ColdFusion Code Security
Michael Smith
President
TeraTech, Inc
ColdFusion, database & VB custom development and training.
http://www.teratech.com
800-447-9120
Speaker Information
Who am I? Michael Smith President of TeraTech, Inc Rockville MD
http://www.teratech.com/ ttWebReportServer, CFXGraphicserver
MDCFUG, CFUN-02, Fusebox Conf Articles in CFDJ, Fusion Authority
IntroductionThe ColdFusion security
challenge: Keeping hackers out While still letting users and friendly
apps in
“Balance security vs easy of use”
The Challenge
SecuritySecurity
ColdFusion SecurityHere is what we will be covering: Error handling Form Validation Page parameter validation User Authentication Members Only Encryption and passwords
Not covered in this talk
Server security Database security Hardware security Operating system security TeraTech’s CF201 Class covers
more security topics than we can cover in an hour.
Error handling Always have an error handler in
Application.cfm Never display default CF errors -
gives out SQL information and template paths
Instead email error to admin Don’t explain why attempt failed Standard processing time
Error handling code
In Application.cfm:<cferror type="EXCEPTION"
template="error_exception.cfm" mailto=“michael@teratrech,.com"><CFMAIL to="#error.MailTo#"
from="[email protected]" subject="ColdFusion Error">#error.RemoteAddress##error.Template##error.DateTime##error.Diagnostics#
</CFMAIL>
Form Validation
Why it is important Underscore validation CFFORM validation Javascript validation CF validation SQL validation Fake form submits
Why is validation important?
Malicious exploits are possible Bad data may be entered Server crashes Hacker can force an error
message
Underscore Validation
AKA Form-level validation Easiest to implement<Input Type=“Hidden”
Name=“field_required” value=“Error message”>
Runs on the server based on this hidden parameter from the form page
Trusts the browser that the form variable is passed
Effectively client-side, although actual validation occurs on the server
CFFORM Validation
Automagically generates form-level validation and javascript validation
Works well enough in simple forms Does not adapt well for complex
forms, need for complex validation, javascript, etc.
Generally roll-your-own is preferred
Still trusts browser
Javascript Validation
Available many places Swipe from the source code
generated by CFForm http://builder.com/
Totally browser dependent With CF Form, won’t even submit if
javascript not present Effectively useless with 508 BUT! Least server traffic
CF Validation
Occurring on the ACTION page, on the server side
Need not trust the browser 508 compliant, browser
independent A little more complicated to write,
but necessary on public sites
Authentication Stateless web - any page can call
another - this is good for open sites Hacker pages call your page with
false data Use CGI. HTTP_REFERER to
control who calls you Use CGI. CF_TEMPLATE_PATH
application.cfm control what is run.
Warning - Can be
spoofed by browser
Fake URLs
Hacker edits your URL to get data they shouldn’t see or to force page error.
Protect URLs with checksum – eg hash() function.
How to checksum a URL
In calling page:<a href="bouquet.cfm?ID =
#GetBouquets.BouquetID#&checksum=#hash(GetBouquets.BouquetID)#">
In target page:<CFIF hash(URL.ID) neq checksum>
Bad URL <CFABORT></CFIF>
Fake form submits
Hacker copies your HTML source to their machine, edits form fields and submits to your action page.
They can now edit your hidden fields or remove fields to generate error messages
Hidden form field token Check HTTP_REFERER is in your
domain
Fake cookies
Cookies can be faked too – they are just in text file on client machine
Don’t assume cookie value is valid For top security add checksum to
cookie.
Page Validation URL and Form parameters used in SQL
SELECT * FROM EMP WHERE ID = #USERID#
Extra SQL commands on SQL Serverhttp://myserver/page.cfm?ID_VAR=7%3BDELETE
%20FROM%20MyCustomerTable
| VBA functions - shell() on Access xp_cmdshell in SQL Server
Use VAL() on parameters or check for ‘ and | or use <CFQUERYPARAM>
Encrypt Variables Checksum URLs
The Challenge
TechnologyTechnology
CFQUERYPARAM
Code example:
<CFQUERY name="getFirst" DATASOURCE="cfsnippets"> SELECT * FROM courses WHERE course_id=<CFQUERYPARAM value="#course_id#" CFSQLType="CF_SQL_integer"> </CFQUERY>.
Also runs faster SQL too – cached query plan.
Protect CFINCLUDE and CFMODULE files Don’t let CFINCLUDE and
CFMODULE files be run standalone – they may do bad things or generate error messages
Protect using a naming convention/ subdirectory and test in application.cfm of CGI.script_name
Especially important for Fusebox applications with many include files
Code to protect CFINCLUDE files For Fusebox In Application.cfm:
<CFIF CGI.script_name contains “index.cfm”>
<!--- ok to run --->
<CFELSE>
<CFABORT SHOWERROR="Protected page">
</CFIF> Non-Fusebox – check filename/directory
Code Defensively
Assume bad things will happen and code for them
Always code the CFELSE and CFDEFAULTCASE
Check input parameters exist using CFPARAM, they are of correct type and are that they are in range.
E.g. <CFPARAM NAME=“urilid" TYPE="numeric“>
Input massaging
Textarea field may be stored to database for redisplay
Bad characters can force errors Bad users may enter JavaScript or
CF functions into your text hoping you will use evaluate() on them.
Strip them out using a regular expression.
CFCONTENT
CFCONTENT can be misused to send back your source code – eg filename/path in URL
Store files it sends in directory outside of webroot.
Logins
Use Strong SSL where available http://www.thawte.com/
Require at least 8 chr password Consider requiring numbers in password Consider forcing regular password
changes depending on application Strong form validation Consider blocking accounts after multiple
failed attempts
Authentication Protected Header code
In your application.cfm or header.cfm to be included in every page.<CFIF cgi.script_name contains "/intranet/">
<cfif left(CGI.REMOTE_ADDR,11) is not "123.456.789">
<cfif not isdefined("session.authorized")>
<CFLOCATION URL=”http://www.mycompany.com/logon.cfm”>
<cfabort><cfelse>
<cfset session.authorized = TRUE>
</cfif></cfif>
Your protected links here </cfif>
Warning - spoofed IP numbers will get around this code
Session, client and cookiesClient Management Use short timeouts. (conflicts with 508) Consider rolling your own security
Use CFID / CFToken from URL or create your own cookies
Store information in database with a table to keep track of ID/Token combinations against user Ids
Most flexible method
Session, client and cookiesClient Management If you use session management
(as enabled with CFApplication) Lock your usage
<CFLOCK scope=“Session”> Limit session timeout, minutes not
hours Consider passing session vars into
request vars at top and bottom of page
Session, client and cookiesClient Management Use client variables in place of session
variables where you do not need to store complex values
Configure storage so that variables are stored in a DB, NOT the registry
Use WDDX if you have the occasional need for a complex variable
Don’t use too many cookies Manually test for timeout less than 2
hours – client.last_access_datetime
Timeouts
Use as short a timeout as practical Don’t want users annoyed Do want to protect against trouble Consider (also/instead) having cookies
go away after browser closing This is the default with cookies if you do
not specify a time If you create your own session
management, you can do more
Session Tracking
Who is logged on now Keep track of login times to see who’s
logged in now, can record activity and determine based on last activity or logoff option
Variable and structure dump Use CF_Dump or CF5 CFDump tags to
output all session variables or all cookies, etc.
http://www.smart-objects.com/docs.cfm?f=cf_dump.htm
Session hang over
User logs in then closes browser without logging out.
Hacker uses browser and if the session has not timed out they are logged in as previous user
Use CFCOOKIE on CFID and CFTOKEN to set these session cookies to expire immediately on browser close.
<cfcookie expires="NOW" name="CFID" value="#cookie.cfid#">
Remember Me
Sites with Login functions often have “Remember Me” option
Be careful - want to be clear what this option means
Use <CFCookie> to set your own cookie Store something other than username /
password or a flag - consider some random values
Don’t turn option on by default
Members Only
Summary Session variables can still be used,
with locks, but Client or Cookies are preferable
Use <CFLOCATION> after insert/cfmail to avoid issues
Short timeouts for login - experiment
Remember Me is easy with Cookie
Back button hacking
Hacker uses back button to view sensitive information from a users browser
Consider disabling back button, especially on logout
<CFHEADER NAME="Expires" VALUE="06 Nov 1994 08:49:37 GMT">
<CFHEADER NAME="Pragma" VALUE="no-cache">
<CFHEADER NAME="cache-control" VALUE="no-cache, no-store, must-revalidate">
Refresh Issues
If delete/insert/update pages are refreshed, or other action pages, problems occur – hacker sees error message.
Immediately <CFLOCATION> after one of these actions to avoid this
Use the addtoken=“yes” parameter to keep any session changes across pages
Datasource password
Don’t put datasource userid and password in CF Admin – if any template is compromised hacker can destroy data
Don’t hardcode in every CFQUERY call Use request variables in application.cfm
and encrypt it Or for super security set up user
accounts in Oracle and have users enter userid/password when they logon.
Encryption
Encrypt source so even if downloaded it can not be read
Be aware that decryption programs exist Encrypt sensitive data such as credit
card numbers in database using CF encrypt() and decrypt(). Or better don’t store on server.
Consider storing hash() of password instead of plain text so even if user table is hacked they can’t see passwords.
Hashing passwords
<CFQUERY NAME="CheckPerson" DATASOURCE="UserData"> SELECT PasswordHash FROM SecureData WHERE UserID=<CFQUERYPARAM VALUE="#UserID#" CFSQLType="CF_SQL_CHARVAR"> </CFQUERY>
<CFIF Hash(Form.Password) IS NOT CheckPerson.PasswordHash>
<CFLOCATION URL="unauthenticated.cfm">
<CFELSE>
<CFLOCATION URL="authenticated.cfm">
</CFIF>
Resources http://www.allaire.com/developer/s
ecurityzone/ http://www.macromedia.com/v1/de
veloper/securityzone/ http://www.houseoffusion.com/
Security section
What Security Means Security is hard because a hacker
only needs one window to be open to get in while the poor webmaster must work on closing dozens of holes.
Security is a way of thinking - how can they get in...
More knowledge is power - don’t keep security tips secret!
Next Steps Conduct a security audit
Download Michael Dinowitz’s http://www.houseoffusion.com/ MunchkinLAN to test your site for holes
Remove CFDOCS
Validate pages Authenticate pages TeraTech’s CF201 class Questions? Email me at
Top Related