ColdFusion Code Security - PowerPoint PPT Presentation

About This Presentation
Title:

ColdFusion Code Security

Description:

Use CFID / CFToken from URL or create your own cookies ... Don't use too many cookies ... Consider (also/instead) having cookies go away after browser closing ... – PowerPoint PPT presentation

Number of Views:160
Avg rating:3.0/5.0
Slides: 44
Provided by: michae1560
Category:

less

Transcript and Presenter's Notes

Title: ColdFusion Code Security


1
ColdFusion Code Security
  • Michael Smith
  • President
  • TeraTech, Inc
  • ColdFusion, database VB custom development and
    training.
  • http//www.teratech.com
  • 800-447-9120

2
Speaker Information
  • Who am I?
  • Michael Smith
  • President of TeraTech, Inc Rockville MD
  • http//www.teratech.com/
  • ttWebReportServer, CFXGraphicserver
  • MDCFUG, CFUN-02, Fusebox Conf
  • Articles in CFDJ, Fusion Authority

3
Introduction
  • The ColdFusion security challenge
  • Keeping hackers out
  • While still letting users and friendly apps in
  • Balance security vs easy of use

4
ColdFusion Security
  • Here is what we will be covering
  • Error handling
  • Form Validation
  • Page parameter validation
  • User Authentication
  • Members Only
  • Encryption and passwords

5
Not covered in this talk
  • Server security
  • Database security
  • Hardware security
  • Operating system security
  • TeraTechs CF201 Class covers more security
    topics than we can cover in an hour.

6
Error handling
  • Always have an error handler in Application.cfm
  • Never display default CF errors - gives out SQL
    information and template paths
  • Instead email error to admin
  • Dont explain why attempt failed
  • Standard processing time

7
Error handling code
  • In Application.cfm
  • ltcferror type"EXCEPTION" template"error_exceptio
    n.cfm" mailto"Request.ErrorNotifyEmail"gt
  • ltCFMAIL to"error.MailTo"
  • from"info_at_teratech.com"
  • subject"ColdFusion Error"gt
  • error.RemoteAddress
  • error.Template
  • error.DateTime
  • error.Diagnostics
  • lt/CFMAILgt

8
Form Validation
  • Why it is important
  • Underscore validation
  • CFFORM validation
  • Javascript validation
  • CF validation
  • SQL validation
  • Fake form submits

9
Why is validation important?
  • Malicious exploits are possible
  • Bad data may be entered
  • Server crashes
  • Hacker can force an error message

10
Underscore Validation
  • AKA Form-level validation
  • Easiest to implement
  • ltInput TypeHidden Namefield_required
    valueError messagegt
  • Runs on the server based on this hidden parameter
    from the form page
  • Trusts the browser that the form variable is
    passed
  • Effectively client-side, although actual
    validation occurs on the server

11
CFFORM Validation
  • Automagically generates form-level validation and
    javascript validation
  • Works well enough in simple forms
  • Does not adapt well for complex forms, need for
    complex validation, javascript, etc.
  • Generally roll-your-own is preferred
  • Still trusts browser

12
Javascript Validation
  • Available many places
  • Swipe from the source code generated by CFForm
  • http//builder.com/
  • Totally browser dependent
  • With CF Form, wont even submit if javascript not
    present
  • Effectively useless with 508
  • BUT! Least server traffic

13
CF Validation
  • Occurring on the ACTION page, on the server side
  • Need not trust the browser
  • 508 compliant, browser independent
  • A little more complicated to write, but necessary
    on public sites

14
Authentication
  • Stateless web - any page can call another - this
    is good for open sites
  • Hacker pages call your page with false data
  • Use CGI. HTTP_REFERER to control who calls you
  • Use CGI. CF_TEMPLATE_PATH application.cfm control
    what is run.

Warning - Can be spoofed by browser
15
Fake form submits
  • Hacker copies your HTML source to their machine,
    edits form fields and submits to your action
    page.
  • They can now edit your hidden fields or remove
    fields to generate error messages
  • Hidden form field token
  • Check HTTP_REFERER is in your domain

16
Fake URLs
  • Hacker edits your URL to get data they shouldnt
    see or to force page error.
  • Protect URLs with checksum eg hash() function.

17
Fake cookies
  • Cookies can be faked too they are just in text
    file on client machine
  • Dont assume cookie value is valid
  • For top security add checksum to cookie.

18
Page Validation
  • URL and Form parameters used in SQL
  • SELECT FROM EMP WHERE ID USERID
  • Extra SQL commands on SQL Server
  • http//myserver/page.cfm?ID_VAR73BDELETE20FROM
    20MyCustomerTable
  • VBA functions - shell() on Access
  • xp_cmdshell in SQL Server
  • Use VAL() on parameters or check for and or
    use ltCFQUERYPARAMgt
  • Encrypt Variables
  • Checksum URLs

19
CFQUERYPARAM
  • Code example
  • ltCFQUERY NAME"getFirst" DATASOURCE"cfsnippets"gt
    SELECT FROM courses WHERE Course_IDltCFQUERYPARA
    M VALUE"Course_ID" CFSQLType"CF_SQL_INTEGER"gt
    lt/CFQUERYgt
  • Also runs faster SQL too cached query plan.

20
Protect CFINCLUDE and CFMODULE files
  • Dont let CFINCLUDE and CFMODULE files be run
    standalone they may do bad things or generate
    error messages
  • Protect using a naming convention/ subdirectory
    and test in application.cfm of CGI.script_name
  • Especially important for Fusebox applications
    with many include files

21
Code to protect CFINCLUDE files
  • For Fusebox In Application.cfm
  • ltCFIF CGI.script_name contains index.cfmgt
  • lt!--- ok to run ---gt
  • ltCFELSEgt
  • ltCFABORT SHOWERROR"Protected page"gt
  • lt/CFIFgt
  • Non-Fusebox check filename/directory

22
Code Defensively
  • Assume bad things will happen and code for them
  • Always code the CFELSE and CFDEFAULTCASE
  • Check input parameters exist using CFPARAM, they
    are of correct type and are that they are in
    range.
  • E.g. ltCFPARAM NAME"" TYPE"numericgt

23
Datasource password
  • Dont put datasource userid and password in CF
    Admin if any template is compromised hacker can
    destroy data
  • Dont hardcode in every CFQUERY call
  • Use request variables in application.cfm and
    encrypt it
  • Or for super security set up user accounts in
    Oracle and have users enter userid/password when
    they logon.

24
Input massaging
  • Textarea field may be stored to database for
    redisplay
  • Bad users may enter JavaScript or CF functions
    into your text hoping you will use evaluate() on
    them.
  • Strip them out using a regular expression.

25
CFCONTENT
  • CFCONTENT can be misused to send back your source
    code eg filename/path in URL
  • Store files it sends in directory outside of
    webroot.

26
Logins
  • Use Strong SSL where available
  • http//www.thawte.com/
  • Require at least 8 chr password
  • Consider requiring numbers in password
  • Consider forcing regular password changes
    depending on application
  • Strong form validation
  • Consider blocking accounts after multiple failed
    attempts

27
Authentication
  • Protected Header code
  • In your application.cfm or header.cfm to be
    included in every page.
  • ltCFIF cgi.script_name contains "/intranet/"gt
  • ltcfif left(CGI.REMOTE_ADDR,11) is not
    "123.456.789"gt
  • ltcfif not isdefined("session.authorized")gt
  • ltCFLOCATION URLhttp//www.teratech.com/logon.cfm
    gt
  • ltcfabortgt
  • ltcfelsegt
  • ltcfset session.authorized TRUEgt
  • lt/cfifgt
  • lt/cfifgt
  • Your protected links here lt/cfifgt

Warning - spoofed IP numbers will get around this
code
28
Members Only
  • Session, client and cookies
  • Refresh issues
  • Timeouts
  • Remember me

29
Session, client and cookies
  • Client Management
  • Use short timeouts. (conflicts with 508)
  • Consider rolling your own security
  • Use CFID / CFToken from URL or create your own
    cookies
  • Store information in database with a table to
    keep track of ID/Token combinations against user
    Ids
  • Most flexible method

30
Session, client and cookies
  • Client Management
  • If you use session management (as enabled with
    CFApplication)
  • Lock your usageltCFLOCK scopeSessiongt
  • Limit session timeout, minutes not hours
  • Consider passing session vars into request vars
    at top and bottom of page

31
Session, client and cookies
  • Client Management
  • Use client variables in place of session
    variables where you do not need to store complex
    values
  • Configure storage so that variables are stored in
    a DB, NOT the registry
  • Use WDDX if you have the occasional need for a
    complex variable
  • Dont use too many cookies
  • Manually test for timeout less than 2 hours
    client.last_access_datetime

32
Timeouts
  • Use as short a timeout as practical
  • Dont want users annoyed
  • Do want to protect against trouble
  • Consider (also/instead) having cookies go away
    after browser closing
  • This is the default with cookies if you do not
    specify a time
  • If you create your own session management, you
    can do more

33
Session Tracking
  • Who is logged on now
  • Keep track of login times to see whos logged in
    now, can record activity and determine based on
    last activity or logoff option
  • Variable and structure dump
  • Use CF_Dump or CF5 CFDump tags to output all
    session variables or all cookies, etc.
  • http//www.smart-objects.com/docs.cfm?fcf_dump.ht
    m

34
Session hang over
  • User logs in then closes browser without logging
    out.
  • Hacker uses browser and if the session has not
    timed out they are logged in as previous user
  • Use CFCOOKIE on CFID and CFTOKEN to set these
    session cookies to expire immediately on browser
    close.

35
Remember Me
  • Sites with Login functions often have Remember
    Me option
  • Be careful - want to be clear what this option
    means
  • Use ltCFCookiegt to set your own cookie
  • Store something other than username / password or
    a flag - consider some random values
  • Dont turn option on by default

36
Members Only
  • Summary
  • Session variables can still be used, with locks,
    but Client or Cookies are preferable
  • Use ltCFLOCATIONgt after insert/cfmail to avoid
    issues
  • Short timeouts for login - experiment
  • Remember Me is easy with Cookie

37
Back button hacking
  • Hacker uses back button to view sensitive
    information from a users browser
  • Consider disabling back button, especially on
    logout
  • ltCFHEADER NAME"Expires" VALUE"06 Nov 1994
    084937 GMT"gt
  • ltCFHEADER NAME"Pragma" VALUE"no-cache"gt
  • ltCFHEADER NAME"cache-control" VALUE"no-cache,
    no-store, must-revalidate"gt

38
Encryption
  • Encrypt source so even if downloaded can not be
    read
  • Be aware that decryption programs exist
  • Encrypt sensitive data such as credit card
    numbers in database using CF encrypt() and
    decrypt().
  • Consider storing hash() of password instead of
    plain text.

39
Hashing passwords
  • ltCFQUERY NAME"CheckPerson" DATASOURCE"UserData"gt
    SELECT PasswordHash FROM SecureData WHERE
    UserIDltCFQUERYPARAM VALUE"UserID"
    CFSQLType"CF_SQL_CHARVAR"gt lt/CFQUERYgt
  • ltCFIF Hash(Form.Password) IS NOT
    CheckPerson.PasswordHashgt
  • ltCFLOCATION URL"unauthenticated.cfm"gt
  • ltCFELSEgt
  • ltCFLOCATION URL"authenticated.cfm"gt
  • lt/CFIFgt

40
Refresh Issues
  • If delete/insert/update pages are refreshed, or
    other action pages, problems occur hacker sees
    error message.
  • Immediately ltCFLOCATIONgt after one of these
    actions to avoid this
  • Use the addtokenyes parameter to keep any
    session changes across pages

41
Resources
  • http//www.allaire.com/developer/securityzone/
  • http//www.macromedia.com/v1/developer/securityzon
    e/
  • http//www.houseoffusion.com/ Security section

42
What Security Means
  • Security is hard because a hacker only needs one
    window to be open to get in while the poor
    webmaster must work on closing dozens of holes.
  • Security is a way of thinking - how can they get
    in...
  • More knowledge is power - dont keep security
    tips secret!

43
Next Steps
  • Conduct a security audit
  • Download Michael Dinowitzs http//www.houseoffusi
    on.com/ MunchkinLAN to test your site for holes
  • Remove CFDOCS
  • Validate pages
  • Authenticate pages
  • TeraTechs CF201 class
  • Questions? Email me at michael_at_teratech.com
Write a Comment
User Comments (0)
About PowerShow.com