Coldfusion 11 Developer Security Guide
Total Page:16
File Type:pdf, Size:1020Kb
ColdFusion 11 Developer Security Guide Pete Freitag Adobe documentation - Confidential Contents Overview ....................................................................................................................................................... 4 Testing ....................................................................................................................................................... 4 Code Reviews ............................................................................................................................................ 4 Defense in Depth ...................................................................................................................................... 4 Principal of Least Privilege ........................................................................................................................ 4 SQL Injection ................................................................................................................................................. 5 Vulnerable Code Example ......................................................................................................................... 5 Secure Code Example ................................................................................................................................ 5 Cross Site Scripting (XSS) ............................................................................................................................... 7 Vulnerable Code Example ......................................................................................................................... 7 Secure Code Example ................................................................................................................................ 7 Content Security Policy ............................................................................................................................. 8 Additional XSS Resources .......................................................................................................................... 8 Uploading Files .............................................................................................................................................. 9 Vulnerable Code ........................................................................................................................................ 9 Secure Code Example ................................................................................................................................ 9 File Path Injection ....................................................................................................................................... 11 Vulnerable Code ...................................................................................................................................... 11 Mitigation Steps ...................................................................................................................................... 11 Encryption & Cryptography ........................................................................................................................ 12 Cryptography Suggestions ...................................................................................................................... 12 Additional Resources .............................................................................................................................. 12 Error Handling ............................................................................................................................................. 13 Additional Resources .............................................................................................................................. 14 Validation .................................................................................................................................................... 15 Canonicalization ...................................................................................................................................... 15 ColdFusion Validation ............................................................................................................................. 15 Client Side Validation .............................................................................................................................. 16 Additional Resources .............................................................................................................................. 16 Adobe documentation - Confidential Adobe documentation - Confidential Cross Site Request Forgeries ....................................................................................................................... 17 Vulnerable Code ...................................................................................................................................... 17 Preventing CSRF Attacks ......................................................................................................................... 17 Require HTTP POST ................................................................................................................................. 18 Check Referrer and Origin Headers ........................................................................................................ 19 Additional CSRF Resources ..................................................................................................................... 19 Cookies ........................................................................................................................................................ 20 The secure attribute................................................................................................................................ 20 The HttpOnly attribute............................................................................................................................ 20 The path attribute ................................................................................................................................... 20 The domain attribute .............................................................................................................................. 21 The expires attribute ............................................................................................................................... 21 Additional Cookie Resources .................................................................................................................. 21 Sessions ....................................................................................................................................................... 22 Preventing Session Hijacking .................................................................................................................. 22 Authentication & Authorization .................................................................................................................. 24 Password Storage .................................................................................................................................... 24 Auditing & Logging .................................................................................................................................. 24 Multi-factor Authentication .................................................................................................................... 25 Remember Me Cookies ........................................................................................................................... 25 Forgot Password Features ...................................................................................................................... 25 Authorization Controls ............................................................................................................................ 25 Role Based Authorization ........................................................................................................................ 26 Authentication Resources ....................................................................................................................... 27 PDF .............................................................................................................................................................. 28 Vulnerable Code Example ....................................................................................................................... 28 Secure Code Example .............................................................................................................................. 28 Additional Suggestions to Improve Security ............................................................................................... 29 Additional Resources & References ........................................................................................................ 29 Adobe documentation - Confidential Adobe documentation - Confidential Overview In this guide, I will discuss several vulnerabilities that pertain to web applications. Most of the vulnerabilities discussed in this guide are not unique to ColdFusion. However, the mitigation techniques discussed are ColdFusion-specific. Following best practices such as validation, testing, code reviews, defense in depth, and the principle of least privilege can provide a broad increase in security across your applications. Testing It is always important to test code before it reaches a production server. Setting