Pete Freitag
http://www.petefreitag.com/
http://foundeo.com/security/ --- might think about getting this - will stop the SQL injection attempts
Use CFQUERYPARAM - more secure, better performance.
~~~~~~~~~~~~
Path Traversal -
avoid/protect referencing pages
site.com/go.cfm?page=hello.cfm
Can become
site.com/go.cfm?page=../../some/file.txt
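An added example (not from the talk or these notes) of a go.cfm that never hands the URL value to cfinclude: the page parameter is only a key into a map of known templates, so a value like ../../some/file.txt is simply not a key. The page keys, the pages/ folder and the 404 handling are assumptions.

```cfml
<!--- go.cfm (added example). Map short keys to the templates we are willing to include;
      the keys and the pages/ folder are assumed names --->
<cfset pages = StructNew()>
<cfset pages["hello"]   = "pages/hello.cfm">
<cfset pages["about"]   = "pages/about.cfm">
<cfset pages["contact"] = "pages/contact.cfm">

<cfparam name="url.page" default="hello">

<!--- The user-supplied value is only ever used as a lookup key. Anything that is not
      one of the keys above, including ../../some/file.txt, falls through to the 404 branch --->
<cfif StructKeyExists(pages, url.page)>
    <cfinclude template="#pages[url.page]#">
<cfelse>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>Unknown page.</cfoutput>
    <cfabort>
</cfif>
```

Requests then look like go.cfm?page=about rather than go.cfm?page=about.cfm; the filesystem path never appears in the URL at all, which is stronger than filtering dots and slashes out of a filename.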
~~~~~~~~~~
CRLF Injection
CRLF = \r\n (URL-encoded: %0d%0a)
If user input ends up in a header (e.g. a content type), a CRLF in that input lets the attacker start a new header line, so they can insert headers of their own.
NOTE: This can drop into CFMAIL by adding a content-type in a form -- WE SHOULD CHECK FOR THIS.
Solution is like this (strip CR and LF from anything that goes into a header):
<cfset form.subject = ReReplace(form.subject, "[\r\n]", "", "ALL")>
~~~~~
Insecure File Upload
An attacker can upload a file that is really a CFM template. Don't just check the content type: check the filename/extension, and store uploads outside the webroot.
--- GREAT COMMAND: ab
ApacheBench - useful for a quick and dirty load/performance test.
~~~
Use whitelists over blacklists
ALLOW jpg,pdf,png
instead of
BLOCK cfm cfc jsp
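An added example (not from the talk or these notes) putting the two upload notes together: save outside the webroot, judge the file by the extension it was saved with rather than the client's content type, and allow a short list of extensions instead of blocking a list of dangerous ones. The upload directory, field name and extension list are assumptions.

```cfml
<!--- upload.cfm (added example). The destination is outside the webroot so nothing written
      here can be requested, let alone executed, by URL. The path is an assumption --->
<cfset uploadDir  = "/var/cf_uploads/">
<!--- Allowlist of extensions we want, never a blocklist of ones we fear --->
<cfset allowedExt = "jpg,jpeg,png,pdf">

<!--- Save first, then inspect. The browser's content type is attacker-controlled, so it
      is not consulted here. nameconflict="makeunique" stops an upload overwriting an
      existing file. The form must be posted with enctype="multipart/form-data" --->
<cffile action="upload"
        filefield="userfile"
        destination="#uploadDir#"
        nameconflict="makeunique">

<!--- cffile.serverFileExt is the extension of the file as it now sits on disk --->
<cfif NOT ListFindNoCase(allowedExt, cffile.serverFileExt)>
    <cffile action="delete" file="#uploadDir##cffile.serverFile#">
    <cfthrow message="Upload rejected: only #allowedExt# files are accepted">
</cfif>

<!--- Record only the server-assigned name; serve the file later through a CFM handler
      (cfcontent) rather than by exposing uploadDir to the web server --->
<cfoutput>Saved as #cffile.serverFile#</cfoutput>
```

Because the file lands outside the webroot before any check runs, even a file that slips past the extension test can never be executed as a template; the allowlist then keeps the storage clean.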
~~~~~
SQL INJECTION
Lets SQL commands ride in on a URL parameter: ?id=1234;SOME SQL HERE
Demos of how they work.
Use CFQUERYPARAM
(yeah we know, but the demos were pretty cool!)
One place to check is SELECT TOP n, where the row count is spliced straight into the SQL.
Change to:
SELECT TOP #int(Val(n))#
Val() returns 0 when it can't recognize a number (this could be useful in the degree symbol problem)
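An added example (not from the talk or these notes) showing the concatenated query beside the parameterised one, with the TOP count forced through Int(Val()) as the notes suggest. The datasource "myds", the table and the bound of 100 rows are assumptions.

```cfml
<!--- list.cfm (added example). Datasource "myds" and table "articles" are assumptions --->
<cfparam name="url.id" default="0">
<cfparam name="url.n"  default="10">

<!--- BEFORE (kept as a comment): both values are pasted into the SQL text, so
      ?id=1234;SOME SQL HERE appends a second statement and ?n= rewrites the SELECT.
<cfquery name="qArticles" datasource="myds">
    SELECT TOP #url.n# id, title FROM articles WHERE id = #url.id#
</cfquery>
--->

<!--- AFTER: TOP cannot be a bind parameter here, so force it to a bounded integer.
      Val() yields 0 for anything that does not start with a number, Int() drops fractions --->
<cfset rowLimit = Int(Val(url.n))>
<cfif rowLimit LTE 0 OR rowLimit GT 100>
    <cfset rowLimit = 10>
</cfif>

<!--- The id goes through cfqueryparam: it is sent as a bind variable, never spliced into the
      SQL text, and cf_sql_integer rejects non-numeric input before the query is run --->
<cfquery name="qArticles" datasource="myds">
    SELECT TOP #rowLimit# id, title
    FROM   articles
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The bind variable is also where the "more performance" remark comes from: the SQL text is identical on every request, so the database can reuse the prepared statement instead of parsing a new one per id.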
~~~~~
XSS Hacking
You can put a script snippet in a URL
page.cfm?name=bob <script>replace a div</script>
Make sure you escape output (use XMLFormat), or use the OWASP ESAPI library.
http://www.owasp.org/index.php/Main_Page
AntiSamy provides a validator that lets only safe HTML through:
http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks
Which we could use for the forecasters.
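An added example (not from the talk or these notes) of escaping at the point of output, in the three contexts a value like ?name=bob <script>...</script> usually lands in. It uses the built-in HTMLEditFormat and URLEncodedFormat functions; the notes mention XMLFormat, which escapes the same characters for text content. The page and field names are assumptions.

```cfml
<!--- hello.cfm (added example) --->
<cfparam name="url.name" default="guest">

<!--- BEFORE (kept as a comment): raw output, so
      page.cfm?name=bob <script>...</script> executes in the visitor's browser
<cfoutput><h1>Hello #url.name#</h1></cfoutput>
--->

<!--- AFTER: escape at the point of output, for the context the value lands in.
      HTMLEditFormat turns < > & " into entities so the browser shows the payload as text;
      XMLFormat does the same for text content. ColdFusion 10 and later also offer
      EncodeForHTML / EncodeForHTMLAttribute / EncodeForJavaScript, one per context --->
<cfoutput>
    <h1>Hello #HTMLEditFormat(url.name)#</h1>

    <!--- attribute context: always double-quote the attribute and escape the value --->
    <input type="text" name="name" value="#HTMLEditFormat(url.name)#">

    <!--- URL context needs a different encoder, so the value cannot break out of the query string --->
    <a href="page.cfm?name=#URLEncodedFormat(url.name)#">permalink</a>
</cfoutput>
```

Escaping belongs at output, not at input: the same stored value may be rendered as text, as an attribute and as part of a URL, and each needs its own encoding.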
~~~~~~~
SESSION HACKING
Use addtoken="false" in cflocation
Use UUID for CFTOKEN
Use HTTPOnly session cookies
Use Secure cookies for SSL
Use SSL
Set the cookie path attribute.
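An added example (not from the talk or these notes) of an Application.cfc that applies the session notes above: HttpOnly and Secure on the CFID/CFTOKEN cookies, SSL forced, and addtoken="false" on the redirect. The per-application this.sessionCookie settings need ColdFusion 10 or later; the application name and timeout are assumptions.

```cfml
<!--- Application.cfc (added example). this.sessionCookie requires ColdFusion 10 or later;
      application name and timeout are assumptions --->
<cfcomponent output="false">
    <cfset this.name              = "notesApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout    = CreateTimeSpan(0, 0, 30, 0)>
    <cfset this.setClientCookies  = true>

    <!--- CFID/CFTOKEN cookies: httpOnly keeps them out of reach of injected script (see the
          XSS notes), secure means the browser only ever sends them over SSL --->
    <cfset this.sessionCookie = { httpOnly = true, secure = true }>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Force SSL, otherwise the secure cookie is never sent and the session
              would be established over plain HTTP --->
        <cfif cgi.https NEQ "on">
            <cfset sslUrl = "https://" & cgi.server_name & cgi.script_name>
            <cfif Len(cgi.query_string)>
                <cfset sslUrl = sslUrl & "?" & cgi.query_string>
            </cfif>
            <!--- addtoken="false": never append CFID/CFTOKEN to the URL, where they would
                  end up in logs, referer headers and browser history --->
            <cflocation url="#sslUrl#" addtoken="false" statuscode="301">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The UUID-for-CFTOKEN option is not set in code: it is the "Use UUID for cftoken" checkbox on the Settings page of the ColdFusion Administrator. If you write additional cookies yourself with cfcookie, give them the narrowest path attribute that still covers the pages that need them.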
CROSS SITE REQUEST FORGERY
Hard to explain.
Solution: use POST for submits.
Check that the referers of forms are your own site.
Compare hidden form variable with session variable
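An added example (not from the talk or these notes) of all three CSRF measures together: the form page mints a per-session token and embeds it in a hidden field, and the handler insists on POST, checks the referer against its own host, and compares the hidden field with the session copy. The two file names and the form fields are assumptions.

```cfml
<!--- profileForm.cfm (added example; file names are assumptions) --->
<!--- Mint one random token per session and keep the master copy server side --->
<cfif NOT StructKeyExists(session, "csrfToken")>
    <cfset session.csrfToken = CreateUUID()>
</cfif>
<cfoutput>
<form method="post" action="saveProfile.cfm">
    <input type="hidden" name="csrfToken" value="#session.csrfToken#">
    <input type="text" name="displayName" value="">
    <input type="submit" value="Save">
</form>
</cfoutput>


<!--- saveProfile.cfm (added example) --->
<!--- 1. POST only: a cross-site image tag or link can only produce a GET --->
<cfif cgi.request_method NEQ "POST">
    <cfthrow message="Rejected: form must be posted">
</cfif>

<!--- 2. Referer must point back at this site. Browsers and proxies sometimes omit it, so an
      empty referer is tolerated, but a referer naming another host is not --->
<cfset ownOrigin = "https://" & cgi.server_name & "/">
<cfif Len(cgi.http_referer)
      AND CompareNoCase(Left(cgi.http_referer, Len(ownOrigin)), ownOrigin) NEQ 0>
    <cfthrow message="Rejected: request came from another site">
</cfif>

<!--- 3. Hidden field must equal the token held in the session. A page on another site cannot
      read our session, so it cannot supply this value. Compare() is case-sensitive --->
<cfif NOT StructKeyExists(form, "csrfToken")
      OR NOT StructKeyExists(session, "csrfToken")
      OR Compare(form.csrfToken, session.csrfToken) NEQ 0>
    <cfthrow message="Rejected: missing or invalid form token">
</cfif>

<!--- All three checks passed: safe to act on form.displayName here --->
```

The token check is the one that actually carries the weight; the method and referer checks are cheap extra layers. ColdFusion 10 and later ship CSRFGenerateToken() and CSRFVerifyToken(), which implement step 3 without hand-rolling the session storage.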
SUMMARY:
Validate Everything
Become a regexpert
Check ALL inputs
Be paranoid
Keep Learning