Application.cfm Tips and Tricks
Michael Smith, President, TeraTech, Inc
ColdFusion, database & VB custom development and training


Presentation copyright TeraTech 2002

Speaker Information
Who am I?
- Michael Smith
- President of TeraTech, Inc, Rockville MD
  - ttWebReportServer, CFXGraphicserver
- MDCFUG, CFUN-02, Fusebox Conf
- Articles in CFDJ, Fusion Authority
- CF_Underground IV, Oct 27th

Overview
- What is Application.cfm
- Directory rules
- Error handler
- Application, Session and Client variables
- Logon and Members only
- Application Setup
- Security

What is Application.cfm
- A regular CFM file that is included ONCE at the beginning of every request.
- Spelt Application.cfm (the capital A matters on Unix).
- The alternative is a CFINCLUDE at the beginning of every template; Application.cfm saves that coding time.

Directory Rules
- CF searches for Application.cfm starting in the current directory of the requested template.
- It moves up the directory tree to the system root (e.g. C:/) until it finds one.
- Even if you don't want to use the Application.cfm feature, have a blank one to save the processing time of that search.

OnRequestEnd.cfm
- OnRequestEnd.cfm is run at the end of the page request.
- The opposite of Application.cfm.
- Must be in the same directory as Application.cfm.
- Not run after CFABORT.

Traps
- Cannot span tags between Application.cfm and OnRequestEnd.cfm (a tag opened in one cannot be closed in the other).

Error handling
- Always have an error handler in Application.cfm (CFERROR tag).
- Never display the default CF errors: they give out SQL information and template paths.
- Instead mail the error to the admin.
- Don't explain to the user why the attempt failed.
- Can be turned off for development IPs.

Error handling code

In Application.cfm:

  <CFERROR type="exception" template="error_exception.cfm" mailto="admin@example.com">

In error_exception.cfm:

  <CFMAIL to="#error.MailTo#" from="coldfusion@example.com" subject="ColdFusion Error">
  #error.RemoteAddress#
  #error.Template#
  #error.DateTime#
  #error.Diagnostics#
  </CFMAIL>
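The "turn off for development IPs" point, as an added example that is not code from the deck: the tail of error_exception.cfm after the CFMAIL above, showing the full diagnostics only to addresses in a developer list and a reason-free message to everyone else. The developer addresses are placeholders.

```cfml
<!--- error_exception.cfm, after the CFMAIL that reports the error to the admin.
      Developer addresses are placeholders; everyone else gets a generic page. --->
<CFSET devIPs = "127.0.0.1,192.168.1.50">

<CFIF ListFind(devIPs, error.RemoteAddress)>
    <!--- developer: show what the default CF error page would have shown --->
    <CFOUTPUT>
    <h2>Error in #error.Template#</h2>
    <p>#error.DateTime# from #error.RemoteAddress#</p>
    <pre>#error.Diagnostics#</pre>
    </CFOUTPUT>
<CFELSE>
    <!--- everyone else: no SQL, no template path, no reason, just a
          timestamp the admin can match against the mail --->
    <CFOUTPUT>
    <p>Sorry, an error occurred and has been reported to the administrator.</p>
    <p>Reference: #error.DateTime#</p>
    </CFOUTPUT>
</CFIF>
<CFABORT>
```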

Application variables
- Global across pages.
- Set up using the CFAPPLICATION tag.
- Use as application.variablename.
  - Lock your usage.
  - Beware the max timeout in CF Admin.

Session variables
- Persistent between pages for ONE user. Set up using the CFAPPLICATION tag.
- Use as session.variablename.
  - Lock your usage.
  - Beware the max timeout in CF Admin.

Client variables
- Persistent between pages for ONE user. Set up in Application.cfm.
- Use as client.variablename.
- Use client variables in place of session variables to avoid locking in CF 5.
- Store them in a DB, NOT the registry.
- Use WDDX for complex variables.
- Timeout is set in CF Admin; test manually for timeouts of less than 2 hours.

Timeouts
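An added Application.cfm fragment, not from the deck, that turns on the three scopes from the last three slides with explicit timeouts, then shows the locked session write and the manual client-variable timeout test. The application name, client DSN and timeout values are placeholders; the CF Admin maximums still cap whatever is set here.

```cfml
<!--- Application.cfm: enable application, session and client variables.
      Name, client DSN and timeouts are placeholders; CF Admin maximums cap them. --->
<CFAPPLICATION name="MyApp"
    applicationtimeout="#CreateTimeSpan(0, 2, 0, 0)#"
    sessionmanagement="Yes"
    sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#"
    clientmanagement="Yes"
    clientstorage="MyClientDSN"
    setclientcookies="Yes">

<!--- session scope: per user, but shared by that user's parallel requests
      (frames, double clicks), so reads and writes are locked in CF 5 --->
<CFLOCK scope="SESSION" type="EXCLUSIVE" timeout="10">
    <CFPARAM name="session.pageViews" default="0">
    <CFSET session.pageViews = session.pageViews + 1>
</CFLOCK>

<!--- client scope: per user, stored in the DB named above, no lock needed.
      The CF Admin purge is measured in days, so a two-hour inactivity
      timeout is enforced here by hand from a last-visit stamp --->
<CFPARAM name="client.loggedIn" default="0">
<CFPARAM name="client.lastVisit" default="#Now()#">
<CFIF DateDiff("n", client.lastVisit, Now()) GT 120>
    <CFSET client.loggedIn = 0>
</CFIF>
<CFSET client.lastVisit = Now()>
```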

Members only
- Want to protect subdirectories for members only.
- Check CGI.script_name for the directory.
- Check whether the user is logged on using a client variable.
- Might also check roles in a more complex system.

Members Only Code

Application Setup
- Set request variables for DSN and webroot constants.
- Request scope doesn't need locking.
- Have different versions for development, staging and production servers.

Application Setup code

... More Setup code
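An added example of the Application Setup slides, not code from the deck: request-scope constants chosen by host name so one Application.cfm serves development, staging and production. Host names, DSN names and paths are placeholders; production is the default case so an unexpected host name never falls back into a development configuration.

```cfml
<!--- Application.cfm: request-scope constants chosen by host name so the same
      code runs unchanged on development, staging and production.
      Host names, DSN names and paths are placeholders. --->
<CFSWITCH expression="#LCase(CGI.SERVER_NAME)#">
    <CFCASE value="localhost,dev.example.com" delimiters=",">
        <CFSET request.environment = "development">
        <CFSET request.dsn = "MyApp_Dev">
        <CFSET request.webroot = "http://#CGI.SERVER_NAME#">
    </CFCASE>
    <CFCASE value="staging.example.com">
        <CFSET request.environment = "staging">
        <CFSET request.dsn = "MyApp_Staging">
        <CFSET request.webroot = "http://staging.example.com">
    </CFCASE>
    <!--- default is production, so an unexpected host name never drops the
          site into a development configuration --->
    <CFDEFAULTCASE>
        <CFSET request.environment = "production">
        <CFSET request.dsn = "MyApp_Prod">
        <CFSET request.webroot = "http://www.example.com">
    </CFDEFAULTCASE>
</CFSWITCH>

<!--- the same on every server; request scope needs no CFLOCK --->
<CFSET request.uploadPath = request.webroot & "/uploads/">
<CFSET request.adminEmail = "admin@example.com">

<!--- page code then never hardcodes a DSN: --->
<CFQUERY name="qEmp" datasource="#request.dsn#">
    SELECT EmpID, LastName FROM EMP ORDER BY LastName
</CFQUERY>
```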

Caching Data
- Store application-wide data in memory in application variables.
- Must lock writes and reads.
- Check whether it exists before creating it.
- Query caching is easier to code.

Caching Data code
SQL…
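An added example for the Caching Data slide, not the deck's code: a lookup query kept in an application variable with the locking and existence check described above, beside the CFQUERY cachedwithin alternative. The DSN (request.dsn) and the States table are placeholders.

```cfml
<!--- Caching a lookup table in the application scope. Reads take a READONLY
      lock, the one-time load an EXCLUSIVE lock, and the existence test is
      repeated inside the exclusive lock so two simultaneous first requests
      don't both run the query. DSN and table are placeholders. --->
<CFLOCK scope="APPLICATION" type="READONLY" timeout="10">
    <CFSET cacheLoaded = IsDefined("application.stateList")>
</CFLOCK>

<CFIF NOT cacheLoaded>
    <CFLOCK scope="APPLICATION" type="EXCLUSIVE" timeout="10">
        <CFIF NOT IsDefined("application.stateList")>
            <CFQUERY name="qStates" datasource="#request.dsn#">
                SELECT StateCode, StateName FROM States ORDER BY StateName
            </CFQUERY>
            <CFSET application.stateList = qStates>
            <CFSET application.stateListLoaded = Now()>
        </CFIF>
    </CFLOCK>
</CFIF>

<!--- copy out under a read lock, then use the local copy freely --->
<CFLOCK scope="APPLICATION" type="READONLY" timeout="10">
    <CFSET qStates = application.stateList>
</CFLOCK>

<!--- the easier alternative: let CF cache the query itself for an hour --->
<CFQUERY name="qStatesCached" datasource="#request.dsn#"
         cachedwithin="#CreateTimeSpan(0, 1, 0, 0)#">
    SELECT StateCode, StateName FROM States ORDER BY StateName
</CFQUERY>
```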

Copy Session to Request
- Session variables require locking; request variables do not.
- Copy the session structure to a structure in the request scope in Application.cfm.
- Use the request variables in code.
- Update any that are changed.
- See the article "How to sidestep locking" on MDCFUG (/Articles/RequestVariables.cfm).
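The copy-to-request technique from this slide, as an added example that is not the deck's or the cited article's code: one read lock in Application.cfm, unlocked page code, and a write-back of changed keys in OnRequestEnd.cfm. The page variables (lastPage, cartCount) are made up for the illustration.

```cfml
<!--- Application.cfm: one READONLY lock per request copies the session
      structure into request.session; page code then uses request.session.*
      with no CFLOCK at all --->
<CFLOCK scope="SESSION" type="READONLY" timeout="10">
    <CFSET request.session = StructCopy(session)>
</CFLOCK>
<!--- snapshot so OnRequestEnd.cfm can tell which keys the page changed --->
<CFSET request.sessionSnapshot = StructCopy(request.session)>

<!--- page code, no lock (variables are made up for the illustration): --->
<CFSET request.session.lastPage = CGI.SCRIPT_NAME>
<CFSET request.session.cartCount = 3>

<!--- OnRequestEnd.cfm: write back new or changed simple values under one
      EXCLUSIVE lock. StructCopy is shallow, so nested structures and queries
      in the session are shared references (changed unlocked, no write-back
      needed); and since OnRequestEnd.cfm does not run after CFABORT, changes
      made before an abort are lost --->
<CFLOCK scope="SESSION" type="EXCLUSIVE" timeout="10">
    <CFLOOP collection="#request.session#" item="key">
        <CFIF IsSimpleValue(request.session[key])
              AND (NOT StructKeyExists(request.sessionSnapshot, key)
                   OR request.session[key] NEQ request.sessionSnapshot[key])>
            <CFSET session[key] = request.session[key]>
        </CFIF>
    </CFLOOP>
</CFLOCK>
```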

Authentication
- Stateless web: any page can call another. This is good for open sites.
- Hacker pages call your page with false data.
- Use CGI.HTTP_REFERER to control who calls you.
- Use CGI.CF_TEMPLATE_PATH in Application.cfm to control what is run.
- Warning: can be spoofed by the browser.

Fake form submits
- Hacker uses View Source in the browser to save your HTML source to their machine.
- Edits the form fields and form action URL and submits to your action page.
- Can now change which record is edited, or remove fields to generate errors.
- Can also remove any client-side validation, including _required fields and JavaScript from CFFORM.

Preventing Fake form submits
To prevent fake form submits:
- Check that HTTP_REFERER is in your domain.
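The referer check from the last two slides as an added example, not the deck's code: Application.cfm rejects POSTs whose HTTP_REFERER host is not in a list of your own hosts. The host list is a placeholder, and as the Authentication slide says the referer is browser-supplied and can be spoofed, so this is one layer rather than the only one.

```cfml
<!--- Application.cfm: reject form posts whose referer is not one of our own
      hosts. Host list is a placeholder. The referer is sent by the browser,
      so it can be spoofed, and some proxies strip it, so rejects are logged. --->
<CFSET request.ownHosts = "www.example.com,staging.example.com">

<CFIF CGI.REQUEST_METHOD EQ "POST">
    <!--- host part of http://host[:port]/path; CF lists skip the empty
          element between the two slashes, so the host is element 2.
          Exact match, so www.example.com.evil.com does not pass --->
    <CFSET refererHost = "">
    <CFIF ListLen(CGI.HTTP_REFERER, "/") GTE 2>
        <CFSET refererHost = ListFirst(ListGetAt(CGI.HTTP_REFERER, 2, "/"), ":")>
    </CFIF>

    <CFIF NOT ListFindNoCase(request.ownHosts, refererHost)>
        <CFLOG file="formcheck"
               text="Rejected POST to #CGI.SCRIPT_NAME# from #CGI.REMOTE_ADDR# referer=[#CGI.HTTP_REFERER#]">
        <!--- don't say which check failed --->
        <CFOUTPUT><p>Sorry, that form could not be processed.</p></CFOUTPUT>
        <CFABORT>
    </CFIF>
</CFIF>
```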

Encrypt URLs
- One way to protect URLs is to encrypt them on all links, form submits and JavaScript submits.
- Use the URLEncrypt() and URLDecrypt() functions from the CFLib project.
- Can decrypt in Application.cfm.

SQL hacking
- URL and Form parameters used in SQL:
  - SELECT * FROM EMP WHERE ID = #USERID#
  - Extra SQL commands on SQL Server: 0FROM%20MyCustomerTable
  - | VBA functions, e.g. shell(), on Access
  - xp_cmdshell in SQL Server

SQL hacking prevention
- Use CFQUERYPARAM on all SQL parameters.
- Check for ' and | etc. in form and URL variables in Application.cfm.
- Encrypt URL variables.
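An added example for the two SQL slides, not code from the deck: the query from the SQL hacking slide beside its CFQUERYPARAM form, and the Application.cfm character scan from the prevention slide. request.dsn and the column names are placeholders; the scan is blunt (it rejects a name like O'Brien), so it backs up CFQUERYPARAM rather than replacing it.

```cfml
<!--- Vulnerable form from the slide: the URL value is pasted into the SQL
      text, so anything appended to the value becomes part of the query --->
<CFQUERY name="qEmpUnsafe" datasource="#request.dsn#">
    SELECT * FROM EMP WHERE ID = #URL.UserID#
</CFQUERY>

<!--- Fixed: CFQUERYPARAM sends the value as a typed bind parameter, so it can
      only ever be an integer and never additional SQL --->
<CFQUERY name="qEmp" datasource="#request.dsn#">
    SELECT EmpID, LastName, FirstName FROM EMP
    WHERE ID = <CFQUERYPARAM value="#URL.UserID#" cfsqltype="cf_sql_integer">
</CFQUERY>

<!--- Application.cfm: the slide's second layer, scanning every form and URL
      value for quote, pipe and semicolon before any template runs. Blunt
      (it rejects O'Brien too), so it backs up CFQUERYPARAM, not replaces it --->
<CFSET scopesToCheck = StructNew()>
<CFSET scopesToCheck.form = form>
<CFSET scopesToCheck.url = url>
<CFLOOP collection="#scopesToCheck#" item="scopeName">
    <CFSET thisScope = scopesToCheck[scopeName]>
    <CFLOOP collection="#thisScope#" item="fieldName">
        <CFSET fieldValue = thisScope[fieldName]>
        <CFIF IsSimpleValue(fieldValue) AND REFind("['|;]", fieldValue)>
            <CFLOG file="sqlcheck"
                   text="Suspicious #scopeName#.#fieldName# from #CGI.REMOTE_ADDR# on #CGI.SCRIPT_NAME#">
            <CFOUTPUT><p>Sorry, your request could not be processed.</p></CFOUTPUT>
            <CFABORT>
        </CFIF>
    </CFLOOP>
</CFLOOP>
```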

Protect CFINCLUDE and CFMODULE files
- Don't let CFINCLUDE and CFMODULE files be run standalone: they may do bad things or generate error messages.
- Protect them using a naming convention or a subdirectory, and test CGI.script_name in Application.cfm.
- Especially important for Fusebox applications with many include files.

Code to protect CFINCLUDE files
- For Fusebox, in Application.cfm:
- Non-Fusebox: check the filename/directory.
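An added example for this slide, not the deck's code, covering both cases: the Fusebox prefix convention (act_, dsp_, qry_, lay_ files are only ever CFINCLUDEd from index.cfm) and a plain /includes/ subdirectory. The prefix list and directory name are assumptions to adjust to your application. Because Application.cfm runs once per request, CGI.SCRIPT_NAME is the requested template, so files reached through CFINCLUDE or CFMODULE are unaffected.

```cfml
<!--- Application.cfm: stop include/module files from being requested
      directly. Fusebox: everything except index.cfm uses an act_/dsp_/qry_/
      lay_ prefix and is only CFINCLUDEd. Non-Fusebox: includes live under
      /includes/. Prefix list and directory name are placeholders. --->
<CFSET thisFile = GetFileFromPath(CGI.SCRIPT_NAME)>
<CFSET fuseboxPrefixes = "act,dsp,qry,lay">
<CFSET includeDir = "/includes/">

<CFSET blockRequest = false>
<!--- Fusebox naming convention --->
<CFIF ListLen(thisFile, "_") GT 1
      AND ListFindNoCase(fuseboxPrefixes, ListFirst(thisFile, "_"))>
    <CFSET blockRequest = true>
</CFIF>
<!--- subdirectory convention --->
<CFIF FindNoCase(includeDir, CGI.SCRIPT_NAME)>
    <CFSET blockRequest = true>
</CFIF>

<CFIF blockRequest>
    <CFLOG file="includecheck"
           text="Direct request for #CGI.SCRIPT_NAME# from #CGI.REMOTE_ADDR#">
    <!--- send them to the real entry point instead of an error message --->
    <CFLOCATION url="/index.cfm" addtoken="No">
</CFIF>
```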

Subnet Auto-Authentication
In your Application.cfm, or a header.cfm included in every page.
Your protected links here
Warning: spoofed IP numbers will get around this code.
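An added example, not the deck's code, serving both the Members Only slides and this one: subnet auto-authentication sets the client login for addresses on a trusted prefix, then the members-only check tests CGI.SCRIPT_NAME for the protected directory and the client variable, with a role check for a sub-area. Directory names, the subnet prefix, the login page and the role names are placeholders; as the slide says, a spoofed IP gets past the subnet part.

```cfml
<!--- Application.cfm (after CFAPPLICATION): protect the /members/ directory.
      Paths, subnet prefix, login page and role names are placeholders. --->
<CFSET request.memberDir = "/members/">
<CFSET request.officeSubnet = "192.168.10.">
<CFPARAM name="client.loggedIn" default="0">
<CFPARAM name="client.userID" default="">
<CFPARAM name="client.roles" default="">

<!--- subnet auto-authentication: requests from the office prefix get a basic
      member login without a password. The slide warns that spoofed IP numbers
      get around this, so it grants the lowest role only --->
<CFIF NOT client.loggedIn
      AND Left(CGI.REMOTE_ADDR, Len(request.officeSubnet)) EQ request.officeSubnet>
    <CFSET client.loggedIn = 1>
    <CFSET client.userID = "office">
    <CFSET client.roles = "member">
</CFIF>

<!--- members only: is this request for a template under /members/ ? --->
<CFIF FindNoCase(request.memberDir, CGI.SCRIPT_NAME)>
    <CFIF NOT client.loggedIn>
        <CFLOCATION url="/login.cfm?return=#URLEncodedFormat(CGI.SCRIPT_NAME)#"
                    addtoken="No">
    </CFIF>
    <!--- the more complex system: /members/admin/ also needs the admin role --->
    <CFIF FindNoCase(request.memberDir & "admin/", CGI.SCRIPT_NAME)
          AND NOT ListFindNoCase(client.roles, "admin")>
        <CFLOCATION url="/noaccess.cfm" addtoken="No">
    </CFIF>
</CFIF>
```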

Custom Debug info
- Variable and structure dump in OnRequestEnd.cfm
  - Use the CF_Dump or CF5 CFDUMP tags to output all session variables, all cookies, etc.
  - objects.com/docs.cfm?f=cf_dump.htm

Session Tracking
- Who is logged on now
  - Keep track of login times to see who's logged in now; record activity and decide who is still on from last activity or a logoff option.
  - Add the userid and session info to a structure in an application variable.
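The structure-in-an-application-variable approach from this slide as an added example, not the deck's code: three fragments (Application.cfm update, logout removal, and a who-is-on page that ages entries out by last activity). It assumes client.loggedIn and client.userID are set at login; the 20-minute window is a placeholder.

```cfml
<!--- Who is logged on now. application.activeUsers is keyed by userID; each
      entry records login time, IP, last activity and last page.
      Assumes client.loggedIn and client.userID are set at login. --->

<!--- 1. Application.cfm, after the login check: record this request --->
<CFIF client.loggedIn>
    <CFLOCK scope="APPLICATION" type="EXCLUSIVE" timeout="10">
        <CFIF NOT IsDefined("application.activeUsers")>
            <CFSET application.activeUsers = StructNew()>
        </CFIF>
        <CFIF NOT StructKeyExists(application.activeUsers, client.userID)>
            <CFSET newEntry = StructNew()>
            <CFSET newEntry.loginTime = Now()>
            <CFSET newEntry.ip = CGI.REMOTE_ADDR>
            <CFSET application.activeUsers[client.userID] = newEntry>
        </CFIF>
        <!--- structs are references, so this updates the shared entry --->
        <CFSET entry = application.activeUsers[client.userID]>
        <CFSET entry.lastActivity = Now()>
        <CFSET entry.lastPage = CGI.SCRIPT_NAME>
    </CFLOCK>
</CFIF>

<!--- 2. logout.cfm: drop the entry explicitly --->
<CFLOCK scope="APPLICATION" type="EXCLUSIVE" timeout="10">
    <CFSET StructDelete(application.activeUsers, client.userID)>
</CFLOCK>

<!--- 3. whoison.cfm: users active in the last 20 minutes; anyone who closed
      the browser without logging out ages out by last activity --->
<CFSET activeMinutes = 20>
<CFLOCK scope="APPLICATION" type="READONLY" timeout="10">
    <CFSET activeCopy = StructCopy(application.activeUsers)>
</CFLOCK>
<CFOUTPUT>
<CFLOOP collection="#activeCopy#" item="uid">
    <CFSET entry = activeCopy[uid]>
    <CFIF DateDiff("n", entry.lastActivity, Now()) LTE activeMinutes>
        #uid#: on since #TimeFormat(entry.loginTime, "HH:mm")#,
        last seen #TimeFormat(entry.lastActivity, "HH:mm")# on #entry.lastPage#<br>
    </CFIF>
</CFLOOP>
</CFOUTPUT>
```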

Back button hacking
- Hacker uses the back button to view sensitive information from a user's browser.
- Consider disabling the back button, especially on logout.

Datasource password
- Don't put the datasource userid and password in CF Admin: if any template is compromised, the hacker can destroy data.
- Don't hardcode them in every CFQUERY call.
- Use request variables in Application.cfm and encrypt the password.
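An added example for this slide, not the deck's code: the DB login kept out of CF Admin, decrypted once per request into request variables, and passed to CFQUERY explicitly. The ciphertext, key file path and DSN are placeholders; the key is read from a file outside the web root rather than written into Application.cfm, since a key next to the ciphertext gives the encryption nothing to protect.

```cfml
<!--- Application.cfm: keep the DB login out of CF Admin and out of every
      CFQUERY. Ciphertext, key path and DSN are placeholders; the key file
      lives outside the web root, never in the page itself. --->
<CFSET request.dsn = "MyApp_Prod">
<CFSET request.dbUser = "app_user">
<!--- produced once, offline, with Encrypt("the-real-password", key) --->
<CFSET encryptedPassword = "PLACEHOLDER_CIPHERTEXT">
<CFFILE action="READ" file="D:\keys\dbkey.txt" variable="dbKey">
<!--- two-argument Decrypt as in CF 5; CF 7 and later accept an algorithm
      argument for stronger ciphers than the compatibility default --->
<CFSET request.dbPassword = Decrypt(encryptedPassword, Trim(dbKey))>

<!--- page code: every query passes the login explicitly --->
<CFQUERY name="qEmp" datasource="#request.dsn#"
         username="#request.dbUser#" password="#request.dbPassword#">
    SELECT EmpID, LastName FROM EMP
    WHERE ID = <CFQUERYPARAM value="#URL.UserID#" cfsqltype="cf_sql_integer">
</CFQUERY>
```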

Questions
- Questions? E-mail me at