
ColdFusion Security Michael Smith President TeraTech, Inc ColdFusion, Database & VB custom development 800-447-9120.




Slide 1: ColdFusion Security
Michael Smith, President, TeraTech, Inc
ColdFusion, Database & VB custom development
http://www.teratech.com
800-447-9120

Slide 2: Introduction
- ColdFusion security
- Keeping hackers out
- While still letting users and friendly apps in

Slide 3: ColdFusion Security
Here is what we will be covering:
- System software
  - OS -> FW -> WS -> DB -> CF
- Page parameter validation
- User authentication
- Security resources

Slide 4: 1.1 System software
- a) Operating System/Webserver
  - Delete the guest and administrator NT server userids (create a new user name for the administrator)
  - Get the latest Service Packs
  - Patch the ::$DATA and %20 source-disclosure holes
  - Use IIS or Website directory security, possibly with CFAuth too
  - Clean up the /CGI-BIN directory - it contains dangerous sample scripts

Slide 5: 1.2 System software
- b) Database
  - Store the database in a separate directory from the web root, or on a separate PC
  - Move from Access to SQL Server - better security features
  - Use user ids and passwords that are hard to guess
  - Delete the guest and sa userids
  - Only give the read/update/delete rights that you need
  - Use stored procedures

Slide 6: 1.3 System software
- c) Firewall
  - Keeps bad IP packets out
  - By default, keep everything out
  - Prevents hackers from moving from machine to machine
  - Only open the ports that are required - e.g. for SQL Server
  - Prevent/record denial of service
  - Proxy access to HTTP
  - Can get in the way of development

Slide 7: 1.4 System software
- d) ColdFusion
  - Remove the CFDOCS dir from live servers
  - Remove the Start/Stop page
  - Turn off CFDIRECTORY, CFFILE, CFCONTENT, CFOBJECT
  - Remove any unused CFX and CF tags
  - Use a dedicated server

Slide 8: 2: Page Validation
- URL and Form parameters used in SQL
  - SELECT * FROM EMP WHERE ID = #USERID#
  - Extra SQL commands: http://myserver/page.cfm?ID_VAR=7%20DELETE%20FROM%20MyCustomerTable
  - | VBA functions - shell()
- Use VAL() on parameters or check for ' and |
- Encrypt variables
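A worked version of this slide, added here as an example that is not part of the original presentation: the vulnerable query from the slide sits in a comment next to a hardened page that validates the parameter and then binds it with cfqueryparam, so nothing the browser sends is ever interpreted as SQL. The table EMP and column ID come from the slide; the datasource name mydsn, the parameter names URL.ID and URL.Name, and the Name column are assumptions.

```cfml
<!--- Added example, not from the original slides. Datasource "mydsn", the
      parameters URL.ID / URL.Name and the Name column are assumptions; EMP
      and ID come from the slide. --->

<!--- VULNERABLE (the slide's form): the raw parameter is pasted into SQL.
      page.cfm?ID=7%20DELETE%20FROM%20MyCustomerTable becomes
          SELECT * FROM EMP WHERE ID = 7 DELETE FROM MyCustomerTable
      Kept inside this comment so it never runs:
      <cfquery name="getEmp" datasource="mydsn">
          SELECT * FROM EMP WHERE ID = #URL.ID#
      </cfquery>
--->

<!--- HARDENED, step 1: accept only a string of digits. Val() alone would
      turn "7 DELETE FROM ..." into 7, which stops the injection but hides
      the attempt; rejecting and logging makes the probe visible. --->
<cfparam name="URL.ID" default="">
<cfif NOT REFind("^[0-9]+$", URL.ID)>
    <cflog file="security" type="warning"
           text="Rejected non-numeric ID parameter from #CGI.REMOTE_ADDR#">
    <cfabort showerror="Invalid request.">
</cfif>

<!--- Step 2: bind the value. The driver sends it as an integer parameter,
      not as part of the SQL text. --->
<cfquery name="getEmp" datasource="mydsn">
    SELECT * FROM EMP
    WHERE ID = <cfqueryparam value="#URL.ID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String parameters get the character check from the slide (' and |)
      and are still bound, so the database never sees them as SQL. --->
<cfparam name="URL.Name" default="">
<cfif Find("'", URL.Name) OR Find("|", URL.Name)>
    <cflog file="security" type="warning"
           text="Rejected Name parameter containing quote or pipe from #CGI.REMOTE_ADDR#">
    <cfabort showerror="Invalid request.">
</cfif>
<cfquery name="findEmp" datasource="mydsn">
    SELECT * FROM EMP
    WHERE Name LIKE <cfqueryparam value="#URL.Name#%" cfsqltype="cf_sql_varchar">
</cfquery>

<cfoutput query="getEmp">Employee #ID# found.<br></cfoutput>
```

The log lines deliberately record the client address and not the rejected value itself, so an attacker cannot use the parameter to write arbitrary text into the security log. The quote-and-pipe check is the slide's own advice for the Access-era pipe problem; with cfqueryparam in place it is a second line of defence rather than the only one.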

Slide 9: 3.1: Authentication
- Stateless web - any page can call another - this is good for open sites
- Hacker pages call your page with false data
- Use CGI.HTTP_REFERER to control who calls you
- Use CGI.CF_TEMPLATE_PATH in application.cfm to control what is run
- Encrypting code
- NT auth or LDAP

Slide 10: 3.2: Authentication
- Protected header code: in your application.cfm or header.cfm, to be included in every page
- Your protected links here
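The slide's own header code did not survive extraction. The application.cfm below is an added example of the idea on slides 9 and 10, not the presenter's code: it runs before every page in the directory, uses CGI.CF_TEMPLATE_PATH to decide which pages are public, requires a logged-in session for the rest, and applies the CGI.HTTP_REFERER check from slide 9. The application name myapp, the list of public page names and the SESSION.LoggedIn flag are assumptions.

```cfml
<!--- Added example (application.cfm), not the slide's own header code.
      "myapp", the public page list and SESSION.LoggedIn are assumptions. --->
<cfapplication name="myapp" sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0,0,30,0)#">

<!--- Pages anyone may request without logging in. --->
<cfset publicPages = "login.cfm,logout.cfm,index.cfm">

<!--- CGI.CF_TEMPLATE_PATH is the file the server is about to run, so the
      check cannot be bypassed by changing the URL or the Host header. --->
<cfset thisPage = ListLast(CGI.CF_TEMPLATE_PATH, "/\")>

<cfif NOT ListFindNoCase(publicPages, thisPage)>

    <!--- 1. The real gate: a session flag set only by our own login page. --->
    <cfparam name="SESSION.LoggedIn" default="No">
    <cfif NOT SESSION.LoggedIn>
        <cflocation url="login.cfm" addtoken="No">
    </cfif>

    <!--- 2. The Referer check from slide 9. The Referer header is sent by
          the client and may be absent or forged, so it works as a tripwire
          that records pages being called from elsewhere, not as the only
          control. A direct request carries no Referer and is left to the
          session check above. --->
    <cfif Len(CGI.HTTP_REFERER)
          AND NOT FindNoCase("://#CGI.SERVER_NAME#/", CGI.HTTP_REFERER)>
        <cflog file="security" type="warning"
               text="#thisPage# called from a foreign referer by #CGI.REMOTE_ADDR#">
        <cfabort showerror="Access denied.">
    </cfif>

</cfif>
```

The login page named in publicPages is expected to set SESSION.LoggedIn to "Yes" only after checking credentials; logout.cfm clears it. Because application.cfm runs for every request in its directory tree, a protected page that forgets to include a header is still covered, which is the point of putting the check here rather than in each page.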

Slide 11: 3.3: Error handling
- Never display default CF errors - they give out SQL information
- Email the error to the admin
- Don't explain why the attempt failed
- Standard processing time
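An added example covering all four points on this slide; it is not code from the presentation. Three pieces are shown and separated by comments: a cferror line for application.cfm, the error.cfm handler it names, and a login.cfm that gives the same answer and does the same work whether the user name is unknown or the password is wrong. The address admin@example.com, datasource mydsn, the Users table with Username, Salt and PasswordHash columns, and the page names are assumptions; session management is assumed to be enabled in application.cfm.

```cfml
<!--- Added example, not from the original slides. admin@example.com,
      datasource "mydsn", the Users table (Username, Salt, PasswordHash)
      and the page names are assumptions. --->

<!--- ===== application.cfm (one line to add) =====
      Every uncaught exception goes to error.cfm instead of the default CF
      error page, which echoes the failing SQL and datasource name. --->
<cferror type="exception" template="error.cfm" mailto="admin@example.com">

<!--- ===== error.cfm =====
      In a type="exception" handler the ERROR scope holds the details and
      CFML tags may be used. The user sees one fixed message and a
      reference id; everything else goes to the admin by mail. --->
<cfset refId = CreateUUID()>
<cfmail to="#ERROR.MailTo#" from="webserver@example.com"
        subject="ColdFusion error #refId# on #CGI.SERVER_NAME#">
Reference: #refId#
Time:      #ERROR.DateTime#
Template:  #ERROR.Template#
Query:     #ERROR.QueryString#
Remote IP: #ERROR.RemoteAddress#
Referer:   #ERROR.HTTPReferer#
Message:   #ERROR.Message#
Detail:    #ERROR.Detail#
</cfmail>
<cfoutput>
<p>Sorry, this request could not be completed. The problem has been
reported to the site administrator. Reference: #refId#</p>
</cfoutput>

<!--- ===== login.cfm =====
      "Don't explain why the attempt failed" and "standard processing
      time": an unknown user, a wrong password and an empty form all take
      the same path, run the same hash and print the same message. --->
<cfparam name="FORM.Username" default="">
<cfparam name="FORM.Password" default="">
<cfquery name="getUser" datasource="mydsn">
    SELECT Salt, PasswordHash FROM Users
    WHERE Username = <cfqueryparam value="#FORM.Username#" cfsqltype="cf_sql_varchar">
</cfquery>
<!--- Hash even when no row came back (Salt is then empty), so a missing
      user name is not answered faster than a wrong password. --->
<cfset suppliedHash = Hash(FORM.Password & getUser.Salt, "SHA-512")>
<cfif getUser.RecordCount EQ 1
      AND CompareNoCase(suppliedHash, getUser.PasswordHash) EQ 0>
    <cfset SESSION.LoggedIn = "Yes">
    <cflocation url="index.cfm" addtoken="No">
<cfelse>
    <cflog file="security" type="information"
           text="Failed login from #CGI.REMOTE_ADDR#">
    <cfoutput><p>Login failed.</p></cfoutput>
</cfif>
```

The reference id appears in both the mail and the page, so a user reporting a problem can be matched to the full error without any of the detail having been shown to them. The per-user Salt column keeps identical passwords from producing identical stored hashes; a deliberately slow password hash would be the next improvement, but the slide's point is the uniform failure path, which holds whichever hash is used.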

Slide 12: 4: Resources
- http://www.allaire.com/developer/securityzone/
- Tools you could use to analyze your NT servers
  - http://www.netect.com
  - http://www.webtrends.com/wsa
- NTSecurity: http://ntsecurity.ntadvice.com/

Slide 13: Real Hacks
- This spring several commercial ColdFusion sites were hacked or shut down due to the CFDOCS hole.
- Security is hard because a hacker only needs one window to be open to get in, while the poor webmaster must work on closing dozens of holes.

Slide 14: What Security Means
- Security is a way of thinking - how can they get in...
- Get patches and read security bulletins - today's secure system may be tomorrow's hack!
- More knowledge is power - don't keep security secret!

Slide 15: Next Steps
- Conduct a security audit
  - Download Michael Dinowitz's http://www.houseoffusion.com/MunchkinLand.cfm to test your site for holes
  - Remove CFDOCS
- Change database configuration and passwords
- Validate pages
- Authenticate pages
