheNoose
  - Stored XSS worm attack, December 2005
  - Utilized unsanitized variables & Flash
  - Infected 450,000+ users

#4 Cross Site Scripting (XSS) Flaws
- Enable Global Script Protection
  - ColdFusion Administrator: checkbox enables protection for all scopes
  - Application.cfc: THIS.scriptProtect
    - Allowed values: None, All, or a comma-delimited list of scopes

#4 Cross Site Scripting (XSS) Flaws
- Encode user-supplied output with a UDF like HTMLTrans()
  - Download HTMLTrans() from CFLib.org
- Install web server filters
  - URLScan (IIS)

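Both XSS measures together, as an added example (not from the slides): scriptProtect set in Application.cfc, and output encoding on a page that echoes a URL parameter. The application name "secureApp" and the search page are assumptions; HTMLEditFormat() is the built-in encoder used here in place of the HTMLTrans() UDF the slide mentions.

```cfml
<!--- Application.cfc fragment, added example (not from the slides). --->
<cfcomponent>
  <cfset this.name = "secureApp">
  <!--- Same effect as the Administrator "Enable Global Script Protection" checkbox:
        script-bearing tags arriving in any scope are neutralised before the page runs --->
  <cfset this.scriptProtect = "all">
  <!--- Or restrict it to the scopes that actually carry user input: --->
  <!--- <cfset this.scriptProtect = "form,url,cookie,cgi"> --->
</cfcomponent>

<!--- search.cfm: scriptProtect only rewrites a fixed list of tags, so every user-supplied
      value is still encoded at output. HTMLEditFormat() is built in; HTMLTrans() from
      CFLib.org is the UDF alternative named on the slide. --->
<cfparam name="url.q" default="">
<cfoutput>
  <p>You searched for: #HTMLEditFormat(url.q)#</p>
  <!--- Inside an attribute, quote it and encode it as well --->
  <input type="text" name="q" value="#HTMLEditFormat(url.q)#">
</cfoutput>
```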
#3 Broken Authentication and Session Management
- Even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions.

#3 Broken Authentication and Session Management
- Passwords
  - Enforce complexity
  - Limit invalid login attempts
  - Change controls
  - Store hashed in the database

#3 Broken Authentication and Session Management
- Authenticate via SSL
- Transmit session IDs over SSL
- Do not pass session IDs in the URL
- Use J2EE sessions

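A login page that applies the #3 slides, as an added example (not from the slides): compares against the stored salted hash, limits invalid attempts, and never puts the session ID in the URL. Assumed: datasource "app", a users table with pw_salt, pw_hash (SHA-256 of salt & password) and failed_logins, session management enabled with J2EE session variables, and SSL in front of the page.

```cfml
<!--- login.cfm, added example (not from the slides). --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

<cfquery name="u" datasource="app">
  SELECT pw_salt, pw_hash, failed_logins FROM users
  WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Limit invalid login attempts: after 5 failures the account stays locked until reset --->
<cfset ok = false>
<cfif u.recordCount EQ 1 AND u.failed_logins LT 5>
  <!--- compare() is case-sensitive; re-hash the submitted password exactly as at registration --->
  <cfset ok = (compare(hash(u.pw_salt & form.password, "SHA-256"), u.pw_hash) EQ 0)>
</cfif>

<cfif ok>
  <cfquery datasource="app">
    UPDATE users SET failed_logins = 0
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
  </cfquery>
  <cfset session.user = form.username>
  <!--- addtoken="no": the session identifier travels only in the (SSL-protected) cookie,
        never appended to the URL --->
  <cflocation url="home.cfm" addtoken="no">
<cfelse>
  <cfif u.recordCount EQ 1>
    <cfquery datasource="app">
      UPDATE users SET failed_logins = failed_logins + 1
      WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
    </cfquery>
  </cfif>
  <!--- One message for every failure case: unknown user, locked account, wrong password --->
  <cfoutput><p>Login failed.</p></cfoutput>
</cfif>
```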
#2 Broken Access Control
- Restrictions on what authenticated users are allowed to do are not properly enforced.
- Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.

#2 Broken Access Control
- Centralize authorization
- Insecure IDs
- Harden access to administrative functionality

#1 Unvalidated Input
- Information from web requests is not validated before being used by a web application.
- Attackers can use these flaws to attack backend components through a web application.
- May cause
  - Cross Site Scripting flaws
  - Injection flaws
  - Buffer overflows

#1 Unvalidated Input
- Validation techniques
  - Mask
  - onBlur
  - onSubmit
  - onServer
  - Hidden form field
  - isValid function

#1 Unvalidated Input
- isValid() function
  - Syntax
    - IsValid(type, value)
    - isValid("range", value, min, max)
    - isValid("regex" or "regular_expression", value, pattern)
  - Supports 20+ types
    - All data types
    - Formatted data: credit card, SSN, telephone, more...

#1 Unvalidated Input
- Validate from your model
- View & server-side
- Client-side JavaScript

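Server-side validation with isValid() over a registration form, as an added example (not from the slides); it covers the three syntax forms listed above (type, range, regex) on one form. The field names and the accepted username pattern are assumptions.

```cfml
<!--- register.cfm, added example (not from the slides). Client-side checks (mask, onBlur,
      onSubmit) are a convenience for the user; this server-side pass is the one that counts. --->
<cfparam name="form.email" default="">
<cfparam name="form.age" default="">
<cfparam name="form.phone" default="">
<cfparam name="form.username" default="">
<cfset errors = arrayNew(1)>

<!--- Formatted data type --->
<cfif NOT isValid("email", form.email)>
  <cfset arrayAppend(errors, "Email address is not valid")>
</cfif>
<!--- Numeric range: isValid("range", value, min, max) --->
<cfif NOT isValid("range", form.age, 18, 120)>
  <cfset arrayAppend(errors, "Age must be a number between 18 and 120")>
</cfif>
<!--- Formatted data type (US telephone number) --->
<cfif NOT isValid("telephone", form.phone)>
  <cfset arrayAppend(errors, "Telephone number is not valid")>
</cfif>
<!--- Regular expression: whitelist the characters a username may contain --->
<cfif NOT isValid("regex", form.username, "^[A-Za-z0-9_]{3,20}$")>
  <cfset arrayAppend(errors, "Username must be 3 to 20 letters, digits or underscores")>
</cfif>

<cfif arrayLen(errors) GT 0>
  <!--- Only our own fixed messages are echoed, never the rejected input --->
  <cfoutput><ul>
    <cfloop from="1" to="#arrayLen(errors)#" index="i"><li>#errors[i]#</li></cfloop>
  </ul></cfoutput>
<cfelse>
  <!--- Every field passed: safe to hand to the model / database layer --->
  <cfset user = structNew()>
  <cfset user.email = form.email>
  <cfset user.age = form.age>
  <cfset user.phone = form.phone>
  <cfset user.username = form.username>
</cfif>
```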
Recommendations
- Make security part of your SDLC
- Regularly perform security code reviews
- Include security in your test conditions
- There is no such thing as too much security

Other OWASP Projects
- AJAX Security Project
- WebScarab Project
- Language specific: Java, PHP, .NET
- Code Review Project

OWASP Local Chapters
- 70+ chapters worldwide
- Free and open to anyone
- Monthly meetings

Online Resources
- OWASP
- ColdFusion Security Center
- HTMLTrans()
- Windows 2003 Security Guide