CFUNITED – The premier ColdFusion conference www.cfunited.com ColdFusion Application Security The Top Ten Most Critical Web Application Security Vulnerabilities.


1 CFUNITED – The premier ColdFusion conference www.cfunited.com ColdFusion Application Security The Top Ten Most Critical Web Application Security Vulnerabilities

2 June 28th – July 1st 2006 Adam Wayne Lehman
- U.S. Department of State Adobe Developers User Group Manager
- Senior Developer with the U.S. Department of State / IRM Business Center
- Certified Advanced ColdFusion MX 7 Developer
- 10 years of web development experience
- Adrocknaphobia.com

3 Overview
- OWASP
- Top 10 Web Application Vulnerabilities

4 OWASP
- The Open Web Application Security Project (OWASP) is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted
- Research security topics
- Produce guidelines and standards

5 OWASP Top 10 Project
- Represents a broad consensus about what the most critical web application security flaws are
- Available in 5 languages
- Listed as a key best practice by the U.S. Defense Information Systems Agency (DISA)

6 OWASP Web Application Security Vulnerabilities Top 10

7 #10 Insecure Configuration Management
- Having a strong server configuration standard is critical to a secure web application. Few, if any, server products are secure out of the box.

8 #10 Insecure Configuration Management
- Establish a configuration baseline for ColdFusion
  - Do not deploy the ColdFusion Administrator or the sample applications to a production environment
  - Do not deploy RDS to a production environment
- Establish a configuration baseline for the server operating system
- Utilize security scanning tools

9 #9 Denial of Service (DoS Attacks)
- Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

10 #9 Denial of Service (DoS Attacks)
- Keep ColdFusion/JRun up to date with all security-related patches
- Utilize server or hardware solutions
- Minimize the amount of resources used per session
- Minimize unnecessary access to the database and other expensive resources
- Check your error handlers

11 #8 Insecure Storage
- Web applications frequently use cryptographic functions to protect information and credentials. While encryption has become relatively easy to implement and use, developers still frequently make mistakes while integrating it into a web application.

12 #8 Insecure Storage
- Protect sensitive data
  - Passwords
  - Credit card numbers
  - Social Security numbers *
- Encrypt data before you store it
- Use built-in ColdFusion functions
  - hash()
  - encrypt()

* Do you really need to store the information?

13 #8 Insecure Storage - hash()
- Creates a "fingerprint" or unique identifier for the original string.
- It is not possible to convert the hash result back to the source string.
- hash() does not require a key.
- Use a hash rather than encryption for validating data such as passwords.

14 #8 Insecure Storage - encrypt()
- Uses a symmetric key-based algorithm, in which the same key is used to encrypt and decrypt a string.
- The security of the encrypted string depends on maintaining the secrecy of the key.
- Use encryption rather than a hash when storing information that needs to be used in its original format, such as credit card numbers.

15 #8 Insecure Storage - Algorithms
- Compatibility algorithm
  - CFMX_COMPAT
- Block encryption algorithms
  - AES
  - BLOWFISH
  - DES
  - DESEDE
- Password-based encryption algorithms
  - PBEWithMD5AndDES
  - PBEWithMD5AndTripleDES
- CFMX 7 provides the ability to install any additional Java Cryptography Extension (JCE) security providers
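The hash()-for-passwords and encrypt()-for-card-numbers split from slides 12 to 15, as an added CFML example that is not from the talk. It assumes a datasource named "appDSN", a users table with the columns used below, and hypothetical form fields; the key generation is shown inline only for illustration.

```cfml
<cfscript>
// Password: one-way. A per-user random salt means two users with the same
// password get different hashes. hash() needs no key, so there is no secret
// to protect for password storage.
salt    = hash(createUUID(), "SHA-256");
pwdHash = hash(salt & form.password, "SHA-256");

// Card number: must be recoverable, so encrypt() with a symmetric AES key.
// In a real deployment the key is generated ONCE with generateSecretKey()
// and kept outside the database (e.g. a config file readable only by the
// ColdFusion service); generating it here is for illustration only.
cardKey    = generateSecretKey("AES");
cardCipher = encrypt(form.cardNumber, cardKey, "AES", "Base64");
</cfscript>

<cfquery datasource="appDSN">
    INSERT INTO users (username, pwd_salt, pwd_hash, card_enc)
    VALUES (
        <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#salt#"          cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#pwdHash#"       cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#cardCipher#"    cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- Login check: recompute the hash and compare; the password itself is
      never stored and never needs to be recovered. --->
<cfquery name="u" datasource="appDSN">
    SELECT pwd_salt, pwd_hash FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfset loginOK = (u.recordCount EQ 1
                  AND hash(u.pwd_salt & form.password, "SHA-256") EQ u.pwd_hash)>

<!--- The card number is decrypted only at the point where it is needed --->
<cfset cardNumber = decrypt(cardCipher, cardKey, "AES", "Base64")>
```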

16 #7 Improper Error Handling
- Web applications frequently generate error conditions during normal operation.
- Error messages must include meaningful messages for the user
- Error messages may include diagnostic information for the site maintainer
- Error messages should never include useful information to an attacker

17 #7 Improper Error Handling
- CF Administrator
  - Do not enable Robust Exception Information
  - Do not enable Debugging
  - Define a Site-wide Error Handler
- Define application-wide error handlers
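An application-wide error handler of the kind slides 16 and 17 call for, as an added Application.cfc example that is not from the talk. It assumes the Administrator settings above are already applied (Robust Exception Information and Debugging off, a generic Site-wide Error Handler page set); the application name and log file name are hypothetical.

```cfml
<!--- Application.cfc: diagnostics go to the maintainer's log, the user gets
      a meaningful but non-revealing message. --->
<cfcomponent output="false">
    <cfset this.name = "SecureApp">

    <cffunction name="onError" returnType="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- Full detail (message, detail, template, line) is logged where
              only the site maintainer can read it. --->
        <cflog file="#this.name#" type="error"
               text="#arguments.eventName#: #arguments.exception.message# | #arguments.exception.detail#">

        <!--- What the browser sees: no stack trace, SQL text, file path,
              template name or ColdFusion version. --->
        <cfoutput>
            <p>Sorry, your request could not be completed.
               The problem has been logged and will be looked at.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

The Site-wide Error Handler in the Administrator remains the backstop for errors raised outside this application's scope, so keep that page equally generic.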

18 #6 Injection Flaws
- Injection flaws allow attackers to relay malicious code through a web application to another system. Whole scripts can be injected into poorly designed web applications and executed.
- Attacks are commonly aimed at the operating system and the database (SQL injection)

19 #6 Injection Flaws - System
- Set up a sandbox to limit access to
  - All other operating system functions

20 #6 Injection Flaws - Database
- Carefully validate the data provided to ensure that it does not contain any malicious content.
- Limit database permissions
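What "validate the data" looks like for a ColdFusion query, as an added example that is not from the talk: the same lookup written the unsafe way and then with validation plus cfqueryparam. It assumes a datasource "appDSN", a users table, and hypothetical url.id and form.username request values.

```cfml
<!--- Unsafe: the request value is pasted into the SQL text, so whatever
      the client sends becomes part of the statement the database runs. --->
<cfquery name="getUser" datasource="appDSN">
    SELECT id, username, email FROM users WHERE id = #url.id#
</cfquery>

<!--- Hardened: check the type first, then bind the value with cfqueryparam.
      The driver receives a typed parameter, never a spliced-in string, and a
      non-integer id is rejected before any query is sent. --->
<cfif NOT isValid("integer", url.id)>
    <cfthrow type="InvalidRequest" message="Invalid user id">
</cfif>
<cfquery name="getUser" datasource="appDSN">
    SELECT id, username, email FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String columns are bound the same way; maxlength caps what reaches
      the database regardless of what the form field allowed. --->
<cfquery name="findUser" datasource="appDSN">
    SELECT id, username FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar" maxlength="40">
</cfquery>

<!--- "Limit database permissions": the account behind appDSN should hold
      only the rights the application needs (typically SELECT/INSERT/UPDATE on
      its own tables), and the datasource's Advanced Settings in the ColdFusion
      Administrator should allow only those statement types. --->
```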

21 #5 Buffer Overflows
- Attackers use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code – effectively taking over the machine.

22 #4 Cross Site Scripting (XSS) Flaws
- Cross-site scripting (sometimes referred to as XSS) vulnerabilities occur when an attacker uses a web application to send malicious code, generally in the form of a script, to a different end user.
- Two categories
  - Stored
  - Reflective

23 MySpace and XSS
- Samy
  - Stored XSS worm attack, October 2005
  - Amassed 1,000,000+ friends
- GodOfTheNoose
  - Stored XSS worm attack, December 2005
  - Utilized unsanitized variables & Flash
  - Infected 450,000+ users

24 #4 Cross Site Scripting (XSS) Flaws
- Enable Global Script Protection
  - ColdFusion Administrator
    - Checkbox enables protection for all scopes
  - Application.cfc
    - THIS.scriptProtect
    - Allowed values: None, All, or a comma-delimited list of scopes

25 #4 Cross Site Scripting (XSS) Flaws
- Encode user-supplied output with a UDF like HTMLTrans()
  - Download HTMLTrans() from CFLib.org
- Install web server filters
  - URLScan (IIS)
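Output encoding as slides 24 and 25 describe it, as an added example that is not from the talk. It uses the built-in HTMLEditFormat() rather than the HTMLTrans() UDF (whose source is not on this page); url.name is a hypothetical request parameter.

```cfml
<!--- Application.cfc companion setting (scope-level filtering of known script
      patterns; it complements, but does not replace, output encoding):
      <cfset this.scriptProtect = "all">  --->

<cfparam name="url.name" default="">

<!--- Vulnerable: raw request input written straight into the page, so any
      markup in the parameter is rendered and any script in it runs. --->
<cfoutput><p>Hello, #url.name#</p></cfoutput>

<!--- Hardened: encode at the point of output. HTMLEditFormat() turns
      <, >, & and " into entities, so the value is displayed as text. --->
<cfoutput><p>Hello, #HTMLEditFormat(url.name)#</p></cfoutput>

<!--- In attribute context keep the value in double quotes: HTMLEditFormat()
      does not encode single quotes, so a single-quoted attribute would still
      be breakable. --->
<cfoutput>
    <input type="text" name="name" value="#HTMLEditFormat(url.name)#">
</cfoutput>
```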

26 #3 Broken Authentication and Session Management
- Even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions.

27 #3 Broken Authentication and Session Management
- Passwords
  - Enforce complexity
  - Limit invalid login attempts
  - Change controls
  - Stored hashed in the database

28 #3 Broken Authentication and Session Management
- Authenticate via SSL
- Transmit session IDs over SSL
- Do not pass session IDs in the URL
- Use J2EE sessions

29 #2 Broken Access Control
- Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.

30 #2 Broken Access Control
- Centralize authorization
- Insecure IDs
- Harden access to administrative functionality

31 #1 Unvalidated Input
- Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
- May cause
  - Cross Site Scripting flaws
  - Injection flaws
  - Buffer overflows

32 #1 Unvalidated Input
- Validation techniques
  - Mask
  - onBlur
  - onSubmit
  - onServer
  - Hidden form field
  - isValid function
  - &

33 #1 Unvalidated Input
- isValid() function
- Syntax
  - isValid(type, value)
  - isValid("range", value, min, max)
  - isValid("regex" or "regular_expression", value, pattern)
- Supports 20+ types
  - All data types
  - Formatted data
    - Credit card
    - SSN
    - Telephone
    - More…

34 #1 Unvalidated Input
- Validate from your model
- View & server-side
  - Client-side JavaScript
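Server-side validation with isValid() covering the syntax forms and type families listed on slides 32 to 34, as an added example that is not from the talk. The field names, rules and the validateSignup() function are hypothetical.

```cfml
<cfscript>
// Client-side checks (masks, onBlur, onSubmit) help usability but can be
// bypassed, so the model re-validates every value before it is used.
function validateSignup(fields) {
    var errors = arrayNew(1);

    // built-in data types
    if (NOT isValid("email", fields.email))
        arrayAppend(errors, "email must be a valid address");
    // the integer check runs first so the range check never sees a non-number
    if (NOT isValid("integer", fields.age) OR NOT isValid("range", fields.age, 13, 120))
        arrayAppend(errors, "age must be a whole number from 13 to 120");

    // formatted data (US formats)
    if (NOT isValid("telephone", fields.phone))
        arrayAppend(errors, "phone must be a valid telephone number");
    if (NOT isValid("zipcode", fields.zip))
        arrayAppend(errors, "zip must be a valid ZIP code");

    // regular expression for anything without a built-in type: a whitelist
    // of what is allowed, not a blacklist of bad characters
    if (NOT isValid("regex", fields.username, "^[A-Za-z0-9_]{3,20}$"))
        arrayAppend(errors, "username: 3-20 letters, digits or underscores");

    return errors;
}
</cfscript>

<cfset errors = validateSignup(form)>
<cfif arrayLen(errors) GT 0>
    <!--- messages are encoded on output even though they are not user input --->
    <cfoutput>
    <ul>
    <cfloop from="1" to="#arrayLen(errors)#" index="i">
        <li>#HTMLEditFormat(errors[i])#</li>
    </cfloop>
    </ul>
    </cfoutput>
<cfelse>
    <!--- every field passed; the values can now be handed to the data layer --->
</cfif>
```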

35 Recommendations
- Make security part of your SDLC
  - Regularly perform security code reviews
  - Include security in your test conditions
- There is no such thing as too much security
- Security must not sacrifice usability

36 Other OWASP Projects
- AJAX Security Project
- WebScarab Project
- Language specific
  - Java
  - PHP
  - .NET
- Code Review Project

37 OWASP Local Chapters
- 70+ chapters worldwide
- Free and open to anyone
- Monthly meetings

38 Online Resources
- OWASP: www.owasp.org
- ColdFusion Security Center: http://www.macromedia.com/devnet/coldfusion/security.html
- HTMLTrans(): http://www.cflib.org/udf.cfm?ID=945
- Windows 2003 Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
- Adobe Security Topic Center: http://www.adobe.com/devnet/security/

39 Questions / Discussion

