David Epler, Security Architect, AboutWeb
Become a Security Rockstar with ColdFusion 2016
Agenda
• Installation
  • Secure Profile
  • Lockdown Guide
  • Other Considerations
• Updates
  • ColdFusion Updates
  • Support Life Cycle
• Security Analyzer
• Coding Practices
  • Cross-site Scripting (XSS)
  • SQL Injection
  • Cross-site Request Forgery (CSRF)
  • Session Management
Installation
• Ensure ColdFusion is installed with the correct profile for the environment it will be used in
• https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html
Profiles
• https://helpx.adobe.com/coldfusion/installing/understanding-coldfusion-server-profiles.html
Secure Profile
CFSCRIPTS Directory
• In ColdFusion 2016 CFIDE access is removed from the web server and is only accessible on localhost on port 8500
• The following directories are now contained in cf_scripts:
  • CFIDE/scripts
  • CFIDE/classes
  • CFIDE/cfclient
Lockdown Guide
• The Lockdown Guide absolutely needs to be applied to any public-facing ColdFusion server
• A guide has been released for each version of ColdFusion since 9
  • ColdFusion 10: https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf
  • ColdFusion 11: https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf
  • ColdFusion 2016: http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf
• Go to Pete's session next in Jasmine F: B104 – Bulletproof Your ColdFusion Server With The Lockdown Guide
Other Considerations
• Secure the other parts of the web stack:
  • Operating System
  • Web Server
  • Database Server
• Use additional hardening guidelines:
  • Microsoft Baseline Security Analyzer
  • CIS Security Benchmarks
  • DISA STIGs
  • Other vendor guidelines
Updates
• Update process
  • Always apply and test on development and test/staging environments first
  • Update as quickly as reasonably possible
• Notification of updates
  • via ColdFusion Administrator
  • blogs.coldfusion.com
  • Twitter/Facebook
  • Adobe Security Notification Service: https://campaign.adobe.com/webApp/adbeSecurityNotificationsRegistration
ColdFusion Updates
Support Life Cycle
• https://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63
Security Analyzer
• Integrated into ColdFusion Builder 2016 to help developers avoid common security pitfalls and vulnerabilities while writing ColdFusion code
• Highlights the vulnerable code in the editor
• Classifies the vulnerability type
• Gives the severity level of the vulnerability
• Suggests how to fix the vulnerability
• Exports a report
Security Analyzer
• Vulnerability types:
  • SQL Injection
  • XSS Attack
  • PDF XSS Attack
  • CSRF Attack
  • CFLocation Validation
  • Cookie Validation
  • Passwords
  • File Upload Validation
  • Get vs Post
  • File Injection
Security Analyzer
• Enterprise only
  • Does not work with Developer or Standard Edition
  • Does not work with the ColdFusion server built into ColdFusion Builder
• ColdFusion Server 2016 needs to be installed with the Developer Profile
• RDS is required
  • Need access to port 8500, or
  • Create a virtual mapping for /CFIDE and modify uriworkermap.properties for the given connector to remove the ! in front of /CFIDE/* = cfusion
• Keep the update levels of ColdFusion and ColdFusion Builder in sync
  • Communication changed between the release, Update 1, and Update 2
  • Updates improve the detection cases
Security Analyzer Workflow
Security Analyzer Demo
Coding Practices
• Just upgrading to the latest version will not secure your code
• You need to use the language enhancements introduced since ColdFusion 10
• Review the code already in use
• Train developers to use more secure coding practices
• Security best practices change over time
Cross Site Scripting (XSS)
• Enables attackers to inject client-side script into web pages
  • Session hijacking
  • Phishing for passwords or other info
• Several types:
  • Persistent (Stored)
  • Non-Persistent (Reflected)
  • DOM-based
Cross Site Scripting (XSS)
• Old encoding functions
  Context         Example
  HTML            <p>Hi #htmlEditFormat(url.name)#</p>
  HTML Attribute  <div id="#htmlEditFormat(url.name)#" />
  JavaScript      <script>x='#jsStringFormat(url.name)#'</script>
                  <a onmouseover="foo(#jsStringFormat(url.name)#)"/>
  CSS             <div style="font-family: #form.fontname#" />   (no CSS encoder existed before ColdFusion 10)
  URL             <a href="index.cfm?id=#urlEncodedFormat(cookie.id)#" />
Cross Site Scripting (XSS)
• New OWASP ESAPI encoders available in ColdFusion 10+
• Replace htmlEditFormat, jsStringFormat, and urlEncodedFormat
  Context         Example
  HTML            <p>Hi #encodeForHTML(url.name)#</p>
  HTML Attribute  <div id="#encodeForHTMLAttribute(url.name)#" />
  JavaScript      <script>x='#encodeForJavaScript(url.name)#'</script>
                  <a onmouseover="foo(#encodeForJavaScript(url.name)#)"/>
  CSS             <div style="font-family: #encodeForCSS(form.fontname)#" />
  URL             <a href="index.cfm?id=#encodeForURL(cookie.id)#" />
Cross Site Scripting (XSS)
• WYSIWYG HTML editors
  • ColdFusion 11 added support for HTML sanitization using OWASP AntiSamy
  • isSafeHTML(inputString, [policyFile], [throwOnError])
  • getSafeHTML(inputString, [policyFile], [throwOnError])
  • ColdFusion's default policy is based on the Slashdot policy from the project: https://code.google.com/archive/p/owaspantisamy/downloads
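The two slides above make one point between them: output that must not be HTML gets a context-specific encoder, while editor output that must stay HTML gets sanitized. The following template is an added example, not code from the deck; the attacker strings are constructed, and it assumes ColdFusion 11 or later for isSafeHTML()/getSafeHTML().

```cfml
<!--- Added example (not from the original deck): context-specific output encoding
      versus AntiSamy sanitization. Requires ColdFusion 11+ for isSafeHTML/getSafeHTML.
      attrPayload and richText are constructed attacker inputs for illustration. --->
<cfscript>
// Constructed attacker input: tries to break out of a single-quoted attribute.
attrPayload = "x' onmouseover='alert(1)";

// Constructed WYSIWYG editor content: legitimate markup mixed with a script and a javascript: link.
richText = "<p>Hello <b>world</b></p><script>alert(1)</script><a href='javascript:steal()'>link</a>";

// Rich text is HTML that must stay HTML, so encoding is the wrong tool here (it would render
// the tags as literal text). Sanitize instead: keep what the policy allows, drop the rest.
// With the default policy the script element and the javascript: URL are stripped.
// The default throwOnError (false) returns the cleaned string instead of throwing.
safeRichText = getSafeHTML(richText);

// isSafeHTML() distinguishes "already clean" from "something had to be stripped", which is
// useful for logging or rejecting suspicious submissions rather than silently cleaning them.
richTextWasClean = isSafeHTML(richText);   // false for the constructed input above
</cfscript>

<cfoutput>
<!--- Single-quoted attribute: htmlEditFormat() encodes only & < > and the double quote, so the
      single quote in the payload survives, closes the attribute and adds an event handler. --->
<div title='#htmlEditFormat(attrPayload)#'>old encoder</div>

<!--- encodeForHTMLAttribute() encodes the quote as a character reference; the attribute stays closed. --->
<div title='#encodeForHTMLAttribute(attrPayload)#'>new encoder</div>

<!--- Event handler: the value is a JavaScript string inside an HTML attribute, so encode for
      JavaScript first, then for the HTML attribute that contains it (the browser HTML-decodes
      the attribute before the JavaScript parser sees it). --->
<a href="##" onmouseover="foo('#encodeForHTMLAttribute(encodeForJavaScript(attrPayload))#')">hover</a>

<!--- Query-string value: URL-encode the value, then attribute-encode the href that carries it. --->
<a href="#encodeForHTMLAttribute('index.cfm?q=' & encodeForURL(attrPayload))#">search</a>

<!--- Sanitized rich text is emitted as-is; encoding it here would undo the point of sanitizing. --->
<div class="comment">#safeRichText#</div>
</cfoutput>
```

The nesting order in the event-handler and href lines is the part the table cannot show: pick the encoder for the innermost context first, then the encoder for each enclosing context, so that every parser the browser runs sees data rather than syntax.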
SQL Injection
• TweetPic from someone that did not responsibly disclose the issue to the site owner that has SQL Injection
SQL Injection
• Allows an attacker to do any of the following:
  • Download all data in the database
  • Modify or delete all data in the database
  • Execute stored procedures or processes, in some cases
SQL Injection
SQL Injection – Partially Fixed
• <cfqueryparam> was introduced in ColdFusion 4.5
• It is still missing in a lot of old code, and too many developers do not use it
SQL Injection – Fixed
SQL Injection
• SQL Injection is not limited to <cfquery>
  • Stored procedures: use <cfprocparam>
  • Do not build exec statements inside <cfquery>
  • ORMExecuteQuery() and QueryExecute() take bound parameters too
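The "Fixed" slide shows the parameterized form only as a screenshot, so here is an added example (not the deck's own code) that puts the vulnerable and fixed versions side by side for each of the APIs named above. It assumes a datasource named "app", a users table with id and username columns, a stored procedure usp_GetUser, and an ORM entity User; all of these are placeholders.

```cfml
<!--- Added example (not from the original deck). "app", the users table, usp_GetUser and the
      User entity are placeholders. Requires ColdFusion 11+ for queryExecute(). --->
<cfscript>
// VULNERABLE: the request value is concatenated into the SQL text, so ?id=1 OR 1=1 returns
// every row, and ?id=1; DROP TABLE users-- runs a second statement if the driver allows it.
function getUserUnsafe(required string id) {
    return queryExecute(
        "SELECT id, username FROM users WHERE id = " & arguments.id,
        {},
        { datasource: "app" }
    );
}

// FIXED: the value travels to the database as a bound parameter and is never part of the SQL
// text. Declaring cf_sql_integer also rejects non-numeric input before it reaches the driver.
function getUser(required string id) {
    return queryExecute(
        "SELECT id, username FROM users WHERE id = :id",
        { id: { value: arguments.id, cfsqltype: "cf_sql_integer" } },
        { datasource: "app" }
    );
}

// ORM / HQL is injectable in exactly the same way, so pass named parameters instead of
// concatenating. Requires ORM to be enabled for the application.
function findUserByName(required string name) {
    return ORMExecuteQuery(
        "from User where username = :name",
        { name: arguments.name }
    );
}
</cfscript>

<!--- Tag form of the same fix --->
<cfquery name="user" datasource="app">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Stored procedures: bind with <cfprocparam> rather than writing
      EXEC usp_GetUser '#url.id#' inside a <cfquery>, which is just string concatenation again. --->
<cfstoredproc procedure="usp_GetUser" datasource="app">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="user">
</cfstoredproc>
```

The common thread is that in every fixed form the SQL or HQL text is a constant and the user-controlled value arrives through a parameter slot; a code review can check for that property mechanically, which is also what the Security Analyzer's SQL Injection rule looks for.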
Cross-site Request Forgery
• Causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated
• Could result in a transfer of funds, a changed password, or a purchased item
• Impact varies greatly based on the privileges of the user
• Occurs without the knowledge of the target user, until the unauthorized transaction has been committed
Cross-site Request Forgery
• Random token
  • CSRFGenerateToken([key], [forceNew])
    • Generates a random token and stores it in the session
  • CSRFVerifyToken(token, [key])
    • Validates the passed-in token against the token stored in the session
  • Must have session variables enabled
Session Management
• SessionRotate()
  • Creates a new session and copies the session scope into it, then invalidates the old session
  • Use it after a valid login to prevent session fixation
• SessionInvalidate()
  • Clears the session scope and makes the current session identifiers no longer valid
• Only works with ColdFusion sessions (CFID/CFToken); does not work with JEE sessions (JSESSIONID)
  • SessionRotate for JEE sessions: http://www.petefreitag.com/item/829.cfm
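The CSRF and session-management functions above are meant to be used together at the one place both matter, the login flow. The following three templates are an added example, not code from the deck: the form embeds a per-session token, the handler refuses anything that is not a POST carrying a valid token, rotates the session after a successful credential check, and logout invalidates it. It assumes sessionManagement is enabled in Application.cfc and uses a placeholder authenticate() function standing in for the real credential check.

```cfml
<!--- Added example (not from the original deck). Requires sessionManagement = true in
      Application.cfc. authenticate() is a placeholder for the application's real credential
      check; home.cfm and login.cfm are assumed page names. --->

<!--- login.cfm: embed a token in the form. The key "login" scopes the token to this form;
      forceNew defaults to false, so a page reload reuses the session's existing token. --->
<cfoutput>
<form method="post" action="doLogin.cfm">
    <input type="hidden" name="csrfToken" value="#CSRFGenerateToken('login')#">
    <input type="text" name="username">
    <input type="password" name="password">
    <button type="submit">Log in</button>
</form>
</cfoutput>

<!--- doLogin.cfm --->
<cfscript>
// Placeholder: replace with a lookup against the user store and a hashed-password comparison.
function authenticate(required string username, required string password) {
    return false;
}

// 1. Reject forged requests before doing anything else. A page on another origin cannot read
//    the token held in our session, so it cannot supply a matching value. Refusing GET also
//    stops the action from being triggered by an <img> tag or a plain link.
if (cgi.request_method != "POST"
        || !structKeyExists(form, "csrfToken")
        || !CSRFVerifyToken(form.csrfToken, "login")) {
    cfheader(statuscode=403, statustext="Forbidden");
    abort;
}

// 2. Check the credentials.
if (authenticate(form.username, form.password)) {
    // 3. Rotate the session identifiers so a CFID/CFTOKEN pair an attacker planted in the
    //    victim's browser before login is not the pair that becomes authenticated.
    //    Existing session data (for example a shopping cart) is carried over to the new session.
    sessionRotate();
    session.user = form.username;
    location("home.cfm", false);
}
</cfscript>

<!--- logout.cfm --->
<cfscript>
// Clears the session scope and retires the current CFID/CFTOKEN so the old cookie values
// no longer resolve to a session.
sessionInvalidate();
location("login.cfm", false);
</cfscript>
```

Note the ordering in doLogin.cfm: the token check runs before the credential check, so a forged request never reaches the authentication code, and sessionRotate() runs before any authenticated state is written, so nothing privileged is ever stored under the pre-login identifiers. As the slide says, this applies to ColdFusion sessions; with JEE sessions use the approach in Pete Freitag's post instead.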
One more thing
Security Analyzer Commandline
• Adobe only built access to the Security Analyzer through ColdFusion Builder
• But… using the new command-line abilities in ColdFusion 2016, I built a solution
• Available on GitHub: https://github.com/dcepler/cf-cmdline-sec-ana
• Requires ColdFusion Server 2016 Update 2 or higher
• Allows the Security Analyzer to be integrated into source code commit hooks and build processes
Security Analyzer Commandline Demo
Q&A - Thanks
• Blog: https://www.dcepler.net
• Email: depler@aboutweb.com
• Twitter: @dcepler
• GitHub: https://github.com/dcepler
Please remember to complete the session survey
Thank you!