Firefox Aurora now Supports Content Security Policy 1.0

web
Today, with the release of Mozilla Firefox Aurora 23, support for Content Security Policy (CSP) using the unprefixed, W3C standard header Content-Security-Policy has landed. Firefox has had experimental support for CSP since Firefox 4, using the header X-Content-Security-Policy.
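The practical consequence for a site that already sends the prefixed header is that it now needs to send both. The following is an added example (not code from the original post): a ColdFusion page that builds one CSP 1.0 policy string and emits it under the W3C header and the legacy Mozilla header. The directive values and the report URI are assumptions for illustration; tighten them to what your pages actually load.

```cfml
<!--- Added example, not from the original post. Sends one CSP 1.0 policy under
      both the W3C header (Firefox 23+, other CSP 1.0 browsers) and the legacy
      Mozilla header (Firefox 4-22). Directives and /csp-report.cfm are assumptions. --->
<cfscript>
// Keep the policy as data so directives are not hand-concatenated per page
policy = {
    "default-src" = "'self'",
    "script-src"  = "'self' https://ajax.googleapis.com",
    "img-src"     = "'self' data:",
    "style-src"   = "'self' 'unsafe-inline'",
    "report-uri"  = "/csp-report.cfm"
};
parts = [];
for (directive in policy) {
    arrayAppend(parts, directive & " " & policy[directive]);
}
// Directive order does not matter to CSP; each directive is "name sources"
cspValue = arrayToList(parts, "; ");
</cfscript>
<!--- W3C CSP 1.0 header --->
<cfheader name="Content-Security-Policy" value="#cspValue#">
<!--- Legacy prefixed header for the experimental Firefox implementation --->
<cfheader name="X-Content-Security-Policy" value="#cspValue#">
```

Two caveats: the pre-standard Firefox implementation did not use the identical grammar everywhere (inline script, for instance, was enabled with `options inline-script` rather than `'unsafe-inline'`), so test the policy on both an old and a new Firefox rather than assuming the string is interpreted the same way; and WebKit browsers of the same era read their own prefixed header, X-WebKit-CSP. Start with report-only mode if the browser supports it, and watch the reports before enforcing.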

HackMyCF Scanner Updated

coldfusion
Yesterday I added some additional functionality to the HackMyCF ColdFusion Server Security Scanner:

Now Checks for an exposed WEB-INF directory - The content in the WEB-INF folder should not be served up to the public. If it is under the web root, it must be blocked by the web server.
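The check itself is simple enough to reproduce. The following is an added example, not the scanner's own code: it probes a site the way an external scanner would, using web.xml as the probe file because every servlet container has one under WEB-INF. The target host is an assumption; run it only against servers you are authorized to test.

```cfml
<!--- Added example, not HackMyCF's code. Probes /WEB-INF/web.xml from the outside;
      a 403 or 404 means the web server is blocking the directory, a 200 with a
      deployment descriptor in the body means it is exposed. --->
<cffunction name="isWebInfExposed" returntype="boolean" output="false">
    <cfargument name="baseUrl" type="string" required="true">
    <cfset var http = "">
    <cfhttp url="#arguments.baseUrl#/WEB-INF/web.xml" method="get"
            timeout="10" redirect="false" result="http">
    <!--- Require both a 200 and descriptor content so a custom error page that
          answers 200 for everything is not reported as a false positive --->
    <cfreturn val(http.statusCode) EQ 200
              AND findNoCase("<web-app", http.fileContent) GT 0>
</cffunction>

<!--- Hostname is an assumption for the example --->
<cfset exposed = isWebInfExposed("https://example.com")>
<cfoutput>
    <cfif exposed>
        WEB-INF is readable from the web: deny /WEB-INF/ at the web server.
    <cfelse>
        WEB-INF is not readable from the web.
    </cfif>
</cfoutput>
```

If the probe reports the directory as exposed, the fix belongs in the web server (IIS or Apache) in front of ColdFusion, not in CFML: deny every request whose path begins with /WEB-INF/, and check /CFIDE/ while you are there. Besides web.xml, WEB-INF holds neo-*.xml files with datasource and other configuration, which is why it matters.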

Using AntiSamy with ColdFusion

coldfusion
How do you protect your application from Cross Site Scripting (XSS) when your business requirements state that the user must be able to input HTML? This is a difficult problem to solve: XSS is very hard to filter against because there are hundreds of attack vectors, and a hand-written blacklist of tags will miss most of them.
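The alternative to filtering is a parser-based allowlist, which is what OWASP AntiSamy does: it parses the input as HTML and rebuilds it from a policy of permitted tags and attributes. The following is an added example of calling AntiSamy from ColdFusion through its Java integration; it is not code from the original post. It assumes antisamy.jar and its dependencies are on the ColdFusion classpath and that a policy file lives at the path shown (the slashdot policy shipped with AntiSamy is used as a stand-in).

```cfml
<!--- Added example, not from the original post. Assumes antisamy.jar (and its
      dependencies) are on the ColdFusion classpath and that an AntiSamy policy XML
      exists at the path passed in. --->
<cfscript>
function sanitizeHtml(required string dirtyHtml, required string policyPath) {
    // Policy parsing is expensive; in production parse once and cache it in
    // the application scope. It is done inline here for clarity.
    var policy   = createObject("java", "org.owasp.validator.html.Policy")
                       .getInstance(policyPath);
    var antiSamy = createObject("java", "org.owasp.validator.html.AntiSamy").init();
    var results  = antiSamy.scan(dirtyHtml, policy);   // CleanResults
    return {
        html   = results.getCleanHTML(),
        // One message per element/attribute that was removed: worth logging
        errors = results.getErrorMessages()
    };
}

// Constructed input for the example: benign markup plus three XSS payloads
// (script tag, javascript: URL, event-handler attribute)
dirty = '<b>Hello</b><script>alert(1)</script>'
      & '<a href="javascript:alert(2)">click</a>'
      & '<img src="x" onerror="alert(3)">';

clean = sanitizeHtml(dirty, expandPath("/WEB-INF/antisamy-slashdot.xml"));
</cfscript>

<cfoutput>
    <!--- clean.html is safe to emit as markup under the chosen policy --->
    #clean.html#
    <p>Removed #arrayLen(clean.errors)# unsafe elements or attributes.</p>
</cfoutput>
```

Which policy file you pick is the whole security decision: the shipped ebay, slashdot, myspace and tinymce policies allow very different things, so read the one you use and trim it to the tags your feature actually needs. ColdFusion 10 and later bundle AntiSamy behind getSafeHTML() and isSafeHTML(), which take the same kind of policy file; the Java call above is how it was done before those functions existed.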

Risks of FCKeditor Vulnerability in CF8

coldfusion
I've had a chance to look at the FCKeditor code a little bit in order to determine what the risks actually are of this vulnerability.

Tips for Secure File Uploads with ColdFusion

coldfusion
Allowing someone to upload a file onto your web server is a common requirement, but also a very risky operation. So here are some tips to help make this process more secure.

Don't rely on cffile accept attribute

The accept attribute gives a terrible false sense of security: it compares against the MIME type the browser sends with the upload, and the client controls that value completely, so an attacker simply labels a script as image/gif.
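The following is an added example of an upload handler that follows the tips above; it is not the original post's code. Directory paths, the form field name and the extension allowlist are assumptions. The shape is the important part: accept the file into a temporary location outside the web root, decide from what the server can verify (extension and actual content, not the client's content type), then store it under a name the server chose.

```cfml
<!--- Added example, not from the original post. Form field "photo", the
      allowlist and the directories are assumptions for illustration. --->
<cfset allowedExt = "jpg,jpeg,png,gif">
<cfset uploadDir  = getTempDirectory()>                 <!--- outside the web root --->
<cfset storeDir   = expandPath("/WEB-INF/uploads/")>    <!--- never served directly --->
<cfif NOT directoryExists(storeDir)>
    <cfdirectory action="create" directory="#storeDir#">
</cfif>

<!--- 1. Deliberately no accept attribute: the browser-supplied MIME type is
        attacker controlled. Land the file in a temp dir under a unique name. --->
<cffile action="upload" filefield="photo" destination="#uploadDir#"
        nameconflict="makeunique" result="up">
<cfset tmpPath = up.serverDirectory & "/" & up.serverFile>

<cftry>
    <!--- 2. Allowlist the extension as the server saw it --->
    <cfif NOT listFindNoCase(allowedExt, up.serverFileExt)>
        <cfthrow type="UploadRejected" message="Extension not allowed: #up.serverFileExt#">
    </cfif>

    <!--- 3. Inspect the bytes. isImageFile() parses the file, so shell.jpg that is
            really a CFM/JSP/PHP script fails here regardless of its name --->
    <cfif NOT isImageFile(tmpPath)>
        <cfthrow type="UploadRejected" message="File content is not an image">
    </cfif>

    <!--- 4. Store under a server-generated name; the user's filename never
            touches the filesystem or a URL --->
    <cfset safeName = createUUID() & "." & lcase(up.serverFileExt)>
    <cffile action="move" source="#tmpPath#" destination="#storeDir##safeName#">
    <cfoutput><p>Stored as #htmlEditFormat(safeName)#</p></cfoutput>

    <cfcatch type="any">
        <!--- Never leave a rejected file behind in the temp directory --->
        <cfif fileExists(tmpPath)>
            <cffile action="delete" file="#tmpPath#">
        </cfif>
        <cfoutput><p>Upload rejected.</p></cfoutput>
    </cfcatch>
</cftry>
```

Because the stored files live under WEB-INF, serving them back means a download page that looks the file up by its generated name and sends it with cfcontent and a content type you set, which is also where you prevent a stored file from ever being executed as CFML. For non-image types there is no isImageFile() equivalent, so the extension allowlist and the storage location outside the web root carry the full weight.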

Announcing Web Application Firewall for ColdFusion

coldfusion
I'm proud to announce a Web Application Firewall for ColdFusion, a new product that I have been working on. This product detects malicious requests (such as SQL Injection, Cross Site Scripting, etc.) and then logs, filters, or blocks the request.

CFPARAM for Simple String Validation

coldfusion
With the addition of a dozen new type values for the cfparam tag in ColdFusion 7, it has become a handy tool for validation.

I have a little trick for those of you who are using earlier versions of ColdFusion that don't support the new types for validation.
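The following is an added example of the ColdFusion 7 usage, not code from the original post (the trick for earlier versions is the post's own and is not reproduced here). It assumes a datasource named myDsn and a product table with the columns shown. The point it demonstrates is that cfparam throws when a value fails its type, so wrapping the checks in one cftry turns every bad parameter into a 400 before any query runs, and that the regex type lets you allowlist values, such as an ORDER BY column, that cannot go through cfqueryparam.

```cfml
<!--- Added example, not from the original post. Datasource "myDsn" and the
      product table are assumptions. --->
<cftry>
    <!--- Absent or non-integer id throws --->
    <cfparam name="url.id" type="integer">
    <!--- Numeric, bounded, with a default when absent --->
    <cfparam name="url.page" type="range" min="1" max="500" default="1">
    <!--- Built-in format check --->
    <cfparam name="form.email" type="email">
    <!--- Exact allowlist for something that must be interpolated into SQL --->
    <cfparam name="url.sort" type="regex" pattern="^(name|created|price)$" default="name">

    <cfcatch type="any">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput><p>Invalid request parameter.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<!--- Every value below this line has passed its check --->
<cfquery name="q" datasource="myDsn">
    SELECT name, created, price
    FROM   product
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    ORDER BY #url.sort#
</cfquery>
```

cfqueryparam is still the right tool for every value that is data; cfparam's regex type is for the places where the value becomes part of the statement itself, as with the sort column here, and the pattern should be anchored on both ends so a partial match cannot smuggle anything through.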

Web Application Vulnerabilities trump Buffer Overflows

web
This should be an eye opener to many. In September Mitre reported that web application vulnerabilities are claiming the top three spots on their CVE request list, beating out buffer overflows:

Cross Site Scripting (21.5%)
SQL Injection (14%)
PHP includes (9.5%)
Buffer overflows (7.

How to Break Web Software

books, web
There is a good presentation on Google Video called How To Break Web Software - A look at security vulnerabilities in web software, given by Mike Andrews to Google staff. Mike's book also happens to be called How to Break Web Software.

MySpace Hacked with CSRF and XSS

web
It seems that someone recently hacked MySpace, the ColdFusion-powered community site with millions of users.

ScriptProtect in ColdFusion MX 7 not a catch all

coldfusion
ColdFusion MX 7 has a new feature that "lets you protect one or more variable scopes from cross site scripting (XSS) attacks". It can be turned on in the cfapplication tag using the scriptProtect attribute, or in the ColdFusion Administrator as a global setting.
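What the feature actually does is rewrite a handful of tag names (script, object, embed, applet, meta) to `<InvalidTag` in the protected scopes, so anything that does not match that pattern goes straight through. The following is an added example, not code from the original post, showing scriptProtect enabled as a safety net beside the output encoding that does the real work. The query parameters and the suggested test values are constructed for the example.

```cfml
<!--- Added example, not from the original post. Request this page with
      ?q=<img src=x onerror=alert(1)>  or  ?next=javascript:alert(1)
      (constructed test input) to see which outputs scriptProtect leaves alone. --->
<cfapplication name="demo" scriptProtect="all">
<cfparam name="url.q" default="">
<cfparam name="url.next" default="/">

<cfscript>
// scriptProtect never looks at URL schemes, so a link target needs its own
// allowlist: same-site paths or http(s) only, and no protocol-relative "//host".
function safeUrl(required string candidate) {
    if (reFindNoCase("^https?://", candidate)) {
        return candidate;
    }
    if (left(candidate, 1) == "/" && left(candidate, 2) != "//") {
        return candidate;
    }
    return "/";
}
</cfscript>

<cfoutput>
<!--- UNSAFE: relies on scriptProtect alone. <script> would be rewritten, but an
      <img onerror=...> or an <svg onload=...> payload in url.q is not touched --->
<div>#url.q#</div>

<!--- SAFE in HTML body context: encode on output.
      htmlEditFormat escapes < > & and " but not the single quote, so attributes
      that carry it must be double-quoted as below --->
<div>#htmlEditFormat(url.q)#</div>
<input type="text" name="q" value="#htmlEditFormat(url.q)#">

<!--- SAFE in URL context: scheme allowlist first, then attribute encoding --->
<a href="#htmlEditFormat(safeUrl(url.next))#">Continue</a>
</cfoutput>
```

Treat scriptProtect the way you would treat a WAF signature: useful for catching the lazy payload and for noticing that someone is probing, but the contract your templates rely on is encoding every untrusted value for the context it is emitted into.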
