Securing Your Web Applications in ColdFusion

This presentation was given last year at NVCFUG and covers topics of login/authentication security, obfuscation, encryption and more.

  1. Securing Your ColdFusion Web Applications
     NVCFUG, December 2010
  2. HTTP Basic Authentication
     • First HTTP authentication mechanism
     • Easy to implement with .htaccess
     • Highly insecure mechanism
     • Username and password sent in clear text with each request to the server
     • Multiple brute-force applications are widely available to break HTTP Basic Authentication
  3. Web Based Basic Authentication
     • Uses an HTML form to gather login information
     • Easy to implement
     • Highly insecure mechanism
     • Username and password sent in clear text
  4. Secure Authentication
     • Uses an HTML form and JavaScript Hash() to gather login information
     • Easy to implement
     • Slightly more secure mechanism
     • Username sent in clear text (or MD5 hashed)
     • Password sent as an MD5 hash
     • The hashed password protects against password disclosure but can still be replayed to force authentication
  5. Federated Secure Authentication
     • Uses an HTML form, a random seed and JavaScript Hash() to gather login information
     • Forces a pre-authentication cookie and/or referrer data to ensure the login comes from the proper site
     • Hashes the password with the random seed
     • Protects the password hash from recovery
     • Uses random session IDs for each request
     • Highly secure mechanism
  6. Encryption Algorithms
     • CFMX-COMPAT (default): basically a Crypt() function; easy to decipher/break
     • DES: very basic encryption; easy to decipher/break
     • AES/DESEDE: basic encryption; moderately difficult to decipher/break
     • BLOWFISH: enhanced encryption; very difficult to decipher/break
  7. Encryption Encodings
     • Base64: ASCII encoding; good choice for binary storage/transfer; requires URL encoding
     • HEX: hex encoding; better choice for passing GET/POST data; requires no URL encoding
     • UU: UUEncode, the default CFML encoding; a good choice for backwards compatibility with older applications and technologies
  8. Advanced Encryption
     • Java Cryptography Extensions
     • Sun Unlimited Strength Jurisdiction Policy Files
     • The Legion of the Bouncy Castle extensions: Twofish, Skipjack, Serpent, S/MIME and HMAC-SHA1 encryptions; MD2, MD4, RipeMDxxx, SHA-224 and Tiger hashes
  9. Obfuscation Techniques
     • Hash(): one-way encryption; MD5; SHA1
     • Implementation: GET/POST of data; FORM and URL parameter names; database table and column names
  10. Maintaining State
     • HTTP is a stateless protocol
     • State maintains key data for each unique session
     • Required for authentication mechanisms
     • Randomizing state session IDs
     • Session (State) Management: SESSION variables; COOKIES
  11. Built-In Routines
     • CFML authentication framework
     • Uses SESSION variables for state management
     • OOP techniques easily implemented
     • <cflogin>: defines code to execute for session login
     • <cfloginuser>: defines user and role information for the current session
     • <cflogout>: logs a user out of the system
     • IsUserInRole(): checks the user's role(s)
     • getAuthUser(): queries the user's session information
  12. Other Considerations
     • Use email addresses as usernames
     • Password generation, recovery and change management
     • Use multiple encryption algorithms for different areas of the application
     • Use combined encryption algorithms for highly secure data storage
     • Apply secure/federated authentication to non-form based interactions (e.g. web services, Flex/AIR RIAs)
  13. Putting It All Together
     • The login form: username and password; MD5 JavaScript hash()ing with a random seed
     • The authenticator: compares user/pass with encrypted database entries
     • The session manager: handles user information from the authenticator; manages sessions and maintains state
     • User management: change password; admin user management; password recovery
