ColdFusion Security
Michael Smith, President, TeraTech, Inc
ColdFusion, Database & VB custom development
800-447-9120


Introduction
- ColdFusion security
- Keeping hackers out
- While still letting users and friendly apps in

ColdFusion Security
Here is what we will be covering:
- System software
  - OS -> FW -> WS -> DB -> CF
- Page parameter validation
- User Authentication
- Security Resources

1.1 System software
- a) Operating System/Webserver
  - Delete the guest and administrator NT server userids (create a differently named user for administration)
  - Get the latest Service Packs
  - Patch the ::$DATA and %20 source-disclosure holes
  - Use IIS or Website directory security, possibly with CFAuth too.
  - Clean up the /CGI-BIN directory - it ships with dangerous sample scripts

1.2 System software
- b) Database
  - Store the database in a separate directory from the web root, or on a separate PC.
  - Move from Access to SQL Server - better security features
  - Use user ids and passwords that are hard to guess
  - Delete the guest and sa userids
  - Only grant the read/update/delete rights that you need.
  - Use stored procedures

1.3 System software
- c) Firewall
  - Keeps bad IP packets out
  - Deny by default - keep everything out unless it is explicitly allowed
  - Prevents hackers from moving from machine to machine
  - Only open the ports that are required - e.g. for SQL Server
  - Prevent/Record Denial of Service
  - Proxy access to HTTP
  - Can get in the way of development

1.4 System software
- d) ColdFusion
  - Remove the CFDOCS dir from live servers
  - Remove the Start/Stop page
  - Turn off CFDIRECTORY, CFFILE, CFCONTENT, CFOBJECT
  - Remove any unused CFX and CF tags
  - Use a dedicated server

2: Page Validation
- URL and Form parameters used in SQL
  - SELECT * FROM EMP WHERE ID = #USERID#
  - Extra SQL commands: 0FROM%20MyCustomerTable
  - | (pipe) VBA functions - shell()
- Use VAL() on parameters or check for ' and |
- Encrypt Variables
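The slide's query, first as written and then guarded with the VAL() and quote/pipe checks the slide recommends, plus cfqueryparam as a belt-and-braces binding. This is an added example, not code from the slides; the datasource name Request.dsn and the Form.lastname parameter are assumptions.

```cfml
<!--- As on the slide: the raw URL value is spliced into the SQL string, so anything
      appended after the number (extra SQL, or a |-delimited VBA call on Access) is run. --->
<!---
<cfquery name="getEmp" datasource="#Request.dsn#">
    SELECT * FROM EMP WHERE ID = #URL.userid#
</cfquery>
--->

<!--- VAL() keeps only the leading number: "0 FROM MyCustomerTable" becomes 0 and "abc"
      becomes 0, so whatever followed the number never reaches the database. --->
<cfparam name="URL.userid" default="0">
<cfset safeId = Val(URL.userid)>

<!--- Text parameters cannot go through VAL(); the slide's other check is to refuse the
      single quote (SQL string delimiter) and the pipe (Jet/Access expression delimiter). --->
<cfparam name="Form.lastname" default="">
<cfif REFind("['|]", Form.lastname)>
    <cfabort showerror="Invalid request">
</cfif>

<!--- cfqueryparam (ColdFusion 4 and later) binds each value with a declared type, so the
      database never parses it as SQL. Keep the checks above as well rather than relying
      on either layer alone. --->
<cfquery name="getEmp" datasource="#Request.dsn#">
    SELECT * FROM EMP
    WHERE ID = <cfqueryparam value="#safeId#" cfsqltype="CF_SQL_INTEGER">
      AND LastName = <cfqueryparam value="#Form.lastname#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>
```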

3.1: Authentication
- Stateless web - any page can call another - this is good for open sites
- Hacker pages call your page with false data
- Use CGI.HTTP_REFERER to control who calls you
- Use CGI.CF_TEMPLATE_PATH in application.cfm to control what is run.
- Encrypting code
- NT auth or LDAP

3.2: Authentication
- Protected Header code: in your application.cfm or header.cfm, to be included in every page.
- Your protected links here

3.3: Error handling
- Never display default CF errors - they give out SQL information
- Send the error to the admin
- Don't explain why an attempt failed
- Keep a standard processing time
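An application.cfm that puts sections 3.1 to 3.3 together: custom error pages mailed to the admin, the HTTP_REFERER and CF_TEMPLATE_PATH checks, and a protected-header session check. This is an added example rather than the slides' own protected-header code; the application name, www.example.com, the admin address, the error templates and the includes directory are assumptions, and because the browser supplies the Referer it only complements the session check rather than replacing it.

```cfml
<!--- application.cfm: ColdFusion runs this before every page in the directory tree. --->
<cfapplication name="TeraTechDemo" sessionmanagement="Yes">

<!--- 3.3: never show the default ColdFusion error page (it prints the failing SQL).
      Visitors get a fixed page with no reason given; the full error is mailed to the admin. --->
<cferror type="Request" template="error_request.cfm" mailto="admin@example.com">
<cferror type="Validation" template="error_validation.cfm" mailto="admin@example.com">

<!--- 3.1: refuse pages called from somewhere other than our own site. The Referer is
      set by the client, so this blocks casual cross-site calls but is not authentication. --->
<cfset ourSite = "http://www.example.com/">
<cfif Len(CGI.HTTP_REFERER) AND NOT FindNoCase(ourSite, CGI.HTTP_REFERER)>
    <cfabort showerror="Request refused">
</cfif>

<!--- 3.1: use the requested template's path to stop include-only files
      (e.g. ...\includes\header.cfm) from being run directly as pages. --->
<cfif FindNoCase("\includes\", CGI.CF_TEMPLATE_PATH)
      OR FindNoCase("/includes/", CGI.CF_TEMPLATE_PATH)>
    <cfabort showerror="Request refused">
</cfif>

<!--- 3.2: the protected header itself. Every page except login.cfm needs a session
      variable that only login.cfm sets; the redirect says nothing about why. --->
<cfif NOT IsDefined("Session.userid")
      AND NOT FindNoCase("login.cfm", CGI.CF_TEMPLATE_PATH)>
    <cflocation url="/login.cfm" addtoken="No">
</cfif>
```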

4: Resources
- ecurityzone/
- Tools you could use to analyze your NT servers
- NTSecurity

Real Hacks
- This spring several commercial ColdFusion sites were hacked or shut down due to the CFDOCS hole.
- Security is hard because a hacker only needs one window to be open to get in, while the poor webmaster must work on closing dozens of holes.

What Security Means
- Security is a way of thinking - how can they get in...
- Get patches and read security bulletins - today's secure system may be tomorrow's hack!
- More knowledge is power - don't keep security secret!

Next Steps
- Conduct a security audit
  - Download Michael Dinowitz's MunchkinLand.cfm to test your site for holes
  - Remove CFDOCS
- Change database configuration and passwords
- Validate pages
- Authenticate pages