• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Security with ColdFusion

Security with ColdFusion






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Security with ColdFusion Security with ColdFusion Presentation Transcript

    • This is matter
    • My Name is Pritesh Patel working as Technical Project Manager at iSummation Technologies Pvt. Ltd. Twitter: @thecfguy Blog: http://www.thecfguy.com
    • 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Injection Broken Authentication And Session Management Cross-Site Scripting (XSS) Insecure Direct object references Security Misconfiguration Sensitive Data Exposure Missing Function level access control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards
    •  It’s security team duty to find it out. I am developer, why should I care about?  Site doesn’t have important data to hide.  There is negligible change to attack on my site out of millions of websites.
    •  To give little relax to your security team as gift.  Every sites data is important or other sites hosted on same server has.  We always hope to win Jackpot out of billion, who know you are lucky winner amongst millions.  You should care for your/your company better impression.
    •  Injection can be done at SQL, OS or LDAP but a web      developer SQL injection will discuss. Best way to prevent it is, use <cfqueryparam> tag all your dynamic value of query (or user input). Use stored procedure as much as possible. Escaping all user supplied input wherever you are not using cfqueryparam. Remove unnecessary previlige for ColdFusion datasource from “Advance Setting”. You can simply use ESAPI (now available with ColdFusion 9 latest patch) and encodeForSQL() function.   <cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI").encoder()> <cfset esapi.encodeForSQL(org.owasp.esapi.codecs.Codec codec, java.lang.String input) )>
    •         Keep username case INsensitive. (not for security but for user comfort. Set password minimum length not shorter than 10 characters. Maximum length should not be less than 20 characters. Force for complex password. On multiple incorrect attempt verify input placed by human. Never store password in plain text, you did that right? Re-authenticate on sensitive feature. (Like change password, delete account, edit account information or payment information). Use generic error message instead of indicating what exactly wrong.  Incorrect    Correct       “Test is wrong username”. “Supplied password is wrong”. “Login Failed: Incorrect username or password”. User UUID for CFTOKEN. Enable Jsession Id Use httpOnly for session cookie. Minimize session idle timeout. Do not cache webpage for important information. Force page refresh when using through browser back button.
    •  This javascript based attack. Easy to attack on any site and     hard to prevent it. Simple rule to avoid XSS “Never trust on user input”. Demo ColdFusion 10 coming with inbuilt function based on ESAPI to avoid XSS attack. ColdFusion 9 latest patch already have ESAPI included in so you can create ESAPI object and use it wherever needed. Useful functions:     Encodeforhtml() Encodeforhtmlattribute() Encodeforcss() Encodeforjavascript()
    •  Sometime we supply crucial information in URL param without knowing importance.  For ex.: http://www.example.com/customer/userinvoice.cfm?i nvoiceid=1233  How to avoid:  Add additional hashed key with passed parameters which generated with user session id and compare before giving access.
    •  Keep your software updated with latest patches.  Always use custom error page instead of showing stacktrace.  Keep setting different for development and production. And it should auto detect by IP/domain instead of manual change.  Disabled directory listing on your web application.
    •  Store your sensitive data (password, credit card) always in encrypted format.  Forced SSL redirection for non public page.  Store sensitive data only if needed.  Disable auto complete form for collecting sensitive data and of course disabled caching of page.
    •  It is little similar to “Insecure Direct object References”. Instead of form/url parameter look for full URL is also have access control.  http://www.example.com/guest/profile  http://www.example.com/user/profile  Implement role based security for each functionality.
    •  This attack allow to use functionality of user’s       authenticated area without knowing user’s permission. Demo Add CSRFToken to every request and compare it. Use POST instead of GET method (though is not going to prevent attack) Check the referrer header. (This can be spoofed as well) Check origin header. Unlike referer HTTP origin will be present in HTTP request that originates from HTTPS url. Challenge-Response:  Captcha  Re-Authenticate  One-Time token
    •  World with lots of vulnerabilities. Before using any third party component or software make sure component do not have any known vulnerabilities.  Monitor security patches or version release for your components.
    •  Imagine if your user redirect to some malware site if     click on “next” button. Sometime we use page to redirect. E.g. http://www.example.com/redirect.cfm?nexturl=badgu yssite.com Try to avoid redirect/forward page. Do not use user input for redirection parameter. Fully validate url where you are redirecting.