8. Lockdown Guide
• Lockdown guide absolutely needs to be used for any public facing ColdFusion Server
• Guide released for each version of ColdFusion since 9
• ColdFusion 10
https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf
• ColdFusion 11
https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf
• ColdFusion 2016
http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf
• Go to Pete’s session next in Jasmine F
B104 – Bulletproof Your ColdFusion Server With The Lockdown Guide
16. Security Analyzer
• Vulnerability Types
• SQL Injection
• XSS Attack
• PDF XSS Attack
• CSRF Attack
• CFLocation Validation
• Cookie Validation
• Passwords
• File Upload Validation
• Get vs Post
• File Injection
17. Security Analyzer
• Enterprise Only
• Does not work in Developer or Standard Edition
• Does not work with ColdFusion built into ColdFusion Builder
• ColdFusion Server 2016 needs to be installed with Developer Profile
• RDS is required
• Need access to port 8500 or
• Create a virtual mapping for /CFIDE and modify uriworkermap.properties for the given connector to remove the ! in front of /CFIDE/* = cfusion
• Keep the update versions of ColdFusion and ColdFusion Builder in sync
• Communication changed between Release, Update 1, and Update 2
• Updates improve detection cases
22. Cross Site Scripting (XSS)
• Enables attackers to inject client-side script into web pages
• Session Hijacking
• Phishing for passwords or other info
• Several types
• Persistent (Stored)
• Non-Persistent (Reflected)
• DOM-based
27. Cross Site Scripting (XSS)
• WYSIWYG HTML editors
• ColdFusion 11 added support for HTML sanitization using OWASP AntiSamy
• isSafeHTML(inputString, [policyFile], [throwOnError])
• getSafeHTML(inputString, [policyFile], [throwOnError])
• ColdFusion’s default policy based on Slashdot policy from project
https://code.google.com/archive/p/owaspantisamy/downloads
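The sanitization call shown above, as an added example that is not part of the original slides. It assumes ColdFusion 11 or later (where isSafeHTML() and getSafeHTML() exist); the rich-text input is constructed, and the custom policy file path is hypothetical.

```cfml
<cfscript>
// Added example: sanitize WYSIWYG editor output before it is stored or rendered.
// Constructed sample of what a user might paste into a rich-text editor.
untrusted = '<p>Hello <b>world</b></p><script>alert(1)</script>'
          & '<a href="javascript:alert(2)">link</a>';

// Hypothetical custom AntiSamy policy; omit the argument to use ColdFusion's
// default (Slashdot-based) policy instead.
policyPath = expandPath( "/config/antisamy-policy.xml" );

if ( isSafeHTML( untrusted, policyPath ) ) {
    cleaned = untrusted;
} else {
    // getSafeHTML() returns the input with disallowed tags and attributes
    // removed (the <script> element and the javascript: URL above).
    // With throwOnError=true it would throw instead of cleaning; false returns
    // the sanitized markup so the request can continue.
    cleaned = getSafeHTML( untrusted, policyPath, false );
}

// Persist and render `cleaned`, never `untrusted`. Sanitized HTML is only
// safe where HTML is expected; anywhere else still use encodeForHTML().
writeOutput( cleaned );
</cfscript>
```

Running isSafeHTML() first lets you log or reject inputs that needed cleaning, which is useful for spotting a user or integration that keeps submitting script.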
31. SQL Injection – Partially Fixed
• <cfqueryparam> was introduced in ColdFusion 4.5
• Still missing in a lot of old code and too many developers do not use it
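The two forms side by side, as an added example that is not from the slides. The datasource name, table and column names are constructed.

```cfml
<!--- Added example. VULNERABLE: request input concatenated straight into SQL --->
<cfquery name="getUser" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE username = '#url.username#'
</cfquery>

<!--- FIXED: the same query with cfqueryparam, available since ColdFusion 4.5.
      The value is bound as a parameter, so it is never parsed as SQL, and
      cfsqltype/maxlength reject values of the wrong type or length. --->
<cfquery name="getUser" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#url.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- Numeric parameters get a numeric type, so "1 OR 1=1" is rejected
      before the statement reaches the database. --->
<cfquery name="getOrder" datasource="appDSN">
    SELECT id, total
    FROM orders
    WHERE id = <cfqueryparam value="#url.orderId#" cfsqltype="cf_sql_integer">
</cfquery>
```

A quick audit for the "still missing" case is to search the code base for `#` inside `<cfquery>` bodies that is not wrapped in `<cfqueryparam>`; each hit is a query to convert.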
34. Cross-site Request Forgery
• Causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated
• Could result in a transfer of funds, changing a password, or purchasing an item
• Impact varies greatly based on the privileges of the user
• Occurs without the knowledge of the target user, until the unauthorized transaction has been committed
35. Cross-site Request Forgery
• Random Token
• CSRFGenerateToken([key], [forceNew])
• Generates a random token and stores it in the session
• CSRFVerifyToken(token, [key])
• Validates the passed in token against the token stored in the session
• Must have session variables enabled
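The token round trip described above, as an added example that is not part of the original slides. It assumes session management is enabled in Application.cfc; the form, page names and key name are constructed.

```cfml
<!--- Added example. Application.cfc must enable sessions:
      this.sessionManagement = true;  --->

<!--- changePasswordForm.cfm: embed a per-session token in the form --->
<cfoutput>
<form method="post" action="changePassword.cfm">
    <!--- The key ties this token to one form; forceNew is left false so
          the same token is reused for the life of the session --->
    <input type="hidden" name="csrfToken"
           value="#CSRFGenerateToken('changePassword')#">
    <input type="password" name="newPassword" autocomplete="new-password">
    <button type="submit">Change password</button>
</form>
</cfoutput>

<!--- changePassword.cfm: verify before doing anything that changes state --->
<!--- State changes go through POST only (the "Get vs Post" check) --->
<cfif cgi.request_method NEQ "POST">
    <cfheader statuscode="405" statustext="Method Not Allowed">
    <cfabort>
</cfif>

<!--- Reject a missing token, and a token that does not match the one
      stored in the session for the same key --->
<cfif NOT structKeyExists(form, "csrfToken")
      OR NOT CSRFVerifyToken(form.csrfToken, "changePassword")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort showerror="Invalid or missing CSRF token">
</cfif>

<!--- Token verified: perform the password change here --->
```

Because the token lives in the session, a request forged from another origin cannot supply it: the attacker's page can make the browser send the victim's cookies, but cannot read the token value out of the victim's form.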
36. Session Management
• SessionRotate()
• Creates a new session and copies the session scope into this new session, then invalidates the old session
• Used after a valid login to prevent session fixation
• SessionInvalidate()
• Clears session scope and makes the current session identifiers no longer valid
• Only works with ColdFusion sessions (CFID/CFToken), does not work with JEE sessions (JSESSIONID)
• SessionRotate for JEE sessions - http://www.petefreitag.com/item/829.cfm
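A login and logout handler using the two functions above, as an added example that is not from the slides. It assumes ColdFusion sessions (CFID/CFTOKEN, not JEE sessions) are enabled in Application.cfc; authenticate() is a hypothetical helper that returns a user struct on success and false otherwise, and the page paths are constructed.

```cfml
<cfscript>
// Added example. Application.cfc settings assumed:
//   this.sessionManagement = true;
//   this.sessionTimeout    = createTimeSpan( 0, 0, 30, 0 );
//   this.setClientCookies  = true;

// login.cfm handler
// authenticate() is a hypothetical helper, not part of ColdFusion
user = authenticate( form.username, form.password );

if ( isStruct( user ) ) {
    // Rotate first: a CFID/CFTOKEN pair the attacker planted before login
    // (session fixation) is invalidated, and the browser receives new ids.
    // Anything already in the session scope is carried over.
    sessionRotate();

    // Only now mark the (new) session as authenticated
    session.userId   = user.id;
    session.loggedIn = true;

    location( url = "/dashboard.cfm", addToken = false );
}

// logout.cfm handler
function logout() {
    // Clears the session scope and makes the current CFID/CFTOKEN unusable,
    // so a copied cookie cannot be replayed after logout
    sessionInvalidate();
    location( url = "/login.cfm", addToken = false );
}
</cfscript>
```

`addToken = false` keeps CFID/CFTOKEN out of the redirect URL, so the session identifiers travel only in cookies and do not end up in logs or Referer headers.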
38. Security Analyzer Commandline
• Adobe only built access to the Security Analyzer through ColdFusion Builder
But…
• Using the new commandline abilities in ColdFusion 2016, a solution was built
• Available on GitHub, https://github.com/dcepler/cf-cmdline-sec-ana
• Requires ColdFusion Server 2016 Update 2 or higher
• Allows for integration of the Security Analyzer into source code commit hooks and build processes