Fixinator and Foundeo Security Bundle

coldfusion I'm pleased to announce that Fixinator and the Foundeo CFML Continuous Security Bundle are both available to purchase.

csrfVerifyToken does not invalidate the token

coldfusion When you are using csrfGenerateToken and csrfVerifyToken with unique categories, the token that is generated remains valid until another token is generated with the forceNew argument set to true.

Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z

web Have you ever noticed a cookie in Chrome Developer Tools showing an Expires / Max-Age value of 1969-12-31T23:59:59.000Z?

Such a cookie is known as a browser session cookie; it will persist for as long as the browser is open.

SameSite Cookies with IIS

coldfusion java web SameSite cookies are a great technique for mitigating Cross Site Request Forgery attacks. The only downside is that not all browsers support them yet (ahem... looking at you IE).

Announcing FuseGuard Version 3

coldfusion After many hours in development and testing we are proud to announce the release of FuseGuard 3! FuseGuard 3 ships with 11 new filters, 1 new logger and several additional improvements to better protect your CFML applications.

Java Unlimited Strength Crypto Policy for Java 9 or 1.8.0_151

java Starting with Java 1.8.0_151 and 1.8.0_152 there is a new, somewhat easier way to enable the unlimited strength jurisdiction policy for the JVM. Without enabling this you cannot use AES-256, for example.

First download the JRE; I like to use the server-jre for servers.

Java 9 Security Enhancements

java With the General Availability release of Java 9 scheduled for today, I thought it would be appropriate to go over the new features that pertain to security.

Implement HTTP/2 Client

CFSummit 2016 Slides

coldfusion Here are my slides from the Adobe ColdFusion Summit 2016 conference in Las Vegas:

Bulletproof Your ColdFusion Server With The Lockdown Guide - this presentation was an overview of the ColdFusion Lockdown guide and gives some insights and tips.

Securing Legacy CFML - dev.Objective() 2016 Slides

coldfusion Back from another great dev.Objective() conference in Minneapolis. This year Foundeo was a sponsor, and I spoke on Securing Legacy CFML Code. Find the slides here.

HackMyCF Adds SSL/TLS Scanner

coldfusion web I'm pleased to announce a feature of HackMyCF that I've been excited about for a while: SSL / TLS Scanning.

If you stay up to date with security news you know that there have been a large number of vulnerabilities or weaknesses discovered in SSL or TLS protocols and implementations.

Scope Injection in CFML

coldfusion Here is an interesting vulnerability that I have come across several times in real CFML code during code reviews. I have spoken about it at conferences but have never written about it. Since it doesn't really have a name, I call it Scope Injection; you'll see why in a minute.

Apache Security Patches on CentOS / RHEL

web Those familiar with RedHat Enterprise Linux (RHEL) or CentOS servers may notice that when you update Apache (or most any other package) on a RedHat / CentOS based server, it still reports the same version number.

FuseGuard 2.4 Released

coldfusion I'm pleased to announce the availability of FuseGuard (Web App Firewall For CFML) version 2.4 today! In addition Ortus Solutions (Luis Majano and the folks behind ColdBox) have also announced Ortus FuseGuard Module - a ColdBox module for FuseGuard.

New HackMyCF Features

coldfusion HackMyCF, my company's ColdFusion (and Railo too) server security scanner was recently updated with some cool new features for our paid subscribers.

Blocking .svn and .git Directories on Apache or IIS

web One of the issues that our HackMyCF ColdFusion Server Scanner checks for is the existence of public .git/ or .svn/ directories. Exposing these directories to the public could lead to information disclosure, such as your server side source code.

Blocking .svn and .

Firefox Aurora now Supports Content Security Policy 1.0

web Today, with the release of Mozilla Firefox Aurora 23, support for Content Security Policy (CSP) using the unprefixed, W3C standard header Content-Security-Policy has landed. Firefox has had experimental support for CSP since Firefox 4, using the header X-Content-Security-Policy.

Writing Secure CFML cfObjective 2013 Slides

coldfusion Here are the slides to my cf.Objective() 2013 presentation Writing Secure CFML, thanks to those who attended. Please stop by the Foundeo Inc. booth and say hi, if you are at the conference.

I will be speaking on Locking Down ColdFusion tomorrow (Friday) at 10:10.

J2EE Sessions in CF10 Uses Secure Cookies

coldfusion This week I helped a client resolve an issue due to a change in behavior from CF9 to CF10. CF10 automatically adds the secure flag to cookies when the request is over a secure HTTPS channel.

Learn about ColdFusion Security at cfObjective 2013

coldfusion For the past two to three months ColdFusion has been increasingly targeted by attackers, as many have found out the hard way. Because my company Foundeo Inc.

Session Loss and Session Fixation in ColdFusion

coldfusion I often find myself explaining how the session fixation security hotfix (APSB11-04) might cause session loss under certain circumstances, so I figured it was time for a blog entry explaining it.

Understanding HashDos and postParameterLimit

coldfusion I received a question today about the postParameterLimit that was added to ColdFusion 8 and 9 by security hotfix APSB12-06 and exists in ColdFusion 10 by default (it is also configurable in the CF10 administrator).

ColdFusion 10 Security Enhancements Presentation

coldfusion I've given a couple of presentations now on the security enhancements in ColdFusion 10. The most recent was today at the Adobe ColdFusion Developer 2012, but I've also given it two other times: for a Carahsoft webinar, and for the Carahsoft ColdFusion 10 Preview event in Washington DC.

Setup ColdFusion 9.0.1 Fully Patched

coldfusion Adobe this week released a security hotfix for the HashDos vulnerability for ColdFusion versions 8.0 through 9.0.1. Today I was setting up a new secure ColdFusion instance for a client, and I thought I'd document the steps needed to go from ColdFusion 9.0 to ColdFusion 9.0.

HashDOS and ColdFusion

coldfusion java Earlier this week at the 28C3 security conference in Berlin researchers presented on a denial of service (DOS) technique that several web application platforms (PHP, ASP.NET, Node.js, Tomcat, Java's HashMap/Hashtable etc) are vulnerable to, known as hashdos.

HackMyCF Updated for APSB11-29 Security Hotfix

coldfusion Adobe released a security hotfix APSB11-29 for ColdFusion 8 and 9 on Tuesday, which fixes two XSS (Cross Site Scripting) vulnerabilities (CVE-2011-2463 and CVE-2011-4368). One vulnerability exists in cfform and the other in RDS.

Adobe eSeminar on FuseGuard

coldfusion Adobe has asked me to do an online e-seminar: Protecting ColdFusion Applications with FuseGuard, Thursday November 3rd at 10am PT / 1pm ET.

If you're curious about FuseGuard and how it works please head over to and register now!

Determining Which Cumulative Hotfixes are Installed on ColdFusion

coldfusion It's not always obvious which cumulative hotfixes are installed on a ColdFusion server. I'm pleased to announce that the paid subscriptions for HackMyCF now let you know which cumulative (non-security) hotfixes you have installed, and which ones you don't.

Adding Two Factor Authentication to ColdFusion Administrator

coldfusion A few months back, while researching two/multi-factor authentication solutions to employ to meet PCI compliance, I came across a somewhat new company called DuoSecurity.

Bug Loading Scripts for CFFileUpload and CFMediaPlayer

coldfusion It has recently come to my attention that there are some hard coded references to /CFIDE/scripts/ in some of the JS files that are used by the new (in CF9) tags CFFileUpload and CFMediaPlayer.

Client Variable Cookie CFGLOBALS Includes Session Ids

coldfusion I was recently conducting a CFML security review for a client and realized that when you have client variables set to use Cookies, the session IDs (e.g. CFID and CFTOKEN) are included in the CFGLOBALS cookie.

Maximum Security CFML - cfObjective Slides

coldfusion What a great conference cf.Objective() was this year! The quality of presentations was really good and I think that is due both to the speakers and the content advisory board led by Bob Silverberg and including Barney Boisvert, Dan Wilson, Emily Christiansen, Jason Dean, Kurt Wiersma, Marc Esher.

ColdFusion Lockdown Series - Multiple Partitions

coldfusion One of the most frequent questions I get about the Adobe ColdFusion 9 Lockdown Whitepaper is:

Why do you suggest using 3 partitions when installing ColdFusion?

ColdFusion's Builtin Enterprise Security API

coldfusion One of the nice side effects to installing the latest ColdFusion security hotfix is that ColdFusion 8 and ColdFusion 9 now both include the jar files for the OWASP ESAPI or Enterprise Security API.

Recent ColdFusion Security Hotfix Updated Today

coldfusion Adobe has updated the security hotfix that was released last month (February 2011) APSB11-04. The technote states that all users should re-apply the hotfix:

Adobe has received a few issues with the Security Hot fix released on February 8, 2011.

Java 1.6.0_24 Released Patches DOS Vulnerability

java As mentioned last week, a pretty serious Denial Of Service vulnerability in the Java Virtual Machine was disclosed. It is important that you look into resolving this issue if you run any Java-based server side applications (including ColdFusion).

Yesterday Oracle released Java 1.6.

Important Java Security Patch Released

coldfusion java Oracle has just released a patch for a critical denial of service vulnerability (CVE-2010-4476) in the Java Runtime.

I have confirmed that this is easily exploited on a ColdFusion server running an unpatched JVM. It's very very probable that you have code that could be exploited.

HackMyCF Scanner Updated

coldfusion Yesterday I added some additional functionality to the HackMyCF ColdFusion Server Security Scanner:

Now checks for an exposed WEB-INF directory - the content in the WEB-INF folder should not be served up to the public. If it is under the web root, it must be blocked by the web server.

Changing the ColdFusion CFIDE Scripts Location

coldfusion One of the things that the HackMyCF ColdFusion server security scanner looks for is whether the /CFIDE/scripts/ (for CF11 and below) or /cf_scripts/scripts/ (for CF2016+) folder is in its default location.

Announcing HackMyCF Paid Subscriptions

coldfusion Hopefully you are now aware of the service I created in October 2009 called HackMyCF; it's been used to help secure over 3000 ColdFusion servers! If you're not familiar, it is a scanner that looks for security vulnerabilities on your server.

HTTP Strict Transport Security

web An emerging standard called Strict Transport Security is starting to gain some traction among web browsers. Google Chrome supports it and Firefox is working on it (currently supported in the NoScript Firefox extension).

Setting up HTTPOnly Session Cookies for ColdFusion

coldfusion Internet Explorer pioneered a great security feature for cookies called HTTPOnly: when this flag is set, the browser does not allow JavaScript to access the cookie. Now that all modern browsers support this flag, it can reduce the risk of session hijacking due to cross site scripting.

Path Traversal Vulnerability Security Hotfix for ColdFusion Released

coldfusion Adobe released a security hotfix for a path traversal vulnerability in ColdFusion administrator (CVE-2010-2861, APSB10-18). On the Adobe security bulletin page it lists affected software versions: ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX.

Using AntiSamy with ColdFusion

coldfusion How do you protect your code from Cross Site Scripting (XSS) when your business requirements state that the user must be able to input HTML? This can be a difficult problem to solve and XSS is very difficult to filter against because there are hundreds of attack vectors.

Writing Secure CFML Slides from CFUnited 2010

coldfusion As promised I just published the slides for my Writing Secure CFML presentation at CFUnited 2010.

You can even watch a recording of the presentation brought to you by Tim Cunningham of

Locking Down ColdFusion Presentation Slides

coldfusion The slides for my 2010 CFUnited presentation Locking Down ColdFusion are now available. The presentation is based on the ColdFusion 9 Lockdown Guide whitepaper that I wrote for Adobe. It covers various techniques to make your ColdFusion installation more secure.

Cross Domain Data Theft using CSS

web Firefox 3.6.7, released today, fixes an interesting security vulnerability called Cross Domain Data Theft using CSS, discovered by Google security researcher Chris Evans.

10 Ideas to Improve Security in ColdFusion 10

coldfusion I do a lot of work related to security in ColdFusion and I've been keeping a list of ideas and features that could make a future version of ColdFusion more secure.

CFMeetup Thursday: Intro to FuseGuard and Web Application Firewalls

coldfusion I will be presenting at the ColdFusion Meetup online user group this Thursday (June 17th) at Noon Eastern Time. The topic: Introduction to FuseGuard and Web Application Firewalls.

How to Disable Robust Exception Information on Railo

coldfusion As you know, one of the first things you should do on a production ColdFusion server is disable robust exception information (this includes things like source code and file path disclosures in error messages) in the ColdFusion Administrator.

Is your ColdFusion Administrator Actually Public?

coldfusion Every so often I get an email back from someone who ran saying something like this:

Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true.

Now Detects BlazeDS Vulnerability

coldfusion I've just finished updating the ColdFusion security scanner to detect the BlazeDS Vulnerability APSB10-05 announced in February 2010. As you hopefully know, this vulnerability also affects ColdFusion 7-9, because it has BlazeDS installed by default.

How to tell if a site takes security seriously

misc Here are some easy ways you can tell if a particular site is serious about security:

Last Day to win Free ColdFusion Security Training

coldfusion As you may have heard, Jason Dean and I are teaching a cf.Objective() pre-conference one-day hands-on ColdFusion security training class. We are giving away a seat to the class, and today, March 23rd, is the last day to enter (you must enter by 5pm Eastern Time); you can enter once per day.

Request Filtering in IIS 7 Howto

web I've been doing some security work in Windows 2008 recently for a client; one feature I've really come to like in IIS 7 is Request Filtering.

You can configure Request Filtering at the server wide level, and then override or enhance the filtering at a site / application level.

Hands on ColdFusion Security Training

coldfusion One of the best ways to really learn about something is to roll up your sleeves and get your hands dirty. This is especially true for learning about security; it can be difficult to fully understand how attacks work just by reading about them.

ColdFusion 9 Solr Vulnerability - Are you at Risk?

coldfusion Adobe just released a security bulletin APSB10-04 for ColdFusion 9. If you have the Solr Search Service running on a ColdFusion 9 server it binds the Solr Web Service to port 8983 on all IP addresses. Adobe has also released a Technote describing how to fix the issue.

CFLogin Security Considerations

coldfusion If you use the cflogin tag to manage authentication you should consider setting loginstorage="session" in your Application.cfc or Application.cfm file for better security.

How to Get a Green SSL Certificate

web Just as SSL Certificates were starting to become really inexpensive, they figured out a way to start charging more money again.

Slides for NYCFUG Security Presentation

coldfusion Here are the slides for my Writing Secure CFML presentation given to the New York City ColdFusion Users Group November 10th, 2009. Enjoy.

FuseGuard Released - Protects your ColdFusion Apps

coldfusion I am happy to announce today the release of FuseGuard Web Application Firewall for ColdFusion!

FuseGuard 2.

Speaking at NYCFUG Tonight - Writing Secure CFML

coldfusion I will be speaking at the New York City ColdFusion Users Group meeting tonight at 6:30pm on Writing Secure CFML.

We will discuss several web application vulnerabilities that ColdFusion developers need to be aware of, and how to prevent them from being exploited in your Web Applications.

Howto Require SSL for ColdFusion Administrator

coldfusion A good security practice is to require SSL for ColdFusion administrator access (an even better practice is to limit access to localhost). This should take less than five minutes on either Apache or IIS.

You May Need to Reapply CF Security Hotfix CVE-2009-1877

coldfusion Back in August Adobe released a series of ColdFusion security Hotfixes in security bulletin APSB09-12. One of the vulnerabilities that was supposed to be fixed was a Cross Site Scripting vulnerability that I found and reported to Adobe, known as CVE-2009-1877.

ColdFusion Server Security Scanner

coldfusion My company Foundeo Inc. released a new free web service today called HackMyCF that allows you to scan your ColdFusion server to detect the absence of recent ColdFusion security hotfixes as well as other security problems.

Prefix Serialized JSON in ColdFusion

coldfusion When ColdFusion 8 added the ability to return data from remote functions formatted with JSON they also added some settings that allow you to put a prefix on the JSON string.

FCKeditor Access Denied

coldfusion I have a client using the standalone FCKEditor on his server (not the one in /CFIDE/ it is located at /FCKeditor/), but after installing the security hotfix for ColdFusion 8's builtin FCKeditor, the file manager for uploading and inserting images stopped working.

IIS: Disabling Weak SSL Protocols and Ciphers

web It's no secret by now that if your web site sees credit card numbers (even if they are passed to a third party gateway) you need to comply with the PCI DSS standards.

Requirement 4.

Using Railo, Secure The railo-context

coldfusion If you are using Railo you will want to make sure you have locked down the URI /railo-context/ - this is Railo's equivalent to ColdFusion's /CFIDE/ directory. It contains the Railo Administrator, as well as some other supporting files and mappings.

ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only

coldfusion There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12.

Whether or not this hotfix is required on IIS has been a question posed by many.

ColdFusion Security Hotfixes Released

coldfusion Adobe posted several critical hotfixes for ColdFusion and JRun yesterday in Security Bulletin APSB09-12.

I discovered one of the XSS vulnerabilities, and I will post details about it soon. In the meantime, please patch your servers.

Security Tradeoffs

misc I've said it before: tradeoffs pop up in programming all the time. They are often difficult decisions, with no easy answer, and we often make the wrong decision.

Hotfix for CF8 FCKeditor Vulnerability Released

coldfusion Adobe has just released a security hotfix for the FCKeditor vulnerability in ColdFusion 8.

Also of note, Adobe's Terry Ryan posted a blog entry today detailing How to report a ColdFusion Security Issue to Adobe.

Hardening ColdFusion - cfObjective 2009 Presentation Slides

coldfusion I've been meaning to post the slides for the presentation I gave at cf.

Risks of FCKeditor Vulnerability in CF8

coldfusion I've had a chance to look at the FCKeditor code a little bit in order to determine what the risks actually are of this vulnerability.

ColdFusion 8 FCKeditor Vulnerability

coldfusion There have been a few stories about a vulnerability in FCKeditor that is bundled with ColdFusion 8, first on SANS and now on The Register.

The FCKeditor ColdFusion connector isn't enabled on all CF installations, I think if you installed a fresh 8.0.

Firefox 3.5 Introduces Origin Header, Security Features

web Firefox 3.5 was just released about a half hour ago. You can check out all the new features for web developers here.

For me, as someone that does a lot of security research, one of the most interesting new features is the Origin HTTP header that Firefox 3.5 now sends.

Tips for Secure File Uploads with ColdFusion

coldfusion Allowing someone to upload a file on to your web server is a common requirement, but also a very risky operation. So here are some tips to help make this process more secure.

Don't rely on cffile accept attribute

The accept attribute gives a terrible false sense of security.

Devnet Article on Securing CF From SQL Injection

coldfusion I was just reading through this article on Adobe Devnet titled Secure your ColdFusion application against SQL injection attacks, and I have a few issues with the article.

Web Application Firewall for ColdFusion Launched

coldfusion I'm excited to announce today the launch of Foundeo's latest product: the Foundeo Web Application Firewall for ColdFusion. The product can block or log malicious requests to your ColdFusion applications.


coldfusion If you haven't been using the cfqueryparam tag, chances are you had a baptism by fire this week. As you may have heard, lots of ColdFusion powered sites were targeted by hackers using SQL Injection this week.

Hash those Passwords

web Spry recently had an embarrassing security breach, in which several email addresses and passwords were stolen.

To start with it appears that the breach was made through some malware/spyware installed on an employee's office computer.

ColdFusion 8 Security Whitepaper

coldfusion Adobe has published a whitepaper called: ColdFusion 8 Product Security Briefing, which outlines the results of an independent security audit from Information Risk Management Plc.

Firefox Now Supports HttpOnly Cookies

web You may be surprised to learn that Microsoft Internet Explorer has supported a security feature called HttpOnly cookies since IE 6 SP1.

Firefox, which was released just the other day, now supports it.

ColdFusion Security Presentation Slides

coldfusion I want to thank everyone who attended my sessions at CFUnited this year. I was particularly amazed by the turnout for Building Secure CFML Applications. Here are the slides for the presentation.

Announcing Web Application Firewall for ColdFusion

coldfusion I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc) and then logs, filters, or blocks the request.

Web Application Security Blog Aggregator

web Christian Matthies has recently set up an aggregator for web application security related blogs called Planet Web Security. Highly recommended for staying on top of the latest web application security threats and exploits.

CFPARAM for Simple String Validation

coldfusion With the addition of a dozen new type values for the cfparam tag in ColdFusion 7, it has become a handy tool for validation.

I have a little trick for those of you who are using earlier versions of ColdFusion that don't support the new types for validation.

The Dangers of Flash's crossdomain.xml

web PHP security guru Chris Shiflett has a great post about the dangers of Cross Domain Flash. If you have implemented a crossdomain.xml file you will want to read his post.

If you have a crossdomain.

Web Application Vulnerabilities trump Buffer Overflows

web This should be an eye opener to many. In September Mitre reported that web application vulnerabilities are claiming the top three spots on their CVE request list, beating out Buffer Overflows.

Cross Site Scripting (21.5%)
SQL Injection (14%)
PHP includes (9.5%)
Buffer overflows (7.

Web Application Security Cheat Sheet

web SecGuru has posted a cheat sheet for Web Application Security. There is also an earlier version of the cheat sheet as well.

This is a handy reference, but it is good to keep in mind that no book or article about security is ever exhaustive or conclusive.

Secure Browsing Mode

web Ivan Ristic has posted a proposal on his blog called: Secure Browsing Mode [PDF].

In the document Ivan lists some of the possible effects of his proposal:

Eliminate Cross-Site Request Forgery.

Eliminate off-domain information leakage.

Amazon CTO on Security

web Credit card information should be kept in a physical secure location separate from your other servers with armed guards in front of it (I am not kidding)...

Web Form Security and the Middle Man

web A friend of mine, Matt Finn, was telling me about a security issue he realized recently.

How To Scream Unsecured

web I was considering purchasing something from a foreign site today (I'm not going to name names), but then I noticed this link on the order form page:

I'm speechless!

How to Break Web Software

books web There is a good presentation on Google Video called How To Break Web Software - A look at security vulnerabilities in web software given by Mike Andrews to Google staff. Mike's book also happens to be called How to break web software.

Secure Forms

web Chris Shiflett, the author of Essential PHP Security posted a cool idea on his blog about secure forms. His idea was to have browsers show visually that a form action is secure (going to a HTTPS page). A good idea, I hope to see that implemented.

Howto Disable the Server Header in IIS

web Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article.

20 ways to Secure your Apache Configuration

web Here are 20 things you can do to make your Apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes.

Top 20 Internet Security Vulnerabilities of 2005

apple databases linux misc web SANS has published a list of the top 20 internet security vulnerabilities of 2005. The list is not, however, cumulative; it features the security vulnerabilities that have been the most prevalent within the past year and a half.

MySpace Hacked with CSRF and XSS

web It seems that someone recently hacked MySpace, the ColdFusion-powered community site with millions of users.

Turn off autocomplete for credit card input

web Memo to web developers building sites that accept credit card numbers:

Always, always set autocomplete="off" in the input tag.

RDS Security Problems?

coldfusion Erki Esken posted a comment on Ben Forta's blog asking if the source to the RDS plugin for Eclipse would be released. Forta's response was:

"But, my gut feel is that it would not be a good idea to fully expose the source for RDS as that may create potential security problems.

Portable Web Application Firewall Rule Format

web Ivan Ristic, the author of Apache Security, and the mod_security Apache module, and Java Filter, is trying to create a spec called the Portable Web Application Firewall Rule Format.

ServerTokens Prod, ServerSignature Off

web I tend to forget the syntax every time, but one of the first things I do when I set up an Apache web server is add/edit these two directives in my httpd.

Oracle Critical Updates

databases Oracle has released a critical patch update for several of its products, (database server, enterprise manager, application server, e-business suite, workflow, forms, reports, JInitiator, developer suite, and express server).

Free Chapters in Apache Security

books Ivan has made two chapters from his book Apache Security available for download. He just released the chapter on secure php configuration, and the chapter on installation and configuration was previously made available.

HTTP Request Smuggling (HRS)

web WatchFire has released a white paper on HTTP Request Smuggling - a new type of attack that targets multi-layer HTTP stacks (proxies, caches, firewalls).

What is HTTP Request Smuggling?

HTTP Request Smuggling (HRS) is a new hacking technique that targets HTTP devices.

Detecting SQL Injection with ScriptProtect

coldfusion databases It occurred to me this morning that ScriptProtect can be a handy feature for globally catching a few forms of SQL Injection attacks.

WARNING - just like its inability to protect against all forms of XSS attacks this solution DOES NOT protect you from all SQL Injection attacks.

ScriptProtect in ColdFusion MX 7 not a catch all

coldfusion ColdFusion MX 7 has a new feature that "lets you protect one or more variable scopes from cross site scripting (XSS) attacks". It can be turned on in the cfapplication tag using the scriptProtect attribute, or in the ColdFusion Administrator as a global setting.

Cross Site Request Forgery (CSRF) Attacks

web I found a site that has some good security tips for web developers. It mentions one type of attack that doesn't get much attention - called Cross Site Request Forgery (CSRF).

Please do not go to this website!

misc web Via Loose Wire - Someone has registered the domain; the site attempts to install spyware, viruses, etc.

Apache mod_rewrite URLs Also Provide Validation

coldfusion web I realized something when using Apache mod_rewrite for search-engine-safe URLs: they also provide input type validation. I can use mod_rewrite to ensure that only integers are passed in the id parameter of my URL.

For example, on my site macread I use url's like: http://macread.

Real World Linux Security

linux I read part of Real World Linux Security this weekend. It's a very detailed book that covers a wide range of security topics, from an author with lots of security experience.
