Security with ColdFusion


1 Comment
  • Slide #7: encodeForSQL() isn't a ColdFusion function but is available under the ESAPI Java library. I haven't had luck working with MS SQL, but it works fine with MySQL. You may find sample code here.


Security with ColdFusion

  1. This is matter
  2. My name is Pritesh Patel, working as Technical Project Manager at iSummation Technologies Pvt. Ltd. Twitter: @thecfguy Blog:
  3. 1. Injection
     2. Broken Authentication and Session Management
     3. Cross-Site Scripting (XSS)
     4. Insecure Direct Object References
     5. Security Misconfiguration
     6. Sensitive Data Exposure
     7. Missing Function Level Access Control
     8. Cross-Site Request Forgery (CSRF)
     9. Using Components with Known Vulnerabilities
     10. Unvalidated Redirects and Forwards
  4. - It's the security team's duty to find it out. I am a developer, why should I care?
     - The site doesn't have important data to hide.
     - There is a negligible chance of an attack on my site out of millions of websites.
  5. - To give a little relief to your security team, as a gift.
     - Every site's data is important, or the other sites hosted on the same server have some.
     - We always hope to win the jackpot out of a billion; who knows, you may be the lucky winner amongst millions.
     - You should care for your own and your company's better impression.
  6. Injection can be done at the SQL, OS or LDAP level, but as web developers we will discuss SQL injection. The best way to prevent it is to use the <cfqueryparam> tag for every dynamic value in a query (or user input). Use stored procedures as much as possible. Escape all user-supplied input wherever you are not using cfqueryparam. Remove unnecessary privileges for the ColdFusion datasource under “Advanced Settings”. You can simply use ESAPI (now available with the latest ColdFusion 9 patch) and the encodeForSQL() function:
     <cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI").encoder()>
     <!--- encodeForSQL(Codec codec, String input) needs a database-specific codec;
           MySQLCodec in MySQL mode (0) is shown as an example, userInput is a placeholder --->
     <cfset codec = CreateObject("java", "org.owasp.esapi.codecs.MySQLCodec").init(0)>
     <cfset safeInput = esapi.encodeForSQL(codec, userInput)>
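The following is an added example, not code from the slides, showing the cfqueryparam advice in practice: the same lookup written first with string interpolation and then with a bound parameter. The datasource name "shopDSN" and the table "invoices" are assumed placeholders.

```cfml
<!--- Added example, not from the slides. Assumes a datasource "shopDSN" and a table
      invoices(id, customer_name, total); both are placeholders. --->

<!--- VULNERABLE: url.invoiceid is pasted straight into the SQL text, so a value that
      is not a plain number changes the meaning of the WHERE clause. --->
<cfquery name="qBad" datasource="shopDSN">
    SELECT id, customer_name, total
    FROM   invoices
    WHERE  id = #url.invoiceid#
</cfquery>

<!--- SAFE: cfqueryparam sends the value as a typed bind parameter, so the database
      never parses it as SQL. cf_sql_integer also rejects non-numeric input outright. --->
<cfquery name="qGood" datasource="shopDSN">
    SELECT id, customer_name, total
    FROM   invoices
    WHERE  id = <cfqueryparam value="#url.invoiceid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Free-text search: bind the whole LIKE pattern instead of gluing it into the SQL,
      and cap the length so oversized input is refused before it reaches the database. --->
<cfquery name="qSearch" datasource="shopDSN">
    SELECT id, customer_name, total
    FROM   invoices
    WHERE  customer_name LIKE <cfqueryparam value="%#form.q#%"
                                            cfsqltype="cf_sql_varchar"
                                            maxlength="100">
</cfquery>
```

The bound versions also let the database cache the statement plan, so the parameterized form is usually faster as well as safe.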
  7. - Keep usernames case-insensitive (not for security but for user comfort).
     - Set the password minimum length to no shorter than 10 characters. The maximum length should not be less than 20 characters.
     - Force complex passwords.
     - On multiple incorrect attempts, verify that the input is placed by a human.
     - Never store passwords in plain text. You did that right?
     - Re-authenticate on sensitive features (like change password, delete account, edit account information or payment information).
     - Use a generic error message instead of indicating what exactly is wrong.
       Incorrect: “Test is wrong username”. “Supplied password is wrong”.
       Correct: “Login Failed: Incorrect username or password”.
     - Use UUID for CFTOKEN.
     - Enable JSESSIONID.
     - Use httpOnly for the session cookie.
     - Minimize the session idle timeout.
     - Do not cache web pages containing important information.
     - Force a page refresh when the page is reached through the browser back button.
  8. This is a JavaScript-based attack. It is easy to launch against any site and hard to prevent. The simple rule to avoid XSS: “Never trust user input”. Demo. ColdFusion 10 is coming with inbuilt functions based on ESAPI to avoid XSS attacks. The latest ColdFusion 9 patch already has ESAPI included, so you can create an ESAPI object and use it wherever needed. Useful functions: encodeForHTML(), encodeForHTMLAttribute(), encodeForCSS(), encodeForJavaScript().
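Added example (not from the slides): the four encoder functions named above, each applied in the output context it is meant for, using the ESAPI encoder object that the ColdFusion 9 patch makes available. The displayName value is a constructed input chosen to contain every character class the encoders treat specially.

```cfml
<!--- Added example, not from the slides. The ESAPI encoder from the ColdFusion 9
      patch; on ColdFusion 10 the built-in functions of the same name replace esapi.xxx(). --->
<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI").encoder()>

<!--- Constructed input containing markup, quotes and an ampersand --->
<cfset displayName = 'Bob <b>"the builder"</b> & co'>

<cfoutput>
<!--- 1. HTML body text: encodeForHTML turns < > & " into entities --->
<p>Welcome, #esapi.encodeForHTML(displayName)#</p>

<!--- 2. HTML attribute value: encodeForHTMLAttribute, and always quote the attribute
         so a stray space in the value cannot start a new attribute --->
<input type="text" name="displayName" value="#esapi.encodeForHTMLAttribute(displayName)#">

<!--- 3. Inside a JavaScript string literal: encodeForJavaScript escapes quotes and
         the characters that would close the string or the script block --->
<script>
    var user = "#esapi.encodeForJavaScript(displayName)#";
</script>

<!--- 4. Inside a CSS value: encodeForCSS, for values that end up in style rules --->
<span style="font-family: '#esapi.encodeForCSS(displayName)#'">#esapi.encodeForHTML(displayName)#</span>
</cfoutput>

<!--- ColdFusion 10 equivalents, same encoders built in:
      encodeForHTML(displayName), encodeForHTMLAttribute(displayName),
      encodeForJavaScript(displayName), encodeForCSS(displayName) --->
```

The point to take from the block is that the encoder must match the place the value lands: HTML-encoding a value and then dropping it into a script block leaves the JavaScript context unprotected, and vice versa.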
  9. Sometimes we supply crucial information in a URL parameter without realising its importance. For example: invoiceid=1233. How to avoid it: add an additional hashed key alongside the passed parameters, generated from the user's session id, and compare it before giving access.
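Added example, not the speaker's code, implementing the hashed-key idea from this slide: the id is signed with the current session id and a server-side secret, the signature travels with the link, and the receiving page refuses the request when the two do not match. application.urlSecret and the page name invoice.cfm are assumed placeholders.

```cfml
<cfscript>
    /*
     * Added example, not from the slides. application.urlSecret is an assumed
     * server-side secret (set once in Application.cfc); "invoice.cfm" is a placeholder.
     * In a real application these functions would live in a shared CFC.
     */

    // Signature for one id: id + this visitor's session id + server secret.
    // The secret means a visitor who knows their own session id still cannot forge keys.
    string function signId(required string id) {
        var material = arguments.id & "|" & session.sessionid & "|" & application.urlSecret;
        return hash(material, "SHA-256");
    }

    // Link that carries both the id and its key.
    string function signedLink(required string page, required string id) {
        return arguments.page & "?invoiceid=" & urlEncodedFormat(arguments.id)
             & "&key=" & signId(arguments.id);
    }

    // Receiving side: recompute and compare. compareNoCase returns 0 when equal
    // (hash() returns upper-case hex, so case must not matter here).
    boolean function isValidKey(required string id, required string key) {
        return compareNoCase(signId(arguments.id), arguments.key) EQ 0;
    }
</cfscript>

<!--- Issuing page: every link to a record is signed --->
<cfoutput><a href="#signedLink('invoice.cfm', '1233')#">View invoice 1233</a></cfoutput>

<!--- invoice.cfm: check the key before the record is even queried --->
<cfparam name="url.invoiceid" default="">
<cfparam name="url.key" default="">
<cfif NOT isValidKey(url.invoiceid, url.key)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
```

Because the session id is part of the hashed material, a signed link copied from one user's browser is worthless in another user's session; the key is issued per session, not per record.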
  10. - Keep your software updated with the latest patches.
      - Always use a custom error page instead of showing the stack trace.
      - Keep settings different for development and production, and auto-detect the environment by IP/domain instead of changing it manually.
      - Disable directory listing on your web application.
  11. - Always store your sensitive data (passwords, credit cards) in encrypted form.
      - Force SSL redirection for non-public pages.
      - Store sensitive data only if needed.
      - Disable form autocomplete when collecting sensitive data and, of course, disable caching of the page.
  12. It is a little similar to “Insecure Direct Object References”. Instead of a form/URL parameter, make sure the full URL is also covered by access control. Implement role-based security for each functionality.
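The Application.cfc below is an added example (not the speaker's code) that gathers the application-wide points from slides 7, 10 and 11 in one place: a short session timeout with an httpOnly cookie, environment detection from the host name, an error handler that never shows a stack trace in production, and a forced redirect to SSL for every page not on a public allow-list. The host name www.example.com, the public page list, /error.cfm and the urlSecret value are assumed placeholders; the this.sessioncookie struct is a ColdFusion 10 setting.

```cfml
component {
    // Added example, not from the slides. Placeholders: www.example.com, the
    // publicPages list, /error.cfm and the urlSecret value.

    this.name = "secureApp";
    this.sessionManagement = true;
    // Slide 7: keep the idle timeout short
    this.sessionTimeout = createTimeSpan(0, 0, 20, 0);
    // Slide 7: httpOnly session cookie (ColdFusion 10 setting); secure keeps it off plain HTTP
    this.sessioncookie = { httpOnly = true, secure = true };

    boolean function onApplicationStart() {
        // Slide 10: environment decided by the host name, never by hand-editing a flag
        application.environment = (cgi.server_name EQ "www.example.com") ? "production" : "development";
        // Assumed secret used by the signed-link example; replace with a random value
        application.urlSecret = "REPLACE-WITH-A-LONG-RANDOM-SECRET";
        return true;
    }

    boolean function onRequestStart(required string targetPage) {
        // Slide 11: force SSL for everything except a small public allow-list
        var publicPages = "/index.cfm,/about.cfm";
        if (cgi.https NEQ "on" AND NOT listFindNoCase(publicPages, arguments.targetPage)) {
            location(url = "https://" & cgi.server_name & cgi.script_name, addToken = false);
        }

        // Slide 11: tell browsers and proxies not to cache authenticated pages
        if (structKeyExists(session, "userId")) {
            getPageContext().getResponse().setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            getPageContext().getResponse().setHeader("Pragma", "no-cache");
        }
        return true;
    }

    void function onError(required any exception, required string eventName) {
        // Slide 10: stack traces only for developers, a custom page for everyone else
        var env = structKeyExists(application, "environment") ? application.environment : "production";
        if (env EQ "development") {
            writeDump(arguments.exception);
            abort;
        }
        writeLog(file = "application", type = "error", text = arguments.exception.message);
        include "/error.cfm";   // placeholder friendly page, no technical detail
    }
}
```

Directory listing (slide 10) is a web-server setting rather than something Application.cfc can control, so it is deliberately absent here.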
  13. This attack allows functionality in the user's authenticated area to be used without the user's knowledge or permission. Demo.
      - Add a CSRF token to every request and compare it.
      - Use POST instead of GET (though this alone is not going to prevent the attack).
      - Check the Referer header (this can be spoofed as well).
      - Check the Origin header. Unlike Referer, the HTTP Origin header will be present in HTTP requests that originate from an HTTPS URL.
      - Challenge-response: Captcha, re-authenticate, one-time token.
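Added example, not from the slides, of the first and fourth bullets together: a per-session CSRF token carried in a hidden form field and checked on the receiving page, plus a check that the Origin header, when present, names our own host. ColdFusion 10 ships csrfGenerateToken()/csrfVerifyToken() for the token part; the manual version below also runs on ColdFusion 9. account.cfm and the form fields are placeholders.

```cfml
<!--- Added example, not from the slides. "account.cfm" and the form fields are placeholders. --->
<cfscript>
    // Issue one random token per session (createUUID gives hex and dashes only)
    if (NOT structKeyExists(session, "csrfToken")) {
        session.csrfToken = createUUID();
    }

    // True only when the posted token equals the one issued to this session.
    boolean function csrfTokenIsValid() {
        if (NOT structKeyExists(form, "csrfToken")) return false;
        return compare(form.csrfToken, session.csrfToken) EQ 0;
    }

    // Origin check: browsers send Origin on cross-site POSTs, including from HTTPS pages.
    // Absent header (older browsers) is accepted here because the token check still applies.
    boolean function originIsOurs() {
        var headers  = getHttpRequestData().headers;
        if (NOT structKeyExists(headers, "Origin")) return true;
        var expected = ((cgi.https EQ "on") ? "https://" : "http://") & cgi.server_name;
        // add ":" & cgi.server_port to expected if the site runs on a non-default port
        return compareNoCase(headers["Origin"], expected) EQ 0;
    }
</cfscript>

<!--- Every state-changing form carries the token; a UUID needs no HTML encoding --->
<cfoutput>
<form method="post" action="account.cfm">
    <input type="hidden" name="csrfToken" value="#session.csrfToken#">
    New e-mail: <input type="text" name="email">
    <input type="submit" value="Save">
</form>
</cfoutput>

<!--- account.cfm: refuse the request before any change is made --->
<cfif cgi.request_method NEQ "POST" OR NOT csrfTokenIsValid() OR NOT originIsOurs()>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
```

The token works because a page on another site cannot read our session cookie or our form, so it cannot know the value to send; the Origin check is a second, independent signal that costs nothing to add.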
  14. The world is full of vulnerabilities. Before using any third-party component or software, make sure the component does not have any known vulnerabilities. Monitor security patches and version releases for your components.
  15. Imagine your user being redirected to some malware site on clicking the “next” button. Sometimes we use a page to redirect. E.g. Try to avoid redirect/forward pages. Do not use user input for the redirection parameter. Fully validate the URL you are redirecting to.
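Added example (not the speaker's code) of the “fully validate the URL” bullet: a function that accepts only a site-relative path from a fixed allow-list and otherwise falls back to a safe default, so a returnTo parameter can never leave the site. The allow-list entries and /home.cfm are placeholders.

```cfml
<cfscript>
    /*
     * Added example, not from the slides. Validates a "returnTo" style parameter
     * before cflocation uses it. The allow-list and "/home.cfm" are placeholders.
     */
    string function safeRedirectTarget(required string requested, string fallback = "/home.cfm") {
        var target = trim(arguments.requested);

        // 1. Must be a site-relative path: exactly one leading "/" followed by a normal
        //    character. "//host" and "/\host" are treated by browsers as other sites.
        if (NOT reFind("^/[^/\\]", target)) return arguments.fallback;

        // 2. No CR/LF (would let the value inject extra response headers) and no scheme
        if (find(chr(13), target) OR find(chr(10), target) OR find(":", target)) {
            return arguments.fallback;
        }

        // 3. Only pages we know about; the query string is allowed to vary
        var allowed = "/home.cfm,/account.cfm,/orders.cfm";
        var path    = listFirst(target, "?");
        if (NOT listFindNoCase(allowed, path)) return arguments.fallback;

        return target;
    }
</cfscript>

<!--- Usage: the redirect target comes from the request but is never used unchecked --->
<cfparam name="url.returnTo" default="">
<cflocation url="#safeRedirectTarget(url.returnTo)#" addtoken="false">
```

With this in place, a link carrying returnTo=http://other-site or returnTo=//other-site silently lands on /home.cfm, while returnTo=/orders.cfm?page=2 is passed through unchanged.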