csrfVerifyToken does not invalidate the token

coldfusion When you are using csrfGenerateToken and csrfVerifyToken with unique categories, the generated token remains valid until another token is generated with the forceNew argument set to true.

Firefox 3.5 Introduces Origin Header, Security Features

web Firefox 3.5 was just released about a half hour ago. You can check out all the new features for web developers here.

For me, as someone who does a lot of security research, one of the most interesting new features is the Origin HTTP header that Firefox 3.5 now sends.

Announcing Web Application Firewall for ColdFusion

coldfusion I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc.) and then logs, filters, or blocks the request.

The Dangers of Flash's crossdomain.xml

web PHP security guru Chris Shiflett has a great post about the dangers of Cross Domain Flash. If you have implemented a crossdomain.xml file you will want to read his post.

If you have a crossdomain.

MySpace Hacked with CSRF and XSS

web It seems that someone recently hacked myspace.com, the ColdFusion-powered community site with millions of users.

Cross Site Request Forgery (CSRF) Attacks

web I found a site that has some good security tips for web developers. It mentions one type of attack that doesn't get much attention, called Cross Site Request Forgery (CSRF).
