David Epler, Security Architect
AboutWeb
Become a Security Rockstar with ColdFusion 2016
Agenda
• Installation
  • Secure Profile
  • Lockdown Guide
  • Other Considerations
• Updates
  • ColdFusion Updates
  • Support Life Cycle
• Security Analyzer
• Coding Practices
  • Cross-site Scripting (XSS)
  • SQL Injection
  • Cross-site Request Forgery (CSRF)
  • Session Management
Installation
• Ensure ColdFusion is installed with the correct profile for the environment in which it will be used
https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html
Profiles
https://helpx.adobe.com/coldfusion/installing/understanding-coldfusion-server-profiles.html
Secure Profile
CFSCRIPTS Directory
• In ColdFusion 2016, CFIDE access is now removed from the web server and is only accessible to localhost on port 8500
• The following directories are now contained in cf_scripts
  • CFIDE/scripts
  • CFIDE/classes
  • CFIDE/cfclient
Lockdown Guide
• The Lockdown Guide absolutely needs to be used for any public-facing ColdFusion server
• A guide has been released for each version of ColdFusion since 9
  • ColdFusion 10
    https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf
  • ColdFusion 11
    https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf
  • ColdFusion 2016
    http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf
• Go to Pete's session next in Jasmine FB104 – Bulletproof Your ColdFusion Server With The Lockdown Guide
Other Considerations
• Securing other parts of the web stack
  • Operating System
  • Web Server
  • Database Server
• Using additional guidelines
  • Microsoft Baseline Security Analyzer
  • CIS Security Benchmarks
  • DISA STIGs
  • Other vendor guidelines
Updates
• Update process
  • Always apply and test on development and test/staging environments first
  • Update as quickly as is reasonably possible
• Notification of updates
  • via ColdFusion Administrator
  • blogs.coldfusion.com
  • Twitter/Facebook
  • Adobe Security Notification Service
    https://campaign.adobe.com/webApp/adbeSecurityNotificationsRegistration
ColdFusion Updates
Support Life Cycle
https://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63
Security Analyzer
• Integrated into ColdFusion Builder 2016 to enable developers to avoid common security pitfalls and vulnerabilities while writing ColdFusion code
• Highlights the vulnerable code in the editor
• Classifies the vulnerability type
• Severity level of the vulnerability
• Suggestions on how to fix the vulnerability
• Export report
Security Analyzer
• Vulnerability Types
  • SQL Injection
  • XSS Attack
  • PDF XSS Attack
  • CSRF Attack
  • CFLocation Validation
  • Cookie Validation
  • Passwords
  • File Upload Validation
  • Get vs Post
  • File Injection
Security Analyzer
• Enterprise Only
  • Does not work in Developer or Standard Edition
  • Does not work with the ColdFusion built into ColdFusion Builder
  • ColdFusion Server 2016 needs to be installed with the Developer Profile
  • RDS is required
• Need access to port 8500, or
  • Create a virtual mapping for /CFIDE and modify uriworkermap.properties for the given connector to remove the ! in front of /CFIDE/*=cfusion
• Keep the update versions of ColdFusion and ColdFusion Builder in sync
  • Communication changed between Release, Update 1, and Update 2
  • Updates improve detection cases
Security Analyzer Workflow
Security Analyzer Demo
Coding Practices
• Just upgrading to the latest version will not secure your code
  • Need to use the language enhancements introduced since ColdFusion 10
• Reviewing code in use
• Training developers to use more secure coding practices
  • Security best practices change over time
Cross Site Scripting (XSS)
• Enables attackers to inject client-side script into web pages
  • Session Hijacking
  • Phishing for passwords or other info
• Several types
  • Persistent (Stored)
  • Non-Persistent (Reflected)
  • DOM-based
Cross Site Scripting (XSS)
• Old encoding functions

Context         Example
HTML            <p>Hi #htmlEditFormat(url.name)#</p>
HTML Attribute  <div id="#htmlEditFormat(url.name)#"/>
JavaScript      <script>x='#jsStringFormat(url.name)#'</script>
                <a onmouseover="foo(#jsStringFormat(url.name)#)"/>
CSS             <div style="font-family:#form.fontname#"/>  (no old function for this context)
URL             <a href="index.cfm?id=#urlEncodedFormat(cookie.id)#"/>
• New OWASP ESAPI encoders available in ColdFusion 10+
• Replace htmlEditFormat, jsStringFormat, and urlEncodedFormat

Context         Example
HTML            <p>Hi #encodeForHTML(url.name)#</p>
HTML Attribute  <div id="#encodeForHTMLAttribute(url.name)#"/>
JavaScript      <script>x='#encodeForJavaScript(url.name)#'</script>
                <a onmouseover="foo(#encodeForJavaScript(url.name)#)"/>
CSS             <div style="font-family:#encodeForCSS(form.fontname)#"/>
URL             <a href="index.cfm?id=#encodeForURL(cookie.id)#"/>
Cross Site Scripting (XSS)
• WYSIWYG HTML editors
  • ColdFusion 11 added support for HTML sanitization using OWASP AntiSamy
    • isSafeHTML(inputString, [policyFile], [throwOnError])
    • getSafeHTML(inputString, [policyFile], [throwOnError])
  • ColdFusion's default policy is based on the Slashdot policy from the project
    https://code.google.com/archive/p/owaspantisamy/downloads
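The following is an added example, not code from the slides, serving both the encoder table above and the AntiSamy bullets: one helper that picks the ColdFusion 10+ ESAPI encoder for each output context and runs editor content through getSafeHTML() (ColdFusion 11+). The function renderProfile() and every input value are constructed for this example.

```cfml
<cfscript>
// Added example (not from the slides): render untrusted values with the
// ColdFusion 10+ ESAPI encoder that matches each output context, and pass
// WYSIWYG editor content through AntiSamy (ColdFusion 11+) instead.
// renderProfile() and all inputs below are constructed for this example.
function renderProfile(required string name, required string fontName,
                       required string id, required string bio) {
    var html = "";

    // HTML body context
    html &= "<p>Hi #encodeForHTML(arguments.name)#</p>";

    // HTML attribute context. Unlike htmlEditFormat(), which encodes only
    // < > & and the double quote, this also encodes the single quote, so it
    // is safe in a single-quoted attribute as well.
    html &= "<div title='#encodeForHTMLAttribute(arguments.name)#'></div>";

    // JavaScript string context
    html &= "<script>var who = '#encodeForJavaScript(arguments.name)#';</script>";

    // CSS value context (the pre-CF10 functions have no CSS encoder at all)
    html &= "<div style=""font-family:#encodeForCSS(arguments.fontName)#""></div>";

    // URL query-string context
    html &= "<a href=""index.cfm?id=#encodeForURL(arguments.id)#"">next</a>";

    // Rich text from an editor must keep its markup, so entity encoding would
    // destroy it. getSafeHTML() instead strips whatever the AntiSamy policy
    // (ColdFusion's default, derived from the Slashdot policy) does not allow.
    html &= "<div class=""bio"">#getSafeHTML(arguments.bio)#</div>";

    return html;
}

// Constructed sample input: an apostrophe, stray markup, and a script element
// in the editor content; none of it should survive into an executable context.
writeOutput(renderProfile(
    "O'Brien <b>",
    "Arial",
    "42",
    "<p>Hello <b>there</b></p><script>alert('x')</script>"
));
</cfscript>
```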
SQL Injection
Tweet pic from someone who did not responsibly disclose a SQL Injection issue to the site owner
SQL Injection
• Allows an attacker to do any of the following:
  • Download all data in the database
  • Modify or delete all data in the database
  • Execute stored procedures or processes in some cases
SQL Injection – Partially Fixed
• <cfqueryparam> was introduced in ColdFusion 4.5
• Still missing in a lot of old code, and too many developers do not use it
SQL Injection – Fixed
SQL Injection
• SQL Injection is not limited to <cfquery>
• Stored procedures
  • Use <cfprocparam>
  • Do not use exec inside <cfquery>
• ORMExecuteQuery() and QueryExecute()
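An added example, not code from the slides, covering the three slides above: the concatenated "before" query beside its cfqueryparam fix, the same binding for a stored procedure, queryExecute() and ORMExecuteQuery(). The datasource "shop", the products table, the get_product procedure and the Product entity are all assumptions for this example.

```cfml
<!--- Added example, not from the slides. The datasource "shop", the table
      products (id INTEGER, name VARCHAR), the stored procedure get_product and
      the persistent CFC Product are all assumed for this example. --->

<!--- Vulnerable ("before"): url.id is pasted into the SQL text, so whatever the
      client sends is parsed as SQL --->
<cfquery name="productUnsafe" datasource="shop">
    SELECT id, name FROM products WHERE id = #url.id#
</cfquery>

<!--- Fixed: cfqueryparam sends the value as a typed bind parameter. It is never
      parsed as SQL, and a non-integer value is rejected before the query runs --->
<cfquery name="product" datasource="shop">
    SELECT id, name FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Stored procedures: pass inputs with cfprocparam rather than building an
      EXEC statement inside cfquery --->
<cfstoredproc procedure="get_product" datasource="shop">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="productFromProc">
</cfstoredproc>

<cfscript>
    // queryExecute() (ColdFusion 11+) binds the same way: a struct keyed by the
    // :name placeholders used in the SQL, each with a value and cfsqltype
    productScript = queryExecute(
        "SELECT id, name FROM products WHERE id = :id",
        { id = { value = url.id, cfsqltype = "cf_sql_integer" } },
        { datasource = "shop" }
    );

    // ORMExecuteQuery() runs HQL, not SQL, but string concatenation is just as
    // injectable there; use named parameters. The wildcards are added to the
    // parameter value, not to the query text.
    matches = ORMExecuteQuery(
        "from Product where name like :pattern",
        { pattern = "%" & url.q & "%" }
    );
</cfscript>
```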
Cross-site Request Forgery
• Causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated
  • Could result in a transfer of funds, changing a password, or purchasing an item
  • Impact varies greatly based on the privileges of the user
• Occurs without the knowledge of the target user, until the unauthorized transaction has been committed
Cross-site Request Forgery
• Random Token
  • CSRFGenerateToken([key], [forceNew])
    • Generates a random token and stores it in the session
  • CSRFVerifyToken(token, [key])
    • Validates the passed-in token against the token stored in the session
  • Must have session variables enabled
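An added example, not code from the slides: a self-posting form guarded with csrfGenerateToken() and csrfVerifyToken() as described above. It assumes sessionManagement is enabled in Application.cfc; the key "changeEmail" and the session.email field are assumptions for this example.

```cfml
<!--- Added example, not from the slides: a self-posting form guarded with
      csrfGenerateToken()/csrfVerifyToken() (ColdFusion 10+). Requires
      sessionManagement = true in Application.cfc. The key "changeEmail" and the
      session.email field are assumptions for this example. --->
<cfif structKeyExists(form, "email")>
    <!--- Verify before touching any state. A missing token is rejected the same
          way as a wrong one, and csrfVerifyToken() must use the same key that
          generated the token. --->
    <cfif NOT structKeyExists(form, "csrfToken")
          OR NOT csrfVerifyToken(form.csrfToken, "changeEmail")>
        <cfheader statusCode="403" statusText="Forbidden">
        <p>Request rejected: missing or invalid CSRF token.</p>
        <cfabort>
    </cfif>
    <!--- Token checked out: apply the state change --->
    <cfset session.email = form.email>
    <p>Email updated.</p>
<cfelse>
    <!--- The key ties the token to this action. With forceNew = false the
          session's existing token for that key is reused, so a second open
          tab of this form does not invalidate the first one. --->
    <cfset token = csrfGenerateToken("changeEmail", false)>
    <cfoutput>
    <form method="post" action="">
        <input type="hidden" name="csrfToken"
               value="#encodeForHTMLAttribute(token)#">
        <label>New email <input type="email" name="email"></label>
        <button type="submit">Save</button>
    </form>
    </cfoutput>
</cfif>
```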
Session Management
• SessionRotate()
  • Creates a new session and copies the session scope into this new session, then invalidates the old session
  • Used after a valid login to prevent session fixation
• SessionInvalidate()
  • Clears the session scope and makes the current session identifiers no longer valid
• Only works with ColdFusion sessions (CFID/CFToken), does not work with JEE sessions (JSESSIONID)
  • SessionRotate for JEE sessions - http://www.petefreitag.com/item/829.cfm
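An added example, not code from the slides: login and logout handlers that place sessionRotate() and sessionInvalidate() where the bullets above say they belong. It assumes ColdFusion sessions (CFID/CFToken) rather than J2EE sessions, and an assumed helper checkCredentials() that returns the user id or 0.

```cfml
<cfscript>
// Added example, not from the slides: login and logout using sessionRotate()
// and sessionInvalidate() (ColdFusion 10+). Assumes ColdFusion sessions
// (CFID/CFToken), not J2EE sessions, and an assumed helper
// checkCredentials(username, password) that returns the user id or 0.

// Login handler
if (structKeyExists(form, "username") && structKeyExists(form, "password")) {
    userId = checkCredentials(form.username, form.password); // assumed helper
    if (userId > 0) {
        // Issue a fresh CFID/CFToken first and carry the session scope over,
        // so a session id handed to the browser before login (fixation) never
        // becomes an authenticated one. Do this before writing login state.
        sessionRotate();
        session.userId = userId;
        session.loggedIn = true;
    }
    // On failure nothing is written to the session; the old id stays anonymous
}

// Logout handler
if (structKeyExists(url, "logout")) {
    // Empties the session scope and invalidates the current CFID/CFToken, so
    // the identifiers cannot be reused after logout
    sessionInvalidate();
    location("login.cfm", false);
}
</cfscript>
```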
One more thing
Security Analyzer Commandline
• Adobe only built access to the Security Analyzer through ColdFusion Builder
But…
• Using the new command line abilities in ColdFusion 2016, built a solution
  • Available on GitHub, https://github.com/dcepler/cf-cmdline-sec-ana
  • Requires ColdFusion Server 2016 Update 2 or higher
• Allows for integration of the Security Analyzer into source code commit hooks and build processes
Security Analyzer Commandline Demo
Q&A - Thanks
• Blog: https://www.dcepler.net
• Email: [email protected]
• Twitter: @dcepler
• GitHub: https://github.com/dcepler
Please remember to complete the session survey
Thank you!