Slide 1: ColdFusion Application Security
Adam Wayne Lehman, ColdFusion Specialist, Adobe Systems, Inc.
2006 Adobe Systems Incorporated. All Rights Reserved.

Slide 2: About Me
- ColdFusion Specialist at Adobe
- Solutions Engineer
- Technical Evangelist
- Member of the ColdFusion Product Team
- 10+ years of ColdFusion experience
- Previous lives: US Department of State; Johns Hopkins University

Slide 3: Overview
- OWASP
- Top 10 Web Application Vulnerabilities

Slide 4: OWASP
- The Open Web Application Security Project (OWASP) is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted
- Researches security topics
- Produces guidelines and standards

Slide 5: OWASP Top 10 Project
- Represents a broad consensus about what the most critical web application security flaws are
- Available in 5 languages
- Listed as a key best practice by the U.S. Defense Information Systems Agency (DISA)

Slide 6: OWASP Web Application Security Vulnerabilities Top 10

Slide 7: #10 Insecure Configuration Management
- Having a strong server configuration standard is critical to a secure web application. Few, if any, server products are secure out of the box.
- Examples:
  - Un-patched security flaws in the server software
  - Unnecessary files
  - Unnecessary services enabled
  - Default accounts and/or default passwords
  - Overly informative error messages

Slide 8: #10 Insecure Configuration Management
- Establish a configuration baseline for ColdFusion
  - Do not deploy the ColdFusion Administrator or the sample applications to a production environment
  - Do not deploy RDS to a production environment
- Establish a configuration baseline for the server operating system
  - Do not run ColdFusion under the System/Root user
- Utilize security scanning tools

Slide 9: #9 Denial of Service (DoS Attacks)
- Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

Slide 10: #9 Denial of Service (DoS Attacks)
- Keep ColdFusion/JRun up to date with all security-related patches
- Utilize server or hardware solutions
- Minimize the amount of resources used per session
- Minimize unnecessary access to the database and other expensive resources
- Check your error handlers

Slide 11: #8 Insecure Storage
- Web applications frequently use cryptographic functions to protect information and credentials. While encryption has become relatively easy to implement and use, developers still frequently make mistakes while integrating it into a web application.

Slide 12: #8 Insecure Storage
- Protect sensitive data
  - Passwords
  - Credit card numbers
  - Social Security numbers *
- Encrypt data before you store it
- Use the built-in ColdFusion functions
  - hash()
  - encrypt()

* Do you really need to store the information?

Slide 13: #8 Insecure Storage - hash()
- Creates a "fingerprint" or unique identifier for the original string.
- It is not possible to convert the hash result back to the source string.
- hash() does not require a key.
- Use a hash rather than encryption for validating data such as passwords.
(Diagram: Hash)

Slide 14: #8 Insecure Storage - encrypt()
- Uses a symmetric key-based algorithm, in which the same key is used to encrypt and decrypt a string.
- The security of the encrypted string depends on maintaining the secrecy of the key.
- Use encryption rather than a hash when storing information that needs to be used in its original format, such as credit card numbers.
(Diagram: Encrypt)

Slide 15: #8 Insecure Storage - Algorithms
- Compatibility algorithm
  - CFMX_COMPAT
- Block encryption algorithms
  - AES
  - BLOWFISH
  - DES
  - DESEDE
- Password-based encryption algorithms
  - PBEWithMD5AndDES
  - PBEWithMD5AndTripleDES
- CFMX 7 provides the ability to install any additional Java Cryptography Extension (JCE) security providers
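A worked example of the hash()/encrypt() split that slides 13 to 15 describe, added here and not part of the slides: a salted SHA-256 hash for a password that only ever needs to be verified, and AES for a card number that has to be read back. The sample password, the card number (a constructed test value) and the variable names are assumptions.

```cfml
<!--- Added example, not from the slides. Uses only built-in CFMX 7 functions. --->
<cfscript>
// hashPassword(): SHA-256 over salt + password. A per-user random salt makes
// identical passwords hash differently and defeats precomputed hash tables.
function hashPassword(password, salt) {
    return hash(salt & password, "SHA-256");
}

// verifyPassword(): recompute and compare; the stored hash is never reversed,
// which is exactly why a hash (not encrypt()) is the right tool for passwords.
function verifyPassword(password, salt, storedHash) {
    return compare(hashPassword(password, salt), storedHash) EQ 0;
}

// Constructed sample: registration, then a good and a bad login attempt.
userSalt   = hash(createUUID(), "SHA-256");   // random; stored beside the hash
storedHash = hashPassword("correct horse battery", userSalt);
loginOk    = verifyPassword("correct horse battery", userSalt, storedHash); // true
loginBad   = verifyPassword("wrong password", userSalt, storedHash);        // false

// A card number must be recovered in its original form later, so it is
// encrypted, not hashed. generateSecretKey("AES") returns a Base64 key; keep it
// out of the database and the web root (here it only lives in this request).
cardKey    = generateSecretKey("AES");
cipherText = encrypt("4111111111111111", cardKey, "AES", "Base64"); // constructed test number
plainText  = decrypt(cipherText, cardKey, "AES", "Base64");
</cfscript>
<cfoutput>
login ok: #loginOk#, bad login: #loginBad#,
card round trip: #plainText EQ "4111111111111111"#
</cfoutput>
```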

Slide 16: #7 Improper Error Handling
- Web applications frequently generate error conditions during normal operation.
- Error messages must include meaningful messages for the user
- Error messages may include diagnostic information for the site maintainer
- Error messages should never include useful information for an attacker

Slide 17: #7 Improper Error Handling
- CF Administrator
  - Do not enable Robust Exception Information
  - Do not enable Debugging
- Define a site-wide error handler
- Define application-wide error handlers

Slide 18: #6 Injection Flaws
- Injection flaws allow attackers to relay malicious code through a web application to another system. Whole scripts can be injected into poorly designed web applications and executed.
- Attacks are commonly aimed at the operating system and the database (SQL injection)
- Injection vs. XSS

Slide 19: #6 Injection Flaws - System
- Set up a sandbox to limit access to
  - All other operating system functions

Slide 20: #6 Injection Flaws - Database
- Carefully validate the data provided to ensure that it does not contain any malicious content.
- Limit database permissions

Slide 21: #5 Buffer Overflows
- Attackers use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code, effectively taking over the machine.

Slide 22: #4 Cross Site Scripting (XSS) Flaws
- Cross-site scripting (sometimes referred to as XSS) vulnerabilities occur when an attacker uses a web application to send malicious code, generally in the form of a script, to a different end user.
- Two categories:
  - Stored
  - Reflective

Slide 23: MySpace and XSS
- Samy
  - Stored XSS worm attack, October 2005
  - Amassed 1,000,000+ friends
- GodOfTheNoose
  - Stored XSS worm attack, December 2005
  - Utilized unsanitized variables & Flash
  - Infected 450,000+ users

Slide 24: #4 Cross Site Scripting (XSS) Flaws
- Enable Global Script Protection
  - ColdFusion Administrator: a checkbox enables protection for all scopes
  - Application.cfc: THIS.scriptProtect
    - Allowed values: None, All, or a comma-delimited list of scopes

Slide 25: #4 Cross Site Scripting (XSS) Flaws
- Encode user-supplied output with a UDF like HTMLTrans()
  - Download HTMLTrans() from CFLib.org
- Install web server filters
  - URLScan (IIS)
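An added example (not from the slides) that puts slide 17's application-wide error handler and slides 24 and 25's XSS controls into one Application.cfc plus a display page: Global Script Protection via THIS.scriptProtect, an onError handler that logs diagnostics and shows the user only a generic message, and output encoding with the built-in HTMLEditFormat() in place of the HTMLTrans() UDF the slides point to. The application name, log file name and the page comment.cfm are assumptions.

```cfml
<!--- Application.cfc (added example, not from the slides) --->
<cfcomponent output="false">
    <cfset THIS.name = "SecureApp">
    <!--- Global Script Protection for all attacker-controlled scopes.
          Allowed values: "none", "all", or a comma-delimited list such as "form,url". --->
    <cfset THIS.scriptProtect = "all">

    <!--- Application-wide error handler (slide 17). --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <!--- Diagnostic detail goes to the server log for the site maintainer ... --->
        <cflog file="SecureApp_errors" type="error"
               text="#arguments.eventName#: #arguments.exception.message# #arguments.exception.detail#">
        <!--- ... while the user only sees a generic message: no stack trace,
              SQL text or file path that would be useful to an attacker. --->
        <cfoutput><p>Sorry, something went wrong. The problem has been logged.</p></cfoutput>
    </cffunction>
</cfcomponent>

<!--- comment.cfm (added example). Script protection only rewrites a fixed set of
      tags, so every user-supplied value is still encoded at output time.
      HTMLEditFormat() escapes <, >, & and " for an HTML body context. --->
<cfparam name="url.name" default="guest">
<cfoutput>
  <p>Welcome, #HTMLEditFormat(url.name)#</p>
</cfoutput>
```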

Slide 26: #3 Broken Authentication and Session Management
- Even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions.

Slide 27: #3 Broken Authentication and Session Management
- Passwords
  - Enforce complexity
  - Limit invalid login attempts
  - Change controls
  - Store hashed in the database

Slide 28: #3 Broken Authentication and Session Management
- Authenticate via SSL
- Transmit session IDs over SSL
- Do not pass session IDs in the URL
- Use J2EE sessions

Slide 29: #2 Broken Access Control
- Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.

Slide 30: #2 Broken Access Control
- Centralize authorization
- Insecure IDs
- Harden access to administrative functionality

Slide 31: #1 Unvalidated Input
- Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
- May cause:
  - Cross Site Scripting flaws
  - Injection flaws
  - Buffer overflows

Slide 32: #1 Unvalidated Input
- Validation techniques
  - Mask
  - onBlur
  - onSubmit
  - onServer
  - Hidden form field
  - isValid function

Slide 33: #1 Unvalidated Input
- isValid() function
  - Syntax:
    - IsValid(type, value)
    - isValid("range", value, min, max)
    - isValid("regex" or "regular_expression", value, pattern)
  - Supports 20+ types
    - All data types
    - Formatted data: credit card, SSN, telephone, more...
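An added example (not from the slides) tying slide 20's database advice to slide 33's isValid(): validate the request values on the server first, then bind them with cfqueryparam, a ColdFusion tag the slides do not name, rather than concatenating them into the SQL text. The datasource "shopDSN", the orders table and its columns are assumptions.

```cfml
<!--- Added example, not from the slides. Assumes a datasource "shopDSN" whose
      database account has only SELECT on orders (slide 20: limit permissions). --->
<cfparam name="url.orderId" default="">
<cfparam name="form.email" default="">
<cfset errors = arrayNew(1)>

<!--- isValid("integer") rejects anything that is not a whole number, so SQL
      fragments or script in this parameter never reach the query at all. --->
<cfif NOT isValid("integer", url.orderId)>
    <cfset arrayAppend(errors, "Order id must be a whole number.")>
<cfelseif NOT isValid("range", url.orderId, 1, 2147483647)>
    <!--- range form from slide 33: keep ids inside the column's value space --->
    <cfset arrayAppend(errors, "Order id is out of range.")>
</cfif>
<cfif NOT isValid("email", form.email)>
    <cfset arrayAppend(errors, "Enter a valid e-mail address.")>
</cfif>

<cfif arrayLen(errors)>
    <!--- Error text is still encoded on output (slide 25) --->
    <cfoutput><ul>
    <cfloop from="1" to="#arrayLen(errors)#" index="i">
        <li>#HTMLEditFormat(errors[i])#</li>
    </cfloop>
    </ul></cfoutput>
<cfelse>
    <!--- cfqueryparam sends the values as typed bind parameters; even after
          validation passes, user input is never part of the SQL statement. --->
    <cfquery name="order" datasource="shopDSN">
        SELECT id, customer_email
        FROM   orders
        WHERE  id = <cfqueryparam value="#url.orderId#" cfsqltype="cf_sql_integer">
        AND    customer_email = <cfqueryparam value="#form.email#"
                                              cfsqltype="cf_sql_varchar" maxlength="254">
    </cfquery>
    <cfoutput><p>Found #order.recordCount# matching order(s).</p></cfoutput>
</cfif>
```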

Slide 34: #1 Unvalidated Input
- Validate from your model
- View
- Server-side & client-side JavaScript

Slide 35: Recommendations
- Make security part of your SDLC
- Regularly perform security code reviews
- Include security in your test conditions
- There is no such thing as too much security

Slide 36: Other OWASP Projects
- AJAX Security Project
- WebScarab Project
- Language specific
  - Java
  - PHP
  - .NET
- Code Review Project

Slide 37: OWASP Local Chapters
- 70+ chapters worldwide
- Free and open to anyone
- Monthly meetings

Slide 38: Online Resources
- OWASP: www.owasp.org
- ColdFusion Security Center: http://www.macromedia.com/devnet/coldfusion/security.html
- HTMLTrans(): http://www.cflib.org/udf.cfm?ID=945
- Windows 2003 Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
