Become a Security Rockstar with ColdFusion 2016

Post on 15-Apr-2017


David Epler, Security Architect

AboutWeb

Become a Security Rockstar with ColdFusion 2016

Agenda

• Installation
  • Secure Profile
  • Lockdown Guide
  • Other Considerations

• Updates
  • ColdFusion Updates
  • Support Life Cycle

• Security Analyzer

• Coding Practices
  • Cross-site Scripting (XSS)
  • SQL Injection
  • Cross-site Request Forgery (CSRF)
  • Session Management

Installation

Installation

• Ensure ColdFusion is installed with the correct profile for the environment in which it will be used

https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html

Secure Profile

CFSCRIPTS Directory

• In ColdFusion 2016, CFIDE access is now removed from the web server and is only accessible to localhost on port 8500

• Following directories are now contained in cf_scripts
  • CFIDE/scripts
  • CFIDE/classes
  • CFIDE/cfclient

Lockdown Guide

• Lockdown guide absolutely needs to be used for any public facing ColdFusion Server

• Guide released for each version of ColdFusion since 9
  • ColdFusion 10
    https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf
  • ColdFusion 11
    https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf
  • ColdFusion 2016
    http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf

• Go to Pete’s session next in Jasmine FB104 – Bulletproof Your ColdFusion Server With The Lockdown Guide

Other Considerations

• Securing other parts of the web stack
  • Operating System
  • Web Server
  • Database Server

• Using additional guidelines
  • Microsoft Baseline Security Analyzer
  • CIS Security Benchmarks
  • DISA STIGs
  • Other vendor guidelines

Updates

Updates

• Update process
  • Always apply and test on development and test/staging environments first
  • Update as quickly and reasonably possible

• Notification of updates
  • via ColdFusion Administrator
  • blogs.coldfusion.com
  • Twitter/Facebook
  • Adobe Security Notification Service
    https://campaign.adobe.com/webApp/adbeSecurityNotificationsRegistration

ColdFusion Updates

Support Life Cycle

https://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63

Security Analyzer

Security Analyzer

• Integrated into ColdFusion Builder 2016 to enable developers to avoid common security pitfalls and vulnerabilities while writing ColdFusion code

• Highlights the vulnerable code in the editor
  • Classifies the vulnerability type
  • Severity level of the vulnerability
  • Suggestions on how to fix the vulnerability
  • Export report

Security Analyzer

• Vulnerability Types
  • SQL Injection
  • XSS Attack
  • PDF XSS Attack
  • CSRF Attack
  • CFLocation Validation
  • Cookie Validation
  • Passwords
  • File Upload Validation
  • Get vs Post
  • File Injection

Security Analyzer

• Enterprise Only
  • Does not work in Developer or Standard Edition
  • Does not work with ColdFusion built into ColdFusion Builder
  • ColdFusion Server 2016 needs to be installed with Developer Profile
  • RDS is required

• Need access to port 8500, or
  • Create virtual mapping for /CFIDE and modify uriworkermap.properties for the given connector to remove ! in front of /CFIDE/*=cfusion

• Keep update versions of ColdFusion and ColdFusion Builder in sync
  • Communication changed between Release, Update 1, and Update 2

• Updates improve detection cases

Security Analyzer Workflow

Security Analyzer Demo

Coding Practices

Coding Practices

• Just upgrading to the latest version will not secure your code
  • Need to use language enhancements introduced since ColdFusion 10

• Reviewing code in use
  • Training developers to use more secure coding practices
  • Security best practices change over time

Cross Site Scripting (XSS)

• Enables attackers to inject client-side script into web pages
  • Session Hijacking
  • Phishing for passwords or other info

• Several types
  • Persistent (Stored)
  • Non-Persistent (Reflected)
  • DOM-based

Cross Site Scripting (XSS)

Cross Site Scripting (XSS)

• Old encoding functions

Context: Example

HTML: <p>Hi #htmlEditFormat(url.name)#</p>

HTML Attribute: <div id="#htmlEditFormat(url.name)#"/>

JavaScript: <script>x='#jsStringFormat(url.name)#'</script> <a onmouseover="foo(#jsStringFormat(url.name)#)"/>

CSS: <div style="font-family:#form.fontname#"/>

URL: <a href="index.cfm?id=#urlEncodedFormat(cookie.id)#"/>

Cross Site Scripting (XSS)

• New OWASP ESAPI encoders available in ColdFusion 10+

• Replace htmlEditFormat, jsStringFormat, and urlEncodedFormat

Context: Example

HTML: <p>Hi #encodeForHTML(url.name)#</p>

HTML Attribute: <div id="#encodeForHTMLAttribute(url.name)#"/>

JavaScript: <script>x='#encodeForJavaScript(url.name)#'</script> <a onmouseover="foo(#encodeForJavaScript(url.name)#)"/>

CSS: <div style="font-family:#encodeForCSS(form.fontname)#"/>

URL: <a href="index.cfm?id=#encodeForURL(cookie.id)#"/>
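The two tables above (legacy functions, then the ESAPI encoders) are the slide's summary. The following is an added example, not code from the slides, that runs one untrusted value through every output context with the matching ColdFusion 10+ encoder, and prints the legacy htmlEditFormat() result beside encodeForHTML() so the difference in coverage is visible. The input string is constructed for the demonstration; the surrounding markup is illustrative only.

```cfml
<cfscript>
// Added example: contextual output encoding with the ESAPI-based functions.
// "untrusted" is a constructed test string standing in for url.name, form.fontname, etc.
untrusted = '"><img src=x onerror=alert(1)>';

// Each output context is paired with the encoder that is correct for it.
// Interpolation (#...#) happens when the struct literal is built, so each
// "markup" value already contains the encoded form of the input.
rendered = [
    { context = "HTML body",      markup = "<p>Hi #encodeForHTML(untrusted)#</p>" },
    { context = "HTML attribute", markup = '<div id="#encodeForHTMLAttribute(untrusted)#"></div>' },
    { context = "JavaScript",     markup = "<script>var x = '#encodeForJavaScript(untrusted)#';</script>" },
    { context = "CSS",            markup = '<div style="font-family: #encodeForCSS(untrusted)#"></div>' },
    { context = "URL parameter",  markup = '<a href="index.cfm?id=#encodeForURL(untrusted)#">link</a>' }
];

// Show the markup as text. encodeForHTML() is applied once more here only so
// the browser displays the markup instead of interpreting it.
for (row in rendered) {
    writeOutput("<strong>#row.context#</strong>: <code>#encodeForHTML(row.markup)#</code><br>");
}

// Legacy versus ESAPI on the same input: compare which characters each one escapes.
writeOutput("<br>htmlEditFormat: <code>#encodeForHTML(htmlEditFormat(untrusted))#</code><br>");
writeOutput("encodeForHTML:  <code>#encodeForHTML(encodeForHTML(untrusted))#</code><br>");
</cfscript>
```

The point of choosing the encoder per context is that a value safe in an HTML body is not automatically safe inside a script block or a style attribute; the CSS row in the legacy table has no old function to fall back on at all.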

Cross Site Scripting (XSS)

Cross Site Scripting (XSS)

• WYSIWYG HTML editors

• ColdFusion 11 added support for HTML sanitization using OWASP AntiSamy
  • isSafeHTML(inputString, [policyFile], [throwOnError])
  • getSafeHTML(inputString, [policyFile], [throwOnError])

• ColdFusion’s default policy is based on the Slashdot policy from the project https://code.google.com/archive/p/owaspantisamy/downloads
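An added example, not from the slides, of how the two AntiSamy functions fit into handling rich-text input from a WYSIWYG editor. The editor submission below is a constructed sample; the optional policyFile and throwOnError arguments are left at their defaults, so the ColdFusion default (Slashdot-derived) policy applies.

```cfml
<cfscript>
// Added example: sanitizing rich-text input with the ColdFusion 11+ AntiSamy functions.
// Constructed sample of what an editor might post back: legitimate formatting
// mixed with markup a content policy should not let through.
editorHTML = '<p>Hello <b>world</b></p><img src="x" onerror="alert(1)"><p>Bye</p>';

// isSafeHTML() only reports whether the input already conforms to the policy.
// Useful for rejecting or flagging a submission without altering it.
if (isSafeHTML(editorHTML)) {
    writeOutput("Input conforms to the default policy.<br>");
} else {
    writeOutput("Input violates the default policy; storing the sanitized version instead.<br>");
}

// getSafeHTML() returns markup rewritten to conform to the policy. This is the
// value to persist; store the raw submission only if you need it for audit.
cleanHTML = getSafeHTML(editorHTML);

// Display both as text (encodeForHTML keeps the browser from rendering them)
writeOutput("Original:  <code>#encodeForHTML(editorHTML)#</code><br>");
writeOutput("Sanitized: <code>#encodeForHTML(cleanHTML)#</code><br>");
</cfscript>
```

Sanitize on the way in, before storage, and still encode for the output context on the way out; the two controls address different problems and one does not replace the other.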

SQL Injection

Tweet pic from someone that did not responsibly disclose an issue to the site owner that has SQL Injection

SQL Injection

• Allows attacker to do any of the following:
  • Download all data in database
  • Modify or Delete all data in database
  • Execute stored procedures or processes in some cases

SQL Injection

SQL Injection – Partially Fixed

• <cfqueryparam> was introduced in ColdFusion 4.5
  • Still missing in a lot of old code and too many developers do not use it

SQL Injection – Fixed

SQL Injection

• SQL Injection is not limited to <cfquery>

• Stored procedures
  • Use <cfprocparam>
  • Do not use exec inside <cfquery>

• ORMExecuteQuery() and QueryExecute()
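The "Partially Fixed" and "Fixed" slides above are screenshots in the deck; as an added example (not the speaker's code) the block below shows the unparameterized query, the <cfqueryparam> fix, the <cfprocparam> pattern for stored procedures, and a parameterized queryExecute() call. The datasource name "dsn", the users table, and the procedure name usp_GetUser are assumptions for illustration.

```cfml
<!--- Added example. "dsn", the users table and usp_GetUser are assumed names. --->

<!--- Vulnerable: url.id becomes part of the SQL text, so its content is
      interpreted as SQL rather than as a value. --->
<cfquery name="qUserBad" datasource="dsn">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- Fixed: cfqueryparam sends the value as a typed bind parameter; the SQL
      text is fixed before the database ever sees the input. --->
<cfquery name="qUserGood" datasource="dsn">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Stored procedures: bind with cfprocparam instead of building
      "exec usp_GetUser #url.id#" inside a cfquery. --->
<cfstoredproc procedure="usp_GetUser" datasource="dsn">
    <cfprocparam cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="qProcUser">
</cfstoredproc>

<cfscript>
// queryExecute() (ColdFusion 11+) takes the same typed parameters; ":id" is
// a named placeholder, never string concatenation.
qScript = queryExecute(
    "SELECT id, username FROM users WHERE id = :id",
    { id = { value = url.id, cfsqltype = "cf_sql_integer" } },
    { datasource = "dsn" }
);
</cfscript>
```

The cfsqltype also acts as input validation: a non-numeric url.id fails the cf_sql_integer bind before any SQL runs, which is a useful signal to log.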

Cross-site Request Forgery

• Causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated
  • Could result in a transfer of funds, changing a password, or purchasing an item
  • Impact varies greatly based on the privileges of the user

• Occurs without knowledge of the target user, until the unauthorized transaction has been committed

Cross-site Request Forgery

• Random Token

• CSRFGenerateToken([key], [forceNew])
  • Generates a random token and stores it in the session

• CSRFVerifyToken(token, [key])
  • Validates the passed-in token against the token stored in the session

• Must have session variables enabled
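An added example, not from the slides, of the token pair in use: the form embeds a token tied to a key, and the handler refuses the state-changing request unless the submitted token verifies against the session. The file name changeEmail.cfm and the key "changeEmail" are assumed; Application.cfc is assumed to set this.sessionManagement = true, which the slide notes is required.

```cfml
<!--- Added example. Assumes Application.cfc enables session management. --->

<!--- Form page: each protected form gets a token bound to its own key, so a
      token issued for one action does not authorize a different one. --->
<cfoutput>
<form method="post" action="changeEmail.cfm">
    <input type="hidden" name="csrfToken" value="#csrfGenerateToken('changeEmail')#">
    <label>New email <input type="email" name="newEmail" required></label>
    <button type="submit">Update</button>
</form>
</cfoutput>

<!--- changeEmail.cfm: verify before touching any state. A missing token is
      treated the same as an invalid one. --->
<cfif NOT structKeyExists(form, "csrfToken")
      OR NOT csrfVerifyToken(form.csrfToken, "changeEmail")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Request rejected: CSRF token missing or invalid.</cfoutput>
    <cfabort>
</cfif>

<!--- Token verified: perform the update (application-specific) --->
<cfoutput>Email change accepted for #encodeForHTML(form.newEmail)#.</cfoutput>
```

Because the token lives in the session, a request that arrives with no session (or someone else's) cannot produce a matching token; that is why the slide insists on session variables being enabled.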

Session Management

• SessionRotate()
  • Creates a new session and copies session scope into this new session, then invalidates the old session
  • Used after a valid login to prevent session fixation

• SessionInvalidate()
  • Clears session scope and makes the current session identifiers no longer valid

• Only works with ColdFusion sessions (CFID/CFToken), does not work with JEE sessions (JSESSIONID)
  • SessionRotate for JEE sessions - http://www.petefreitag.com/item/829.cfm
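An added example, not from the slides, showing where the two functions belong in a login/logout flow. Credential verification itself is left to the application; Application.cfc is assumed to use ColdFusion (CFID/CFTOKEN) sessions, since neither function applies to JEE sessions.

```cfml
<cfscript>
// Added example. Assumes ColdFusion sessions (CFID/CFTOKEN) are in use.

// Call only after credentials have been verified. Rotating before writing any
// authenticated state means the session id the browser held before login
// (which an attacker may have planted) is invalidated rather than promoted.
function onLoginSuccess(required string username) {
    sessionRotate();                       // new id, scope copied, old id invalidated
    session.authenticatedUser = username;  // written into the fresh session only
    session.loginAt = now();
}

// Call on logout. Emptying the scope alone would leave the identifiers usable;
// sessionInvalidate() also makes the current CFID/CFTOKEN stop resolving.
function onLogout() {
    sessionInvalidate();
}
</cfscript>
```

Order matters in onLoginSuccess(): if the user record were written first and sessionRotate() called afterwards, the copy would still carry the data, but the pre-login identifier would have briefly been an authenticated session.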

One more thing

Security Analyzer Commandline

• Adobe only built access to Security Analyzer through ColdFusion Builder

But…

• Using new command line abilities in ColdFusion 2016, built a solution
  • Available on GitHub, https://github.com/dcepler/cf-cmdline-sec-ana
  • Requires ColdFusion Server 2016 Update 2 or higher

• Allows for integration of the Security Analyzer into source code commit hooks and build processes

Security Analyzer Commandline Demo

Q&A - Thanks

• Blog: https://www.dcepler.net
• Email: depler@aboutweb.com
• Twitter: @dcepler
• GitHub: https://github.com/dcepler

Please remember to complete the session survey

Thank you!
