pf » Tag: security on Pete Freitag's Blog
November 16, 2007
Hash those Passwords
Spry recently had an embarrassing security breach, in which several email addresses and passwords were stolen.To start with it appears that the breach was made through some malware/spyware installed on an employee's office computer.
July 31, 2007
ColdFusion 8 Security Whitepaper
Adobe has published a whitepaper called: ColdFusion 8 Product Security Briefing, which outlines the results of an independent security audit from Information Risk Management Plc.
July 19, 2007
Firefox Now Supports HttpOnly Cookies
You may be surprised to learn that Microsoft Internet Explorer has supported a a security feature called HttpOnly cookies since IE 6 SP1.Firefox 2.0.0.5, which was released just the other day, now supports it.
July 09, 2007
ColdFusion Security Presentation Slides
I want to thank everyone who attended my sessions at CFUnited this year. I was particularly amazed by the turnout for Building Secure CFML Applications. Here are the slides for the presentation.
July 09, 2007
Announcing Web Application Firewall for ColdFusion
I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc) and then logs, filters, or blocks the request.
July 09, 2007
Web Application Security Blog Aggregator
Christian Matthies has recently setup an aggregator for web application security related blogs called Planet Web Security. Highly recommended for staying on top of the latest web application security threats and exploits.
May 29, 2007
CFPARAM for Simple String Validation
With the addition of a dozen new type values for the cfparam tag in ColdFusion 7, it has become a handy tool for validation.I have a little trick for those of you who are using earlier versions of ColdFusion that don't support the new types for validation.
November 02, 2006
The Dangers of Flash's crossdomain.xml
PHP security guru Chris Shiflett has a great post about the dangers of Cross Domain Flash. If you have implemented a crossdomain.xml file you will want to read his post.If you have a crossdomain.
November 02, 2006
Web Application Vulnerabilities trump Buffer Overflows
This should be an eye opener to many. In September Mitre reported that web application vulnerabilities are claiming the top three spots on their CVE request list, beating out Buffer Overflows.Cross Site Scripting (21.5%)SQL Injection (14%)PHP includes (9.5%)Buffer overflows (7.
June 30, 2006
Web Application Security Cheat Sheet
SecGuru has posted a cheat sheet for Web Application Security. There is also an earlier version of the cheat sheet as well.This is a handy reference, but it is good to keep in mind that no book, or article about security is ever exaustive or conclusive.
June 28, 2006
Secure Browsing Mode
Ivan Ristic has posted a proposal on his blog called: Secure Browsing Mode [PDF].In the document Ivan lists some of the possible effects of his proposal:
Eliminate Cross-Site Request Forgery.
Eliminate off-domain information leakage.
June 10, 2006
Amazon CTO on Security
Credit card information should be kept in a physical secure location separate from your other servers with armed guards in front of it (I am not kidding)...
May 17, 2006
Web Form Security and the Middle Man
May 02, 2006
How To Scream Unsecured
I was considering purchasing something from a foreign site today (I'm not going to name names), but then I noticed this link on the order form page:I'm speechless!
April 21, 2006
How to Break Web Software
There is a good presentation on Google Video called How To Break Web Software - A look at security vulnerabilities in web software given by Mike Andrews to Google staff. Mike's book also happens to be called How to break web software.
January 27, 2006
Secure Forms
Chris Shiflett, the author of Essential PHP Security posted a cool idea on his blog about secure forms. His idea was to have browsers show visually that a form action is secure (going to a HTTPS page). A good idea, I hope to see that implemented.
December 06, 2005
Howto Disable the Server Header in IIS
Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article.
December 06, 2005
20 ways to Secure your Apache Configuration
Here are 20 things you can do to make your apache configuration more secure.Disclaimer: The thing about security is that there are no guarantees or absolutes.
November 23, 2005
Top 20 Internet Security Vulnerabilities of 2005
SANS has published a list of the top 20 internet security vulnerabilities of 2005. The list is not however cumulative, it features security vulnerabilities that have been the most prevalent within the past year and a half.
October 13, 2005
MySpace Hacked with CSRF and XSS
It seams that someone recently hacked myspace.com, the ColdFusion powered community site with millions of users.
October 07, 2005
Turn off autocomplete for credit card input
Memo to web developers building sites that accept credit card numbers:Always, always set autocomplete="off" in the input tag.
September 09, 2005
RDS Security Problems?
Erki Esken posted a comment on Ben Forta's blog asking if the source to the RDS plugin for Eclipse would be released. Forta's response was:"But, my gut feel is that it would not be a good idea to fully expose the source for RDS as that may create potential security problems.
August 29, 2005
Portable Web Application Firewall Rule Format
Ivan Ristic, the author of Apache Security, and the mod_security Apache module, and Java Filter, is trying to create a spec called the Portable Web Application Firewall Rule Format.
July 25, 2005
ServerTokens Prod, ServerSignature Off
I tend to forget the syntax every time, but one of the first things I do when I setup an Apache web server is add/edit these two directive in my httpd.
July 19, 2005
Oracle Critical Updates
Oracle has released a critical patch update for several of its products, (database server, enterprise manager, application server, e-business suite, workflow, forms, reports, JInitiator, developer suite, and express server).
June 13, 2005
Free Chapters in Apache Security
Ivan has made two chapters from his book Apache Security available for download. He just released the chapter on secure php configuration, and the chapter on installation and configuration was previously made available.
June 10, 2005
HTTP Request Smuggling (HRS)
WatchFire has released a white paper on HTTP Request Smuggling - a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls).What is HTTP Request Smuggling?
HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices.
May 18, 2005
Detecting SQL Injection with ScriptProtect
It occurred to me this morning that ScriptProtect can be a handy feature for globally protecting against SQL Injection AttacksDISCLAIMER - just like its inability to protect against all forms of XSS attacks this solution may not protect you from all SQL Injection attacks.
May 17, 2005
ScriptProtect in ColdFusion MX 7 not a catch all
ColdFusion MX 7 has a new feature that lets you "lets you protect one or more variable scopes from cross site scripting (XSS) attacks". It can be turned on in the cfapplication tag using the scriptProtect attribute, or in the ColdFusion Administrator as a global setting.
May 11, 2005
Cross Site Request Forgery (CSRF) Attacks
I found a site that has some good security tips for web developers. It mentions one type of attack that doesn't get much attention - called Cross Site Request Forgery (CSRF).
April 27, 2005
Please do not go to this website!
Via Loose Wire - Someone has registered the domain googkle.com, the site attempts to install spyware, viruses, etc.
February 17, 2005
Apache mod_rewrite URLs Also Provide Validation
I Realized something when using Apache mod_rewrite for search engine safe url's, they also provide input type validation. I can use mod_rewrite to ensure that only integers are passed in my url in the id.For example, on my site macread I use url's like: http://macread.
August 18, 2003
Real World Linux Security
I read part of Real World Linux Security this weekend. It's a very detailed book that covers a wide range of security topics, from an author with lots of security experience.
Subscribe to my RSS Feed:
RSS
RSS
Pete Freitag is a software engineer, and web developer located in




