Tag: security on Pete Freitag's Blog

Hash those Passwords

Spry recently had an embarrassing security breach, in which several email addresses and passwords were stolen.

To start with it appears that the breach was made through some malware/spyware installed on an employee's office computer.

ColdFusion 8 Security Whitepaper

Adobe has published a whitepaper called ColdFusion 8 Product Security Briefing, which outlines the results of an independent security audit from Information Risk Management Plc.

Firefox Now Supports HttpOnly Cookies

You may be surprised to learn that Microsoft Internet Explorer has supported a security feature called HttpOnly cookies since IE 6 SP1.

Firefox 2.0.0.5, which was released just the other day, now supports it.

ColdFusion Security Presentation Slides

I want to thank everyone who attended my sessions at CFUnited this year. I was particularly amazed by the turnout for Building Secure CFML Applications. Here are the slides for the presentation.

Announcing Web Application Firewall for ColdFusion

I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc.) and then logs, filters, or blocks the request.

Web Application Security Blog Aggregator

Christian Matthies has recently set up an aggregator for web application security related blogs called Planet Web Security. Highly recommended for staying on top of the latest web application security threats and exploits.

CFPARAM for Simple String Validation

With the addition of a dozen new type values for the cfparam tag in ColdFusion 7, it has become a handy tool for validation.

I have a little trick for those of you who are using earlier versions of ColdFusion that don't support the new types for validation.

The Dangers of Flash's crossdomain.xml

PHP security guru Chris Shiflett has a great post about the dangers of Cross Domain Flash. If you have implemented a crossdomain.xml file you will want to read his post.

If you have a crossdomain.

Web Application Vulnerabilities trump Buffer Overflows

This should be an eye-opener to many. In September MITRE reported that web application vulnerabilities are claiming the top three spots on their CVE request list, beating out Buffer Overflows.

Cross Site Scripting (21.5%)

SQL Injection (14%)

PHP includes (9.5%)

Buffer overflows (7.

Web Application Security Cheat Sheet

SecGuru has posted a cheat sheet for Web Application Security. There is also an earlier version of the cheat sheet.

This is a handy reference, but it is good to keep in mind that no book or article about security is ever exhaustive or conclusive.

Secure Browsing Mode

Ivan Ristic has posted a proposal on his blog called Secure Browsing Mode [PDF].

In the document Ivan lists some of the possible effects of his proposal:

Eliminate Cross-Site Request Forgery.

Eliminate off-domain information leakage.

Amazon CTO on Security

"Credit card information should be kept in a physical secure location separate from your other servers with armed guards in front of it (I am not kidding)..."

Web Form Security and the Middle Man

A friend of mine, Matt Finn, was telling me about a security issue he realized recently.

How To Scream Unsecured

I was considering purchasing something from a foreign site today (I'm not going to name names), but then I noticed this link on the order form page:

I'm speechless!

How to Break Web Software

There is a good presentation on Google Video called How To Break Web Software - A look at security vulnerabilities in web software, given by Mike Andrews to Google staff. Mike's book also happens to be called How to Break Web Software.

Secure Forms

Chris Shiflett, the author of Essential PHP Security, posted a cool idea on his blog about secure forms. His idea was to have browsers show visually that a form action is secure (going to an HTTPS page). A good idea; I hope to see it implemented.

Howto Disable the Server Header in IIS

Steven Erat just pointed me to a technote from Macromedia/Adobe called Configuring ColdFusion MX 7 Server Security, in the comments of my securing Apache config article.

20 ways to Secure your Apache Configuration

Here are 20 things you can do to make your Apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes.

Top 20 Internet Security Vulnerabilities of 2005

SANS has published a list of the top 20 internet security vulnerabilities of 2005. The list is not, however, cumulative; it features the security vulnerabilities that have been the most prevalent within the past year and a half.

MySpace Hacked with CSRF and XSS

It seems that someone recently hacked myspace.com, the ColdFusion powered community site with millions of users.

Turn off autocomplete for credit card input

Memo to web developers building sites that accept credit card numbers:

Always, always set autocomplete="off" in the input tag.

RDS Security Problems?

Erki Esken posted a comment on Ben Forta's blog asking if the source to the RDS plugin for Eclipse would be released. Forta's response was:

"But, my gut feel is that it would not be a good idea to fully expose the source for RDS as that may create potential security problems.

Portable Web Application Firewall Rule Format

Ivan Ristic, the author of Apache Security, the mod_security Apache module, and Java Filter, is trying to create a spec called the Portable Web Application Firewall Rule Format.

ServerTokens Prod, ServerSignature Off

I tend to forget the syntax every time, but one of the first things I do when I set up an Apache web server is add/edit these two directives in my httpd.

Oracle Critical Updates

Oracle has released a critical patch update for several of its products (database server, enterprise manager, application server, e-business suite, workflow, forms, reports, JInitiator, developer suite, and express server).

Free Chapters in Apache Security

Ivan has made two chapters from his book Apache Security available for download. He just released the chapter on secure PHP configuration, and the chapter on installation and configuration was previously made available.

HTTP Request Smuggling (HRS)

WatchFire has released a white paper on HTTP Request Smuggling - a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls).

What is HTTP Request Smuggling?

HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices.

Detecting SQL Injection with ScriptProtect

It occurred to me this morning that ScriptProtect can be a handy feature for globally protecting against SQL Injection attacks.

DISCLAIMER - just like its inability to protect against all forms of XSS attacks this solution may not protect you from all SQL Injection attacks.

ScriptProtect in ColdFusion MX 7 not a catch all

ColdFusion MX 7 has a new feature that "lets you protect one or more variable scopes from cross site scripting (XSS) attacks". It can be turned on in the cfapplication tag using the scriptProtect attribute, or in the ColdFusion Administrator as a global setting.

Cross Site Request Forgery (CSRF) Attacks

I found a site that has some good security tips for web developers. It mentions one type of attack that doesn't get much attention, called Cross Site Request Forgery (CSRF).

Please do not go to this website!

Via Loose Wire - Someone has registered the domain googkle.com; the site attempts to install spyware, viruses, etc.

Apache mod_rewrite URLs Also Provide Validation

I realized something when using Apache mod_rewrite for search-engine-safe URLs: they also provide input type validation. I can use mod_rewrite to ensure that only integers are passed in the id parameter of my URLs.

For example, on my site macread I use URLs like: http://macread.

Real World Linux Security

I read part of Real World Linux Security this weekend. It's a very detailed book that covers a wide range of security topics, from an author with lots of security experience.