DOCSLIB.ORG

Coldfusion 11 Developer Security Guide

Coldfusion 11 Developer Security Guide

ColdFusion 11 Developer Security Guide Pete Freitag Adobe documentation - Confidential Contents Overview ....................................................................................................................................................... 4 Testing ....................................................................................................................................................... 4 Code Reviews ............................................................................................................................................ 4 Defense in Depth ...................................................................................................................................... 4 Principal of Least Privilege ........................................................................................................................ 4 SQL Injection ................................................................................................................................................. 5 Vulnerable Code Example ......................................................................................................................... 5 Secure Code Example ................................................................................................................................ 5 Cross Site Scripting (XSS) ............................................................................................................................... 7 Vulnerable Code Example ......................................................................................................................... 7 Secure Code Example ................................................................................................................................ 7 Content Security Policy ............................................................................................................................. 8 Additional XSS Resources .......................................................................................................................... 8 Uploading Files .............................................................................................................................................. 9 Vulnerable Code ........................................................................................................................................ 9 Secure Code Example ................................................................................................................................ 9 File Path Injection ....................................................................................................................................... 11 Vulnerable Code ...................................................................................................................................... 11 Mitigation Steps ...................................................................................................................................... 11 Encryption & Cryptography ........................................................................................................................ 12 Cryptography Suggestions ...................................................................................................................... 12 Additional Resources .............................................................................................................................. 12 Error Handling ............................................................................................................................................. 13 Additional Resources .............................................................................................................................. 14 Validation .................................................................................................................................................... 15 Canonicalization ...................................................................................................................................... 15 ColdFusion Validation ............................................................................................................................. 15 Client Side Validation .............................................................................................................................. 16 Additional Resources .............................................................................................................................. 16 Adobe documentation - Confidential Adobe documentation - Confidential Cross Site Request Forgeries ....................................................................................................................... 17 Vulnerable Code ...................................................................................................................................... 17 Preventing CSRF Attacks ......................................................................................................................... 17 Require HTTP POST ................................................................................................................................. 18 Check Referrer and Origin Headers ........................................................................................................ 19 Additional CSRF Resources ..................................................................................................................... 19 Cookies ........................................................................................................................................................ 20 The secure attribute................................................................................................................................ 20 The HttpOnly attribute............................................................................................................................ 20 The path attribute ................................................................................................................................... 20 The domain attribute .............................................................................................................................. 21 The expires attribute ............................................................................................................................... 21 Additional Cookie Resources .................................................................................................................. 21 Sessions ....................................................................................................................................................... 22 Preventing Session Hijacking .................................................................................................................. 22 Authentication & Authorization .................................................................................................................. 24 Password Storage .................................................................................................................................... 24 Auditing & Logging .................................................................................................................................. 24 Multi-factor Authentication .................................................................................................................... 25 Remember Me Cookies ........................................................................................................................... 25 Forgot Password Features ...................................................................................................................... 25 Authorization Controls ............................................................................................................................ 25 Role Based Authorization ........................................................................................................................ 26 Authentication Resources ....................................................................................................................... 27 PDF .............................................................................................................................................................. 28 Vulnerable Code Example ....................................................................................................................... 28 Secure Code Example .............................................................................................................................. 28 Additional Suggestions to Improve Security ............................................................................................... 29 Additional Resources & References ........................................................................................................ 29 Adobe documentation - Confidential Adobe documentation - Confidential Overview In this guide, I will discuss several vulnerabilities that pertain to web applications. Most of the vulnerabilities discussed in this guide are not unique to ColdFusion. However, the mitigation techniques discussed are ColdFusion-specific. Following best practices such as validation, testing, code reviews, defense in depth, and the principle of least privilege can provide a broad increase in security across your applications. Testing It is always important to test code before it reaches a production server. Setting

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    30 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us