Pete Freitag Pete Freitag

Web Application Firewall for ColdFusion Launched

Published on March 26, 2009
By Pete Freitag

I'm excited to announce today the launch of Foundeo's latest product: the Foundeo Web Application Firewall for ColdFusion. The product can block or log malicious requests to your ColdFusion applications. Including things like:

  • Cross Site Scripting / XSS
  • SQL Injection
  • Session Hijacking
  • Cross Site Request Forgery
  • CRLF Injection
  • Path Traversal Attacks
  • Password Dictionary Attacks

I think it is also important to address what this product is not. It is not a magic filter that can catch every possible hack attempt on your web applications. All you need is one security hole for a hacker to be successful. I want to make it very clear that this product should not be a substitute for secure coding practices. Infact we actually giving away a copy of our CFML Security Checklist with each copy the firewall we sell.

Because this product is written in CFML, there are some unique advantages, such as:

  • You can use it on most Shared Hosting Accounts
  • You can write your own custom Filters in CFML
  • You can interact with the firewall directly from within your ColdFusion web applications.
  • Configuration is done with CFML, no need to learn a new configuration language.

Twitter Contest - Win a Free Copy

We are also holding a twitter contest. Follow @foundeo on twitter by 4/1/09 for a chance to win. The winner will be picked randomly from all @foundeo followers on 4/1/09.

security firewall waf foundeo

Web Application Firewall for ColdFusion Launched was first published on March 26, 2009.

If you like reading about security, firewall, waf, or foundeo then you might also like:


The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.

Try Fixinator

The weekly newsletter for the CFML Community


Has this been tested against any of the services that perform PCI testing? Does it rewrite and convert all "domain" cookies to "host" cookies? How much overhead does it add? And finally, why does the enterprise version cost almost 4xs more than a Sonicwall Firewall appliance?
by James Moberg on 03/31/2009 at 5:39:26 PM UTC
@James - Yes it has been tested with services that perform PCI scans. We don't have any results to publish, but I think it fairs pretty well.

We don't have any It does not rewrite any cookies, it doesn't alter the request at all out of the box, but you could write filters that do that.

And the pricing on our enterprise version is actually much less than other WAF's, which can cost 10's of thousands of dollars. Also I don't think the Sonicwall appliance is a Web Application Firewall, but rather a more traditional network firewall.

Thank you for your interest.
by Pete Freitag on 04/01/2009 at 1:45:25 PM UTC
(PCI) I'll test it out of the box and let you know the results.

(no cookie rewrite) Good. Portcullis destroyed all domain level cookies and I had to quit protecting cookies as a result.

(Pricing) I googled WAF and found "Woman Acceptance Factor" [grin]... but the first 2 results for "web application framework" were 2 open source solutions, OWASP and ModSecurity. I don't know too much about their offerings yet, but is there any additional information available concerning CWAF apart from the single page of information? I'd like to learn more, but don't want to have to think about which questions to ask or spend too much time contrasting and comparing it with other products.

by James Moberg on 04/01/2009 at 2:38:20 PM UTC
@James - Sorry, WAF stands for Web Application Firewall. What sets a WAF apart from other firewalls is that they can detect attacks against your web application code. Things like SQL Injection, Cross Site Scripting, etc. They understand the HTTP protocol, whereas a network firewall may not know HTTP, only TCP/IP, ICMP, etc.

I will admit the product page is still a bit sparse, but if you request an evaluation you can learn more about our product from the documentation. Also feel free to contact foundeo: with any questions you might have.
by Pete Freitag on 04/01/2009 at 2:54:47 PM UTC
@David - I think there are some unique advantages to having this protection in the same layer as your application. You can interact with and invalidate the session, your application can communicate directly with the firewall, developers can write rules in the same language they use to write their applications, etc. There are certainly advantages to having a hardware front, or proxy front as well, I think this product has a niche.

One of the big differences is that our Firewall can be added and configured to the application by the developer. Setting up a proxy mod_security would have to be done by the systems and network administrator, who probably has much less knowledge of how the application actually works. In my opinion a WAF is best configured when it is done with a deep understanding of the web application it is protecting.

Also in many cases (most notably on shared hosts) you may not be able to external software or hardware. If you can run CFML you can use our firewall.

One final use case is blocking password dictionary attacks. Most WAF's can do this by seeing lots of password requests come in, but only the web application knows if it is an invalid username, or an invalid password. If someone is trying lots of invalid usernames you could provide a more aggressive blocking strategy. Sending this message from your CFML application to an external WAF can be difficult, sending a message to our WAF from your application is very easy.

All that being said this product is not a golden hammer, you need to pick the best tool for your needs.
by Pete Freitag on 04/06/2009 at 11:15:57 AM UTC
@David - Resource consumption depends on how it is configured, and server hardware. I would recommend downloading the evaluation, and giving it a spin in your environment. In general I think the resource consumption is low enough for there to be no noticeable difference, but it's best to just see for yourself.
by Pete Freitag on 04/07/2009 at 7:06:28 AM UTC
sir ! can you send me a evaluation version of FuseGuard 2.0?
by jack.lee on 11/06/2010 at 11:58:10 PM UTC
@Jack - You can download the evaluation copy here:
by Pete Freitag on 11/08/2010 at 11:25:01 AM UTC