ColdFusion Application Security: The Next Step. Jason Dean, www.12robots.com. Boston ColdFusion User Group, September 16th, 2009.

ColdFusion Application Security: The Next Step. Jason Dean. Boston ColdFusion User Group, September 16th, 2009

Who I am: Web Application Developer with the Minnesota Department of Health (MDH); User Group Manager of the MDH CFUG; Web Development Blogger (www.12robots.com); Veteran of the U.S. Coast Guard

The Next Steps: Request Forgeries; Password Security; Cookie Misuse/Exploits; Session Management

Request Forgeries: hackers writing checks for your users to cash

That was confusing. EXAMPLE: deletePage.cfm?pageid=#pageID#

Request Forgeries Kay Bob Heh. The website is down!!! ??? Brrrriiiiiiinnnng Brrriiiinnnng Brrrrrriiinnng

Request Forgeries So What Happened?

Request Forgeries Kay Bob muwhahaha hackerForm.post();

So what can we do about it? The receiving action page/method probably: receives the request; checks to make sure the user is authorized; confirms that the ID is valid; performs the action.

How do we fix it?

How do we fix it? Action Page/Method:
<cfif NOT StructKeyExists(form, "CSRFToken")
      OR NOT StructKeyExists(session, "deleteForm")
      OR NOT StructKeyExists(session.deleteForm, "CSRFToken")
      OR NOT StructKeyExists(session.deleteForm, "tokenExpires")
      OR NOT IsDate(session.deleteForm.tokenExpires)
      OR NOT session.deleteForm.CSRFToken EQ form.CSRFToken
      OR NOT DateDiff("s", Now(), session.deleteForm.tokenExpires) GT 0>
    <!--- token missing, mismatched or expired: reject the request here --->
</cfif>
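Both halves of the token check, as an added example that is not from the original slides: the form page mints a per-form token with an expiry, the action page verifies it before doing anything else. It assumes session management is on and reuses the slides' names (session.deleteForm, CSRFToken, tokenExpires, pageID); the file names are made up.

```cfml
<!--- Added example, not from the original slides. Assumes CF session management is on
      and reuses the slides' names (session.deleteForm, CSRFToken, tokenExpires, pageID). --->

<!--- === confirmDelete.cfm: the page that renders the delete form === --->
<cfset session.deleteForm = {
    CSRFToken    = Hash(CreateUUID() & GenerateSecretKey("AES"), "SHA-256"),
    tokenExpires = DateAdd("n", 15, Now())
} />
<cfoutput>
<form action="deletePage.cfm" method="post">
    <input type="hidden" name="pageID" value="#pageID#" />
    <input type="hidden" name="CSRFToken" value="#session.deleteForm.CSRFToken#" />
    <input type="submit" value="Delete page" />
</form>
</cfoutput>

<!--- === deletePage.cfm: the action page === --->
<cfset tokenOK = false />
<cfif CGI.REQUEST_METHOD EQ "POST"
      AND StructKeyExists(form, "CSRFToken")
      AND StructKeyExists(session, "deleteForm")
      AND StructKeyExists(session.deleteForm, "CSRFToken")
      AND StructKeyExists(session.deleteForm, "tokenExpires")
      AND IsDate(session.deleteForm.tokenExpires)
      AND Compare(session.deleteForm.CSRFToken, form.CSRFToken) EQ 0
      AND DateDiff("s", Now(), session.deleteForm.tokenExpires) GT 0>
    <cfset tokenOK = true />
</cfif>

<!--- one token, one use: drop it whether or not the check passed --->
<cfset StructDelete(session, "deleteForm") />

<cfif NOT tokenOK>
    <cfheader statuscode="403" statustext="Forbidden" />
    <cfoutput>Request rejected: form token missing, mismatched or expired.</cfoutput>
    <cfabort />
</cfif>

<!--- only now: check the user is authorized, validate form.pageID, perform the delete --->
```

Compare() is used instead of EQ so the token comparison is case-sensitive, and the GET-via-link trick from the deletePage.cfm?pageid= slide is stopped by the POST requirement alone.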

Request Forgeries Question?

Password Security

Achieving a Secure Password: Not the username; Changed regularly; Minimum length; Special characters; Alphanumeric, lowercase and uppercase; Not a date. Example: Password1!

Password Security: Right for the Site

Password Hashing What is it? Why Do it?

Hashing Example #hash1# #hash2# #hash3#

Hashing Example 472D46CB829018F9DBD65FB8479A49BB C2AF2111FF9C02C4EEE016CBCDF0D033 21AB8E7B12BA1793AB A5CD

Stronger Hashing Example. In our previous example we had: (MD5). Now let's add: (SHA-256 and SHA-512)

MD5 Result 472D46CB829018F9DBD65FB8479A49BB CBD672C9AAF85A22968C7BCF9FF90EED 10F1C46CAF873486E530570E7A298BBB

SHA-256 Result

SHA-512 Result

Hashing Question?

Password Salting: because users make stupid passwords

Salting Example: Value 1 Hashed: #hash1# / Value 2 Hashed: #hash2# / Value 1 Salted and Hashed: #hash1Salted# / Value 2 Salted and Hashed: #hash2Salted#

Salting Example Output: Value 1 Hashed: 2AC9CB7DC02B3C0083EB70898E549B63 / Value 2 Hashed: 2AC9CB7DC02B3C0083EB70898E549B63 / Value 1 Salted and Hashed: BAD4613B67109FD512580E3E / Value 2 Salted and Hashed: 3BB315CF3BA C79832C939098
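The salting slides with a per-user random salt rather than one fixed salt, as an added example (not the slides' own code): equal passwords then give different stored values, and the verify side shows how the salt is recovered at login. It assumes CF 8 or later; Hash() and GenerateSecretKey() are built-in, the function names are made up.

```cfml
<cfscript>
// Added example, not from the original slides. Per-user random salt + SHA-256,
// stored as one "salt:hash" string. Assumes CF 8+ (Hash, GenerateSecretKey, ListFirst).

function makeSalt() {
    // GenerateSecretKey returns a random Base64 string (a 128-bit AES key here),
    // which serves as a per-user salt. Base64 never contains ":", so it is a safe delimiter.
    return GenerateSecretKey("AES");
}

function hashPassword(password, salt) {
    return Hash(salt & password, "SHA-256");   // uppercase hex digest
}

function storePassword(password) {
    var salt = makeSalt();
    return salt & ":" & hashPassword(password, salt);
}

function checkPassword(password, stored) {
    var salt   = ListFirst(stored, ":");
    var digest = ListLast(stored, ":");
    // Compare() is case-sensitive; EQ would ignore case on the hex digest
    return Compare(hashPassword(password, salt), digest) EQ 0;
}

// constructed sample: two users picked the same weak password from the slides
stored1 = storePassword("Password1!");
stored2 = storePassword("Password1!");
writeOutput("same password, different stored values: " & (stored1 NEQ stored2) & "<br />");
writeOutput("login with right password: " & checkPassword("Password1!", stored1) & "<br />");
writeOutput("login with wrong password: " & checkPassword("password1!", stored1) & "<br />");
</cfscript>
```

A single SHA-256 pass is what the slides demonstrate; a deliberately slow, iterated password hash is the stronger choice when one is available.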

Password Hashing and Salting Question?

Session Management

What is a session? (sequence diagram) Client sends GET index.cfm HTTP/1.1; server replies HTTP/1.1 200 OK with Set-Cookie: SessionID=1; later requests from that client carry Cookie: SessionID=1, while other clients carry Cookie: SessionID=2 and Cookie: SessionID=3. A real token looks like sessionid=0a30b0926a39d5d c552e387712

Session Token Types. ColdFusion CFID & CFTOKEN: weak by default; can be made strong; persistent by default; can be set session-only; easier to manipulate token cookies; cannot be invalidated. JEE JSESSIONID: strong by default; session-only by default; can be shared with JEE applications; can be invalidated.

Session Persistence. Sessions can be persisted in 3 ways: in the URL string; in a POST request; in a cookie.

Manipulating CF Token Cookies. In Application.cfc:
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;secure=true;HTTPOnly" />
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;secure=true;HTTPOnly" />

Manipulating JEE Token Cookies. In Application.cfc:
// domain and path are set earlier for this application
secure   = "secure";
HTTPOnly = "HTTPOnly";
header = "jsessionid" & "=" & session.sessionid & ";domain=" & domain & ";path=" & path & ";" & secure & ";" & HTTPOnly;
response = getPageContext().getResponse();
response.addHeader("Set-Cookie", header);

Session Logout (ColdFusion). In UserService.cfc: (code not captured). In Application.cfc: (code not captured).

Session Logout (J2EE). In UserService.cfc: (code not captured).
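The cookie-hardening and logout slides together, as an added Application.cfc that is not the original UserService.cfc/Application.cfc (those were not captured in the transcript). It assumes ColdFusion-native CFID/CFTOKEN sessions; the application name and timeout are made up.

```cfml
<!--- Added example, not the slides' own code. Assumes CF-native sessions (CFID/CFTOKEN). --->
<cfcomponent output="false">
    <cfset this.name = "secureApp" />
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = CreateTimeSpan(0, 0, 30, 0) />
    <!--- stop CF sending its persistent cookies; we send session-only ones ourselves --->
    <cfset this.setClientCookies = false />

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <!--- no Expires attribute = session-only; Secure = HTTPS only; HttpOnly = no script access;
              Path limits the cookie to this application --->
        <cfheader name="Set-Cookie" value="CFID=#session.CFID#;Path=/;Secure;HttpOnly" />
        <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;Path=/;Secure;HttpOnly" />
        <cfreturn true />
    </cffunction>

    <cffunction name="logout" returntype="void" output="false">
        <!--- a CF session cannot be invalidated (the slides' point), so the nearest thing
              is to wipe everything stored in it and expire the client's token cookies --->
        <cfset StructClear(session) />
        <cfcookie name="CFID" value="" expires="now" />
        <cfcookie name="CFTOKEN" value="" expires="now" />
        <!--- with J2EE sessions enabled instead, the real thing is available:
              <cfset getPageContext().getSession().invalidate() /> --->
    </cffunction>
</cfcomponent>
```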

Session Management Question?

Cookie Security

Cookie Parameters: Name; Value; Expires; Path; Domain; Secure; HTTPOnly

Cookie Domain and Path. Two sites on one host: 12robots.awesomebloggers.com and hacker.awesomebloggers.com. A cookie with domain=".awesomebloggers.com" is sent to both; domain=".12robots.awesomebloggers.com" is sent only to 12robots. Likewise path="/" versus path="/12robots".

Setting the HTTPOnly Flag

Questions? Please ask your questions now. Comments? Jason Dean