Become a Security Rockstar with ColdFusion 2016
•
1 like•875 views
Become a Security Rockstar with ColdFusion 2016
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Become a Security Rockstar with ColdFusion 2016
Similar to Become a Security Rockstar with ColdFusion 2016 (20)
More from ColdFusionConference
Recently uploaded
Recently uploaded (20)
Become a Security Rockstar with ColdFusion 2016
- 1. David Epler Security Architect AboutWeb Become a Security Rockstar with ColdFusion 2016
- 2. Agenda • Installation • Secure Profile • Lockdown Guide • Other Considerations • Updates • ColdFusion Updates • Support Life Cycle • Security Analyzer • Coding Practices • Cross-site Scripting (XSS) • SQL Injection • Cross-site Request Forgery (CSRF) • Session Management
- 3. Installation
- 5. Profiles https://helpx.adobe.com/coldfusion/installing/understanding-coldfusion-server-profiles.html
- 7. CFSCRIPTS Directory • In ColdFusion 2016 CFIDE access is now removed from the web server and is only accessible to localhost on port 8500 • Following directories are now contained in cf_scripts • CFIDE/scripts • CFIDE/classes • CFIDE/cfclient
- 8. Lockdown Guide • Lockdown guide absolutely needs to be used for any public facing ColdFusion Server • Guide released for each version of ColdFusion since 9 • ColdFusion 10 https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf • ColdFusion 11 https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf • ColdFusion 2016 http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown- guide.pdf • Go to Pete’s session next in Jasmine F B104 – Bulletproof Your ColdFusion Server With The Lockdown Guide
- 9. Other Considerations • Securing other parts of the web stack • Operating System • Web Server • Database Server • Using additional guidelines • Microsoft Baseline Security Analyzer • CIS Security Benchmarks • DISA STIGs • Other vendor guidelines
- 10. Updates
- 11. Updates • Update process • Always apply and test on development and test/staging environments first • Update as quickly and reasonably possible • Notification of updates • via ColdFusion Administrator • blogs.coldfusion.com • Twitter/Facebook • Adobe Security Notification Service https://campaign.adobe.com/webApp/adbeSecurityNotificationsRegistration
- 15. Security Analyzer • Integrated into ColdFusion Builder 2016 to enable developers to avoid common security pitfalls and vulnerabilities while writing ColdFusion code • Highlights the vulnerable code in the editor • Classifies the vulnerability type • Severity level of the vulnerability • Suggestions on how to fix the vulnerability • Export report
- 16. Security Analyzer • Vulnerability Types • SQL Injection • XSS Attack • PDF XSS Attack • CSRF Attack • CFLocation Validation • Cookie Validation • Passwords • File Upload Validation • Get vs Post • File Injection
- 17. Security Analyzer • Enterprise Only • Does not work in Developer or Standard Edition • Does not work with ColdFusion built into ColdFusion Builder • ColdFusion Server 2016 needs to be installed with Developer Profile • RDS is required • Need access to port 8500 or • Create virtual mapping for /CFIDE and modify uriworkermap.properties for given connector to remove ! in front of /CFIDE/* = cfusion • Keep update versions of ColdFusion and ColdFusion Builder in sync • Communication changed between Release, Update 1, and Update 2 • Updates improve detection cases
- 20. Coding Practices
- 21. Coding Practices • Just upgrading to latest version will not secure your code • Need to use language enhancements introduced since ColdFusion 10 • Reviewing code in use • Training developers to use more secure coding practices • Security best practices change over time
- 22. Cross Site Scripting (XSS) • Enables attackers to inject client-side script into web pages • Session Hijacking • Phishing for passwords or other info • Several types • Persistent (Stored) • Non-Persistent (Reflected) • DOM-based
- 23. Cross Site Scripting (XSS)
- 24. Cross Site Scripting (XSS) • Old encoding functions Context Example HTML <p>Hi #htmlEditFormat(url.name)#</p> HTML Attribute <div id="#htmlEditFormat(url.name)#" /> JavaScript <script>x='#jsStringFormat(url.name)#’</script> <a onmouseover=“foo(#jsStringFormat(url.name)#)"/> CSS <div style="font-family: #form.fontname#" /> URL <a href=“index.cfm?id=#urlEncodedFormat(cookie.id)#" />
- 25. Cross Site Scripting (XSS) • New OWASP ESAPI encoders available in ColdFusion 10+ • Replace htmlEditFormat, jsStringFormat, and urlEncodedFormat Context Example HTML <p>Hi #encodeForHTML(url.name)#</p> HTML Attribute <div id="#encodeForHTMLAttribute(url.name)#" /> JavaScript <script>x=’#encodeForJavascript(url.name)#’</script> <a onmouseover=“foo(#encodeForJavaScript(url.name)#)"/> CSS <div style="font-family: #encodeForCSS(form.fontname)#" /> URL <a href=“index.cfm?id=#encodeForURL(cookie.id)#" />
- 26. Cross Site Scripting (XSS)
- 27. Cross Site Scripting (XSS) • WYSIWYG HTML editors • ColdFusion 11 added support HTML Sanitization using OWASP AntiSamy • isSafeHTML(inputString, [policyFile], [throwOnError]) • getSafeHTML(inputString, [policyFile], [throwOnError]) • ColdFusion’s default policy based on Slashdot policy from project https://code.google.com/archive/p/owaspantisamy/downloads
- 29. SQL Injection • Allows attacker to do any of the following: • Download all data in database • Modify or Delete all data in database • Execute stored procedures or processes in some cases
- 30. SQL Injection
- 31. SQL Injection – Partially Fixed • <cfqueryparam> was introduced in ColdFusion 4.5 • Still missing in a lot of old code and too many developers do not use it
- 32. SQL Injection – Fixed
- 33. SQL Injection • SQL Injection is not limited to <cfquery> • Stored procedures • Use <cfprocparam> • Do not use exec inside <cfquery> • ORMExecuteQuery() and QueryExecute()
- 34. Cross-site Request Forgery • Causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated • Could result in a transfer of funds, changing a password, or purchasing an item • Impact vary greatly based on the privileges of the user • Occurs without knowledge of the target user, until the unauthorized transaction has been committed
- 35. Cross-site Request Forgery • Random Token • CSRFGenerateToken([key], [forceNew]) • Generates a random token and stores it in the session • CSRFVerifyToken(token, [key]) • Validates the passed in token against the token stored in the session • Must have session variables enabled
- 36. Session Management • SessionRotate() • Creates a new session and copies session scope into this new session, then invalidates the old session • Used after a valid login to prevent session fixation • SessionInvalidate() • Clears session scope and makes the current session identifiers no longer valid • Only works with ColdFusion sessions (CFID/CFToken), does not work with JEE sessions (JSESSIONID) • SessionRotate for JEE sessions - http://www.petefreitag.com/item/829.cfm
- 37. One more thing
- 38. Security Analyzer Commandline • Adobe only built access to Security Analyzer through ColdFusion Builder But… • Using new commandline abilities in ColdFusion 2016 built a solution • Available on GitHub, https://github.com/dcepler/cf-cmdline-sec-ana • Requires ColdFusion Server 2016 Update 2 or higher • Allows for integration of the Security Analyzer into source code commit hooks and build processes
- 40. Q&A - Thanks • Blog: https://www.dcepler.net • Email: depler@aboutweb.com • Twitter: @dcepler • GitHub: https://github.com/dcepler Please remember to complete session survey
- 41. Thank you!