Become a Security Rockstar with ColdFusion 2016
1 like884 views
This document provides an overview of how to improve security when using ColdFusion 2016. It discusses installing ColdFusion with the secure profile, following the lockdown guide, applying updates, and using the new Security Analyzer tool. The Security Analyzer checks code for vulnerabilities like SQL injection, XSS, and CSRF. The document also recommends coding practices to avoid vulnerabilities, such as using ESAPI encoders and <cfqueryparam>. Proper session management and preventing attacks like XSS, SQL injection, and CSRF are also discussed.
![Cross Site Scripting (XSS)
• WYSIWYG HTML editors
• ColdFusion 11 added support HTML Sanitization using OWASP AntiSamy
• isSafeHTML(inputString, [policyFile], [throwOnError])
• getSafeHTML(inputString, [policyFile], [throwOnError])
• ColdFusion’s default policy based on Slashdot policy from project
https://code.google.com/archive/p/owaspantisamy/downloads](https://image.slidesharecdn.com/cf-security-rockstar-161114161235/85/Become-a-Security-Rockstar-with-ColdFusion-2016-27-320.jpg)
![Cross-site Request Forgery
• Random Token
• CSRFGenerateToken([key], [forceNew])
• Generates a random token and stores it in the session
• CSRFVerifyToken(token, [key])
• Validates the passed in token against the token stored in the session
• Must have session variables enabled](https://image.slidesharecdn.com/cf-security-rockstar-161114161235/85/Become-a-Security-Rockstar-with-ColdFusion-2016-35-320.jpg)
Become a Security Rockstar with ColdFusion 2016
- 1. David Epler Security Architect AboutWeb Become a Security Rockstar with ColdFusion 2016
- 2. Agenda • Installation • Secure Profile • Lockdown Guide • Other Considerations • Updates • ColdFusion Updates • Support Life Cycle • Security Analyzer • Coding Practices • Cross-site Scripting (XSS) • SQL Injection • Cross-site Request Forgery (CSRF) • Session Management
- 3. Installation
- 7. CFSCRIPTS Directory • In ColdFusion 2016 CFIDE access is now removed from the web server and is only accessible to localhost on port 8500 • Following directories are now contained in cf_scripts • CFIDE/scripts • CFIDE/classes • CFIDE/cfclient
- 8. Lockdown Guide • Lockdown guide absolutely needs to be used for any public facing ColdFusion Server • Guide released for each version of ColdFusion since 9 • ColdFusion 10 https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf • ColdFusion 11 https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf • ColdFusion 2016 http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown- guide.pdf • Go to Pete’s session next in Jasmine F B104 – Bulletproof Your ColdFusion Server With The Lockdown Guide
- 9. Other Considerations • Securing other parts of the web stack • Operating System • Web Server • Database Server • Using additional guidelines • Microsoft Baseline Security Analyzer • CIS Security Benchmarks • DISA STIGs • Other vendor guidelines
- 10. Updates
- 11. Updates • Update process • Always apply and test on development and test/staging environments first • Update as quickly and reasonably possible • Notification of updates • via ColdFusion Administrator • blogs.coldfusion.com • Twitter/Facebook • Adobe Security Notification Service https://campaign.adobe.com/webApp/adbeSecurityNotificationsRegistration
- 15. Security Analyzer • Integrated into ColdFusion Builder 2016 to enable developers to avoid common security pitfalls and vulnerabilities while writing ColdFusion code • Highlights the vulnerable code in the editor • Classifies the vulnerability type • Severity level of the vulnerability • Suggestions on how to fix the vulnerability • Export report
- 16. Security Analyzer • Vulnerability Types • SQL Injection • XSS Attack • PDF XSS Attack • CSRF Attack • CFLocation Validation • Cookie Validation • Passwords • File Upload Validation • Get vs Post • File Injection
- 17. Security Analyzer • Enterprise Only • Does not work in Developer or Standard Edition • Does not work with ColdFusion built into ColdFusion Builder • ColdFusion Server 2016 needs to be installed with Developer Profile • RDS is required • Need access to port 8500 or • Create virtual mapping for /CFIDE and modify uriworkermap.properties for given connector to remove ! in front of /CFIDE/* = cfusion • Keep update versions of ColdFusion and ColdFusion Builder in sync • Communication changed between Release, Update 1, and Update 2 • Updates improve detection cases
- 20. Coding Practices
- 21. Coding Practices • Just upgrading to latest version will not secure your code • Need to use language enhancements introduced since ColdFusion 10 • Reviewing code in use • Training developers to use more secure coding practices • Security best practices change over time
- 22. Cross Site Scripting (XSS) • Enables attackers to inject client-side script into web pages • Session Hijacking • Phishing for passwords or other info • Several types • Persistent (Stored) • Non-Persistent (Reflected) • DOM-based
- 23. Cross Site Scripting (XSS)
- 24. Cross Site Scripting (XSS) • Old encoding functions Context Example HTML <p>Hi #htmlEditFormat(url.name)#</p> HTML Attribute <div id="#htmlEditFormat(url.name)#" /> JavaScript <script>x='#jsStringFormat(url.name)#’</script> <a onmouseover=“foo(#jsStringFormat(url.name)#)"/> CSS <div style="font-family: #form.fontname#" /> URL <a href=“index.cfm?id=#urlEncodedFormat(cookie.id)#" />
- 25. Cross Site Scripting (XSS) • New OWASP ESAPI encoders available in ColdFusion 10+ • Replace htmlEditFormat, jsStringFormat, and urlEncodedFormat Context Example HTML <p>Hi #encodeForHTML(url.name)#</p> HTML Attribute <div id="#encodeForHTMLAttribute(url.name)#" /> JavaScript <script>x=’#encodeForJavascript(url.name)#’</script> <a onmouseover=“foo(#encodeForJavaScript(url.name)#)"/> CSS <div style="font-family: #encodeForCSS(form.fontname)#" /> URL <a href=“index.cfm?id=#encodeForURL(cookie.id)#" />
- 26. Cross Site Scripting (XSS)
- 27. Cross Site Scripting (XSS) • WYSIWYG HTML editors • ColdFusion 11 added support HTML Sanitization using OWASP AntiSamy • isSafeHTML(inputString, [policyFile], [throwOnError]) • getSafeHTML(inputString, [policyFile], [throwOnError]) • ColdFusion’s default policy based on Slashdot policy from project https://code.google.com/archive/p/owaspantisamy/downloads
- 29. SQL Injection • Allows attacker to do any of the following: • Download all data in database • Modify or Delete all data in database • Execute stored procedures or processes in some cases
- 30. SQL Injection
- 31. SQL Injection – Partially Fixed • <cfqueryparam> was introduced in ColdFusion 4.5 • Still missing in a lot of old code and too many developers do not use it
- 32. SQL Injection – Fixed
- 33. SQL Injection • SQL Injection is not limited to <cfquery> • Stored procedures • Use <cfprocparam> • Do not use exec inside <cfquery> • ORMExecuteQuery() and QueryExecute()
- 34. Cross-site Request Forgery • Causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated • Could result in a transfer of funds, changing a password, or purchasing an item • Impact vary greatly based on the privileges of the user • Occurs without knowledge of the target user, until the unauthorized transaction has been committed
- 35. Cross-site Request Forgery • Random Token • CSRFGenerateToken([key], [forceNew]) • Generates a random token and stores it in the session • CSRFVerifyToken(token, [key]) • Validates the passed in token against the token stored in the session • Must have session variables enabled
- 36. Session Management • SessionRotate() • Creates a new session and copies session scope into this new session, then invalidates the old session • Used after a valid login to prevent session fixation • SessionInvalidate() • Clears session scope and makes the current session identifiers no longer valid • Only works with ColdFusion sessions (CFID/CFToken), does not work with JEE sessions (JSESSIONID) • SessionRotate for JEE sessions - http://www.petefreitag.com/item/829.cfm
- 37. One more thing
- 38. Security Analyzer Commandline • Adobe only built access to Security Analyzer through ColdFusion Builder But… • Using new commandline abilities in ColdFusion 2016 built a solution • Available on GitHub, https://github.com/dcepler/cf-cmdline-sec-ana • Requires ColdFusion Server 2016 Update 2 or higher • Allows for integration of the Security Analyzer into source code commit hooks and build processes
- 40. Q&A - Thanks • Blog: https://www.dcepler.net • Email: [email protected] • Twitter: @dcepler • GitHub: https://github.com/dcepler Please remember to complete session survey
- 41. Thank you!