ColdFusion Summit Notes: Become a Security Rockstar with ColdFusion 2016, David Epler

October 17, 2016

Server update process -
always apply and test updates on development and test/staging environments first
then update production as quickly as is reasonably possible

Notification of updates
blogs.coldfusion.com is the best place

Much nicer interface for this in CF10+ (updates are applied from the CF Administrator)

Also be aware of “lifecycle support” on the updates
“end of core support” and “end of extended support” dates for when Adobe will stop supporting that rev of CF

CF Security Analyzer
built into the CF server; analyzes the source code directories you point it at

Caveats
MUST have an Enterprise license to run it
Not even available in Developer edition :(
Also not in Standard Edition nor in CF Builder’s built-in CF server
Can install your Enterprise KEY on a Dev server (or CF Builder, etc) but that’s a key/data hassle for Management
Also, it REQUIRES RDS to be Enabled
On a local dev that’s not an issue
On a centralized Dev server, RDS can be flagged as a security issue by various audits
Because it uses RDS, it must be installed in Developer mode. So installing it on a Prod server isn’t possible.
So basically installing the code Analyzer is a giant pain

No security tool is 100% accurate
All of them have either false negatives or false positives

Just upgrading to the latest version of CF will not make your CODE more secure
Need to make sure your developers are trained on how to write more secure code
The ideas of how to write secure code have changed over time
the threats and hack techniques have changed over time
as hackers improve and stay current, you must stay current and improve too
EVERYBODY has a Cross-Site Scripting vulnerability that must be addressed
Even PayPal, eBay, etc.

Scammers / Phishers love XSS attacks

Several types of XSS exist

Reflected —
Used most often
craft a URL carrying the XSS payload, run it through a URL shortener so it “looks good”, then phish that shortened URL to the victim and use it to exploit things

Persistent
Something stored in the database (e.g. a comment or profile field) that is later served to, and exploits, other users

DOM based
the payload rides on how client-side JavaScript handles data it reads from the page or URL (e.g. location.hash)
Never actually transmitted back to the server
the hack is all done client-side

There is an entire subreddit where people post sites that have XSS holes open. YOUR site may be listed there!

Older versions of CF (CF9 and earlier) —
run the input through the “encoding” functions before output:
htmlEditFormat( url.name )
jsStringFormat( url.name )
urlEncodedFormat( url.name )

in CF10 a new suite of encoders was added, based on the OWASP ESAPI
each encoder is specific to the output context where the variable will be used:
encodeForHTML()
encodeForHTMLAttribute()
encodeForJavaScript()
encodeForCSS()
encodeForURL()

in CF11, additional encoders were added for
XML, XPath and LDAP queries
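Added example (not from the talk): the same untrusted value, url.name, emitted into several output contexts, each with the CF10+ encoder that matches that context. The commented-out line shows the vulnerable form, and the comments name the CF9-era equivalents. Page paths are assumptions.

```cfml
<!--- Added example, not from the talk. One untrusted input, several output
      contexts, one encoder per context. --->
<cfparam name="url.name" default="">

<!--- VULNERABLE: raw output. url.name = <script>alert(1)</script> runs in the browser.
      <cfoutput><p>Hello #url.name#</p></cfoutput> --->

<cfoutput>
<!--- 1. HTML body: encodeForHTML (CF9 and earlier: htmlEditFormat) --->
<p>Hello #encodeForHTML(url.name)#</p>

<!--- 2. HTML attribute: encodeForHTMLAttribute, and always quote the attribute --->
<input type="text" name="name" value="#encodeForHTMLAttribute(url.name)#">

<!--- 3. JavaScript string literal: encodeForJavaScript (CF9: jsStringFormat),
        still inside quotes. Never drop raw input into script outside a string. --->
<script>
    var visitor = "#encodeForJavaScript(url.name)#";
</script>

<!--- 4. URL query parameter: encodeForURL (CF9: urlEncodedFormat) --->
<a href="/profile.cfm?name=#encodeForURL(url.name)#">Profile</a>

<!--- 5. CSS string value: encodeForCSS --->
<style>
    .visitor::after { content: "#encodeForCSS(url.name)#"; }
</style>

<!--- 6. Nested contexts: a URL parameter inside an HTML attribute is encoded for
        the inner (URL) context first, then for the outer (attribute) context --->
<a href="/search.cfm?q=#encodeForHTMLAttribute(encodeForURL(url.name))#">Search</a>
</cfoutput>
```

The point of the nested case is that htmlEditFormat() alone was never enough: a value that is safe in an HTML body is not safe inside a script string or an attribute, so pick the encoder by where the value lands, not by where it came from.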

WYSIWYG HTML editors
AntiSamy
a way to sanitize HTML input that you can then store
take the input, run it through a “policy” (an XML file) of what markup and attributes you allow, and it will spit out the sanitized HTML for storing
isSafeHTML( inputString, [policyFile], [throwOnError] )
getSafeHTML( inputString, [policyFile], [throwOnError] )
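Added example (not from the talk) of sanitizing a WYSIWYG submission with AntiSamy before storing it. The policy file path, the profiles table and session.userId are assumptions; the sample input is constructed. If the policy argument is omitted, CF uses its built-in default policy.

```cfml
<cfscript>
// Added example, not from the talk. policyFile is an assumed path to your own
// AntiSamy policy XML; omit the argument to use CF's default policy.
policyFile = expandPath("/config/antisamy-policy.xml");

// Constructed sample: legitimate formatting mixed with two XSS vectors
submitted = '<p>Hello <b>world</b></p>'
          & '<img src="x" onerror="alert(document.cookie)">'
          & '<a href="javascript:alert(1)">click</a>';

// Step 1: isSafeHTML() is a yes/no check against the policy. Useful when you want
// to log or reject rather than silently clean.
if ( !isSafeHTML(submitted, policyFile) ) {
    writeLog(file="security", text="Unsafe HTML submitted from #cgi.remote_addr#");
}

// Step 2: getSafeHTML() strips everything the policy does not allow and returns the
// rest. throwOnError=false cleans silently; true throws instead of returning.
cleaned = getSafeHTML(submitted, policyFile, false);

// Store the cleaned markup, never the raw submission (table and session key assumed)
queryExecute(
    "INSERT INTO profiles (user_id, bio) VALUES (:uid, :bio)",
    {
        uid = { value = session.userId, cfsqltype = "cf_sql_integer" },
        bio = { value = cleaned, cfsqltype = "cf_sql_varchar" }
    }
);
</cfscript>
```

Sanitizing on input is for the case where you must store HTML; it does not replace output encoding for everything else, and what the policy lets through is exactly what you will later render unencoded, so keep the policy tight.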

SQL injection —
one of the most dangerous vulnerabilities
if I can SQL inject your site, I can probably read, manipulate or delete your data
can’t use cfqueryparam for ORDER BY (a column name is an identifier, not a bindable value); whitelist against a list you control, e.g. variables.sortOrder, instead of dropping url.orderBy into the SQL

SQL injection not limited to CFQuery
Stored Procedures
- use cfprocparam

ormExecuteQuery() and queryExecute()
it IS still possible to inject via ORM/HQL or queryExecute() if you concatenate values into the query string instead of binding them as parameters
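Added example (not from the talk) covering the cases above in one place: a bound parameter replacing string concatenation, an ORDER BY whitelist, a bound HQL parameter, and cfprocparam on a stored procedure. Table, column, entity, procedure and datasource names are assumptions.

```cfml
<cfscript>
// Added example, not from the talk. Table, column, entity and procedure names assumed;
// queryExecute() uses the datasource configured in Application.cfc.
param name="url.id" default="0";
param name="url.orderBy" default="name";
param name="url.dir" default="asc";
param name="url.name" default="";

// VULNERABLE: the value is spliced into the SQL text.
// url.id = "1 OR 1=1" returns every user; worse payloads depend on driver settings.
// users = queryExecute("SELECT id, name FROM users WHERE id = #url.id#");

// FIXED: bind the value as a typed parameter. It travels separately from the SQL
// text, and a non-numeric url.id throws before anything reaches the database.
users = queryExecute(
    "SELECT id, name FROM users WHERE id = :id",
    { id = { value = url.id, cfsqltype = "cf_sql_integer" } }
);

// ORDER BY takes an identifier, not a value, so it cannot be bound. Whitelist it:
// the only thing that ever lands in the SQL text is an entry from your own list.
variables.sortOrder = "name,email,created";
idx     = listFindNoCase(variables.sortOrder, url.orderBy);
sortCol = idx ? listGetAt(variables.sortOrder, idx) : "name";
sortDir = (url.dir == "desc") ? "DESC" : "ASC";
users = queryExecute("SELECT id, name FROM users ORDER BY #sortCol# #sortDir#");

// ORM: HQL is just as injectable when concatenated; bind named parameters instead.
// vulnerable: ormExecuteQuery("from User where name = '#url.name#'")
matches = ormExecuteQuery("from User where name = :name", { name = url.name });
</cfscript>

<!--- Stored procedures: cfprocparam binds the argument the same way cfqueryparam does --->
<cfstoredproc procedure="sp_getUserById" datasource="app">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="procUser">
</cfstoredproc>
```

The whitelist returns the canonical column name from the list rather than echoing url.orderBy, so whatever casing or padding the user sent never reaches the query.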

CSRF
Cross Site Request Forgery
we get the user to view a “constructed” URL and get the user to do something against a site where they are “authenticated”
Causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated
- could result in a transfer of funds, changing a password, or purchasing an item
- impact varies greatly based on the privileges of the user

Occurs without knowledge of the target user, until the unauthorized transaction has been committed.

CF10 added:
(NEED to have session management on for this to work, since the token is kept in the session)
csrfGenerateToken()
csrfVerifyToken()
(these functions are a “random token defense”: the form carries a secret that an attacker’s forged request cannot know)
If you have an XSS vulnerability, this is worthless. The attacker’s injected script can read the token off the page and submit it, so it is no longer a defense
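Added example (not from the talk) of the token defense end to end: Application.cfc enabling sessions, a form carrying a token, and the handler refusing the request when the token does not verify. File names, the "transfer" key and the form fields are assumptions.

```cfml
<!--- Added example, not from the talk. Three files shown in one block. --->

<!--- Application.cfc: the token is stored in the session, so this is required --->
component {
    this.name = "csrfDemo";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);
}

<!--- transfer.cfm: render the form with a token bound to the key "transfer".
      csrfGenerateToken(key, forceNew): with forceNew=false the same token is
      reused for this session and key; forceNew=true issues a fresh one per call. --->
<cfoutput>
<form method="post" action="doTransfer.cfm">
    <input type="hidden" name="csrfToken" value="#csrfGenerateToken('transfer')#">
    <label>Amount <input type="text" name="amount"></label>
    <button type="submit">Transfer</button>
</form>
</cfoutput>

<!--- doTransfer.cfm: verify BEFORE doing anything state-changing. A forged request
      from another origin has a valid session cookie but no way to know the token. --->
<cfparam name="form.csrfToken" default="">
<cfif NOT csrfVerifyToken(form.csrfToken, 'transfer')>
    <cflog file="security" text="CSRF token mismatch from #cgi.remote_addr#">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
<!--- token valid: perform the transfer here --->
```

Verify on every state-changing POST, not only on the forms you think are sensitive; and remember the point made in the notes above, that any XSS on the same origin lets a script read this hidden field and the defense is gone.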

Session Management —
sessionRotate()
Creates a new session, copies the session scope into it, then invalidates the old one
WHENEVER you log someone into your site you should EXPIRE their old session and then give them a new one (this is the defense against session fixation)
Use sessionInvalidate() in ANY logout process, to remove the session entirely
Caveat: only works with CFID/CFTOKEN sessions
For J2EE sessions (JSESSIONID) it’s more involved but doable (check Pete Freitag’s blog post on how to do it)
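Added example (not from the talk) of where the two calls belong: sessionRotate() in the login handler once credentials check out, sessionInvalidate() in logout. authenticate() is an assumed application function returning the user id or 0; it needs sessionManagement=true in Application.cfc and CFID/CFTOKEN (not J2EE) sessions.

```cfml
<cfscript>
// Added example, not from the talk. authenticate() is an assumed application
// function; page paths are assumptions.

// ---- login handler ----
param name="form.username" default="";
param name="form.password" default="";

userId = authenticate(form.username, form.password); // assumed, returns id or 0
if ( userId <= 0 ) {
    // generic failure: do not reveal whether the username exists
    location(url="/login.cfm?failed=1", addToken=false);
}

// Credentials are good. Rotate BEFORE storing identity in the session: the
// pre-login session (whose id an attacker may have planted in the victim's
// browser) is invalidated, the client gets new CFID/CFTOKEN cookies, and any
// existing session data is copied across.
sessionRotate();
session.userId     = userId;
session.loggedInAt = now();
location(url="/home.cfm", addToken=false);
</cfscript>

<cfscript>
// ---- logout handler ----
// Drop the whole session, not just session.userId; a struct with the user id
// removed is still a live session an attacker could continue to use.
sessionInvalidate();
location(url="/login.cfm", addToken=false);
</cfscript>
```

The ordering matters: rotating after session.userId is set still works because the scope is copied, but rotating first means the authenticated identity only ever lives in a session id the attacker never saw.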

Security Analyzer Command line —
Adobe built the Security Analyzer so it can only be invoked from CF Builder
But in CF 2016 you can run CF code from the command line
So you can invoke the Security Analyzer from the CLI via Dave’s GitHub project