This document discusses 10 common web application security vulnerabilities and provides advice on how to prevent them. It covers injection attacks, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, lack of access controls, cross-site request forgery, use of outdated components, and unvalidated redirects/forwards. The document provides technical recommendations for securing ColdFusion applications against each vulnerability.

1. This is matter

2. My Name is Pritesh Patel working as Technical Project
Manager at iSummation Technologies Pvt. Ltd.
Twitter: @thecfguy
Blog: http://www.thecfguy.com

3. 1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Injection
Broken Authentication And Session Management
Cross-Site Scripting (XSS)
Insecure Direct object references
Security Misconfiguration
Sensitive Data Exposure
Missing Function level access control
Cross-Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards

4.  It’s security team duty to find it out. I am developer,
why should I care about?
 Site doesn’t have important data to hide.
 There is negligible change to attack on my site out of
millions of websites.

5.  To give little relax to your security team as gift.
 Every sites data is important or other sites hosted on
same server has.
 We always hope to win Jackpot out of billion, who
know you are lucky winner amongst millions.
 You should care for your/your company better
impression.

7.  Injection can be done at SQL, OS or LDAP but a web





developer SQL injection will discuss.
Best way to prevent it is, use <cfqueryparam> tag all your
dynamic value of query (or user input).
Use stored procedure as much as possible.
Escaping all user supplied input wherever you are not using
cfqueryparam.
Remove unnecessary previlige for ColdFusion datasource
from “Advance Setting”.
You can simply use ESAPI (now available with ColdFusion
9 latest patch) and encodeForSQL() function.


<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI").encoder()>
<cfset esapi.encodeForSQL(org.owasp.esapi.codecs.Codec codec, java.lang.String input) )>

8. 







Keep username case INsensitive. (not for security but for user comfort.
Set password minimum length not shorter than 10 characters.
Maximum length should not be less than 20 characters.
Force for complex password.
On multiple incorrect attempt verify input placed by human.
Never store password in plain text, you did that right?
Re-authenticate on sensitive feature. (Like change password, delete account, edit account information
or payment information).
Use generic error message instead of indicating what exactly wrong.

Incorrect



Correct






“Test is wrong username”.
“Supplied password is wrong”.
“Login Failed: Incorrect username or password”.
User UUID for CFTOKEN.
Enable Jsession Id
Use httpOnly for session cookie.
Minimize session idle timeout.
Do not cache webpage for important information. Force page refresh when using through browser
back button.

9.  This javascript based attack. Easy to attack on any site and




hard to prevent it.
Simple rule to avoid XSS “Never trust on user input”.
Demo
ColdFusion 10 coming with inbuilt function based on
ESAPI to avoid XSS attack. ColdFusion 9 latest patch
already have ESAPI included in so you can create ESAPI
object and use it wherever needed.
Useful functions:




Encodeforhtml()
Encodeforhtmlattribute()
Encodeforcss()
Encodeforjavascript()

10.  Sometime we supply crucial information in URL
param without knowing importance.
 For ex.:
http://www.example.com/customer/userinvoice.cfm?i
nvoiceid=1233
 How to avoid:
 Add additional hashed key with passed parameters
which generated with user session id and compare
before giving access.

11.  Keep your software updated with latest patches.
 Always use custom error page instead of showing
stacktrace.
 Keep setting different for development and
production. And it should auto detect by IP/domain
instead of manual change.
 Disabled directory listing on your web application.

12.  Store your sensitive data (password, credit card) always
in encrypted format.
 Forced SSL redirection for non public page.
 Store sensitive data only if needed.
 Disable auto complete form for collecting sensitive
data and of course disabled caching of page.

13.  It is little similar to “Insecure Direct object References”.
Instead of form/url parameter look for full URL is also
have access control.
 http://www.example.com/guest/profile
 http://www.example.com/user/profile
 Implement role based security for each functionality.

14.  This attack allow to use functionality of user’s






authenticated area without knowing user’s permission.
Demo
Add CSRFToken to every request and compare it.
Use POST instead of GET method (though is not going to
prevent attack)
Check the referrer header. (This can be spoofed as well)
Check origin header. Unlike referer HTTP origin will be
present in HTTP request that originates from HTTPS url.
Challenge-Response:
 Captcha
 Re-Authenticate
 One-Time token

15.  World with lots of vulnerabilities. Before using any
third party component or software make sure
component do not have any known vulnerabilities.
 Monitor security patches or version release for your
components.

16.  Imagine if your user redirect to some malware site if




click on “next” button.
Sometime we use page to redirect. E.g.
http://www.example.com/redirect.cfm?nexturl=badgu
yssite.com
Try to avoid redirect/forward page.
Do not use user input for redirection parameter.
Fully validate url where you are redirecting.