Hack Proofing: ColdFusion, Syngress

Hack Proofing: ColdFusion

The Only Way to Stop a Hacker Is to Think Like One

• Complete Coverage of ColdFusion 5.0 and Special Bonus Coverage of ColdFusion MX
• Hundreds of Damage & Defense, Tools & Traps, and Notes from the Underground Sidebars, Security Alerts, and FAQs
• Complete Coverage of the Top ColdFusion Hacks


Copyright
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved.
Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Technical Editor
Steven Casco is the Founder and Chairman of the Boston ColdFusion Users Group. He is also the Co-Founder of @eaze Productions, a development company that was recently acquired by an international software corporation. Steven is currently the Director of Interactive Technology for Philip Johnson Associates, a new media company with offices in Cambridge, Massachusetts and San Francisco, California. Steve is also an advisor and consultant to several high tech companies in the greater Boston area, such as Behavioral Health Laboratories and Night Light Security.
Technical Reviewer and Contributor
Sarge (MCSE, MMCP, Certified ColdFusion Developer) is the former ColdFusion Practice Manager for Macromedia Consulting Services. He currently provides a consummate source for security, session-management, and LDAP information as a Senior Product Support Engineer, handling incident escalations as a member of Macromedia’s Product Support - Server Division. Sarge first honed his security skills helping develop the prototype for the DOD-PKI as the lead developer of the GCSSWeb/Portal, a secure DOD intranet integrating Java and ColdFusion to deliver real-time information to soldiers in the theatre. He has helped several ColdFusion sites implement session-management and custom security configurations, and has published several articles on these subjects.

Table of Contents

Foreword xxiii
Chapter 1 Thinking Like a Hacker
  Introduction 2
  Understanding the Terms 3
  A Brief History of Hacking 3
  Telephone System Hacking 4
  Computer Hacking 5
  Why Should I Think Like a Hacker? 8
  What Motivates a Hacker? 8
  Ethical Hacking versus Malicious Hacking 9
  Mitigating Attack Risk in Your ColdFusion Applications 10
  Validating Page Input 13
  Functionality with Custom Tags and CFMODULE 14
  The Top ColdFusion Application Hacks 15
  Form Field Manipulation 17
  URL Parameter Tampering 21
  CFFILE, CFPOP, and CFFTP Tag Misuse 24
  Security Concerns with CFFILE, CFPOP, and CFFTP 25
  ColdFusion RDS Compromise 27
  Understanding Hacker Attacks 28
  Denial of Service 29
  Virus Hacking 31
  Trojan Horses 33
  Worms 34
  Client-Based Applets 35
  Credit Card Theft 36
  Identity Theft 38
  Preventing “Break-ins” by Thinking Like a Hacker 39
  Development Team Guidelines 39
  QA Team Guidelines 41
  IT Team Guidelines 41
  Summary 42
  Solutions Fast Track 43
  Frequently Asked Questions 45
Chapter 2 Securing Your ColdFusion Development
  Introduction 48
  Session Tracking 48
  CFID and CFTOKEN Issues 51
  Stop Search Engines from Cataloging CFID/CFToken 53
  Error Handling 55
  Detecting and Using Errors 55
  Processed Code in a CFTRY-CFCATCH Block 56
  <CFTHROW> and <CFRETHROW> 61
  Verifying Data Types 63
  Checking for Data Types 64
  Evaluating Variables 64
  Summary 67
  Solutions Fast Track 69
  Frequently Asked Questions 70
Chapter 3 Securing Your ColdFusion Tags
  Introduction 74
  Identifying the Most Dangerous ColdFusion Tags 74
  Properly (and Improperly) Using Dangerous Tags 77
  Using the <CFCONTENT> Tag 77
  Using the <CFDIRECTORY> Tag 79
  Using the <CFFILE> Tag 80
  Using the <CFOBJECT> Tag 83
  Using the <CFREGISTRY> Tag 85
  Using the <CFADMINSECURITY> Tag 87
  Using the <CFEXECUTE> Tag 89
  Using the <CFFTP> Tag 90
  Using the <CFLOG> Tag 92
  Using the <CFMAIL> Tag 95
  Using the connectstring Attribute 97
  Using the dbtype=dynamic Attribute 98
  Knowing When and Why You Should Turn Off These Tags 98
  Setting Up the Unsecured Tags Directory 99
  Controlling Threading within Dangerous Tags 99
  Working with Other Dangerous and Undocumented Tags 100
  Using the GetProfileString() and ReadProfileString() Functions 100
  Using the GetTempDirectory() Function 100
  Using the GetTempFile() Function 101
  Using the <CFIMPERSONATE> Tag 101
  Using the CF_SetDataSourceUsername(), CF_GetDataSourceUsername(), CF_SetDataSourcePassword(), CF_SetODBCINI(), and CF_GetODBCINI() Functions 102
  Using the CF_GetODBCDSN() Function 102
  Using the CFusion_Encrypt() and CFusion_Decrypt() Functions 102
  Summary 104
  Solutions Fast Track 105
  Frequently Asked Questions 107
Chapter 4 Securing Your ColdFusion Applications
  Introduction 110
  Cross-Site Scripting 112
  URL Hacking 114
  Combating Form Hacking 117
  Validating Browser Input 119
  Malformed Input 122
  Scripts Executed by the Client 123
  Validating Consistently from the “Hit List” 125
  Using <CFOUTPUT> 125
  Using <CFAPPLICATION> 127
  Using <CFHTTP> and <CFHTTPPARAM> 129
  Using (or Not Using) <CFINSERT> 131
  Using <CFQUERY> 132
  Web-Based File Upload Issues 134
  Techniques to Protect Your Application when Accepting File Uploads 134
  URL Session Variables 136
  Session ID 137
  Short Timeout Session 137
  Summary 139
  Solutions Fast Track 140
  Frequently Asked Questions 142
Chapter 5 The ColdFusion Development System
  Introduction 146
  Understanding the ColdFusion Application Server 146
  Thread Pooling 146
  Custom Memory Management 151
  Page-based Applications 151
  JIT Compiler 151
  Database Connection Manager 152
  Scheduling Engine 155
  Indexing Engine 156
  Distributed Objects 157
  Understanding ColdFusion Studio 157
  Setting Up FTP and RDS Servers 158
  Configuring Scriptable Project Deployment 159
  Thinking of ColdFusion as Part of a System 165
  Securing Everything to Which ColdFusion Talks 165
  Summary 167
  Solutions Fast Track 167
  Frequently Asked Questions 169
Chapter 6 Configuring ColdFusion Server Security
  Introduction 172
  Setting Up the ColdFusion Server Using “Basic Security” 173
  Employing Encryption under the Basic Security Setup 181
  Application Development 181
  Application Runtime 182
  Authentication under the Basic Security Setup 182
  Application Development 183
  Application Runtime 185
  Customizing Access Control under the Basic Security Setup 186
  Accessing Server Administration under the Basic Security Setup 189
  Setting Up the ColdFusion Server Using “Advanced Security” 190
  Employing Encryption under the Advanced Security Setup 193
  Application Development 193
  Application Runtime 195
  Authentication under the Advanced Security Setup 195
  Application Development 196
  Application Runtime 197
  Customizing Access Control under the Advanced Security Setup 198
  User Directories 201
  Protecting Resources with a Policy 204
  Security Contexts 206
  Security Sandbox 209
  Application Development 210
  Setting Up RDS Security 217
  Performance Considerations When Using Basic or Advanced Security 218
  Caching Advanced Security Information 219
  File and Data Source Access 220
  LAN, FTP, and RDS File Access Comparisons 221
  Summary 224
  Solutions Fast Track 224
  Frequently Asked Questions 226
Chapter 7 Securing the ColdFusion Server after Installation
  Introduction 230
  What to Do with the Sample Applications 230
  Reducing Uncontrolled Access 234
  Configuring ColdFusion Service User 237
  Choosing to Enable or Disable the RDS Server 238
  Limiting Access to the RDS Server 239
  Using Interactive Debugging 240
  Securing Remote Resources for ColdFusion Studio 244
  Creating a Security Context 246
  Setting Rules and Policies 248
  Debug Display Restrictions 250
  Using the mode=debug Parameter 252
  Assigning One Specific IP Address 253
  Microsoft Security Tool Kit 254
  MS Strategic Technology Protection Program 255
  Summary 256
  Solutions Fast Track 256
  Frequently Asked Questions 259
Chapter 8 Securing Windows and IIS
  Introduction 262
  Security Overview on Windows, IIS, and Microsoft 262
  Securing Windows 2000 Server 263
  Avoiding Service Pack Problems with ColdFusion 265
  Understanding and Using Hotfixes, Patches, and Security Bulletins 266
  Using Windows Services (“Use Only What You Need”) 268
  Stopping NetBIOS 270
  Working with Users and Groups 272
  The Administrators Group 274
  The Users Group 275
  The Power Users Group 275
  Understanding Default File System and Registry Permissions 276
  Securing the Registry 278
  Modifying the Registry 278
  Protecting the Registry against Remote Access 278
  Assigning Permissions/User Rights to the Registry 279
  Other Useful Considerations for Securing the Registry and SAM 279
  Removing OS/2 and POSIX Subsystems 280
  Enabling Passfilt 280
  Using the Passprop Utility 281
  SMB Signing 281
  Encrypting the SAM with Syskey 282
  Using SCM 283
  Logging 283
  Installing Internet Information Services 5.0 284
  Removing the Default IIS 5.0 Installation 285
  Creating an Answer File for the New IIS Installation 288
  Securing Internet Information Services 5.0 290
  Setting Web Site, FTP Site, and Folder Permissions 290
  Configuring Web Site Permissions 291
  Configuring NTFS Permissions 293
  Using the Permissions Wizard 295
  Using the Permission Wizard Template Maker 298
  Restricting Access through IP Address and Domain Name Blocking 302
  Configuring Authentication 304
  Using Anonymous Authentication 305
  Configuring Web Site Authentication 313
  Examining the IIS Security Tools 316
  Using the Hotfix Checker Tool 317
  Using the IIS Security Planning Tool 319
  Using the Windows 2000 Internet Server Security Configuration Tool for IIS 5.0 320
  The IIS Lockdown Tool 320
  The Interviewing Process 321
  Configuring the Template Files 322
  Deploying the Template Files 327
  Auditing IIS 328
  Summary 330
  Solutions Fast Track 331
  Frequently Asked Questions 335
Chapter 9 Securing Solaris, Linux, and Apache
  Introduction 338
  Solaris Solutions 338
  Overview of the Solaris OS 339
  Considerations for Installing Solaris Securely 339
  Understanding Solaris Patches 343
  Solaris Patch Clusters 344
  Securing Default Solaris Services 344
  Evaluating the Security of Solaris Services at Startup 345
  Security Issues for Solaris 2.6 and Later 361
  Understanding the Solaris Console 362
  Other Useful Considerations in Securing Your Solaris Installation 365
  Adding SSH Source to Your Server 365
  Linux Solutions 372
  Understanding Linux Installation Considerations 372
  Updating the Linux Operating System 373
  Selecting Packages for Your Linux Installation 374
  Considering Individual Package Installation 375
  Understanding More About Linux Bug Fixes: A Case Study 376
  Hardening Linux Services 377
  Evaluating the Security of Linux at Startup 378
  Securing Your Suid Applications 379
  Applying Restrictive Permissions on Administrator Utilities 379
  Understanding Sudo System Requirements 381
  Learning More About the Sudo Command 381
  Downloading Sudo 382
  Installing Sudo 383
  Configuring Sudo 387
  Running Sudo 389
  Running Sudo with No Password 391
  Logging Information with Sudo 392
  Other Useful Considerations to Securing Your Linux Installation 394
  Configuring and Using OpenSSH 394
  Comparing SSH with Older R-Commands 398
  TCP Wrappers 402
  Hardening the System with Bastille 402
  Apache Solutions 410
  Configuring Apache on Solaris and Linux 411
  Limiting CGI Threats to Apache 413
  Using Apache Virtual Hosts 415
  Monitoring Web Page Usage and Activity 416
  Configuring Apache Modules 418
  Running ColdFusion on Apache 418
  Choosing Apache SSL 419
  Evaluating Free and Commercial Apache SSL Add-Ons 419
  Summary 420
  Solutions Fast Track 421
  Frequently Asked Questions 424
Chapter 10 Database Security
  Introduction 428
  Database Authentication and Authorization 428
  Authentication 429
  Authentication Settings 429
  Authorization 430
  Limiting SQL Statements in the ColdFusion Administrator 430
  Database Security and ColdFusion 430
  Dynamic SQL 431
  Exploiting Integers 434
  String Variables 437
  Leveraging Database Security 443
  Microsoft SQL Server 444
  Securing the Database from the Network 445
  Securing the Administrative Account 445
  Create a Non-Administrative User 446
  Remove All Rights from That User 446
  Grant Permissions Required to SELECT Data 447
  Grant Permissions for Inserting, Updating, or Deleting Data 448
  Microsoft Access 452
  Oracle 453
  Securing the Database from the Network 453
  Securing the Administrative Accounts 453
  Create a Non-Administrative User 453
  Remove All Rights from That User 454
  Grant Permissions Required to SELECT Data 455
  Grant Permissions for Inserting, Updating, or Deleting Data 456
  Summary 460
  Solutions Fast Track 460
  Frequently Asked Questions 462
Chapter 11 Securing Your ColdFusion Applications Using Third-Party Tools
  Introduction 464
  Firewalls 464
  Testing Firewalls 465
  Using Telnet, Netcat, and SendIP to Probe Your Firewall 466
  DNS Tricks 469
  Port Scanning Tools 471
  Detecting Port Scanning 473
  Best Practices 474
  Install Patches 474
  Know What’s Running 474
  Default Installs 474
  Change Passwords and Keys 475
  Backup, Backup, Backup 476
  Firewalls 477
  Summary 478
  Solutions Fast Track 478
  Frequently Asked Questions 480
Chapter 12 Security Features in ColdFusion MX
  Introduction 484
  Who’s Responsible for Security? 484
  A Look at Security in ColdFusion MX 485
  New and Improved Tools 487
  New Tags 489
  Overview of CFML Changes 491
  Summary 494
  Solutions Fast Track 494
  Frequently Asked Questions 495
Index 497





Product details
File Size: 7,995 KB
Pages: 545 p
File Type: PDF format
ISBN: 1-928994-77-6
Copyright: 2002 by Syngress Publishing, Inc.