Hack & Fix, Hands on ColdFusion Security Training
1 like1,133 views
This document provides an agenda for a ColdFusion security training session presented by Pete Freitag and David Epler. It includes introductions to the presenters and their backgrounds in ColdFusion and security. The agenda covers common ColdFusion vulnerabilities like file uploads, SQL injection, path traversals, and cross-site scripting. It also demonstrates the OWASP ZAP security tool and provides a sneak peek at a new ColdFusion security analyzer called Raijin/Blizzard. Hands-on lessons are included to allow participants to try exploiting vulnerabilities.
Hack & Fix, Hands on ColdFusion Security Training
- 1. Hack & Fix Hands on ColdFusion Security Training Pete Freitag, Foundeo Inc. David Epler, AboutWeb LLC
- 2. About Pete • 17+Years ColdFusion Experience • Job: Foundeo Inc. Consulting & Products • CFSummit Gold Sponsor • HackMyCF / FuseGuard • blog: petefreitag.com • twitter: @pfreitag foundeo
- 3. • 15+ years ColdFusion experience • Job: AboutWeb - Security Architect • Several Security Certs: GWAPT, CEH • Learn CF in a Week - Security • OWASP Zed Attack Proxy (ZAP) Evangelist • blog: dcepler.net • twitter: @dcepler About David
- 4. Agenda • About theVM • File UploadVulnerabilities • SQL Injection • Path Traversals • Cross Site Scripting • OWASP ZAP • Sneak Peak - ColdFusion Raijin/Blizzard
- 5. About theVM • Ubuntu Linux (don’t worry) • ColdFusion 11 • MySQL • Username / password: cf / cf • CF Admin Username / password: admin / cf
- 6. VM Setup • Open Terminal • cd /var/www/hackabletype • git config —global user.email “cfsummit” • git pull • sudo a2dismod autoindex • sudo service apache2 restart
- 7. Guiding Principals • Defense In Depth • Principal of Least Privilege • Avoid Security by Obscurity • Validation can save your bacon • Even the best developers write insecure code.
- 9. File Uploads HackableType:Try to upload and execute a CFM file. photo (cc) flickr user armchairbuilder 2012
- 10. File Uploads Rule #1 Never trust a MIME type
- 11. Never trust a MIME • CF9 and below use the MIME type passed by the browser / client. • Attacker can send any MIME type. • CF10+ can perform server side file inspection (when strict=true, default). • We can still get around this.
- 12. File Uploads Rule #2 AlwaysValidate The File Extension
- 13. Always validate file extension • CF10 allows you to specify a file extension list in the accept attribute. • You can also validate cffile.ServerFileExt • Do both.
- 14. File Uploads Rule #3 Never upload directly to webroot
- 15. POST /upload.cfm GET /photos/photo.cfm Server Hacker Hacker uses a load tool to make repeated concurrent requests. The attacker will be able to execute photo.cfm before it is deleted.
- 16. Don't upload to web root • File can be executed before it's validated. • Upload outside root, eg GetTempDirectory ram://, s3, etc. • Upload directly to S3: http:// www.petefreitag.com/item/833.cfm
- 17. Additional Tips • Ensure upload directory can only serve static files. Sandbox / file extension whitelist on web server. • Consider keeping files outside webroot and serve with cfcontent or mod_xsendfile • Specify mode on unix (eg 640 rw-r——) • secureupload.cfc: https://github.com/ foundeo/cfml-security
- 18. SQL Injection
- 19. TweetPic from someone that did not responsibly disclose issue to site owner that has SQL Injection
- 20. SQL Injection <cfquery name="news"> SELECT id, title, story FROM news WHERE id = #url.id# </cfquery> news.cfm?id=1;delete+from+news
- 21. SQL Injection • The solution - use parameters (eg cfqueryparam) whenever possible. • Validate and sanitize when you can't • ORDER BY column • SELECT TOP 10 • ORM: make sure HQL statements are parameterized
- 22. SQL Injection Try the lesson
- 24. Path Traversal Risk • Attacker can read any file CF has permission to read • Configuration files • System Files • Logs • Remote code execution possible in some cases.
- 25. HackableType Try the path traversal lesson
- 26. Preventing Path Traversals • Avoid file paths derived from user input. • Strip and validate any variables used in paths. Dots and slashes are dangerous. • Beware of null bytes • On windows use multiple drive letters to separate application from OS, CF, logs, etc.
- 27. Path Traversal Bonus Round Can you use the path traversal lesson to perform remote code execution?
- 28. Path Traversal • Possible Remote Code Execution via cfinclude • CF11+ added Application.cfc and ColdFusion administrator setting: this.compileExtForInclude="cfm";
- 31. XSS • XSS holes give attackers a CMS to create any content. • Can be used to steal sessions • Phish for passwords or other info.
- 32. XSS Types • Reflected • Persistant • DOM
- 34. Reflected XSS Try the lesson
- 35. Preventing XSS • Strip out dangerous characters • < > ' " ( ) ; # • Escape dangerous characters • CF10+ EncodeForHTML, etc.
- 36. Preventing XSS Context Method HTML encodeForHTML(variable) HTML Attribute encodeForHTMLAttribute(variable) JavaScript encodeForJavaScript(variable) CSS encodeForCSS(variable) URL encodeForURL(variable)
- 37. XSS in HTML • Preventing XSS when allowing users to enter HTML is difficult. • AntiSamy -> isSafeHTML getSafeHTML • ScrubHTML
- 38. XSS Utils • Encoders • ESAPI: http:// www.petefreitag.com/ item/788.cfm • OWASP Encoder: http://owasp-java- encoder.googlecode.c om • Sanitizers • AntiSamy: http:// www.petefreitag.com/ item/760.cfm • ScrubHTML: https:// github.com/foundeo/ cfml-security
- 39. OWASP ZAP • An easy to use web application penetration testing tool • Completely free and Open Source • OWASP flagship project • Included in major security distributions • Kali, Samurai WTF, etc.
- 40. Why use ZAP? • Ideal for beginners, developers • also used by professional pen testers • Point and shoot via Quick Start Tab • Manual penetration testing • As a debugger • As part of larger security program • Automated security regression tests
- 41. Main ZAP Features • Intercepting Proxy • Active and Passive Scanners • Traditional and AJAX spiders • Forced browsing • Fuzzing • Cross Platform • built on Java (requires 1.7+)
- 44. Content-Security-Policy • HTTP Response Header dictates what assets can be loaded. For example: • script-src 'self'; • script-src 'self' cdn.example.com; • script-src 'none'; • script-src 'unsafe-inline';
- 45. CSP Directives • default-src • script-src • style-src • img-src • connect-src • font-src • object-src • media-src • frame-src • sandbox • report-uri
- 46. CSP 1.0 Browser Support http://caniuse.com/#feat=contentsecuritypolicy
- 47. CSP 1.0 Browser Support • Chrome 25+ • FireFox 23+ • Safari 7+ • IE Edge 12+ • Partial Support in IE10+ (sandbox)
- 48. CSP Level 2 • Notable Enhancements • Nonce • Hash • form-action directive
- 49. CSP Lesson • Hint: content-security-policy.com
- 50. Want More? • Scope Injection Lesson • CSRF Lesson