Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building Secure ColdFusion Applications

Published byBeryl Brown Modified over 6 years ago

Similar presentations

Presentation on theme: "Building Secure ColdFusion Applications"— Presentation transcript:

1 Building Secure ColdFusion Applications
Presented By Pete Freitag Principal Consultant, Foundeo Inc.

2 The Plan: Unchecked Input File Uploads XSS - Cross Site Scripting
SQL Injection Cross Site Request Forgery CRLF Injection Session Hijacking

3 A Hot Topic Source:

4 Unchecked Input The Cause of Most Security Problems
Server Side Validation IsValid Function Regular Expressions

5 What Are The Inputs? URL Variables FORM Variables Cookies
HTTP Request Headers (CGI Scope) User Agent Referrer Other Headers

6 Uploading Files A common task that can be very dangerous.

7 Example: File Uploads

8 Best Practices for File Uploads
Upload to a directory outside the web root or to a static content server. Always Check the File Extension cffile.serverFileExt Use the “accept” attribute, but never trust it.

9 Cross Site Scripting Attacker crafts a request that executes a client side script. Usually JavaScript Flash Applet IFRAME ActiveX

10 What’s So Bad About XSS Stealing Cookies Phishing

11 XSS Examples

12 ScriptProtect ColdFusion MX 7 Introduced ScriptProtect feature.
Catches many but not all XSS attacks. Enabled globally or at the application level. Configurable Regular Expressions WEB-INF/cfusion/lib/neo-security.xml

13 Preventing XSS Escape HTML Tags and Quotes XMLFormat()
Escapes double quotes, single quotes and <tags>. HTMLEditFormat() Escapes <tags> and double quotes but not single quotes.

14 SQL Injection Very Dangerous Very Easy to Prevent
Execute ANY SQL Statement Or ANY Program! xp_cmdshell Very Easy to Prevent

15 Classic SQL Injection Example
<cfquery datasource=”db” name=”news”> SELECT title, story FROM news WHERE id = #url.id# </cfquery> /news.cfm?id=8;DELETE+FROM+news

16 Preventing SQL Injection
<cfquery datasource=”db” name=”news”> SELECT title, story FROM news WHERE id = <cfqueryparam value=”#url.id#” cfsqltype=”cf_sql_integer”> </cfquery>

17 CFQUERYPARAM Can and should be used in WHERE Clauses INSERT Statements
UPDATE Statements All variables in your query Where allowed

18 Cross Site Request Forgery
How “samy”, a MySpace user made 1 million friends in less than 20 hours.

19 Cross Site Request Forgery
Samy found a clever way to execute javascript on his MySpace profile page. Whenever a MySpace user visited his profile samy’s script would add himself as a friend on their profile. For a few hours Samy caused MySpace to shut down for “maintenance”.

20 Cross Site Request Forgery
Takes advantage of a logged in user. Performs a privileged action on their behalf.

21 CSRF + XSS You don’t need an XSS hole to perform a Cross Site Request Forgery (CSRF). However, with an XSS hole, HTTP POST requests can be executed behind the scenes with AJAX. CSRF could be performed by an IFRAME on a malicious web site.

22 Mitigating CSRF Attacks
Server Side Confirmations Require HTTP POST when performing operations. Don’t allow foreign HTTP referrers. Require password for sensitive operations. Include a hash in the form based on authenticated user’s credentials.

23 CRLF Injection CRLF = Chr(13) & Chr(10) CFHEADER
<cfheader name=”Content-Type” value=”#url.type#”>

24 Session Hijacking If an attacker knows a user’s session id(s) (CFTOKEN & CFID) they can impersonate the user.

25 Ways Session ID’s are Compromised
Passing CFID & CFTOKEN in query string. CFLOCATION does this by default, use addtoken=”false” Cookies can be stolen with cross site scripting attacks. Traffic sniffing

26 Ways to Prevent Hijacking
Use SSL Don’t put session ids in the URL Use long session ids Enable “Use UUID for CFTOKENs” Integrity checking

27 Don’t Disclose Server Details
Error messages may show: File Paths Source Code Database Table and Column Names Use a Global Error Handler or CFERROR

28 Require SSL / HTTPS Prevent sniffing
Browsers run at a higher security level lowering success rates on some attacks. Secure cookies <cfcookie secure=”true” ...>

29 In Short: Validate Inputs!!

30 Thanks. Questions?

Download ppt "Building Secure ColdFusion Applications"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
PHP Security.

PHP Security.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Lecture 16. OWASP: The Open Web Application Security Project https://www.owasp.org/index.php/Top_10_2013-Top_10.

Lecture 16. OWASP: The Open Web Application Security Project
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.

Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack

Similar presentations

Ads by Google