Announcing Web Application Firewall for ColdFusion
I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc) and then logs, filters, or blocks the request.
The firewall is written in CFML so you can easily use it with existing ColdFusion applications by including the firewall with a
CFINCLUDE in your
Application.cfm. You can also write your own filter by creating a CFC and adding it to the configuration.
There is still more work to be done on this product, but it should be ready "soon". If you are interested in beta testing please contact me. In addition, be sure to add your email address here for release date notification.
Update: the Web Application Firewall for ColdFusion has been released!
Like this? Follow me ↯Tweet Follow @pfreitag
Announcing Web Application Firewall for ColdFusion was first published on July 09, 2007.
If you like reading about security, firewall, coldfusion, csrf, xss, sql injection, vulnerabilities, or secure then you might also like:
- Web Application Vulnerabilities trump Buffer Overflows
- J2EE Sessions in CF10 Uses Secure Cookies
- Adobe eSeminar on FuseGuard
- Path Traversal Vulnerability Security Hotfix for ColdFusion Released
- Using AntiSamy with ColdFusion
- FuseGuard Released - Protects your ColdFusion Apps
- Risks of FCKeditor Vulnerability in ColdFusion 8
- Devnet Article on Securing CF From SQL Injection
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.
The weekly newsletter for the CFML Community
It gives your ColdFusion applications the ability to communicate with the firewall directly. This might be handy for instance if you have determined in your own code that an IP is malicious, you could very easily add that to a temp block list at runtime. So you can have a dynamically configured firewall.
Also I think the biggest advantage is that it makes it really easy to install, you don't need administrator access to install it (like you would with mod_security), so it could be used on shared hosts, etc.
Another advantage is that you can write your rules in CFML, which is nice!
So I think mod_security has its place, and it's a great product. I think this product may meet the needs of a different group of people. I would say - use both if you can.
If you need a beta tester for an intranet (cfmx 7), I would like to test your software.
Is the web application firewall ready for beta? I was going to write something to prevent SQL injection, but if you the ready, I would like to test it.
That said, as others have noted, there are solutions that are generic (usually specific to a given web server). I list several of them at http://cf411.com/#sqlinject_wfw
I've also added a link to your tool, Pete. Hope it works out well for you.