ColdFusion Security Resources

This post is more than 2 years old.

This morning I received an email from Nadia asking the following:

I do check your website and also the website for CF tips and info especially about security. I am A Ph.D. Student and am required to write a paper and try to submit it to the ACM Journal. I have had some experience with ColdFusion Security Fixes, at my previous job at JSC-NASA. I am thinking to write my paper about Preventive measure in CF against security threats in regards to SQL Injection, XSS and maybe CSRF Attacks and recommended steps to mitigate these vulnerabilities.

I have two questions: I was wondering if you have links somewhere to these topics, like recent blogs or something. My other question would be would there be a more recently related CF Security problems and fixes that I can write about?

This is a topic that comes up pretty often. There is an official Adobe ColdFusion Security page: It's pretty bare but has the damn good lockdown guide by Pete Freitag. This PDF is more server related then code related, but I'd consider it required reading for any ColdFusion installation.

You mentioned I assume you mean which is Jason Dean's blog. You can find his security category here:

Pete Freitag (author of the lockdown guide above) also has a security category for his blog:

Finally, I'd also mention UGTV - here is a search page for security:

Hopefully this is enough to get you started. Readers - please feel free to add more links.

Raymond Camden's Picture

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA

Archived Comments

Comment 1 by Tom Chiverton posted on 3/7/2011 at 8:05 PM < apparently my comment is spam so I'm typing some more random junk in to try and trip the filter back the right way I hope it's enough this time.

Comment 2 by Jason Dean posted on 3/7/2011 at 8:07 PM

One of the best places to start learning about security is the OWASP site. The single bets way to figure out how to mitigate a risk is to understand WHY it is a risk and HOW it is exploited.

The OWASP Top 10 site is a great place to learn about these specific attacks, plus a bunch more.

Comment 3 by Jason Dean posted on 3/7/2011 at 8:18 PM

Another thing that I will point about about your security topics is that none of them are as simple as they may seem.

I will explain further.

1. A lot of people think that <cfqueryparam> is the be-all-end-all solution to SQL Injection. It is not. Unless you never do anything dynamic outside of a WHERE clause you need to consider how you will protect your SQL statements if you want dynamic sort, joins, table names or columns.

2. XSS is a tricky one. A REALLY tricky one. It requires a through understanding of the executable contexts of an HTML page and how one might break out of a non-executable context and into an executable one. This is another one where people think they can solve their problems with a few simple functions. Unfortunately, that is not the case.

I have been working on a lengthy blog post about this, I will use this as motivation to finish it this week.

3. XSRF is just a confusing thing to think about. It can be exploited in a number of ways against different types of sites (i.e. Traditional, Ajaxy, Web Services). It takes some thinking about to understand what is happening. Fortunately, the mitigation is relatively easy, though can also be very time consuming to implement on a legacy site.

Feel free to hit me on the contact form of my site with questions. I'll help where I can.

If you have tried that already, I had been havign email problems on my site for a while so it is possible I didn't get your email. You can also try me at j a s o n (at@) 12robots . com (ignore all that whitespace)

Comment 4 by Tom Chiverton posted on 3/7/2011 at 8:23 PM

Cheers Jason, I'd hoped I made that clear in my own post :-)
I'll link to here from there.

Comment 5 by Jason Dean posted on 3/7/2011 at 8:52 PM

Oh, I just remembered, my presentation at Adobe MAX last year specifically covered a lot of the OWASP Top 10 stuff and how they can be mitigated.

Blog Post here:

Recording here:

Comment 6 by Jason Dean posted on 3/7/2011 at 11:39 PM

Ok, I've been inspired to get to work in this. Two important posts can be found here:

What's Possible with XSS:

Mitigating XSS with ColdFusion - Part 1: Understanding HTML Contexts:

This series will have at least 2 or 3 more posts to really get everything that is needed to properly mitigate XSS risk.