SlideShare a Scribd company logo

Security with ColdFusion

Download as PPTX, PDF
I
isummation

This document discusses 10 common web application security vulnerabilities and provides advice on how to prevent them. It covers injection attacks, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, lack of access controls, cross-site request forgery, use of outdated components, and unvalidated redirects/forwards. The document provides technical recommendations for securing ColdFusion applications against each vulnerability.

Technology
1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
This is matter
My Name is Pritesh Patel working as Technical Project Manager at iSummation Technologies Pvt. Ltd. Twitter: @thecfguy Blog: http://www.thecfguy.com
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Injection Broken Authentication And Session Management Cross-Site Scripting (XSS) Insecure Direct object references Security Misconfiguration Sensitive Data Exposure Missing Function level access control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards
 It’s security team duty to find it out. I am developer, why should I care about?  Site doesn’t have important data to hide.  There is negligible change to attack on my site out of millions of websites.
 To give little relax to your security team as gift.  Every sites data is important or other sites hosted on same server has.  We always hope to win Jackpot out of billion, who know you are lucky winner amongst millions.  You should care for your/your company better impression.
Security with ColdFusion
 Injection can be done at SQL, OS or LDAP but a web      developer SQL injection will discuss. Best way to prevent it is, use <cfqueryparam> tag all your dynamic value of query (or user input). Use stored procedure as much as possible. Escaping all user supplied input wherever you are not using cfqueryparam. Remove unnecessary previlige for ColdFusion datasource from “Advance Setting”. You can simply use ESAPI (now available with ColdFusion 9 latest patch) and encodeForSQL() function.   <cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI").encoder()> <cfset esapi.encodeForSQL(org.owasp.esapi.codecs.Codec codec, java.lang.String input) )>
        Keep username case INsensitive. (not for security but for user comfort. Set password minimum length not shorter than 10 characters. Maximum length should not be less than 20 characters. Force for complex password. On multiple incorrect attempt verify input placed by human. Never store password in plain text, you did that right? Re-authenticate on sensitive feature. (Like change password, delete account, edit account information or payment information). Use generic error message instead of indicating what exactly wrong.  Incorrect    Correct       “Test is wrong username”. “Supplied password is wrong”. “Login Failed: Incorrect username or password”. User UUID for CFTOKEN. Enable Jsession Id Use httpOnly for session cookie. Minimize session idle timeout. Do not cache webpage for important information. Force page refresh when using through browser back button.
 This javascript based attack. Easy to attack on any site and     hard to prevent it. Simple rule to avoid XSS “Never trust on user input”. Demo ColdFusion 10 coming with inbuilt function based on ESAPI to avoid XSS attack. ColdFusion 9 latest patch already have ESAPI included in so you can create ESAPI object and use it wherever needed. Useful functions:     Encodeforhtml() Encodeforhtmlattribute() Encodeforcss() Encodeforjavascript()
 Sometime we supply crucial information in URL param without knowing importance.  For ex.: http://www.example.com/customer/userinvoice.cfm?i nvoiceid=1233  How to avoid:  Add additional hashed key with passed parameters which generated with user session id and compare before giving access.
 Keep your software updated with latest patches.  Always use custom error page instead of showing stacktrace.  Keep setting different for development and production. And it should auto detect by IP/domain instead of manual change.  Disabled directory listing on your web application.
 Store your sensitive data (password, credit card) always in encrypted format.  Forced SSL redirection for non public page.  Store sensitive data only if needed.  Disable auto complete form for collecting sensitive data and of course disabled caching of page.
 It is little similar to “Insecure Direct object References”. Instead of form/url parameter look for full URL is also have access control.  http://www.example.com/guest/profile  http://www.example.com/user/profile  Implement role based security for each functionality.
 This attack allow to use functionality of user’s       authenticated area without knowing user’s permission. Demo Add CSRFToken to every request and compare it. Use POST instead of GET method (though is not going to prevent attack) Check the referrer header. (This can be spoofed as well) Check origin header. Unlike referer HTTP origin will be present in HTTP request that originates from HTTPS url. Challenge-Response:  Captcha  Re-Authenticate  One-Time token
 World with lots of vulnerabilities. Before using any third party component or software make sure component do not have any known vulnerabilities.  Monitor security patches or version release for your components.
 Imagine if your user redirect to some malware site if     click on “next” button. Sometime we use page to redirect. E.g. http://www.example.com/redirect.cfm?nexturl=badgu yssite.com Try to avoid redirect/forward page. Do not use user input for redirection parameter. Fully validate url where you are redirecting.

More Related Content

PDF
Pentesting RESTful webservices
Mohammed A. Imran
 
PDF
In graph we trust: Microservices, GraphQL and security challenges
Mohammed A. Imran
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
PPTX
Cross site request forgery(csrf)
Ai Sha
 
PDF
Esoteric xss payloads
Riyaz Walikar
 
PPTX
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
ODP
Top 10 Web Security Vulnerabilities
Carol McDonald
 
Pentesting RESTful webservices
Mohammed A. Imran
 
In graph we trust: Microservices, GraphQL and security challenges
Mohammed A. Imran
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
Cross site request forgery(csrf)
Ai Sha
 
Esoteric xss payloads
Riyaz Walikar
 
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Top 10 Web Security Vulnerabilities
Carol McDonald
 

What's hot (20)

PPTX
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
PPTX
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum
 
PPTX
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
PPTX
Spring Security 3
Jason Ferguson
 
PDF
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
 
PDF
Testing REST Web Services
Jan Algermissen
 
PDF
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
PPTX
Web Hacking Intro
Aditya Kamat
 
PPTX
Unified authentication using azure acs
Chris Love
 
PDF
Common Web Application Attacks
Ahmed Sherif
 
PPTX
Pci compliance writing secure code
Miva
 
PPT
Spring Security Introduction
Mindfire Solutions
 
PPTX
Security asp.net application
ZAIYAUL HAQUE
 
PPT
Proxy Caches and Web Application Security
Tim Bass
 
PPT
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
PDF
Securty Testing For RESTful Applications
Source Conference
 
PDF
OWASPTop 10
InnoTech
 
PPTX
Spring Security
Boy Tech
 
PDF
Getting Single Page Application Security Right
Philippe De Ryck
 
PPTX
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
 
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
Spring Security 3
Jason Ferguson
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Alexandre Morgaut
 
Testing REST Web Services
Jan Algermissen
 
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
Web Hacking Intro
Aditya Kamat
 
Unified authentication using azure acs
Chris Love
 
Common Web Application Attacks
Ahmed Sherif
 
Pci compliance writing secure code
Miva
 
Spring Security Introduction
Mindfire Solutions
 
Security asp.net application
ZAIYAUL HAQUE
 
Proxy Caches and Web Application Security
Tim Bass
 
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
Securty Testing For RESTful Applications
Source Conference
 
OWASPTop 10
InnoTech
 
Spring Security
Boy Tech
 
Getting Single Page Application Security Right
Philippe De Ryck
 
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
 
Ad

Viewers also liked (20)

PDF
Become a Security Rockstar with ColdFusion 2016
ColdFusionConference
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
Sam Bowne
 
DOC
Ukurankul
Moch Subhaan
 
PPSX
Cancer 2011
Sonja Upham
 
PPTX
Social Media Strategy
Ankur Kumar Srivastava
 
PPSX
CASA ALEGRE TERRASSA
Rafael Aroztegui Peñarroya
 
PPTX
NTT Com Asia - Our Values
Joyce Tai
 
PPT
Vasse 150910 wayne
VasseSep2010
 
PDF
Twitter
Katalogador
 
PDF
Quick Time7 User Guide
julio2charter.net
 
PDF
Final faculty presentation
stoliros
 
PPTX
인터넷마케팅 과제
hyunjung89
 
PDF
Punchd: Loyalty cards on your smart phone
500 Startups
 
PDF
Gim peus
Katalogador
 
PDF
Family tree
35150
 
PPT
pengurusan rekod murid
Opie Mohamad
 
PPT
Kerajaan orang khmer
Opie Mohamad
 
PDF
Triduo Sr. Angela Vallese_3 giorno ita
Maike Loes
 
PPTX
Mayu info
Javier Santos
 
PDF
Installing mandriva linux mandriva community wiki
Adolfo Nasol
 
Become a Security Rockstar with ColdFusion 2016
ColdFusionConference
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
Sam Bowne
 
Ukurankul
Moch Subhaan
 
Cancer 2011
Sonja Upham
 
Social Media Strategy
Ankur Kumar Srivastava
 
CASA ALEGRE TERRASSA
Rafael Aroztegui Peñarroya
 
NTT Com Asia - Our Values
Joyce Tai
 
Vasse 150910 wayne
VasseSep2010
 
Twitter
Katalogador
 
Quick Time7 User Guide
julio2charter.net
 
Final faculty presentation
stoliros
 
인터넷마케팅 과제
hyunjung89
 
Punchd: Loyalty cards on your smart phone
500 Startups
 
Gim peus
Katalogador
 
Family tree
35150
 
pengurusan rekod murid
Opie Mohamad
 
Kerajaan orang khmer
Opie Mohamad
 
Triduo Sr. Angela Vallese_3 giorno ita
Maike Loes
 
Mayu info
Javier Santos
 
Installing mandriva linux mandriva community wiki
Adolfo Nasol
 
Ad

Similar to Security with ColdFusion (20)

PPT
Top Ten Tips For Tenacious Defense In Asp.Net
alsmola
 
PPSX
Web Security
Supankar Banik
 
PPT
Website Security
Carlos Z
 
PPT
Website Security
MODxpo
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
DOCX
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
Samvel Gevorgyan
 
PDF
Owasp top 10_openwest_2019
Sean Jackson
 
PDF
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
bhumika2108
 
PPT
Php & Web Security - PHPXperts 2009
mirahman
 
PPTX
Php security common 2011
10n Software, LLC
 
ODP
Security In PHP Applications
Aditya Mooley
 
PPT
OWASP Top10 2010
Tommy Tracx Xaypanya
 
PPTX
Don't get stung - an introduction to the OWASP Top 10
Barry Dorrans
 
PDF
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Jayasree Veliyath
 
PPTX
ASP.NET Web Security
SharePointRadi
 
PPT
Phpnw security-20111009
Paul Lemon
 
PPT
Intro to Web Application Security
Rob Ragan
 
PPT
Jan 2008 Allup
llangit
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
PPT
PHPUG Presentation
Damon Cortesi
 
Top Ten Tips For Tenacious Defense In Asp.Net
alsmola
 
Web Security
Supankar Banik
 
Website Security
Carlos Z
 
Website Security
MODxpo
 
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
Samvel Gevorgyan
 
Owasp top 10_openwest_2019
Sean Jackson
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
bhumika2108
 
Php & Web Security - PHPXperts 2009
mirahman
 
Php security common 2011
10n Software, LLC
 
Security In PHP Applications
Aditya Mooley
 
OWASP Top10 2010
Tommy Tracx Xaypanya
 
Don't get stung - an introduction to the OWASP Top 10
Barry Dorrans
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Jayasree Veliyath
 
ASP.NET Web Security
SharePointRadi
 
Phpnw security-20111009
Paul Lemon
 
Intro to Web Application Security
Rob Ragan
 
Jan 2008 Allup
llangit
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
PHPUG Presentation
Damon Cortesi
 

Recently uploaded (20)

PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Teaching material agriculture food technology
LiaRayya
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Approach and Philosophy of On baking technology
30anthuong17
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 

Security with ColdFusion

  • 2. My Name is Pritesh Patel working as Technical Project Manager at iSummation Technologies Pvt. Ltd. Twitter: @thecfguy Blog: http://www.thecfguy.com
  • 3. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Injection Broken Authentication And Session Management Cross-Site Scripting (XSS) Insecure Direct object references Security Misconfiguration Sensitive Data Exposure Missing Function level access control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards
  • 4.  It’s security team duty to find it out. I am developer, why should I care about?  Site doesn’t have important data to hide.  There is negligible change to attack on my site out of millions of websites.
  • 5.  To give little relax to your security team as gift.  Every sites data is important or other sites hosted on same server has.  We always hope to win Jackpot out of billion, who know you are lucky winner amongst millions.  You should care for your/your company better impression.
  • 7.  Injection can be done at SQL, OS or LDAP but a web      developer SQL injection will discuss. Best way to prevent it is, use <cfqueryparam> tag all your dynamic value of query (or user input). Use stored procedure as much as possible. Escaping all user supplied input wherever you are not using cfqueryparam. Remove unnecessary previlige for ColdFusion datasource from “Advance Setting”. You can simply use ESAPI (now available with ColdFusion 9 latest patch) and encodeForSQL() function.   <cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI").encoder()> <cfset esapi.encodeForSQL(org.owasp.esapi.codecs.Codec codec, java.lang.String input) )>
  • 8.         Keep username case INsensitive. (not for security but for user comfort. Set password minimum length not shorter than 10 characters. Maximum length should not be less than 20 characters. Force for complex password. On multiple incorrect attempt verify input placed by human. Never store password in plain text, you did that right? Re-authenticate on sensitive feature. (Like change password, delete account, edit account information or payment information). Use generic error message instead of indicating what exactly wrong.  Incorrect    Correct       “Test is wrong username”. “Supplied password is wrong”. “Login Failed: Incorrect username or password”. User UUID for CFTOKEN. Enable Jsession Id Use httpOnly for session cookie. Minimize session idle timeout. Do not cache webpage for important information. Force page refresh when using through browser back button.
  • 9.  This javascript based attack. Easy to attack on any site and     hard to prevent it. Simple rule to avoid XSS “Never trust on user input”. Demo ColdFusion 10 coming with inbuilt function based on ESAPI to avoid XSS attack. ColdFusion 9 latest patch already have ESAPI included in so you can create ESAPI object and use it wherever needed. Useful functions:     Encodeforhtml() Encodeforhtmlattribute() Encodeforcss() Encodeforjavascript()
  • 10.  Sometime we supply crucial information in URL param without knowing importance.  For ex.: http://www.example.com/customer/userinvoice.cfm?i nvoiceid=1233  How to avoid:  Add additional hashed key with passed parameters which generated with user session id and compare before giving access.
  • 11.  Keep your software updated with latest patches.  Always use custom error page instead of showing stacktrace.  Keep setting different for development and production. And it should auto detect by IP/domain instead of manual change.  Disabled directory listing on your web application.
  • 12.  Store your sensitive data (password, credit card) always in encrypted format.  Forced SSL redirection for non public page.  Store sensitive data only if needed.  Disable auto complete form for collecting sensitive data and of course disabled caching of page.
  • 13.  It is little similar to “Insecure Direct object References”. Instead of form/url parameter look for full URL is also have access control.  http://www.example.com/guest/profile  http://www.example.com/user/profile  Implement role based security for each functionality.
  • 14.  This attack allow to use functionality of user’s       authenticated area without knowing user’s permission. Demo Add CSRFToken to every request and compare it. Use POST instead of GET method (though is not going to prevent attack) Check the referrer header. (This can be spoofed as well) Check origin header. Unlike referer HTTP origin will be present in HTTP request that originates from HTTPS url. Challenge-Response:  Captcha  Re-Authenticate  One-Time token
  • 15.  World with lots of vulnerabilities. Before using any third party component or software make sure component do not have any known vulnerabilities.  Monitor security patches or version release for your components.
  • 16.  Imagine if your user redirect to some malware site if     click on “next” button. Sometime we use page to redirect. E.g. http://www.example.com/redirect.cfm?nexturl=badgu yssite.com Try to avoid redirect/forward page. Do not use user input for redirection parameter. Fully validate url where you are redirecting.