Posted in ColdFusion | Posted on 03-07-2011 | 3,521 views
This morning I received an email from Nadia asking the following:
I do check your website and also the Robots.com website for CF tips and info especially about security. I am a Ph.D. student and am required to write a paper and try to submit it to the ACM Journal. I have had some experience with ColdFusion Security Fixes, at my previous job at JSC-NASA. I am thinking to write my paper about preventive measures in CF against security threats in regards to SQL Injection, XSS and maybe CSRF Attacks and recommended steps to mitigate these vulnerabilities. I have two questions: I was wondering if you have links somewhere to these topics, like recent blogs or something. My other question would be would there be more recently related CF Security problems and fixes that I can write about?
This is a topic that comes up pretty often. There is an official Adobe ColdFusion Security page: http://www.adobe.com/devnet/coldfusion/security.html. It's pretty bare but has the damn good lockdown guide by Pete Freitag. This PDF is more server related than code related, but I'd consider it required reading for any ColdFusion installation.
You mentioned robots.com. I assume you mean 12robots.com which is Jason Dean's blog. You can find his security category here: http://www.12robots.com/index.cfm/Security
Pete Freitag (author of the lockdown guide above) also has a security category for his blog: http://www.petefreitag.com/tag/security
Finally, I'd also mention UGTV - here is a search page for security: http://www.carehart.org/ugtv/list.cfm?search=security
Hopefully this is enough to get you started. Readers - please feel free to add more links.


The OWASP Top 10 site is a great place to learn about these specific attacks, plus a bunch more.
http://www.owasp.org/index.php/Category:OWASP_Top_...
I will explain further.
1. A lot of people think that <cfqueryparam> is the be-all-end-all solution to SQL Injection. It is not. Unless you never do anything dynamic outside of a WHERE clause you need to consider how you will protect your SQL statements if you want dynamic sort, joins, table names or columns.
2. XSS is a tricky one. A REALLY tricky one. It requires a thorough understanding of the executable contexts of an HTML page and how one might break out of a non-executable context and into an executable one. This is another one where people think they can solve their problems with a few simple functions. Unfortunately, that is not the case.
I have been working on a lengthy blog post about this, I will use this as motivation to finish it this week.
3. XSRF is just a confusing thing to think about. It can be exploited in a number of ways against different types of sites (i.e. Traditional, Ajaxy, Web Services). It takes some thinking about to understand what is happening. Fortunately, the mitigation is relatively easy, though can also be very time consuming to implement on a legacy site.
Feel free to hit me on the contact form of my site with questions. I'll help where I can.
If you have tried that already, I had been having email problems on my site for a while so it is possible I didn't get your email. You can also try me at j a s o n (at@) 12robots . com (ignore all that whitespace)
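One way to handle the dynamic ORDER BY case Jason raises in point 1, as an added example that is not from the original post or its comments: values still go through cfqueryparam, while identifiers (sort column, direction) come only from a fixed allow-list, never from the request. The table, column names and datasource name are assumptions.

```cfml
<!--- Added example, not from the original post or comments. Assumes a
      "products" table with columns id, name, price, created and a
      datasource named "myDsn" (constructed for illustration). --->
<cfscript>
// Allow-list of sortable columns. The key is what the client may send,
// the value is the exact identifier that will be placed in the SQL.
// Anything not in this struct is replaced with the default.
sortableColumns = { "name" = "name", "price" = "price", "created" = "created" };
sortDirections  = { "asc" = "ASC", "desc" = "DESC" };

requestedSort = structKeyExists(url, "sort") ? lCase(url.sort) : "name";
requestedDir  = structKeyExists(url, "dir")  ? lCase(url.dir)  : "asc";

if (!structKeyExists(sortableColumns, requestedSort)) requestedSort = "name";
if (!structKeyExists(sortDirections,  requestedDir))  requestedDir  = "asc";

// Only allow-listed identifiers ever reach the query text.
orderBy  = sortableColumns[requestedSort] & " " & sortDirections[requestedDir];
minPrice = structKeyExists(url, "minPrice") ? url.minPrice : 0;
</cfscript>

<!--- The WHERE value is bound with cfqueryparam (type-checked, never
      concatenated). The ORDER BY identifier is interpolated with ##, which
      cfqueryparam cannot do for identifiers, so it is safe only because
      orderBy is built exclusively from the allow-list above. --->
<cfquery name="products" datasource="myDsn">
    SELECT id, name, price, created
    FROM products
    WHERE price >= <cfqueryparam value="#minPrice#" cfsqltype="cf_sql_decimal">
    ORDER BY #orderBy#
</cfquery>
```

The same allow-list pattern applies to dynamic table names, column lists and join targets: map the client-supplied token to a hard-coded identifier and reject anything else, rather than trying to escape the input.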
I'll link to here from there.
Blog Post here: http://www.12robots.com/index.cfm/2010/10/29/Recor...
Recording here: http://tv.adobe.com/watch/max-2010-develop/securin...
What's Possible with XSS: http://www.12robots.com/index.cfm/2010/9/14/Whats-...
Mitigating XSS with ColdFusion - Part 1: Understanding HTML Contexts: http://www.12robots.com/index.cfm/2011/2/7/XSS-mit...
This series will have at least 2 or 3 more posts to really get everything that is needed to properly mitigate XSS risk.