February 16, 2010
Request Filtering in IIS 7 Howto
I've been doing some security work in Windows 2008 recently for a client; one feature I've really come to like in IIS 7 is Request Filtering. You can configure Request Filtering at the server-wide level, and then override or enhance the filtering at a site / application level.
February 04, 2010
Hands on ColdFusion Security Training
One of the best ways to really learn about something is to roll up your sleeves and get your hands dirty. This is especially true for learning about security; it can be difficult to fully understand how attacks work by just reading about them.
January 29, 2010
ColdFusion 9 Solr Vulnerability - Are you at Risk?
Adobe just released a security bulletin APSB10-04 for ColdFusion 9. If you have the Solr Search Service running on a ColdFusion 9 server it binds the Solr Web Service to port 8983 on all IP addresses. Adobe has also released a Technote describing how to fix the issue.
December 10, 2009
CFLogin Security Considerations
If you use the cflogin tag to manage authentication you should consider setting loginstorage="session" in your Application.cfc or Application.cfm file for better security.
November 18, 2009
How to Get a Green SSL Certificate
Just as SSL Certificates were starting to become really inexpensive, they figured out a way to start charging more money again.
November 17, 2009
Slides for NYCFUG Security Presentation
Here are the slides for my Writing Secure CFML presentation given to the New York City ColdFusion Users Group November 10th, 2009. Enjoy.
November 12, 2009
FuseGuard Released - Protects your ColdFusion Apps
I am happy to announce today the release of FuseGuard Web Application Firewall for ColdFusion! FuseGuard 2.
November 10, 2009
Speaking at NYCFUG Tonight - Writing Secure CFML
I will be speaking at the New York City ColdFusion Users Group meeting tonight at 6:30pm on Writing Secure CFML. We will discuss several web application vulnerabilities that ColdFusion developers need to be aware of, and how to prevent them from being exploited in your Web Applications.
October 23, 2009
Howto Require SSL for ColdFusion Administrator
A good security practice is to require SSL for ColdFusion Administrator access (an even better practice is to limit access to localhost). This should take less than five minutes on either Apache or IIS.
October 22, 2009
You May Need to Reapply CF Security Hotfix CVE-2009-1877
Back in August Adobe released a series of ColdFusion security Hotfixes in security bulletin APSB09-12. One of the vulnerabilities that was supposed to be fixed was a Cross Site Scripting vulnerability that I found and reported to Adobe, known as CVE-2009-1877.
October 21, 2009
ColdFusion Server Security Scanner
My company Foundeo Inc. released a new free web service today called HackMyCF that allows you to scan your ColdFusion server to detect the absence of recent ColdFusion security hotfixes as well as other security problems.
October 20, 2009
Prefix Serialized JSON in ColdFusion
When ColdFusion 8 added the ability to return data from remote functions formatted with JSON they also added some settings that allow you to put a prefix on the JSON string.
October 15, 2009
FCKeditor Access Denied
I have a client using the standalone FCKeditor on his server (not the one in /CFIDE/, it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's built-in FCKeditor, the file manager for uploading and inserting images stopped working.
October 08, 2009
IIS: Disabling Weak SSL Protocols and Ciphers
It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards. Requirement 4.
September 30, 2009
Using Railo, Secure The railo-context
If you are using Railo you will want to make sure you have locked down the URI /railo-context/ - this is Railo's equivalent to ColdFusion's /CFIDE/ directory. It contains the Railo Administrator, as well as some other supporting files and mappings.
August 20, 2009
ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only
There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12. Whether or not this hotfix is required on IIS has been a question posed by many.
August 18, 2009
ColdFusion Security Hotfixes Released
Adobe posted several critical hotfixes for ColdFusion and JRun yesterday in Security Bulletin APSB09-12. I discovered one of the XSS vulnerabilities, and I will post details about it soon. In the meantime, please patch your servers.
August 06, 2009
Security Tradeoffs
I've said it before: tradeoffs pop up in programming all the time. They are often difficult decisions, with no easy answer, and we often make the wrong decision.
July 08, 2009
Hotfix for CF8 FCKeditor Vulnerability Released
Adobe has just released a security hotfix for the FCKeditor vulnerability in ColdFusion 8. Also of note, Adobe's Terry Ryan posted a blog entry today detailing How to report a ColdFusion Security Issue to Adobe.
July 06, 2009
Hardening ColdFusion - cfObjective 2009 Presentation Slides
July 06, 2009
Risks of FCKeditor Vulnerability in CF8
I've had a chance to look at the FCKeditor code a little bit in order to determine what the risks actually are of this vulnerability.
July 03, 2009
ColdFusion 8 FCKeditor Vulnerability
There have been a few stories about a vulnerability in FCKeditor that is bundled with ColdFusion 8, first on SANS and now on The Register. The FCKeditor ColdFusion connector isn't enabled on all CF installations, I think if you installed a fresh 8.0.
June 30, 2009
Firefox 3.5 Introduces Origin Header, Security Features
Firefox 3.5 was just released about a half hour ago. You can check out all the new features for web developers here. For me, as someone that does a lot of security research, one of the most interesting new features is the Origin HTTP header that Firefox 3.5 now sends.
June 24, 2009
Tips for Secure File Uploads with ColdFusion
Allowing someone to upload a file on to your web server is a common requirement, but also a very risky operation. So here are some tips to help make this process more secure.
Don't rely on cffile accept attribute
The accept attribute gives a terrible false sense of security.
April 09, 2009
Devnet Article on Securing CF From SQL Injection
I was just reading through this article on Adobe Devnet titled Secure your ColdFusion application against SQL injection attacks, and I have a few issues with the article.
March 26, 2009
Web Application Firewall for ColdFusion Launched
I'm excited to announce today the launch of Foundeo's latest product: the Foundeo Web Application Firewall for ColdFusion. The product can block or log malicious requests to your ColdFusion applications.
July 24, 2008
Mastering CFQUERYPARAM
If you haven't been using the cfqueryparam tag, chances are you had a baptism by fire this week. As you may have heard, lots of ColdFusion powered sites were targeted by hackers using SQL Injection this week.
November 16, 2007
Hash those Passwords
Spry recently had an embarrassing security breach, in which several email addresses and passwords were stolen. To start with, it appears that the breach was made through some malware/spyware installed on an employee's office computer.
July 31, 2007
ColdFusion 8 Security Whitepaper
Adobe has published a whitepaper called: ColdFusion 8 Product Security Briefing, which outlines the results of an independent security audit from Information Risk Management Plc.
July 19, 2007
Firefox Now Supports HttpOnly Cookies
You may be surprised to learn that Microsoft Internet Explorer has supported a security feature called HttpOnly cookies since IE 6 SP1. Firefox 2.0.0.5, which was released just the other day, now supports it.
July 09, 2007
ColdFusion Security Presentation Slides
I want to thank everyone who attended my sessions at CFUnited this year. I was particularly amazed by the turnout for Building Secure CFML Applications. Here are the slides for the presentation.
July 09, 2007
Announcing Web Application Firewall for ColdFusion
I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc) and then logs, filters, or blocks the request.
July 09, 2007
Web Application Security Blog Aggregator
Christian Matthies has recently set up an aggregator for web application security related blogs called Planet Web Security. Highly recommended for staying on top of the latest web application security threats and exploits.
May 29, 2007
CFPARAM for Simple String Validation
With the addition of a dozen new type values for the cfparam tag in ColdFusion 7, it has become a handy tool for validation. I have a little trick for those of you who are using earlier versions of ColdFusion that don't support the new types for validation.
November 02, 2006
The Dangers of Flash's crossdomain.xml
PHP security guru Chris Shiflett has a great post about the dangers of Cross Domain Flash. If you have implemented a crossdomain.xml file you will want to read his post. If you have a crossdomain.
November 02, 2006
Web Application Vulnerabilities trump Buffer Overflows
This should be an eye opener to many. In September Mitre reported that web application vulnerabilities are claiming the top three spots on their CVE request list, beating out Buffer Overflows.
Cross Site Scripting (21.5%)
SQL Injection (14%)
PHP includes (9.5%)
Buffer overflows (7.
June 30, 2006
Web Application Security Cheat Sheet
SecGuru has posted a cheat sheet for Web Application Security. There is also an earlier version of the cheat sheet as well. This is a handy reference, but it is good to keep in mind that no book or article about security is ever exhaustive or conclusive.
June 28, 2006
Secure Browsing Mode
Ivan Ristic has posted a proposal on his blog called: Secure Browsing Mode [PDF]. In the document Ivan lists some of the possible effects of his proposal:
Eliminate Cross-Site Request Forgery.
Eliminate off-domain information leakage.
June 10, 2006
Amazon CTO on Security
Credit card information should be kept in a physical secure location separate from your other servers with armed guards in front of it (I am not kidding)...
May 17, 2006
Web Form Security and the Middle Man
May 02, 2006
How To Scream Unsecured
I was considering purchasing something from a foreign site today (I'm not going to name names), but then I noticed this link on the order form page: I'm speechless!
April 21, 2006
How to Break Web Software
There is a good presentation on Google Video called How To Break Web Software - A look at security vulnerabilities in web software given by Mike Andrews to Google staff. Mike's book also happens to be called How to break web software.
January 27, 2006
Secure Forms
Chris Shiflett, the author of Essential PHP Security, posted a cool idea on his blog about secure forms. His idea was to have browsers show visually that a form action is secure (going to an HTTPS page). A good idea; I hope to see it implemented.
December 06, 2005
Howto Disable the Server Header in IIS
Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article.
December 06, 2005
20 ways to Secure your Apache Configuration
Here are 20 things you can do to make your Apache configuration more secure. Disclaimer: The thing about security is that there are no guarantees or absolutes.
November 23, 2005
Top 20 Internet Security Vulnerabilities of 2005
SANS has published a list of the top 20 internet security vulnerabilities of 2005. The list is not, however, cumulative; it features the security vulnerabilities that have been the most prevalent within the past year and a half.
October 13, 2005
MySpace Hacked with CSRF and XSS
It seems that someone recently hacked myspace.com, the ColdFusion powered community site with millions of users.
October 07, 2005
Turn off autocomplete for credit card input
Memo to web developers building sites that accept credit card numbers: Always, always set autocomplete="off" in the input tag.
September 09, 2005
RDS Security Problems?
Erki Esken posted a comment on Ben Forta's blog asking if the source to the RDS plugin for Eclipse would be released. Forta's response was: "But, my gut feel is that it would not be a good idea to fully expose the source for RDS as that may create potential security problems.
August 29, 2005
Portable Web Application Firewall Rule Format
Ivan Ristic, the author of Apache Security, the mod_security Apache module, and Java Filter, is trying to create a spec called the Portable Web Application Firewall Rule Format.
July 25, 2005
ServerTokens Prod, ServerSignature Off
I tend to forget the syntax every time, but one of the first things I do when I set up an Apache web server is add/edit these two directives in my httpd.
July 19, 2005
Oracle Critical Updates
Oracle has released a critical patch update for several of its products (database server, enterprise manager, application server, e-business suite, workflow, forms, reports, JInitiator, developer suite, and express server).
June 13, 2005
Free Chapters in Apache Security
Ivan has made two chapters from his book Apache Security available for download. He just released the chapter on secure PHP configuration, and the chapter on installation and configuration was previously made available.
June 10, 2005
HTTP Request Smuggling (HRS)
WatchFire has released a white paper on HTTP Request Smuggling - a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls). What is HTTP Request Smuggling?
HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices.
May 18, 2005
Detecting SQL Injection with ScriptProtect
It occurred to me this morning that ScriptProtect can be a handy feature for globally catching a few forms of SQL Injection attacks. WARNING - just like its inability to protect against all forms of XSS attacks, this solution DOES NOT protect you from all SQL Injection attacks.
May 17, 2005
ScriptProtect in ColdFusion MX 7 not a catch all
ColdFusion MX 7 has a new feature that "lets you protect one or more variable scopes from cross site scripting (XSS) attacks". It can be turned on in the cfapplication tag using the scriptProtect attribute, or in the ColdFusion Administrator as a global setting.
May 11, 2005
Cross Site Request Forgery (CSRF) Attacks
I found a site that has some good security tips for web developers. It mentions one type of attack that doesn't get much attention - called Cross Site Request Forgery (CSRF).
April 27, 2005
Please do not go to this website!
Via Loose Wire - Someone has registered the domain googkle.com, the site attempts to install spyware, viruses, etc.
February 17, 2005
Apache mod_rewrite URLs Also Provide Validation
I realized something when using Apache mod_rewrite for search engine safe URLs: they also provide input type validation. I can use mod_rewrite to ensure that only integers are passed in the id in my URL. For example, on my site macread I use URLs like: http://macread.
August 18, 2003
Real World Linux Security
I read part of Real World Linux Security this weekend. It's a very detailed book that covers a wide range of security topics, from an author with lots of security experience.