pf » Announcing Web Application Firewall for ColdFusion

July 09, 2007

Announcing Web Application Firewall for ColdFusion

I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc) and then logs, filters, or blocks the request.

The firewall is written in CFML so you can easily use it with existing ColdFusion applications by including the firewall with a CFINCLUDE in your Application.cfm. You can also write your own filter by creating a CFC and adding it to the configuration.

There is still more work to be done on this product, but it should be ready "soon". If you are interested in beta testing please contact me. In addition, be sure to add your email address here for release date notification.

Update: the Web Application Firewall for ColdFusion has been released!

Permalink | Add Comment |

add to del.icio.us | Tags: security, firewall, coldfusion, csrf, xss, sql injection, vulnerabilities, secure

Related Entries

Web Application Vulnerabilities trump Buffer Overflows - November 2, 2006
Devnet Article on Securing CF From SQL Injection - April 9, 2009
Mastering CFQUERYPARAM - July 24, 2008
CFPARAM for Simple String Validation - May 29, 2007
How to Break Web Software - April 21, 2006

3 people found this page useful, what do you think?

Trackbacks

Trackback Address: 640/1B198E36CC0321FD51BBF73A09166C1B

Comments

On 07/09/2007 at 3:26:08 PM MDT Raymond Camden wrote:

I'd like to beta test (and review on the blog too).

On 07/09/2007 at 5:36:34 PM MDT Ed wrote:

I would like to be in the beta too.

On 07/10/2007 at 9:15:37 AM MDT Pete Freitag wrote:

Sure, I will contact you guys when I have the beta ready.

On 07/10/2007 at 12:13:02 PM MDT Brian wrote:

Pete - why would you use this over something like mod_security (assuming you have Apache)? Have you seen the rulesets maintained by the gotroot.com guys? It's a lot of serious work to stay up on top of things (depending on your scope).

On 07/10/2007 at 12:54:51 PM MDT Pete Freitag wrote:

Brian - I see some advantages to having the web application firewall run from within the ColdFusion web application, rather than in an outside layer.

It gives your ColdFusion applications the ability to communicate with the firewall directly. This might be handy for instance if you have determined in your own code that an IP is malicious, you could very easily add that to a temp block list at runtime. So you can have a dynamically configured firewall.

Also I think the biggest advantage is that it makes it really easy to install, you don't need administrator access to install it (like you would with mod_security), so it could be used on shared hosts, etc.

Another advantage is that you can write your rules in CFML, which is nice!

So I think mod_security has its place, and it's a great product. I think this product may meet the needs of a different group of people. I would say - use both if you can.

On 07/11/2007 at 9:15:53 AM MDT Bash (Bryan) wrote:

I'd be very interested in beta testing this product.

On 07/17/2007 at 7:27:14 PM MDT Gary Funk wrote:

Is this really a firewall or does it only see requests that come over port 80?

On 07/30/2007 at 8:02:09 AM MDT Pete Freitag wrote:

Gary it is a web application firewall for ColdFusion, so it only sees requests that are destined for your ColdFusion Application. So if your web app is running on port 80, then yes it will inspect those, if it's 443 then it will inspect those.

On 08/01/2007 at 6:53:53 AM MDT Patrick Whittingham wrote:

Pete -

If you need a beta tester for an intranet (cfmx 7), I would like to test your software.

On 10/17/2007 at 1:00:06 PM MDT Sumit Verma wrote:

Hi Pete,

Is the web application firewall ready for beta? I was going to write something to prevent SQL injection, but if you the ready, I would like to test it.

Thanks, Sumit

On 12/10/2007 at 11:33:09 PM MST big al wrote:

Bump... Any updates on when this product or beta might be available?

On 09/13/2008 at 8:14:14 PM MDT Charlie Arehart wrote:

Any news on the firewall, Pete? It's needed now as much as ever. :-)

That said, as others have noted, there are solutions that are generic (usually specific to a given web server). I list several of them at http://cf411.com/#sqlinject_wfw

I've also added a link to your tool, Pete. Hope it works out well for you.

On 04/02/2009 at 8:22:19 AM MST Pete Freitag wrote:

Just posting a comment to let everyone know that the product is now on sale: http://foundeo.com/security/