SECURING LEGACY CFML
PETE FREITAG, FOUNDEO INC.
ABOUT PETE
• My Company: Foundeo Inc.
• Consulting: Code Reviews, Server Reviews, Development
• FuseGuard: Web App Firewall for CFML
• HackMyCF: Server Security Scanner
• Blog (petefreitag.com), Twitter (@pfreitag), #CFML Slack
• Guy behind cfdocs.org community sourced CFML docs.
AGENDA
• Legacy Code Challenges
• How do you get started?
• Low Hanging Fruit
• Things to focus on
• What’s Next?
• Disclaimer: This approach may not be appropriate for all scenarios. This is a generalized approach which I have found can work well for many.
DO YOU HAVE TO WORK WITH LEGACY CODE?
TYPICALLY
LEGACY CODE
• Has a large codebase (thousands of source code files)
• Has code you hope you don't have to see again.
• Can take weeks, and often months, of work to secure properly.
• Can be hard to fix; brittle.
• Probably uses outdated techniques
FIXING A LARGE CODEBASE
HOW TO APPROACH
• Beast Mode - Spend several weeks dedicated to identifying & fixing vulnerabilities.
• Prioritize - Spend time identifying the most critical vulnerabilities and patch less critical vulnerabilities as you see them.
• As you go - As you work on files fix vulnerabilities as you see them. You may not ever fix some vulnerabilities with this approach.
SECURING THAT LEGACY CODE
HOW DO YOU START?
STEP 1: DELETE THE CODE!
LEGACY CODEBASES ARE LARGE BUT… MUCH OF THE CODE PROBABLY NEVER RUNS
HOMEMADE VERSION CONTROL
YOU MIGHT BE USING…
• index_2.cfm
• index.old.cfm
• index-backup.cfm
• index-2007-03-04.cfm
• index-copy.cfm
• folder_backup2009/
VERSION CONTROL
• Those backup folders and files are probably full of vulnerabilities.
• A version control server keeps a backup of all your code and of every change you have ever made to it.
• Sync the server's source code with version control.
• That lets you identify whether someone changed something on the server.
IDENTIFY UNUSED CODE
VERSION CONTROL
• Spend some time to identify unused code.
• Delete it!
• Version control has your back, if you deleted something you can recover it from the repository.
“THERE ARE LOTS OF FADS IN SOFTWARE DEVELOPMENT, VERSION CONTROL IS NOT ONE OF THEM.”
WELCOME TO THE 90’S
PATCH THAT SERVER
• Use ColdFusion 10 or greater (CF9 and below are no longer supported and no longer patched by Adobe).
• Railo has not been touched since 2014, use Lucee (it is very easy to switch).
• Windows 2008 (EOL 2015)
• Java 8+, Java 7 (EOL 2015), Java 6 (EOL 2013)
FIX VULNERABILITIES
PATCH THAT SERVER
• Multiple Denial of Service Vulnerabilities in old versions of Java
• Path Traversal via Null Byte Injection (JVM)
• CRLF Injection (CF10+)
• File Uploads “somewhat” more secure (CF10+)
• TLS / SSL Protocol Implementations
• Java 8 Not supported on CF9 and below
MITIGATES POTENTIAL IMPACT OF A VULNERABILITY
LOCKDOWN THE SERVER
• If your CFML server is running as SYSTEM or root then an attacker who exploits it can do a lot more harm.
• If the CFML server user has read-only access to the web root, an attacker cannot write files there.
WEB APPLICATION FIREWALLS
IMPLEMENT A WAF
• Inspect HTTP Request or Response
• Block or log malicious requests
• Several options:
  • Hardware
  • Web Server Level - ModSecurity
  • Application Level - FuseGuard
SECURING THAT LEGACY CFML
HOW DO YOU START?
STEP 2: IDENTIFY HIGH RISK VULNERABILITIES IN YOUR CODE.
TAKE CARE OF THESE FIRST
HIGH RISK VULNERABILITIES
• File Uploads
• Dynamic Evaluation Issues
• SQL Queries (SQL Injection)
• File System Access / Path Traversals
• Dynamic Process Execution (CFEXECUTE)
• Anything that can fully compromise server
REMOTE CODE EXECUTION VIA EVALUATE
CODE EXAMPLE
COMMON LEGACY EVALUATE
<cfset day_1 = "Wednesday">
<cfset day_2 = "Thursday">
<cfset day_3 = "Friday">
<cfoutput>#Evaluate("day_#url.day#")#</cfoutput>
EVALUATE EXAMPLE
USE BRACKET NOTATION
FIXING LEGACY EVALUATE EXAMPLE
<cfset day_1 = "Wednesday">
<cfset day_2 = "Thursday">
<cfset day_3 = "Friday">
<cfoutput>#variables["day_#url.day#"]#</cfoutput>
SEARCH CODE FOR EVALUATE
FIXING EVALUATE ISSUES
• Search Code for "Evaluate"
• In most cases you should not need to use Evaluate at all, use brackets.
• If the variable is a query you may need to use queryName[row][columnName] notation.
• Not all cases are super simple to fix, but most are.
• Remove all Evaluate calls from your code.
DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
IF YOU ARE USING IIF STOP USING IIF
IIF
Hi #iif(len(url.name) EQ 0, de("Friend"), de(url.name))#
The second and third arguments are evaluated dynamically!
IIF EXAMPLE
USE TERNARY OPERATOR (CF9+, LUCEE)
FIXING IIF
Hi #(!len(url.name)) ? "Friend" : url.name#
ELVIS OPERATOR (CF11+, LUCEE)
Hi #url.name ?: "Friend"#
The Elvis operator tests whether url.name is defined / not null.
DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
YES! The PrecisionEvaluate function also dynamically evaluates expressions.
DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
YES! Lucee 5 has added a render function that evaluates tags dynamically.
DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
NO! Not that I know of.
FILE UPLOADS: COMMON YET DANGEROUS
FILE UPLOAD EXAMPLE
3 RULES
FILE UPLOADS
• The upload destination must be outside of the web root
• Always validate the file extension against a whitelist
• Don't trust mime type validation in the accept attribute
ADDITIONAL TIPS
FILE UPLOADS
• Inspect file content: fileGetMimeType, isImageFile, isPDFFile, etc
• Upload to static content server (s3 for example)
• Upload directly to s3: https://www.petefreitag.com/item/833.cfm
• Make sure directory serving uploaded files cannot serve dynamic content.
• File Extension Whitelist on Web Server (eg IIS Request Filtering)
• secureupload.cfc: https://github.com/foundeo/cfml-security/
FILE SYSTEM ACCESS & PATH TRAVERSAL
VULNERABLE CODE EXAMPLE
PATH TRAVERSAL
<cfinclude template="path/#fileName#">
PATH TRAVERSAL EXAMPLE
TIPS
FIXING PATH TRAVERSALS
• Avoid variables in paths
• If you really need to use a variable, strip out everything except a-z0-9.
• Use the CF11 Application.cfc setting this.compileExtForInclude.
CAN BE TIME CONSUMING
FINDING FILE ACCESS ISSUES
• Review all function calls / tags that access file system
• cffile, cfdocument, cfinclude, cfmodule, cfspreadsheet
• fileRead, fileWrite, fileOpen, etc
SQL INJECTION
CODE EXAMPLE
CLASSIC SQL INJECTION
<cfquery>
  SELECT title, story FROM news WHERE id = #url.id#
</cfquery>
CODE EXAMPLE
FIXING SQL INJECTION
<cfquery>
  SELECT title, story FROM news WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
SQL INJECTION
SCRIPT BASED
Vulnerable:
queryExecute("SELECT story FROM news WHERE id = #url.id#");
Not Vulnerable:
queryExecute("SELECT story FROM news WHERE id = :id", {id=url.id});
FINDING SQL INJECTION
• Search the codebase for cfquery, queryExecute, ormExecuteQuery
• Use Static Code Analyzer (CFBuilder 2016)
• Fix when you see one as you work
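A Python triage script, added here as an example (it is not from the deck or from Foundeo's tools), that mechanises the "search your code" steps from the Evaluate, file access and SQL injection slides and also flags the backup-style file names from the homemade version control slide. The sample files and the check names are constructed for this example.

```python
"""Triage scan of CFML source for the constructs the deck says to search for (regex leads, not proof)."""
import re

# Constructed sample files standing in for a legacy codebase (not the deck's code).
SAMPLE_FILES = {
    "news.cfm": '<cfquery name="q" datasource="db">\n'
                "  SELECT title, story FROM news WHERE id = #url.id#\n</cfquery>\n",
    "safe.cfm": '<cfquery name="q" datasource="db">\n  SELECT title FROM news WHERE id = '
                '<cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">\n</cfquery>\n',
    "day.cfm": '<cfoutput>#Evaluate("day_#url.day#")#</cfoutput>\n'
               '<cfinclude template="path/#fileName#">\n'
               'Hi #iif(len(url.name) EQ 0, de("Friend"), de(url.name))#\n',
    "calc.cfc": "x = precisionEvaluate(form.expr);\n"
                'queryExecute("SELECT story FROM news WHERE id = #url.id#");\n'
                'queryExecute("SELECT story FROM news WHERE id = :id", {id=url.id});\n',
    "index_2.cfm": "<!--- stale copy kept as homemade version control --->\n",
}

# Pattern checks: dynamic evaluation (Evaluate, PrecisionEvaluate, iif, Lucee render),
# process execution, variables in include paths, script queries built by interpolation.
CHECKS = [
    ("dynamic-evaluation", re.compile(r"\b(evaluate|precisionevaluate|iif|render)\s*\(", re.I)),
    ("process-execution", re.compile(r"<cfexecute\b", re.I)),
    ("dynamic-include-path", re.compile(r'<cf(include|module)\b[^>]*\btemplate\s*=\s*"[^"]*#', re.I)),
    ("queryexecute-interpolation", re.compile(r'queryExecute\s*\(\s*"[^"]*#[^"]*"', re.I)),
]
CFQUERY = re.compile(r"<cfquery\b.*?</cfquery>", re.I | re.S)
CFQUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
INTERPOLATION = re.compile(r"#[^#\n]+#")
# File names from the deck's "homemade version control" slide (index_2.cfm, index.old.cfm, ...).
BACKUP_NAME = re.compile(r"(_\d+|[.-]old|-?backup\d*|-copy|-\d{4}-\d{2}-\d{2})\.cfm$", re.I)


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def scan_source(text):
    """Return (check, line, snippet) findings for one CFML source, ordered by line."""
    findings = []
    for name, pattern in CHECKS:
        for m in pattern.finditer(text):
            findings.append((name, _line_of(text, m.start()), m.group(0)[:60]))
    for q in CFQUERY.finditer(text):
        # Blank out cfqueryparam tags (keeping their newlines) so only raw #..# in SQL remains.
        body = CFQUERYPARAM.sub(lambda m: "\n" * m.group(0).count("\n"), q.group(0))
        for m in INTERPOLATION.finditer(body):
            line = _line_of(text, q.start()) + _line_of(body, m.start()) - 1
            findings.append(("cfquery-interpolation", line, m.group(0)[:60]))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def scan_files(files):
    """Scan a {path: source} mapping; backup-named files are flagged whatever they contain."""
    report = {}
    for path, text in files.items():
        findings = scan_source(text)
        if BACKUP_NAME.search(path):
            findings.insert(0, ("backup-copy-in-tree", 0, path))
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES).items():
        for check, line, snippet in findings:
            print(f"{path}:{line}: {check}: {snippet}")
```

To run it against a real tree, read each .cfm and .cfc file into the mapping passed to scan_files; treat every hit as a lead for the code review, since the filename heuristics and regexes will produce false positives.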
SECURING LEGACY CFML
STEP 3: FIX ADDITIONAL VULNERABILITIES IN YOUR CODE.
TO REVIEW
WHAT'S NEXT
• Session Handling (sessionRotate, sessionInvalidate)
• Scope Injection
• Authentication / Authorization / Forgot / Remember Me Code
• Cross Site Scripting
• Cross Site Request Forgery
• Timing Attacks
• Visit OWASP.org for tons of info about web application vulnerabilities
THANK YOU
Questions?
Pete Freitag [email protected]
foundeo.com | fuseguard.com | hackmycf.com