Practical Application Security
Agenda
Introduction
Landscape
Best Practices Guidelines
Examples and Code
Beyond the Platform (ESAPI)
Closing
Introduction
Bilal Soylu
CTO Verian Technologies LLC (www.verian.com)
ColdFusion since mid 90s
Open Source contributor
Enough mistakes to know better ;o)
Blog
http://BonCode.blogspot.com
Security is a common challenge
Many applications have security issues regardless of platform
Thinking about security comprehensively is actually the best way to achieve secure applications
Writing insecure code is easy
Time
Budget
Knowledge
Lunch
Overall Top Ten Vulnerability Classes of 2010
No Application is an Island - My Model
Common Framework
OWASP (www.owasp.org)
Open Web Application Security Project
Using the Top Ten (ranked by risk)
Current Top 10
A1: Injection (SQL) - User Input
A2: Cross-Site Scripting (XSS) - User Input
A3: Broken Authentication and Session Management - Logic
A4: Insecure Direct Object References - User Input
A5: Cross-Site Request Forgery (CSRF) - User Input
A6: Security Misconfiguration - Logic
A7: Insecure Cryptographic Storage - Knowledge
A8: Failure to Restrict URL Access - System Input
A9: Insufficient Transport Layer Protection - System Input
A10: Unvalidated Redirects and Forwards - User Input
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Platform got me covered, right?
Why do I have to worry? Look at this:
XSS A2
Most common vulnerability in web apps
Target is other users
The attacker breaks out of one context into the other:
Data: for display to the user
Code: for execution (running your logic)
Common example: using a vulnerability in your app to distribute a script to other users
XSS is possible without a <script> tag (event handlers, href/src attributes, CSS values)
XSS Example
Easy Hacks - Some Common Trouble
Sessions are always mine (A3)
I am good with Files (A10?)
A Safer File Upload
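One way to do a safer upload in CFML, added here as an example rather than the slide's own code. It assumes an image-only site, a form field named `userfile`, and an `uploads` directory that sits outside the web root and is never served directly; all three are assumptions.

```cfml
<!--- Added example, not the slide's code. Whitelist, storage location and field name are assumptions. --->
<cfset allowedExt  = "jpg,jpeg,png,gif">
<cfset allowedMime = "image/jpeg,image/png,image/gif">
<cfset uploadDir   = expandPath("../uploads/")>   <!--- assumption: sibling of the web root, not served --->

<!--- 1. Land the file in a scratch directory first: cffile has to write it before we can inspect it.
        The accept attribute is NOT used: it checks the MIME type the browser claims. --->
<cffile action="upload" filefield="userfile" destination="#getTempDirectory()#"
        nameconflict="makeunique" result="up">

<cfset tmpPath = up.serverDirectory & "/" & up.serverFile>
<cfset ext     = lCase(listLast(up.serverFile, "."))>

<!--- 2. Whitelist both the extension and the content type. Both are client-influenced
        ("shell.cfm.jpg" passes the extension check), so neither is sufficient alone. --->
<cfif not listFindNoCase(allowedExt, ext)
   or not listFindNoCase(allowedMime, up.contentType & "/" & up.contentSubType)>
    <cffile action="delete" file="#tmpPath#">
    <cfthrow message="Rejected upload: file type not allowed">
</cfif>

<!--- 3. Sniff the bytes: a real image parses, a renamed script does not. --->
<cftry>
    <cfimage action="info" source="#tmpPath#" structname="imgInfo">
    <cfcatch type="any">
        <cffile action="delete" file="#tmpPath#">
        <cfthrow message="Rejected upload: content is not an image">
    </cfcatch>
</cftry>

<!--- 4. Never keep the client's filename (path characters, double extensions, collisions).
        Generate a name, store the original name in the database if you need it for display. --->
<cfset safeName = createUUID() & "." & ext>
<cffile action="move" source="#tmpPath#" destination="#uploadDir##safeName#">
```

Serving the file later goes through a script that looks up `safeName` by id and streams it with `cfcontent`, so the stored file is never executed by the application server even if a polyglot slipped through step 3.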
Session
Don't pass session tokens in the URL (addToken=false in CFLOCATION)
Validate with a cross-checked or encrypted stored cookie (see below)
Switch to JEE sessions or UUID tokens (Administrator: Use J2EE session variables / Use UUID for cftoken)
Use HttpOnly session cookies
-Dcoldfusion.sessioncookie.httponly=true on CF 9.0.1
Consider using SSL when authenticated (prevents sniffers from reading the cookie)
Use application logic to check against hijacking
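The settings above collected into one Application.cfc, as an added example rather than the slide's code. It assumes a `login.cfm` page exists and that the application runs on CF 9.0.1 or later; the `this.sessionCookie` line needs CF10, on 9.0.1 the JVM flag from the slide does the same job.

```cfml
// Application.cfc: added example, not the slide's own code.
// Assumptions: login.cfm exists; this.sessionCookie requires CF10 (ignored on CF9, use the JVM flag there).
component {
    this.name              = "secureApp";
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);        // short idle timeout limits a stolen token's value
    this.setClientCookies  = true;                               // CF writes CFID/CFTOKEN (or JSESSIONID) itself
    this.sessionCookie     = { httpOnly = true, secure = true }; // CF10+: no JavaScript access, HTTPS only

    public boolean function onSessionStart() {
        // Bind the session to the browser that created it. Deliberately not using
        // cgi.remote_addr: mobile and NAT users change address and would be logged out.
        session.fingerprint = hash(cgi.http_user_agent, "SHA-256");
        session.loggedIn    = false;
        return true;
    }

    public boolean function onRequestStart(required string targetPage) {
        var fp = hash(cgi.http_user_agent, "SHA-256");

        // Token presented from a different client than the one that started the session.
        // A cheap hijack check: an attacker who also clones the User-Agent gets past it,
        // so it complements HttpOnly + SSL rather than replacing them.
        if (structKeyExists(session, "fingerprint") && session.fingerprint != fp) {
            structClear(session);              // sessionInvalidate() on CF10+
            location("login.cfm", false);      // addToken=false: never put CFID/CFTOKEN into the URL
        }
        return true;
    }
}
```

Links and redirects elsewhere in the application should use the same `addToken=false` (the second argument to `location()`, or the attribute on `<cflocation>`), otherwise the token still leaks through Referer headers and browser history.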
Injection SQL A1
Target is the database
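The CFML defense for A1 is to never let user input become SQL text. Added example, not the slide's code; the datasource `myDSN`, the `users` table and the `url.id` / `form.q` / `url.sort` parameters are assumptions.

```cfml
<!--- Added example (not from the slides). Datasource, table and parameter names are assumptions. --->

<!--- VULNERABLE: url.id is pasted into the SQL text.
        url.id = "5 OR 1=1"                       returns every row
        url.id = "0 UNION SELECT id,username,password FROM users"   reads another column --->
<cfquery name="getUserBad" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- SAFER: the value travels as a bound parameter and is never parsed as SQL.
        cfsqltype doubles as a type check: "5 OR 1=1" is not an integer and throws before the DB is reached. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings get the same treatment. For a wildcard search the % is appended in CFML,
        so the parameter is "abc%" and the user never writes part of the LIKE expression. --->
<cfquery name="searchUsers" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  username LIKE <cfqueryparam value="#form.q#%" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- Identifiers (ORDER BY, column names) cannot be parameterized: whitelist them. --->
<cfif structKeyExists(url, "sort") and listFindNoCase("username,email,id", url.sort)>
    <cfset orderCol = url.sort>
<cfelse>
    <cfset orderCol = "username">
</cfif>
<cfquery name="listUsers" datasource="myDSN">
    SELECT id, username, email
    FROM   users
    ORDER BY #orderCol#
</cfquery>
```

The last query is the one people forget: `cfqueryparam` protects values, not structure, so anything that chooses a column, a table or a direction has to come from a fixed list in your code.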
Do we really know where you've been last night?
The stateless nature of HTTP means we lose insight into data once it has been transferred to the client
Common Scopes with loss of control
CGI
COOKIE
FORM
URL
CLIENT (?)
Establish a Chain of Trust
How to Regain Control / Trust
How to re-establish trust
Outbound: Encryption -> use secure encryption (see "More Stuff" at the end)
Inbound: Validation
Type
Numeric, Date, String
Content / Scope
Number range, date range, distinct string values (e.g. pass the valid whitelist in encrypted form for non-sequential selections)
Whitelist, whitelist, whitelist
Examples for Form and URL
URL
Form Scope
Indicating trust within your code
Use a generic URL / FORM encryption function
Once inputs have been validated or secured put them into a different scope, e.g.:
Request.URL
Request.Form
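The validate-then-move-scope idea above as working code, added here as an example and not the slide's own implementation. The CFC name `InputGuard`, the rule format and the field names in the usage are assumptions; only fields that pass their rule ever reach `request.url` / `request.form`, so the rest of the application can treat those scopes as trusted and the raw `url` / `form` scopes as off limits.

```cfml
// InputGuard.cfc: added example, not the slide's code. Rule format is an assumption:
//   { type = "integer"|"date"|"string", min, max, allowed (list), pattern (regex), maxlength, fallback }
component {

    // Copy only the fields that pass their rule from source (url / form) into a fresh struct.
    // Anything not in spec is dropped: the whitelist is the spec itself.
    public struct function secure(required struct source, required struct spec) {
        var clean = {};
        var field = "";
        var rule  = {};
        var raw   = "";
        for (field in spec) {
            rule = spec[field];
            if (!structKeyExists(source, field)) {
                if (structKeyExists(rule, "fallback")) clean[field] = rule.fallback;
            } else {
                raw = trim(source[field]);
                if (passes(raw, rule)) {
                    clean[field] = (rule.type == "integer") ? val(raw) : raw;
                }
            }
        }
        return clean;
    }

    // Type first, then content/scope, exactly in the order the slide lists them.
    private boolean function passes(required string raw, required struct rule) {
        if (rule.type == "integer") {
            if (!isValid("integer", raw)) return false;
            if (structKeyExists(rule, "min") && raw < rule.min) return false;
            if (structKeyExists(rule, "max") && raw > rule.max) return false;
            return true;
        }
        if (rule.type == "date") {
            if (!isValid("date", raw)) return false;
            if (structKeyExists(rule, "min") && dateCompare(raw, rule.min) < 0) return false;
            if (structKeyExists(rule, "max") && dateCompare(raw, rule.max) > 0) return false;
            return true;
        }
        // string: an explicit allowed list wins; otherwise cap the length and match a pattern
        if (structKeyExists(rule, "allowed")) return listFindNoCase(rule.allowed, raw) > 0;
        if (structKeyExists(rule, "maxlength") && len(raw) > rule.maxlength) return false;
        if (structKeyExists(rule, "pattern") && !reFind(rule.pattern, raw)) return false;
        return true;
    }
}
```

Usage, from `onRequestStart()` in Application.cfc, with made-up field names: `request.url = new InputGuard().secure(url, { id = { type = "integer", min = 1 }, page = { type = "integer", min = 1, max = 500, fallback = 1 }, sort = { type = "string", allowed = "name,date,price", fallback = "name" } })` and the same call with `form` and its own spec into `request.form`. A later page that reads `request.url.sort` knows it is one of three known values; a page that reads `url.sort` is a code-review finding.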
Outputting Data
Still use Global Script Protection
It is important to know where we are using user-generated data (context)
Outputting data from an uncontrolled / untrusted input will lead to the common XSS scenarios
Only output from a verified scope (e.g. Request.URL); whitelist, whitelist, whitelist
Output data requires context awareness
In data (HTML body) context: XMLFormat()
Welcome #XMLFormat(Form.UserName)#
URL context: URLEncodedFormat()
<a href="my.cfm?par=#URLEncodedFormat(Form.color)#">Col</a>
Outputting ESAPI Enterprise Security API
Java library, an OWASP project
A port to CF (CFESAPI) is in progress (rumored to ship with CF10)
In HTML attributes (between double quotes):
<a href="#Form.Page#">myLink</a>
encodeForHTMLAttribute(formString)
JavaScript context (+ DOM events):
<div onfocus="this.style.color='#form.color#'">
encodeForJavaScript(form.color)
CSS context:
.myCss { color: #form.color# }
encodeForCSS(form.color)
URL context:
<a href="http://targetsite.com/my.cfm?para1=#form.color#">Color</a>
encodeForURL(form.color)
ESAPI has more encoders, e.g. for OS command lines and SQL
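The four contexts above (and the "XSS without a script tag" point from the XSS slide) side by side, vulnerable and encoded, calling the Java ESAPI encoder directly from CFML. This is an added example, not the slides' code or CFESAPI; it assumes the ESAPI jar and its `ESAPI.properties` are on ColdFusion's classpath (otherwise `encoder()` throws at startup), and `form.userName`, `form.color`, `form.page` and `page.cfm` are made up.

```cfml
<!--- Added example, not the slides' code. Assumes the ESAPI jar + ESAPI.properties are on the CF classpath. --->
<cfset enc = createObject("java", "org.owasp.esapi.ESAPI").encoder()>

<!--- Constructed payloads; none of them contains a <script> tag:
        form.color = red" onmouseover="alert(1)          breaks out of the HTML attribute
        form.color = '; alert(1); '                      breaks out of the JavaScript string
        form.color = red; background: url(javascript:alert(1))   abuses the CSS value (older browsers)
        form.page  = javascript:alert(1)                 is a perfectly well-formed href --->

<cfoutput>
<!--- VULNERABLE: one untrusted value, four contexts, no encoding. Do not ship. --->
<p>Welcome #form.userName#</p>
<a href="page.cfm?c=#form.color#">Color</a>
<div onfocus="this.style.color='#form.color#'">focus me</div>
<style>.c { color: #form.color# }</style>

<!--- SAFER: encode for the context the value lands in. --->
<p>Welcome #enc.encodeForHTML(form.userName)#</p>

<!--- URL query parameter --->
<a href="page.cfm?c=#enc.encodeForURL(form.color)#">Color</a>

<!--- Event handler: a JavaScript string *inside* an HTML attribute. Nested contexts are encoded
        innermost first: JS-encode, then attribute-encode the result. --->
<div onfocus="this.style.color='#enc.encodeForHTMLAttribute(enc.encodeForJavaScript(form.color))#'">focus me</div>

<!--- CSS value: encoding makes it inert; a whitelist of colour names is the stronger control --->
<style>.c { color: #enc.encodeForCSS(form.color)# }</style>
</cfoutput>

<!--- A whole href is a URL context before it is an attribute: encodeForHTMLAttribute does not stop
        "javascript:". Validate the shape (http(s), an absolute path, or a local .cfm) and fall back. --->
<cfif reFindNoCase("^(https?://|/[^/]|[a-z0-9_.-]+\.cfm)", form.page)>
    <cfset safePage = form.page>
<cfelse>
    <cfset safePage = "index.cfm">
</cfif>
<cfoutput><a href="#enc.encodeForHTMLAttribute(safePage)#">myLink</a></cfoutput>
```

Global Script Protection only rewrites a handful of tag names, so it catches none of the constructed payloads above; the encoder, applied at the exact output point, is what does the work.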
Keep current with updates
Operating Systems
Databases
Application Servers
Conclusions
Most web attack vectors are based on developer logic errors
Establishing trust in your inputs will go a long way in securing your applications
You can have coding practices indicate to you if inputs have been secured/validated.
Outputting data needs to be context sensitive
OWASP is a superset of guidelines that we should be familiar with
Resources
OWASP (www.owasp.org), which also has nice video episodes
Adobe (http://www.adobe.com/support/security/)
My Blog (http://boncode.blogspot.com)
CFESAPI (https://www.owasp.org/index.php/ESAPI_ColdFusion_CFML_Readme)
ESAPI (https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API)
Thank You
More Stuff
Passwords
Use a hash (SHA-256 or SHA-512)... you need longer storage; add a per-user salt
Encryption
Use strong encryption method, including salt and IV to introduce variability
CFMX_COMPAT is bad (it is not real encryption)
TripleDES, AES and Blowfish are good; AES is fast
Use CBC mode of operation (ECB leaks patterns)
For stronger encryption (longer keys) the JVM's Java policy files need to be changed (JCE Unlimited Strength)
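The password and encryption advice above in one CFC, added as an example rather than the slide's code. `application.dataKey` is an assumed key loaded from configuration at startup (never stored beside the data it protects); the hashing uses SHA-512 with a salt as the slide recommends, iterated to raise the cost per guess, and the comparison is constant-time. A purpose-built password hash (bcrypt or PBKDF2) is the better choice where the platform offers one.

```cfml
// Crypto.cfc: added example, not the slide's code. application.dataKey is an assumed
// base64 AES key loaded from configuration at application start.
component {

    // Passwords: store the digest and the per-user salt, never the password and never an unsalted hash.
    public struct function hashPassword(required string password) {
        var salt = generateSecretKey("AES");       // 128 random bits, base64 encoded: a good salt source
        return { salt = salt, hash = slowHash(password, salt) };
    }

    public boolean function checkPassword(required string password, required string salt, required string stored) {
        return constantTimeEquals(slowHash(password, salt), stored);
    }

    // Salted SHA-512 (slide's recommendation), iterated so each guess costs the attacker `rounds` hashes.
    // Output is 128 hex characters: plan the column width accordingly.
    private string function slowHash(required string password, required string salt, numeric rounds = 10000) {
        var h = hash(salt & password, "SHA-512");
        var i = 0;
        for (i = 1; i <= rounds; i++) {
            h = hash(h & salt, "SHA-512");
        }
        return h;
    }

    // Compare digests without an early exit, so response time does not reveal how many characters matched.
    private boolean function constantTimeEquals(required string a, required string b) {
        var diff = 0;
        var i    = 0;
        if (len(a) != len(b)) return false;
        for (i = 1; i <= len(a); i++) {
            diff = bitOr(diff, bitXor(asc(mid(a, i, 1)), asc(mid(b, i, 1))));
        }
        return diff == 0;
    }

    // Data at rest: AES in CBC mode with PKCS5 padding. With IVorSalt omitted for a block mode,
    // ColdFusion generates a random IV per call and prepends it to the ciphertext, which is the
    // "variability" the slide asks for: two encryptions of the same value do not match.
    public string function encryptField(required string plain) {
        return encrypt(plain, application.dataKey, "AES/CBC/PKCS5Padding", "Base64");
    }

    public string function decryptField(required string cipherText) {
        return decrypt(cipherText, application.dataKey, "AES/CBC/PKCS5Padding", "Base64");
    }

    // Run once at provisioning, store the result in configuration, not in the database.
    // 256-bit keys need the JCE Unlimited Strength policy files on the JVM; 128 works with the default policy.
    public string function newDataKey() {
        return generateSecretKey("AES", 128);
    }
}
```

`CFMX_COMPAT`, the default algorithm when `encrypt()` is called with only two arguments, is a reversible obfuscation rather than a cipher; always pass the algorithm explicitly as above.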