Advanced Fusebox: Securing a Fusebox Application By Steve Nelson SecretAgents.com.

Securing a Fusebox Application
1. Understand Fusebox terminology
2. Understand your users
3. Understand how to use App_Secure.cfm, App_Login.cfm, App_Logout.cfm
4. Finally, understand secured SQL statements

1. Fusebox Terminology
- Home Application
- Circuit Applications
- Fusebox
- Fuseactions
- Fuses

Home Application
- This is made up of many circuit applications
- Example: SecretAgents.com

Circuit Applications
- A section of a larger application
- Example: SecretAgents.com/members

The Fusebox
- This controls what a user is attempting to do
- The default web server template, Index.cfm, is the “Fusebox”

Fuseactions
- A single action that the user is attempting to perform
- Allows for one or more Fuses in each Fuseaction

Fuses
- One of the .cfm files containing the code needed to run a Fuseaction
- File naming convention: dsp_file.cfm (display), act_file.cfm (action), qry_file.cfm (query) and app_file.cfm (application)

2. Who Are Your Users?
- Public Users
- Registered Public Users
- Registered Private Users

Public Users
- Any user in the world who has not identified him/herself
- Examples:
  - Reading threads in a forum
  - Viewing products
  - Reading news articles

Registered Public Users
- A user who has freely registered
- These users can do certain public tasks that need to be associated with the user
- Examples:
  - Posting a thread to a forum
  - Purchasing products
  - Suggesting a news article

Registered Private Users
- Groups of users that have been granted access to private areas of a site
- Examples:
  - Moderating a forum
  - Editing product data
  - Editing news articles

3. Fusebox Security
- App_Login.cfm – When a user is attempting to log in
- App_Logout.cfm – When a user is attempting to log out
- App_Secure.cfm – Securing an entire Circuit Application or Fuseaction

Security Database Tables
- These tables can be defined by you
- My suggestion: three tables: Users, Groups, User_Groups

App_Login.cfm
- This file can be defined by you
- Verify the user is who they say they are
- Assign them their #Client.User_ID#
- Assign them their list of Groups: #Client.User_Groups#
- Return them to where they should be with

App_Logout.cfm
- This file can be defined by you
- Reset CFID/CFTOKEN if coming from another site
- Remove Client variables
- Set/delete CFID/CFTOKEN cookies
- App_Logout.cfm is commonly called in App_globals.cfm

App_Secure.cfm
- This file can be defined by you
- Used for verifying Registered Public and Private users
- If the user does not have permission it will send them to your login form

Security Variables
- #Client.User_ID# defines “who” the user is; needed for Registered Public and Registered Private users; this must be set by your login script
- #Client.User_Groups# contains the list of “Groups” the user belongs to; needed for Registered Private users; this must be set by your login script
- #Attributes.Groups# contains the list of groups allowed to access the area; used in App_Secure.cfm

How to Use App_Secure.cfm
- How to secure a Circuit Application
- How to secure a Fuseaction
- How to secure an area of a Fuse

Securing a Circuit Application
- If every Fuseaction in a Circuit Application needs to be secured, call App_Secure.cfm with CFMODULE at the top of index.cfm
- Assign the necessary groups to the “groups” attribute of App_Secure.cfm

Securing a Fuseaction
- For each Fuseaction that needs to be secured, call App_Secure.cfm inside its CFCASE statement with the necessary groups

Securing an Area of a Fuse
- Place a simple CFIF statement that looks at the #Client.User_Groups# list to see whether the user belongs to the appropriate group and may view the area
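The three placements described above, written out as an added example (not the presentation's own code). It assumes a `fuseaction` attribute is passed into App_Secure.cfm so the login form can return the user, and the group names (member, productEditor, admin, moderator) and fuse names are constructed for illustration.

```cfml
<!--- App_Secure.cfm (example). Attributes.Groups: comma list of groups allowed
      here; empty means any logged-in user. Attributes.Fuseaction: assumed
      attribute, so the login form can return the user. Client.User_ID and
      Client.User_Groups are set by App_Login.cfm. --->
<cfparam name="Attributes.Groups" default="">
<cfparam name="Attributes.Fuseaction" default="">
<cfparam name="Client.User_ID" default="0">
<cfparam name="Client.User_Groups" default="">
<cfset Authorized = false>

<cfif Val(Client.User_ID) GT 0>
  <cfif Trim(Attributes.Groups) EQ "">
    <!--- Registered Public area: being identified is enough --->
    <cfset Authorized = true>
  <cfelse>
    <!--- Registered Private area: user must hold at least one required group --->
    <cfloop list="#Attributes.Groups#" index="Required">
      <cfif ListFindNoCase(Client.User_Groups, Trim(Required))>
        <cfset Authorized = true>
        <cfbreak>
      </cfif>
    </cfloop>
  </cfif>
</cfif>

<cfif NOT Authorized>
  <!--- cflocation ends the request, so the caller's fuse never runs --->
  <cflocation url="index.cfm?fuseaction=login&returnto=#URLEncodedFormat(Attributes.Fuseaction)#" addtoken="yes">
</cfif>

<!--- index.cfm of the members circuit, showing the three placements --->
<!--- (a) whole Circuit Application: one call at the top of index.cfm --->
<cfmodule template="App_Secure.cfm" groups="member" fuseaction="#Attributes.Fuseaction#">
<cfswitch expression="#Attributes.Fuseaction#">
  <cfcase value="editProduct">
    <!--- (b) a single Fuseaction: call inside its cfcase --->
    <cfmodule template="App_Secure.cfm" groups="productEditor,admin" fuseaction="#Attributes.Fuseaction#">
    <cfinclude template="dsp_editProduct.cfm">
  </cfcase>
  <cfcase value="viewThread">
    <cfinclude template="dsp_viewThread.cfm">
  </cfcase>
</cfswitch>

<!--- (c) inside dsp_viewThread.cfm: only moderators get the moderation link --->
<cfif ListFindNoCase(Client.User_Groups, "moderator")>
  <a href="index.cfm?fuseaction=moderateThread">Moderate this thread</a>
</cfif>
```

Hiding the link in (c) only hides the link; the moderateThread Fuseaction itself still needs its own App_Secure.cfm call as in (b).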

4. Secured SQL Statements
- Even if a user belongs to a group, they should only be able to edit or delete “their” data
- Associate new records (inserts) with #Client.User_ID#, or other user-specific variables
- Verify edits/deletes with #Client.User_ID#, or other user-specific variables

User Specific Insert Statement
- Associate #Client.User_ID# with an Insert statement when necessary

Secured Update Statement
- Verify #Client.User_ID# in an Update statement when necessary

Secured Delete Statement
- Verify #Client.User_ID# in a Delete statement when necessary
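The insert, update and delete statements above, carried through as an added example rather than the presentation's own code. It assumes a News table with columns Article_ID, Title, Body and User_ID, a datasource name in Request.DSN, and form fields Title, Body and Article_ID; cfqueryparam is used so the ownership check cannot be undone by unescaped input.

```cfml
<!--- Example fuses, added here; not the presentation's own code.
      Assumed schema: News(Article_ID, Title, Body, User_ID); DSN in Request.DSN.
      Client.User_ID is set by App_Login.cfm; 0 means "not logged in". --->
<cfparam name="Client.User_ID" default="0">

<!--- act_insertArticle.cfm: tie the new record to the current user --->
<cfquery name="insertArticle" datasource="#Request.DSN#">
  INSERT INTO News (Title, Body, User_ID)
  VALUES (
    <cfqueryparam value="#Form.Title#" cfsqltype="cf_sql_varchar" maxlength="200">,
    <cfqueryparam value="#Form.Body#"  cfsqltype="cf_sql_longvarchar">,
    <cfqueryparam value="#Client.User_ID#" cfsqltype="cf_sql_integer">
  )
</cfquery>

<!--- act_updateArticle.cfm: the WHERE clause is the ownership check.
      A user can submit any Article_ID; only a row they own will match. --->
<cfquery name="updateArticle" datasource="#Request.DSN#">
  UPDATE News
  SET    Title = <cfqueryparam value="#Form.Title#" cfsqltype="cf_sql_varchar" maxlength="200">,
         Body  = <cfqueryparam value="#Form.Body#"  cfsqltype="cf_sql_longvarchar">
  WHERE  Article_ID = <cfqueryparam value="#Form.Article_ID#" cfsqltype="cf_sql_integer">
  AND    User_ID    = <cfqueryparam value="#Client.User_ID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- act_deleteArticle.cfm: same pattern; confirm a row matched before reporting success --->
<cfquery name="checkOwner" datasource="#Request.DSN#">
  SELECT Article_ID FROM News
  WHERE  Article_ID = <cfqueryparam value="#Form.Article_ID#" cfsqltype="cf_sql_integer">
  AND    User_ID    = <cfqueryparam value="#Client.User_ID#" cfsqltype="cf_sql_integer">
</cfquery>
<cfif checkOwner.RecordCount EQ 0>
  <!--- not their record (or not logged in): refuse without revealing whether the id exists --->
  <cfset Request.Message = "Article not found.">
<cfelse>
  <cfquery name="deleteArticle" datasource="#Request.DSN#">
    DELETE FROM News
    WHERE  Article_ID = <cfqueryparam value="#Form.Article_ID#" cfsqltype="cf_sql_integer">
    AND    User_ID    = <cfqueryparam value="#Client.User_ID#" cfsqltype="cf_sql_integer">
  </cfquery>
</cfif>
```

The User_ID condition stays in the DELETE itself, so the check and the delete cannot disagree even if the row changes hands between the two queries.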

Fusebox Makes Security Simple
- The structure of Fusebox makes security simple
- Focus on securing:
  - Entire Circuit Applications
  - Individual Fuseactions
  - Areas of a Fuse
  - User-specific records in the database