Become a Security Rockstar with ColdFusion 2016


Transcript of Become a Security Rockstar with ColdFusion 2016

Page 1: Become a Security Rockstar with ColdFusion 2016

David Epler, Security Architect

AboutWeb

Become a Security Rockstar with ColdFusion 2016

Page 2

Agenda

• Installation
  • Secure Profile
  • Lockdown Guide
  • Other Considerations
• Updates
  • ColdFusion Updates
  • Support Life Cycle
• Security Analyzer
• Coding Practices
  • Cross-site Scripting (XSS)
  • SQL Injection
  • Cross-site Request Forgery (CSRF)
  • Session Management

Page 3

Installation

Page 4

Installation

• Ensure ColdFusion is installed with the correct profile for the environment it will be used in

https://helpx.adobe.com/coldfusion/installing/installing-the-server-configuration.html

Page 6

Secure Profile

Page 7

CFSCRIPTS Directory

• In ColdFusion 2016 CFIDE access is now removed from the web server and is only accessible to localhost on port 8500
• Following directories are now contained in cf_scripts
  • CFIDE/scripts
  • CFIDE/classes
  • CFIDE/cfclient

Page 8

Lockdown Guide

• Lockdown guide absolutely needs to be used for any public facing ColdFusion Server
• Guide released for each version of ColdFusion since 9
  • ColdFusion 10: https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf
  • ColdFusion 11: https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf
  • ColdFusion 2016: http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf
• Go to Pete's session next in Jasmine FB104 – Bulletproof Your ColdFusion Server With The Lockdown Guide

Page 9

Other Considerations

• Securing other parts of the web stack
  • Operating System
  • Web Server
  • Database Server
• Using additional guidelines
  • Microsoft Baseline Security Analyzer
  • CIS Security Benchmarks
  • DISA STIGs
  • Other vendor guidelines

Page 10

Updates

Page 11

Updates

• Update process
  • Always apply and test on development and test/staging environments first
  • Update as quickly as reasonably possible
• Notification of updates
  • via ColdFusion Administrator
  • blogs.coldfusion.com
  • Twitter/Facebook
  • Adobe Security Notification Service: https://campaign.adobe.com/webApp/adbeSecurityNotificationsRegistration

Page 12

ColdFusion Updates

Page 13

Support Life Cycle

https://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63

Page 14

Security Analyzer

Page 15

Security Analyzer

• Integrated into ColdFusion Builder 2016 to enable developers to avoid common security pitfalls and vulnerabilities while writing ColdFusion code
• Highlights the vulnerable code in the editor
• Classifies the vulnerability type
• Severity level of the vulnerability
• Suggestions on how to fix the vulnerability
• Export report

Page 16

Security Analyzer

• Vulnerability Types
  • SQL Injection
  • XSS Attack
  • PDF XSS Attack
  • CSRF Attack
  • CFLocation Validation
  • Cookie Validation
  • Passwords
  • File Upload Validation
  • Get vs Post
  • File Injection

Page 17

Security Analyzer

• Enterprise Only
  • Does not work in Developer or Standard Edition
  • Does not work with ColdFusion built into ColdFusion Builder
  • ColdFusion Server 2016 needs to be installed with Developer Profile
  • RDS is required
• Need access to port 8500, or
  • Create virtual mapping for /CFIDE and modify uriworkermap.properties for the given connector to remove the ! in front of /CFIDE/*=cfusion
• Keep update versions of ColdFusion and ColdFusion Builder in sync
  • Communication changed between Release, Update 1, and Update 2
  • Updates improve detection cases

Page 18

Security Analyzer Workflow

Page 19

Security Analyzer Demo

Page 20

Coding Practices

Page 21

Coding Practices

• Just upgrading to latest version will not secure your code
  • Need to use language enhancements introduced since ColdFusion 10
• Reviewing code in use
• Training developers to use more secure coding practices
  • Security best practices change over time

Page 22

Cross Site Scripting (XSS)

• Enables attackers to inject client-side script into web pages
  • Session Hijacking
  • Phishing for passwords or other info
• Several types
  • Persistent (Stored)
  • Non-Persistent (Reflected)
  • DOM-based

Page 23

Cross Site Scripting (XSS)

Page 24

Cross Site Scripting (XSS)

• Old encoding functions

Context          Example
HTML             <p>Hi #htmlEditFormat(url.name)#</p>
HTML Attribute   <div id="#htmlEditFormat(url.name)#"/>
JavaScript       <script>x='#jsStringFormat(url.name)#'</script>
                 <a onmouseover="foo(#jsStringFormat(url.name)#)"/>
CSS              <div style="font-family:#form.fontname#"/>
URL              <a href="index.cfm?id=#urlEncodedFormat(cookie.id)#"/>

Page 25

Cross Site Scripting (XSS)

• New OWASP ESAPI encoders available in ColdFusion 10+
• Replace htmlEditFormat, jsStringFormat, and urlEncodedFormat

Context          Example
HTML             <p>Hi #encodeForHTML(url.name)#</p>
HTML Attribute   <div id="#encodeForHTMLAttribute(url.name)#"/>
JavaScript       <script>x='#encodeForJavaScript(url.name)#'</script>
                 <a onmouseover="foo(#encodeForJavaScript(url.name)#)"/>
CSS              <div style="font-family:#encodeForCSS(form.fontname)#"/>
URL              <a href="index.cfm?id=#encodeForURL(cookie.id)#"/>

Page 26

Cross Site Scripting (XSS)

Page 27

Cross Site Scripting (XSS)

• WYSIWYG HTML editors
• ColdFusion 11 added support for HTML sanitization using OWASP AntiSamy
  • isSafeHTML(inputString, [policyFile], [throwOnError])
  • getSafeHTML(inputString, [policyFile], [throwOnError])
• ColdFusion's default policy based on Slashdot policy from project https://code.google.com/archive/p/owaspantisamy/downloads
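The two XSS slides above in one page, as an added example that is not from the deck: each request-derived value is encoded for the exact context it lands in, and the WYSIWYG field is sanitized with AntiSamy instead of encoded. The `profile` struct and its hostile-looking values are constructed for the example.

```cfml
<!--- Added example, not from the slides. "profile" is a constructed stand-in
      for a record loaded from the database; the values are deliberately hostile. --->
<cfscript>
    profile = {
        displayName = 'O''Reilly <img src=x onerror=alert(1)>',
        theme       = 'serif"; background:red',
        bioHtml     = '<p>Hi <b>there</b></p><script>alert(1)</script>'
    };

    // WYSIWYG bio: sanitize with the default (Slashdot-based) AntiSamy policy.
    // isSafeHTML() reports whether the input violates the policy; getSafeHTML()
    // returns it with offending elements and attributes removed.
    safeBio = isSafeHTML( profile.bioHtml ) ? profile.bioHtml : getSafeHTML( profile.bioHtml );
</cfscript>

<cfoutput>
<!--- Text inside an element: HTML body context --->
<h1>#encodeForHTML( profile.displayName )#</h1>

<!--- Same value inside an attribute: attribute context, quotes cannot be closed early --->
<div id="user" data-name="#encodeForHTMLAttribute( profile.displayName )#">profile</div>

<!--- Inside a CSS declaration: CSS context --->
<div style="font-family: #encodeForCSS( profile.theme )#">styled</div>

<!--- Handed to JavaScript: JS string context, still wrapped in quotes --->
<script>var who = '#encodeForJavaScript( profile.displayName )#';</script>

<!--- As a query-string value: URL context --->
<a href="profile.cfm?name=#encodeForURL( profile.displayName )#">Link</a>

<!--- The sanitized rich-text field is meant to render as markup, so it is
      output as-is rather than passed through encodeForHTML() as well,
      which would display the tags as literal text. --->
#safeBio#
</cfoutput>
```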

Page 28

SQL Injection

Tweet pic from someone that did not responsibly disclose an issue to the site owner that has SQL Injection

Page 29

SQL Injection

• Allows attacker to do any of the following:
  • Download all data in database
  • Modify or Delete all data in database
  • Execute stored procedures or processes in some cases

Page 30

SQL Injection

Page 31

SQL Injection – Partially Fixed

• <cfqueryparam> was introduced in ColdFusion 4.5
• Still missing in a lot of old code and too many developers do not use it

Page 32

SQL Injection – Fixed

Page 33

SQL Injection

• SQL Injection is not limited to <cfquery>
• Stored procedures
  • Use <cfprocparam>
  • Do not use exec inside <cfquery>
• ORMExecuteQuery() and QueryExecute()
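The "partially fixed" and "fixed" slides above are images in the deck; the following is an added example, not the deck's code, showing the same progression and extending it to stored procedures, queryExecute() and ormExecuteQuery(). The datasource "appDS", the users table, the getUserById procedure and the User entity are all hypothetical.

```cfml
<!--- Added example, not from the slides. Datasource, table, procedure and
      ORM entity names are hypothetical. --->

<!--- VULNERABLE: url.id is concatenated into the SQL text, so whatever the
      client sends in ?id= is parsed as part of the statement. --->
<cfquery name="qBad" datasource="appDS">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- FIXED: <cfqueryparam> binds the value as a typed parameter. The database
      never sees it as SQL, and cf_sql_integer rejects non-numeric input outright. --->
<cfquery name="qGood" datasource="appDS">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Stored procedures: pass arguments through <cfprocparam>, not via an
      EXEC string assembled inside <cfquery>. --->
<cfstoredproc procedure="getUserById" datasource="appDS">
    <cfprocparam cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="qProc">
</cfstoredproc>

<cfscript>
    // queryExecute(): same parameter binding in script syntax. The struct
    // value carries the type, equivalent to the <cfqueryparam> above.
    qScript = queryExecute(
        "SELECT id, username FROM users WHERE id = :id",
        { id = { value = url.id, cfsqltype = "cf_sql_integer" } },
        { datasource = "appDS" }
    );

    // ormExecuteQuery(): HQL is injectable in exactly the same way, so the
    // request value is bound as a named parameter, never concatenated.
    users = ormExecuteQuery(
        "from User where id = :id",
        { id = url.id }
    );
</cfscript>
```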

Page 34

Cross-site Request Forgery

• Causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated
  • Could result in a transfer of funds, changing a password, or purchasing an item
  • Impact varies greatly based on the privileges of the user
• Occurs without knowledge of the target user, until the unauthorized transaction has been committed

Page 35

Cross-site Request Forgery

• Random Token
  • CSRFGenerateToken([key], [forceNew])
    • Generates a random token and stores it in the session
  • CSRFVerifyToken(token, [key])
    • Validates the passed-in token against the token stored in the session
• Must have session variables enabled

Page 36

Session Management

• SessionRotate()
  • Creates a new session and copies session scope into this new session, then invalidates the old session
  • Used after a valid login to prevent session fixation
• SessionInvalidate()
  • Clears session scope and makes the current session identifiers no longer valid
• Only works with ColdFusion sessions (CFID/CFToken), does not work with JEE sessions (JSESSIONID)
  • SessionRotate for JEE sessions - http://www.petefreitag.com/item/829.cfm
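The CSRF token functions and the session functions from the last two slides fit together in one login flow; the following is an added example, not code from the deck. It assumes Application.cfc has this.sessionManagement = true (ColdFusion sessions, not JEE sessions) and a hypothetical checkCredentials() that returns a user struct, or an empty struct on failure.

```cfml
<!--- Added example, not from the slides. Assumes ColdFusion session management
      is enabled and a hypothetical checkCredentials(username, password). --->

<!--- login.cfm: embed the per-session token in the form --->
<cfoutput>
<form method="post" action="doLogin.cfm">
    <input type="hidden" name="csrfToken" value="#CSRFGenerateToken('login')#">
    <input type="text" name="username">
    <input type="password" name="password">
    <button type="submit">Log in</button>
</form>
</cfoutput>

<!--- doLogin.cfm: verify the token before touching anything else --->
<cfscript>
    // CSRFVerifyToken() returns false when the token is missing, does not
    // match the one stored in the session, or was generated under another key.
    if ( !CSRFVerifyToken( form.csrfToken ?: "", "login" ) ) {
        cfheader( statuscode=403, statustext="Forbidden" );
        writeOutput( "Invalid request token." );
        abort;
    }

    user = checkCredentials( form.username, form.password ); // hypothetical
    if ( structIsEmpty( user ) ) {
        writeOutput( "Login failed." );
        abort;
    }

    // Valid login: rotate CFID/CFToken so a session identifier fixed on the
    // browser before authentication is no longer valid. Session scope,
    // including the CSRF token, is copied into the new session.
    SessionRotate();
    session.user = user;

    // Issue a fresh token for the authenticated session (forceNew = true)
    CSRFGenerateToken( "login", true );
    location( url="home.cfm", addToken=false );
</cfscript>

<!--- logout.cfm: clear the scope and retire the current identifiers --->
<cfscript>
    SessionInvalidate();
    location( url="login.cfm", addToken=false );
</cfscript>
```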

Page 37

One more thing

Page 38

Security Analyzer Commandline

• Adobe only built access to Security Analyzer through ColdFusion Builder

But…

• Using new command line abilities in ColdFusion 2016 built a solution
  • Available on GitHub, https://github.com/dcepler/cf-cmdline-sec-ana
  • Requires ColdFusion Server 2016 Update 2 or higher
• Allows for integration of the Security Analyzer into source code commit hooks and build processes

Page 39

Security Analyzer Commandline Demo

Page 40

Q&A - Thanks

• Blog: https://www.dcepler.net
• Email: [email protected]
• Twitter: @dcepler
• GitHub: https://github.com/dcepler

Please remember to complete the session survey

Page 41

Thank you!