Security with ColdFusion
My name is Pritesh Patel. I work as Technical Project Manager at iSummation Technologies Pvt. Ltd.
Twitter: @thecfguy
Blog: http://www.thecfguy.com
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
Common objections:
- It's the security team's duty to find these. I am a developer, why should I care?
- My site has no important data to hide.
- Out of millions of websites, the chance of an attack on my site is negligible.

Why you should care anyway:
- To give your security team a little relief, as a gift.
- Every site's data is important, and if not yours, the other sites hosted on the same server have data that is.
- We all hope to win the jackpot out of billions; who knows, you may be the "lucky" winner among millions of sites.
- You should care for your own and your company's reputation.
Injection
- Injection can happen in SQL, OS commands or LDAP, but for a web developer SQL injection is the one we will discuss.
- The best way to prevent it is to use the <cfqueryparam> tag for every dynamic value in a query (or any user input).
- Use stored procedures as much as possible.
- Escape all user-supplied input wherever you are not using cfqueryparam.
- Remove unnecessary privileges for the ColdFusion datasource under "Advanced Settings".
- You can simply use ESAPI (now available with the latest ColdFusion 9 patch) and its encodeForSQL() function:

<cfset encoder = CreateObject("java", "org.owasp.esapi.ESAPI").encoder()>
<!--- encodeForSQL(codec, input) needs a codec for the target database; MySQLCodec in standard mode (0) is shown --->
<cfset codec = CreateObject("java", "org.owasp.esapi.codecs.MySQLCodec").init(0)>
<cfset safeValue = encoder.encodeForSQL(codec, form.username)>
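The interpolated query beside its cfqueryparam form, as an added example that is not from the slides; the `app` datasource, the `invoices` and `customers` tables and the `url`/`form` parameters are assumed names:

```cfml
<!--- VULNERABLE: the URL value becomes part of the SQL text. ColdFusion only
      escapes single quotes in #...# inside cfquery, so an unquoted numeric
      context like this one still lets the caller change the statement. --->
<cfquery name="badInvoice" datasource="app">
    SELECT invoiceid, customerid, total
    FROM   invoices
    WHERE  invoiceid = #url.invoiceid#
</cfquery>

<!--- FIXED: cfqueryparam binds the value as a typed parameter, so the driver
      never parses it as SQL, and a non-integer value is rejected before the
      query reaches the database. --->
<cfquery name="goodInvoice" datasource="app">
    SELECT invoiceid, customerid, total
    FROM   invoices
    WHERE  invoiceid = <cfqueryparam value="#url.invoiceid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Free-text search: still bind the value, and neutralise LIKE wildcards
      yourself, because a bind parameter does not do that for you. --->
<cfset term = replace(replace(form.q, "%", "!%", "all"), "_", "!_", "all")>
<cfquery name="search" datasource="app">
    SELECT customerid, name
    FROM   customers
    WHERE  name LIKE <cfqueryparam value="%#term#%" cfsqltype="cf_sql_varchar"> ESCAPE '!'
</cfquery>

<!--- Where a value cannot be a bind parameter (an ORDER BY column), map the
      input to an allow-list instead of interpolating it. --->
<cfset allowedSort = { "name" = "name", "total" = "total", "date" = "created_at" }>
<cfset sortCol = structKeyExists(allowedSort, url.sort) ? allowedSort[url.sort] : "name">
<cfquery name="sorted" datasource="app">
    SELECT customerid, name, total, created_at
    FROM   customers
    ORDER BY #sortCol#
</cfquery>
```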
Broken Authentication and Session Management
- Keep usernames case-insensitive (not for security, but for user comfort).
- Set the minimum password length to no less than 10 characters.
- The maximum password length should not be less than 20 characters.
- Enforce complex passwords.
- After multiple incorrect attempts, verify that the input comes from a human.
- Never store passwords in plain text. You did that, right?
- Re-authenticate for sensitive features (such as changing the password, deleting the account, or editing account or payment information).
- Use a generic error message instead of indicating exactly what was wrong.

  Incorrect: "Test is wrong username". "Supplied password is wrong".
  Correct: "Login Failed: Incorrect username or password".

- Use UUID for CFTOKEN.
- Enable JSESSIONID (J2EE sessions).
- Use httpOnly for the session cookie.
- Minimize the session idle timeout.
- Do not cache pages containing important information. Force a page refresh when the page is reached through the browser back button.
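An Application.cfc excerpt and a login handler that apply the points above, added here as an example rather than taken from the deck; `this.sessioncookie`, `hash()` with an iteration count and `sessionRotate()` are ColdFusion 10 features, the `users` table columns are assumed, and `captchaPassed()` stands in for whatever CAPTCHA verification you use:

```cfml
<!--- Application.cfc (excerpt) --->
<cfcomponent output="false">
    <cfset this.name = "secureapp">
    <cfset this.sessionManagement = true>
    <!--- short idle timeout instead of the server default --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <!--- CF10+: HttpOnly and Secure flags on the session cookie.
          On CF9 use the JVM argument -Dcoldfusion.sessioncookie.httponly=true --->
    <cfset this.sessioncookie = { httpOnly = true, secure = true }>
</cfcomponent>

<!--- login.cfm: one generic message for every failure path --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<cfparam name="session.failedLogins" default="0">
<cfset GENERIC_ERROR = "Login Failed: Incorrect username or password">

<cfscript>
    // registration-time policy from the slide: at least 10 characters,
    // a generous upper bound, and mixed character classes
    function passwordPolicyOk(required string pw) {
        return len(pw) >= 10 && len(pw) <= 128
            && reFind("[a-z]", pw) && reFind("[A-Z]", pw) && reFind("[0-9]", pw);
    }

    // salted, iterated SHA-256 (CF10 hash() with numIterations); the salt and
    // the hash are stored per user, never the password itself
    function passwordMatches(required string password, required string salt, required string storedHash) {
        return hash(salt & password, "SHA-256", "UTF-8", 10000) == storedHash;
    }
</cfscript>

<!--- after repeated failures insist on a human check before the password is
      even tried; captchaPassed() is a placeholder for your provider's check --->
<cfif session.failedLogins GTE 5 AND NOT captchaPassed(form)>
    <cfset request.loginError = GENERIC_ERROR>
    <cfset request.showCaptcha = true>
<cfelse>
    <!--- case-insensitive username lookup, bound with cfqueryparam --->
    <cfquery name="u" datasource="app" maxrows="1">
        SELECT userid, salt, passwordHash
        FROM   users
        WHERE  LOWER(username) = <cfqueryparam value="#lCase(form.username)#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <cfif u.recordCount EQ 0 OR NOT passwordMatches(form.password, u.salt, u.passwordHash)>
        <!--- same message whether the username or the password was wrong --->
        <cfset session.failedLogins = session.failedLogins + 1>
        <cfset request.loginError = GENERIC_ERROR>
    <cfelse>
        <cfset session.failedLogins = 0>
        <cfset sessionRotate()>   <!--- CF10: fresh session id once authenticated --->
        <cfset session.userid = u.userid>
        <cflocation url="/user/profile" addtoken="false">
    </cfif>
</cfif>
```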
Cross-Site Scripting (XSS)
- This is a JavaScript-based attack: easy to mount against almost any site and hard to prevent.
- The simple rule to avoid XSS: "Never trust user input".
- Demo
- ColdFusion 10 comes with built-in functions based on ESAPI to prevent XSS. The latest ColdFusion 9 patch already includes ESAPI, so you can create an ESAPI object and use it wherever needed.
- Useful functions:
  - encodeForHTML()
  - encodeForHTMLAttribute()
  - encodeForCSS()
  - encodeForJavaScript()
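The same untrusted value rendered in four output contexts with the matching encoder, as an added example (not the deck's demo); `url.name` and `url.theme` are assumed parameters and the functions are the ColdFusion 10 built-ins listed above:

```cfml
<cfparam name="url.name" default="">
<cfparam name="url.theme" default="navy">

<!--- VULNERABLE: raw output in the HTML body, so any markup in url.name
      is parsed by the browser as part of the page --->
<cfoutput><p>Hello #url.name#</p></cfoutput>

<!--- FIXED: choose the encoder for the context the value lands in.
      On CF9 the same methods exist on the ESAPI encoder object:
      encoder = createObject("java", "org.owasp.esapi.ESAPI").encoder() --->
<cfoutput>
    <!--- HTML body text --->
    <p>Hello #encodeForHTML(url.name)#</p>

    <!--- HTML attribute value; always quote the attribute as well,
          an unquoted attribute can be broken out of with a space --->
    <input type="text" name="name" value="#encodeForHTMLAttribute(url.name)#">

    <!--- inside a quoted JavaScript string literal: HTML encoding is the
          wrong tool here, a closing quote or </script> must be JS-escaped --->
    <script>
        var visitor = "#encodeForJavaScript(url.name)#";
        document.getElementById("greeting").textContent = "Hello " + visitor;
    </script>

    <!--- CSS property value --->
    <style>
        .banner { background: #encodeForCSS(url.theme)#; }
    </style>
</cfoutput>
```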
Insecure Direct Object References
- Sometimes we pass crucial information in a URL parameter without realizing its importance.
- For example: http://www.example.com/customer/userinvoice.cfm?invoiceid=1233
- How to avoid it: add an additional hashed key to the passed parameters, generated from the user's session id, and compare it before giving access.
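The "hashed key" idea implemented for the invoice URL above, as an added example rather than the author's code; `session.linkKey`, `session.customerid`, the `invoices` table and the `inv` query are assumed, and the ownership check in the final query is an extra guard the slide does not mention:

```cfml
<cfscript>
    // one random secret per login session (set once, right after authentication)
    if (!structKeyExists(session, "linkKey")) {
        session.linkKey = createUUID();
    }

    // key bound to both the parameter and this session, so a link copied
    // from another user's session does not verify
    function invoiceKey(required numeric invoiceId) {
        return hash(invoiceId & ":" & session.linkKey, "SHA-256", "UTF-8");
    }

    // constant-time comparison so response timing does not reveal how many
    // leading characters of a guessed key were right
    function safeEquals(required string a, required string b) {
        var i = 0;
        var diff = 0;
        if (len(a) != len(b)) return false;
        for (i = 1; i <= len(a); i++) {
            diff = bitOr(diff, bitXor(asc(mid(a, i, 1)), asc(mid(b, i, 1))));
        }
        return diff == 0;
    }
</cfscript>

<!--- building the link (inside a loop over the user's own invoices) --->
<cfoutput>
    <a href="userinvoice.cfm?invoiceid=#inv.invoiceid#&k=#invoiceKey(inv.invoiceid)#">Invoice #inv.invoiceid#</a>
</cfoutput>

<!--- userinvoice.cfm: verify the key before touching the database --->
<cfparam name="url.invoiceid" default="0">
<cfparam name="url.k" default="">
<cfif NOT isNumeric(url.invoiceid) OR NOT safeEquals(url.k, invoiceKey(url.invoiceid))>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- the key proves the link was issued in this session; the WHERE clause
      still proves the invoice belongs to the logged-in customer --->
<cfquery name="invoice" datasource="app">
    SELECT invoiceid, total
    FROM   invoices
    WHERE  invoiceid  = <cfqueryparam value="#url.invoiceid#" cfsqltype="cf_sql_integer">
      AND  customerid = <cfqueryparam value="#session.customerid#" cfsqltype="cf_sql_integer">
</cfquery>
```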
Security Misconfiguration
- Keep your software updated with the latest patches.
- Always use a custom error page instead of showing a stack trace.
- Keep settings different for development and production, and have the environment detected automatically by IP or domain instead of changed by hand.
- Disable directory listing on your web application.
Sensitive Data Exposure
- Always store sensitive data (passwords, credit cards) in encrypted form.
- Force SSL redirection for non-public pages.
- Store sensitive data only if needed.
- Disable form autocomplete when collecting sensitive data and, of course, disable caching of the page.
Missing Function Level Access Control
- This is somewhat similar to Insecure Direct Object References: instead of a form or URL parameter, check that the full URL is also under access control.
  http://www.example.com/guest/profile
  http://www.example.com/user/profile
- Implement role-based security for each piece of functionality.
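One Application.cfc that covers both the misconfiguration points (environment picked from the host name, custom error page instead of a stack trace) and the role check per URL prefix from this slide, added here as an example and not the author's code; the host name, `/errors/` templates and `session.roles` list are assumptions:

```cfml
<cfcomponent output="false">
    <cfset this.name = "secureapp">
    <cfset this.sessionManagement = true>

    <!--- environment chosen from the request host, never by editing a flag by hand --->
    <cfset this.isProduction = (cgi.server_name EQ "www.example.com")>

    <!--- URL prefix -> role required to use it; paths with no rule (/guest/...) are public --->
    <cfset this.routeRoles = [
        { prefix = "/admin/", role = "admin" },
        { prefix = "/user/",  role = "user" }
    ]>

    <!--- runs before every page: the whole URL is checked, not just a parameter --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var path = lCase(cgi.script_name)>
        <cfset var rule = "">
        <cfset var userRoles = structKeyExists(session, "roles") ? session.roles : "">
        <cfloop array="#this.routeRoles#" index="rule">
            <cfif left(path, len(rule.prefix)) EQ rule.prefix
                  AND NOT listFindNoCase(userRoles, rule.role)>
                <cfheader statuscode="403" statustext="Forbidden">
                <cfinclude template="/errors/403.cfm">
                <cfreturn false>
            </cfif>
        </cfloop>
        <cfreturn true>
    </cffunction>

    <!--- custom error page: details go to the log, the browser sees a generic page in production --->
    <cffunction name="onError" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="false" default="">
        <cflog file="secureapp" type="error" text="#arguments.eventName#: #arguments.exception.message#">
        <cfif this.isProduction>
            <cfheader statuscode="500" statustext="Internal Server Error">
            <cfinclude template="/errors/500.cfm">
        <cfelse>
            <cfdump var="#arguments.exception#">
        </cfif>
    </cffunction>
</cfcomponent>
```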
Cross-Site Request Forgery (CSRF)
- This attack lets an attacker use functionality in the user's authenticated area without the user's knowledge or permission.
- Demo
- Add a CSRF token to every request and compare it.
- Use the POST method instead of GET (though this alone is not going to prevent the attack).
- Check the Referer header (this can be spoofed as well).
- Check the Origin header. Unlike Referer, the Origin header is present in HTTP requests that originate from an HTTPS URL.
- Challenge-response:
  - CAPTCHA
  - Re-authenticate
  - One-time token
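The token, POST-only and Origin checks combined on one form, as an added example that is not the deck's demo; `csrfGenerateToken()`/`csrfVerifyToken()` are ColdFusion 10 built-ins and `changeEmail.cfm` is an assumed page:

```cfml
<!--- form page: the token is tied to the session and to the key "changeEmail" --->
<cfoutput>
<form method="post" action="changeEmail.cfm">
    <input type="hidden" name="csrfToken" value="#csrfGenerateToken("changeEmail")#">
    <input type="email" name="email">
    <button type="submit">Save</button>
</form>
</cfoutput>

<!--- changeEmail.cfm: a cross-site page can make the browser send this
      request, but it cannot read the session's token to put in it --->
<cfif cgi.request_method NEQ "POST">
    <cfheader statuscode="405" statustext="Method Not Allowed"><cfabort>
</cfif>

<cfparam name="form.csrfToken" default="">
<!--- on CF9 without these functions: store hash(createUUID()) in the session
      at login, emit it in the form, and compare it here yourself --->
<cfif NOT csrfVerifyToken(form.csrfToken, "changeEmail")>
    <cfheader statuscode="403" statustext="Forbidden"><cfabort>
</cfif>

<!--- defence in depth: the Origin header (Referer when Origin is absent)
      must name this host; a missing or foreign value is rejected --->
<cfset headers = getHttpRequestData().headers>
<cfset src = structKeyExists(headers, "Origin") ? headers["Origin"] : cgi.http_referer>
<cfset srcHost = listFirst(reReplaceNoCase(src, "^https?://", ""), "/")>
<cfif NOT len(src) OR srcHost NEQ cgi.http_host>
    <cfheader statuscode="403" statustext="Forbidden"><cfabort>
</cfif>

<!--- only now perform the state change, scoped to the logged-in user --->
<cfquery datasource="app">
    UPDATE users
    SET    email  = <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar">
    WHERE  userid = <cfqueryparam value="#session.userid#" cfsqltype="cf_sql_integer">
</cfquery>
```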
Using Components with Known Vulnerabilities
- The world is full of vulnerabilities. Before using any third-party component or software, make sure it does not have any known vulnerabilities.
- Monitor security patches and version releases for your components.
Unvalidated Redirects and Forwards
- Imagine your user being redirected to a malware site after clicking the "next" button.
- Sometimes we use a page to redirect, e.g. http://www.example.com/redirect.cfm?nexturl=badguyssite.com
- Try to avoid redirect/forward pages.
- Do not use user input for the redirection parameter.
- Fully validate the URL you are redirecting to.
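A validator for the `nexturl` parameter above that only allows same-site paths or an allow-listed host, added as an example and not from the deck; the host list is constructed:

```cfml
<cfscript>
    // Returns a target safe to hand to cflocation, or the fallback when the
    // supplied value is not one of ours. Case (1) covers relative paths,
    // case (2) absolute URLs to hosts on the allow-list.
    function safeRedirect(required string nexturl, string fallback = "/") {
        var ownHosts = ["www.example.com", "example.com"];   // constructed allow-list
        var target = trim(nexturl);
        var m = "";
        var host = "";

        // (1) relative path on this site: a single leading "/" only;
        //     "//host" and "/\host" are treated as protocol-relative by browsers
        if (reFind("^/[^/\\]", target) || target == "/") {
            return target;
        }

        // (2) absolute URL: http(s) only, and the whole host part must be on the
        //     list, so "http://www.example.com@other/" or "www.example.com.other"
        //     do not pass just because the text contains our name
        m = reFindNoCase("^https?://([^/?##]+)(/.*)?$", target, 1, true);
        if (arrayLen(m.len) >= 2 && m.len[2] > 0) {
            host = lCase(mid(target, m.pos[2], m.len[2]));
            if (arrayContains(ownHosts, host)) {
                return target;
            }
        }

        // anything else (other schemes, bare domains like "badguyssite.com",
        // empty input) goes to the fallback
        return fallback;
    }
</cfscript>

<!--- redirect.cfm --->
<cfparam name="url.nexturl" default="/">
<cflocation url="#safeRedirect(url.nexturl)#" addtoken="false">
```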

Contenu connexe

Tendances

Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum   Top 10 A3 - 6th meetingOWASP Khartoum   Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web ServicesJan Algermissen
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
Unified authentication using azure acs
Unified authentication using azure acsUnified authentication using azure acs
Unified authentication using azure acsChris Love
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Pci compliance writing secure code
Pci compliance   writing secure codePci compliance   writing secure code
Pci compliance writing secure codeMiva
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net applicationZAIYAUL HAQUE
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application SecurityProxy Caches and Web Application Security
Proxy Caches and Web Application Security Tim Bass
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Getting Single Page Application Security Right
Getting Single Page Application Security RightGetting Single Page Application Security Right
Getting Single Page Application Security RightPhilippe De Ryck
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 

Tendances (20)

Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum   Top 10 A3 - 6th meetingOWASP Khartoum   Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web Services
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking Intro
 
Unified authentication using azure acs
Unified authentication using azure acsUnified authentication using azure acs
Unified authentication using azure acs
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Pci compliance writing secure code
Pci compliance   writing secure codePci compliance   writing secure code
Pci compliance writing secure code
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security Introduction
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application SecurityProxy Caches and Web Application Security
Proxy Caches and Web Application Security
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Getting Single Page Application Security Right
Getting Single Page Application Security RightGetting Single Page Application Security Right
Getting Single Page Application Security Right
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 

En vedette

Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016ColdFusionConference
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
 
NTT Com Asia - Our Values
NTT Com Asia - Our ValuesNTT Com Asia - Our Values
NTT Com Asia - Our ValuesJoyce Tai
 
Vasse 150910 wayne
Vasse 150910 wayneVasse 150910 wayne
Vasse 150910 wayneVasseSep2010
 
Final faculty presentation
Final faculty presentationFinal faculty presentation
Final faculty presentationstoliros
 
인터넷마케팅 과제
인터넷마케팅 과제인터넷마케팅 과제
인터넷마케팅 과제hyunjung89
 
Punchd: Loyalty cards on your smart phone
Punchd: Loyalty cards on your smart phonePunchd: Loyalty cards on your smart phone
Punchd: Loyalty cards on your smart phone500 Startups
 
Family tree
Family tree Family tree
Family tree 35150
 
pengurusan rekod murid
pengurusan rekod muridpengurusan rekod murid
pengurusan rekod muridOpie Mohamad
 
Kerajaan orang khmer
Kerajaan orang khmerKerajaan orang khmer
Kerajaan orang khmerOpie Mohamad
 
Triduo Sr. Angela Vallese_3 giorno ita
Triduo Sr. Angela Vallese_3 giorno itaTriduo Sr. Angela Vallese_3 giorno ita
Triduo Sr. Angela Vallese_3 giorno itaMaike Loes
 
Installing mandriva linux mandriva community wiki
Installing mandriva linux   mandriva community wikiInstalling mandriva linux   mandriva community wiki
Installing mandriva linux mandriva community wikiAdolfo Nasol
 

En vedette (20)

Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
 
Ukurankul
UkurankulUkurankul
Ukurankul
 
Cancer 2011
Cancer  2011Cancer  2011
Cancer 2011
 
Social Media Strategy
Social Media StrategySocial Media Strategy
Social Media Strategy
 
CASA ALEGRE TERRASSA
CASA ALEGRE TERRASSACASA ALEGRE TERRASSA
CASA ALEGRE TERRASSA
 
NTT Com Asia - Our Values
NTT Com Asia - Our ValuesNTT Com Asia - Our Values
NTT Com Asia - Our Values
 
Vasse 150910 wayne
Vasse 150910 wayneVasse 150910 wayne
Vasse 150910 wayne
 
Twitter
TwitterTwitter
Twitter
 
Quick Time7 User Guide
Quick Time7 User GuideQuick Time7 User Guide
Quick Time7 User Guide
 
Final faculty presentation
Final faculty presentationFinal faculty presentation
Final faculty presentation
 
인터넷마케팅 과제
인터넷마케팅 과제인터넷마케팅 과제
인터넷마케팅 과제
 
Punchd: Loyalty cards on your smart phone
Punchd: Loyalty cards on your smart phonePunchd: Loyalty cards on your smart phone
Punchd: Loyalty cards on your smart phone
 
Gim peus
Gim peusGim peus
Gim peus
 
Family tree
Family tree Family tree
Family tree
 
pengurusan rekod murid
pengurusan rekod muridpengurusan rekod murid
pengurusan rekod murid
 
Kerajaan orang khmer
Kerajaan orang khmerKerajaan orang khmer
Kerajaan orang khmer
 
Triduo Sr. Angela Vallese_3 giorno ita
Triduo Sr. Angela Vallese_3 giorno itaTriduo Sr. Angela Vallese_3 giorno ita
Triduo Sr. Angela Vallese_3 giorno ita
 
Mayu info
Mayu infoMayu info
Mayu info
 
Installing mandriva linux mandriva community wiki
Installing mandriva linux   mandriva community wikiInstalling mandriva linux   mandriva community wiki
Installing mandriva linux mandriva community wiki
 

Similaire à Security with ColdFusion

Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 
Website Security
Website SecurityWebsite Security
Website SecurityMODxpo
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013Jayasree Veliyath
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009Paul Lemon
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allupllangit
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 

Similaire à Security with ColdFusion (20)

Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Net
 
Web Security
Web SecurityWeb Security
Web Security
 
Website Security
Website SecurityWebsite Security
Website Security
 
Website Security
Website SecurityWebsite Security
Website Security
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Php security common 2011
Php security common 2011Php security common 2011
Php security common 2011
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 

Dernier

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Dernier (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Security with ColdFusion

  • 2. My Name is Pritesh Patel working as Technical Project Manager at iSummation Technologies Pvt. Ltd. Twitter: @thecfguy Blog: http://www.thecfguy.com
  • 3. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Injection Broken Authentication And Session Management Cross-Site Scripting (XSS) Insecure Direct object references Security Misconfiguration Sensitive Data Exposure Missing Function level access control Cross-Site Request Forgery (CSRF) Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards
  • 4.  It’s security team duty to find it out. I am developer, why should I care about?  Site doesn’t have important data to hide.  There is negligible change to attack on my site out of millions of websites.
  • 5.  To give little relax to your security team as gift.  Every sites data is important or other sites hosted on same server has.  We always hope to win Jackpot out of billion, who know you are lucky winner amongst millions.  You should care for your/your company better impression.
  • 6.
  • 7.  Injection can be done at SQL, OS or LDAP but a web      developer SQL injection will discuss. Best way to prevent it is, use <cfqueryparam> tag all your dynamic value of query (or user input). Use stored procedure as much as possible. Escaping all user supplied input wherever you are not using cfqueryparam. Remove unnecessary previlige for ColdFusion datasource from “Advance Setting”. You can simply use ESAPI (now available with ColdFusion 9 latest patch) and encodeForSQL() function.   <cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI").encoder()> <cfset esapi.encodeForSQL(org.owasp.esapi.codecs.Codec codec, java.lang.String input) )>
  • 8.
    - Keep usernames case-insensitive (not for security, but for user comfort).
    - Set the password minimum length to not shorter than 10 characters.
    - The maximum length should not be less than 20 characters.
    - Force complex passwords.
    - On multiple incorrect attempts, verify that the input was placed by a human.
    - Never store passwords in plain text; you did that right?
    - Re-authenticate on sensitive features (like change password, delete account, edit account information or payment information).
    - Use a generic error message instead of indicating what exactly went wrong.
      Incorrect: "Test is wrong username". "Supplied password is wrong".
      Correct: "Login Failed: Incorrect username or password".
    - Use a UUID for CFTOKEN.
    - Enable JSessionID.
    - Use httpOnly for the session cookie.
    - Minimize the session idle timeout.
    - Do not cache web pages containing important information.
    - Force a page refresh when the page is reached through the browser back button.
  • 9.
    - This is a JavaScript-based attack. It is easy to launch against any site and hard to prevent.
    - The simple rule to avoid XSS: "Never trust user input".
    - Demo.
    - ColdFusion 10 is coming with inbuilt functions based on ESAPI to avoid XSS attacks.
    - The latest ColdFusion 9 patch already has ESAPI included, so you can create an ESAPI object and use it wherever needed.
    - Useful functions: encodeForHTML(), encodeForHTMLAttribute(), encodeForCSS(), encodeForJavaScript()
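The four encoders listed above, as an added example (not from the slides) showing that each output context needs its own function. It assumes ColdFusion 10 or later, where these ESAPI-based functions are built in, and two untrusted form fields, comment and colour.

```cfml
<!--- Added example, not from the original slides. Assumes ColdFusion 10+.
      form.comment and form.colour are untrusted values from the user. --->
<cfparam name="form.comment" default="">
<cfparam name="form.colour"  default="">
<cfoutput>
<!--- Unsafe: raw user input written straight into the page.
      <p>#form.comment#</p>
      The safe versions below pick the encoder for the place the value lands. --->

<!--- HTML body context --->
<p>#encodeForHTML(form.comment)#</p>

<!--- Attribute context: use the attribute encoder AND quote the attribute --->
<input type="text" name="comment" value="#encodeForHTMLAttribute(form.comment)#">

<!--- JavaScript string context: HTML encoding is not enough inside a script --->
<script>
    var lastComment = "#encodeForJavaScript(form.comment)#";
</script>

<!--- CSS context: the value is placed inside a style declaration --->
<div style="color: #encodeForCSS(form.colour)#">#encodeForHTML(form.comment)#</div>
</cfoutput>
```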
  • 10.
    - Sometimes we supply crucial information in a URL parameter without knowing its importance.
    - For example: http://www.example.com/customer/userinvoice.cfm?invoiceid=1233
    - How to avoid: add an additional hashed key to the passed parameters, generated with the user's session ID, and compare it before giving access.
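The hashed key described above, as an added example that is not from the slides: the invoice id is bound to the current session with an HMAC, and the handler rejects a tampered id before reading any data. It assumes ColdFusion 10+ (for hmac()), a server-side secret in application.signingKey, a query qInvoices on the listing page, and session.customerId holding the logged-in customer.

```cfml
<cfscript>
// Added example, not from the original slides. application.signingKey is an
// assumed secret set in Application.cfc and never sent to the client.
function signId(required numeric id) {
    // the session id in the message means the key is only valid for this session
    return hmac(arguments.id & "|" & session.sessionId, application.signingKey, "HMACSHA256");
}
function verifySignedId(required string id, required string sig) {
    if (!isNumeric(arguments.id)) return false;
    return compare(signId(arguments.id), arguments.sig) == 0;   // case-sensitive compare
}
</cfscript>

<!--- Where the link is built: carry the signature alongside the id --->
<cfoutput>
<a href="userinvoice.cfm?invoiceid=#qInvoices.id#&sig=#signId(qInvoices.id)#">View invoice</a>
</cfoutput>

<!--- userinvoice.cfm: a changed invoiceid no longer matches sig --->
<cfparam name="url.invoiceid" default="">
<cfparam name="url.sig" default="">
<cfif NOT verifySignedId(url.invoiceid, url.sig)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Keep the ownership check as well: the signature adds a layer, it does
      not replace the database-side authorisation. --->
<cfquery name="qInvoice" datasource="shopdb">
    SELECT id, total FROM invoices
    WHERE id = <cfqueryparam value="#url.invoiceid#" cfsqltype="cf_sql_integer">
      AND customer_id = <cfqueryparam value="#session.customerId#" cfsqltype="cf_sql_integer">
</cfquery>
```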
  • 11.
    - Keep your software updated with the latest patches.
    - Always use a custom error page instead of showing a stack trace.
    - Keep settings different for development and production, and have them auto-detected by IP/domain instead of changed manually.
    - Disable directory listing on your web application.
  • 12.
    - Always store your sensitive data (passwords, credit cards) in encrypted form.
    - Force SSL redirection for non-public pages.
    - Store sensitive data only if needed.
    - Disable form auto-complete when collecting sensitive data and, of course, disable caching of the page.
  • 13.
    - It is a little similar to "Insecure Direct Object References". Instead of a form/URL parameter, check that the full URL also has access control:
      http://www.example.com/guest/profile
      http://www.example.com/user/profile
    - Implement role-based security for each functionality.
  • 14.
    - This attack allows use of the functionality in a user's authenticated area without the user's permission.
    - Demo.
    - Add a CSRF token to every request and compare it.
    - Use the POST method instead of GET (though this is not going to prevent the attack).
    - Check the Referer header (this can be spoofed as well).
    - Check the Origin header. Unlike Referer, the HTTP Origin header will be present in an HTTP request that originates from an HTTPS URL.
    - Challenge-response: CAPTCHA, re-authentication, one-time token.
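The token and Origin checks above, as an added example that is not from the slides: a per-session token is embedded in every state-changing form and verified on the handler, with the Origin header as a second check. It assumes session management is enabled in Application.cfc and that the site is served at https://www.example.com; ColdFusion 10+ also ships csrfGenerateToken()/csrfVerifyToken(), but this version works on ColdFusion 9 as well.

```cfml
<cfscript>
// Added example, not from the original slides. Assumes session management is on.
function csrfToken() {
    // one unguessable token per session, created on first use
    if (!structKeyExists(session, "csrfToken")) {
        session.csrfToken = hash(createUUID() & getTickCount(), "SHA-256");
    }
    return session.csrfToken;
}
function csrfValid(required string submitted) {
    // compare() is case-sensitive; a missing session token never validates
    return structKeyExists(session, "csrfToken")
        && compare(session.csrfToken, arguments.submitted) == 0;
}
function originAllowed() {
    // Browsers send Origin on POST even from HTTPS pages, unlike Referer.
    // If a client omits it entirely, rely on the token check alone.
    var headers = getHttpRequestData().headers;
    if (!structKeyExists(headers, "Origin")) return true;
    return headers["Origin"] == "https://www.example.com";   // assumed site origin
}
</cfscript>

<!--- Form side: embed the token in every state-changing form --->
<cfoutput>
<form method="post" action="deleteAccount.cfm">
    <input type="hidden" name="csrftoken" value="#csrfToken()#">
    <button type="submit">Delete my account</button>
</form>
</cfoutput>

<!--- Handler side (deleteAccount.cfm): POST only, then token and Origin checks --->
<cfif cgi.request_method NEQ "POST"
      OR NOT structKeyExists(form, "csrftoken")
      OR NOT csrfValid(form.csrftoken)
      OR NOT originAllowed()>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
```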
  • 15.
    - It is a world with lots of vulnerabilities. Before using any third-party component or software, make sure the component does not have any known vulnerabilities.
    - Monitor security patches and version releases for your components.
  • 16.
    - Imagine your user being redirected to a malware site on clicking the "next" button. Sometimes we use a page to redirect, e.g. http://www.example.com/redirect.cfm?nexturl=badguyssite.com
    - Try to avoid redirect/forward pages.
    - Do not use user input for the redirection parameter.
    - Fully validate the URL you are redirecting to.
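The "fully validate the URL" advice above, as an added example that is not from the slides: redirect.cfm accepts nexturl only as a site-relative path under a fixed set of prefixes and sends everything else to the home page. The allowed prefixes are assumptions for illustration.

```cfml
<cfscript>
// Added example, not from the original slides. Returns a safe target for
// cflocation: the requested path if it is site-relative and under an allowed
// prefix, otherwise "/".
function safeRedirectTarget(required string requested) {
    var allowedPrefixes = ["/account/", "/orders/"];   // assumed application paths
    var target = trim(arguments.requested);

    // Must be a site-relative path: exactly one leading slash (so no scheme and
    // no protocol-relative "//host"), no backslash (browsers treat "\" like "/"),
    // no control characters (blocks header injection via CR/LF).
    if (!reFind("^/[^/\\]", target) || reFind("[[:cntrl:]]", target)) {
        return "/";
    }
    // ".." would let "/account/../admin" pass the prefix test after the browser
    // normalises it, so reject it outright.
    if (find("..", target)) {
        return "/";
    }
    for (var prefix in allowedPrefixes) {
        if (left(target, len(prefix)) == prefix) {
            return target;
        }
    }
    return "/";
}
</cfscript>

<!--- redirect.cfm: the user-controlled parameter never reaches cflocation unchecked --->
<cfparam name="url.nexturl" default="">
<cflocation url="#safeRedirectTarget(url.nexturl)#" addtoken="false">
```

With these rules, "/account/dashboard.cfm" is returned unchanged, while "badguyssite.com", "//badguyssite.com", "http://badguyssite.com" and "/account/../admin" all resolve to "/".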