ColdFusion Security [closed] - security

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
What are the best practices for securing a coldfusion webpage from malicious users? (including, but not limited to, sql injection attacks)
Is cfqueryparam enough?

I use a modified portcullis, and filter all incoming var scopes (URL,FORM,COOKIE) onRequestStart.
http://portcullis.riaforge.org/

Pete Freitag has an awesome blog, especially this post on Hardening ColdFusion

Never trust the client.
The most ColdFusion specific "set and forget" is following server administrator hardening guidelines noted above, keeping the server up-to-date, and following ColdFusion on twitter to learn about any new issues immediately.
For app security, which is common across all languages, you should validate every piece of information that touches your server from the client. Forms are obvious areas of tight control, but don't forget about URL parameters that you might use for application state management or control. Something like &startRow=10&tag=security which isn't "supposed" to be touched by the user is user input. Even if your application could never break with invalid data, you might not know how that data will be used in the future. Validation could be as simple as ensuring that someone isn't entering a 100 character long first name that contains programming characters, or ensuring that &startRow is always a number. These are the little things that application developers sometimes skip because everything works OK as long as you are using the software as expected.
I believe you can look at the Sony Playstation hacking as an example. Unfortunately, they didn't expect someone to hack the client (playstation console) and manipulate the PlayStation console software to hack the server. The server trusted the client.
Never trust the client.
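The points made in the answers above (cfqueryparam as a bind parameter, plus validating "internal" URL parameters such as startRow and tag in onRequestStart) as an added CFML example. This is not code from the original answers, from Portcullis or from Pete Freitag's posts; the datasource name "appDSN", the table "articles" and its columns are placeholders chosen for illustration.

```cfml
<!--- Added example, not from the original answers. Assumes a datasource
      "appDSN" and a table "articles" with columns id, title, tag (placeholders). --->

<!--- 1. Vulnerable pattern: the URL value is spliced straight into the SQL text,
      so anything the client sends is parsed by the database as SQL. --->
<cfquery name="qBad" datasource="appDSN">
    SELECT id, title FROM articles
    WHERE tag = '#url.tag#'
</cfquery>

<!--- 2. Hardened pattern: cfqueryparam sends the value as a typed, length-limited
      bind parameter; it is never interpreted as part of the SQL statement. --->
<cfquery name="qGood" datasource="appDSN">
    SELECT id, title FROM articles
    WHERE tag = <cfqueryparam value="#url.tag#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- 3. cfqueryparam stops injection but does not enforce application rules.
      The functions below belong in Application.cfc and are run from
      onRequestStart so every page sees already-validated URL values. --->
<cffunction name="cleanStartRow" returntype="numeric" output="false">
    <cfargument name="raw" type="string" required="true">
    <!--- must be a positive integer; anything else falls back to row 1 --->
    <cfif isValid("integer", arguments.raw) AND val(arguments.raw) GTE 1>
        <cfreturn val(arguments.raw)>
    </cfif>
    <cfreturn 1>
</cffunction>

<cffunction name="cleanTag" returntype="string" output="false">
    <cfargument name="raw" type="string" required="true">
    <!--- allow-list: letters, digits, dash and underscore, 1 to 50 characters --->
    <cfif reFind("^[A-Za-z0-9_-]{1,50}$", arguments.raw)>
        <cfreturn arguments.raw>
    </cfif>
    <cfthrow type="Application.InvalidInput" message="Invalid tag parameter">
</cffunction>

<cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <!--- default missing values, then replace the raw scope entries with clean ones --->
    <cfparam name="url.startRow" default="1">
    <cfparam name="url.tag" default="">
    <cfset url.startRow = cleanStartRow(url.startRow)>
    <cfif len(url.tag)>
        <cfset url.tag = cleanTag(url.tag)>
    </cfif>
    <cfreturn true>
</cffunction>
```

The two halves address different risks: cfqueryparam protects the database from SQL injection regardless of what the value contains, while the allow-list functions protect the application itself (paging logic, file lookups, anything else that later consumes url.tag or url.startRow). A request with startRow=abc or tag=../etc/passwd is rejected or normalised before any page code runs, which is the "never trust the client" rule applied to parameters the user was never meant to touch.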

I would say best practices for ColdFusion are similar to those for programming web applications in any language.
I recently read Essential PHP Security by Chris Shiflett and the majority of issues discussed affect ColdFusion as well, though the syntax for dealing with them may be slightly different. I expect there are other (possibly better) language agnostic books which contain principles which can easily be altered for use in ColdFusion.

Although using a prebuilt solution will work, I recommend knowing all the possible issues that must be protected. Check out Hack Proofing ColdFusion at Amazon.

Another great place to learn about security (and all kinds of other topics) is to check out Charlie Arehart's massive list of recorded user group presentations: http://www.carehart.org/ugtv/

Here is information on a good tool that can be used to prevent XSS.
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
http://www.petefreitag.com/item/760.cfm
Fairly easy to implement and Java based.

I recommend the excellent talk by Justin McLean "ColdFusion Security and Risk Management". It includes a case study.
PDF presentation http://cdn.classsoftware.com/talks/CFMeetupSecurity.pdf
Video streaming: http://experts.adobeconnect.com/p22718297

CfQueryParam is very important, but not nearly enough.
There is a boxed solution we use at my work: http://foundeo.com/security/. It covers most of the bases. And even if you don't want to buy it, you can take a look at its feature set and get an idea of the things you should be considering.

You may like to check -
http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-8000.html

Related

Will Vert.x pose a threat to Node.js's user base due to its much better performance? [closed]

Closed 10 years ago.
Benchmark
Hacker News Discussion
Hacker News Discussion 2
It's not like Node.js is even really dominant today (except in the Hacker News community of course), it hasn't even had a 1.0 release yet. Funny to be speculating on what might replace it already :)
Performance is nice (though micro-benchmarks are not the right way to judge that) but if that was the only thing that mattered we would all be writing custom web servers in C for every app. One of the other important things is the community support, which Node.js definitely has going for it at the moment. It has a very healthy open source (this being the key) community that has created a large library of tools.
I think Vert.x is interesting and has a different way of looking at things than Node.js which is great. If they are able to continue to make progress, get more people interested in it, and show that it is easier and faster to write web apps then who knows? Maybe in a few years we can have a discussion on what is going to threaten Vert.x's future.
There are some interesting things brought up by this micro-benchmark that may be worth addressing in Node, but it's very important to remember that nobody doing 100's of millions of hits per day (which these benchmarks show) does so on one machine. They do it on many machines.
There are certain levels where faster languages make a difference (see for example Twitter migrating their backend from Ruby to Java), but it's VERY rare to get to that position.
Most people need a language that is clean and easy to program in, and a good ecosystem.
Vert.x has no ecosystem to speak of. If you want a JVM based system you can get plenty of options there. If you want a Javascript based system the best option right now is Node.js. It's that simple.

Easiest way to recommend users to upgrade their browser? [closed]

Closed 9 years ago.
There has been a lot of buzz around the IE6NoMore campaign.
What's the easiest way to recommend users to upgrade their browser?
Use conditional comments targeting IE. This way other browsers/bots (even when masquerading as IE) won't see it.
Make sure the message is polite and unobtrusive. Focus on benefits of change ("our website is faster and easier to use in up-to-date browsers") rather than negative aspects of IE (otherwise users could interpret this as ridicule of them or anti-Microsoft fanboyism).
Be as non-technical as possible. Average user doesn't know the difference between Internet, browser and search engine (← this video is painful to watch).
You can recommend things to people until you're blue in the face, but the reason people who don't instinctively upgrade their browser actually get around to doing it will always be the same. They do it because there's something they want to use, but can't unless they upgrade.
Want people to quit using an old browser ?
Quit supporting it.
It's that simple.
If no one supported them anymore then you wouldn't have to write code for them. For a certain percentage of people, they upgrade through necessity, not out of choice. If IE6 keeps working then they will keep using it. Don't make the extra effort to support IE6.
From a psychological point of view, users will upgrade software due to one of the following reasons:
- Need (they have to have feature)
- Benefit (they'd like to have a feature)
- Fear (they perceive some sort of damage if they don't have a feature)
Based on how well you know your users, you can use one of these approaches to motivate them to upgrade. I.e., Provide extra functionality in your software that works only in new browsers (suggestion: use Ajax for better page update, without the need to call another page or refresh the current). Make those users aware that new, better, safer functionality is available, if they just upgrade their browser.
But remember the following caveats:
Not everyone can upgrade on his own. OS and browser versions are often dictated by IT policies in medium-large organizations.
Not everyone is tech-savvy enough to upgrade - you may need to explain the process.
If the user can dictate behavior, he may require you to provide the shiny new functionality in the old browser - be careful how you present those benefits!
The type of people who haven't yet upgraded their browser will almost certainly be people who don't have the technical knowledge to do so; those users who do know what a browser is, does and how to upgrade (and the benefits of upgrading) will most probably have done so. From this you can see how important it is to explain clearly and concisely both the benefits of upgrading and precisely how to do so for those who aren't technically minded.

Grails security [closed]

Closed 10 years ago.
Which is the best security solution for grails among acegi, jsecurity and Stark security?
JSecurity actually became an Apache project under the name Apache Ki a while ago and they weren't happy with the name change for some reason and changed it to Apache Shiro soon after that. Also Stark is just a grails plugin wrapper for Spring Security and acegi is the origin of Spring Security project.
So which one to use?
Firstly, Spring Security is a matured security API and already widely used so from stability, support and especially security viewpoint it is a good choice. Shiro unfortunately loses a bit in this since as far as I know, it's still lacking in widespread adoption.
Secondly, the way the security framework actually behaves is quite important; it has to be able to enable you to do your favorite scheme of securing your application. For example, while some people like the way Shiro works (see this tutorial, esp. the part under the headline "Quickstart.java"), others couldn't live without Spring Security's Spring-esque stuff, and so on and so forth. Basically you need to try both and figure out if they meet your needs from a usability point of view.
Thirdly, be sure of the actual security! Spring Security can be guaranteed to be secure, Shiro is most likely secure because no widespread adoption hides security issues easily, see for example Firefox vulnerabilities to see how increased user base starts to affect the actual security of the application in the long run.
To end this, if I had to choose for you, I would pick Spring Security because it's widely used, it's guaranteed to be secure and already integrated with Grails. JSecurity/Ki/Shiro isn't bad at all and I've used it for a while, but at the moment it's in some sort of limbo state for who knows what reason and for a security framework that's just unacceptable.
Edit: It's been over 1½ years since I answered this, so I felt the need to come back and say that our company recently decided to go with Spring Security due to its high pluggability and its proven functionality. This of course makes me a bit biased but in any case, I'd say that Spring Security is the way to go.
Esko's answer is great and comprehensive. I did an evaluation of the different frameworks a month ago, and chose Shiro as the underlying security framework, despite having previous experience with Spring Security. I needed a solution with the ability to create complex authorization requirements. JSecurity's model is very simple, yet very powerful.
What finally convinced me, though, is Nimble plugin, which is a layer of UI on top of Shiro. It allows you to manage users, roles, groups, self-service account creation, email, etc... and is easy to integrate into your application. Not having to write all that code was a huge win for me. It also allows integration with OpenId, facebook, and others.
If Nimble worked for SpringSecurity, I would have probably chosen it, but I saw it as a huge win for me.
I've used both frameworks and love the way Shiro works in comparison to Spring's approach. I don't know why Spring Security is so popular. Unlike Shiro, Spring Security runs wild throughout the application whenever configuration is needed. Isn't security a cross-cutting concern for most applications? If so, wouldn't it be "cleaner code" to isolate it to a single location? My two cents.
Thanks guys for your responses. I actually tried spring security on a grails application. The grails plugin makes it quite easy to use.
regards.
Josh

Good resources on security, hacking etc? [closed]

Closed 10 years ago.
I am interested in learning about how hackers find and exploit vulnerabilities. Specifically about windows hacking and web hacking i.e. I’m NOT interested in linux/unix stuff.
Are there any good websites with technical articles about specifically how to find, exploit and block vulnerabilities with code samples and tools used.
I can do a quick search and there are a load of sites but i'm looking for something with a little more quality geared towards an audience with a programming and web background.
Even a good book but only if it's windows/web specific
Thanks a lot
Smashing the Stack for Fun and Profit is the classic Phrack article on writing buffer overflow exploits.
A good starting point for a web developer would be the Open Web Application Security Project (OWASP). They have a lot of resources on the subject of Web Application Security and some on application security in general. You can get some of the wisdom of that site in book form.
Try Simpson Garfinkel's book on web security first.
I highly recommend:
Hacking: The Art of Exploitation
Gray Hat Hacking, Second Edition: The Ethical Hacker's Handbook
I liked the Web Security Testing Cookbook. Some non-Windows stuff in there. The focus is on testing and using tools to find problems.
Subscribe to Schneier on Security. It's a great security blog.
For web hacking I recommend reading the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (very good book with lots of examples. It also shows you the tools which will get you started).
Also for web hacking I recommend completing and understanding all the challenges you can solve by downloading the WebGoat
See the top 100 network security tools list at http://sectools.org/.
Don't get me wrong, but if you really want to understand security stuff, Linux is really the way to go. There, you'll really learn the fundamentals, i.e. things that are important everywhere (encryption, ASM, programming, protocols, [etc]). Moreover, on Linux, you'll be able to read real code and use/find real exploits (and of course, send bug fixes). You'll also find a lot more documentation and a really nice community.
I know I'm biased toward Linux and you'll probably think I completely missed your question. However, I know friends of mine who asked me the same question and I told them what I've just told you.
Once you know the basics, you can easily find the documentation you want (reading RFCs, learning new languages, architectures, tools, source code, etc.). This is by far better than knowing a procedure to execute an exploit without understanding why it exists.
One last thing: the best hackers don't find exploits by guessing. They have a perfect understanding of the underlying structure and see something wrong. Then some exploit it, others send a patch to fix it - this is not the right place to argue about it - however, they are both experts in this domain.
I think what you'll need would be to join some hackers community which would provide many missions where you'd have to find the exploits yourself....
Understand that if you want to learn hacking you'd have to hack something......
www.enigmagroup.org would be a useful one...
www.securitytube.net from here you can get videos on almost every security related issue...

How can I collect user feedback without physically seeing my users? [closed]

Closed 10 years ago.
Like probably a lot of software developers, I almost never see real users using my software.
It is, of course, quite difficult to get good user feedback in this situation. Even if some users agree to give me some piece of information about the way they use the software, there's a huge difference between how they really use it and how they think they use it.
By chance, my software is client/server, which means I can quite easily technically collect some information on the server.
Of course, nothing equals looking at a real user using the software in real life, but I think it's better than nothing, or at least it's worth trying :)
While I log all the exceptions raised on the client in my database, I've not gone beyond this point yet.
Has anyone done that before?
What information would you log?
Are there some legal issues? How should I deal with those?
I face the same problem with the software I'm developing, though I have no users for it yet.
I generally think that monitoring should always be opt-in, and that you should have the ability to review before materials are being sent. I think most people would agree to that.
However, from a legal standpoint there are greater issues at stake. Some companies restrict users in installing software that has any components that "call home" for security reasons. Depending on the usage context, any monitoring data can potentially reveal secrets.
For example, my software annotates things in the IDE. If I transmitted "home" details about files that are open (rather than hashes), even without the content of these files, I would still possibly be sending confidential details. If your tool can be used to open images or documents, there may be similar issues.
I would suggest hashing or finding a way of obfuscating results on the client side, and ensuring via sufficient tests that there cannot be a situation where your software sends information home without consent and obfuscation. If I'm not mistaken, if your software does so, even by mistake, you may be violating US federal laws.
Also, make sure to encrypt the details as you send them over the wire.
Finally, if some of your users are in the EU, where privacy laws are stronger, your database of exceptions may be legally considered a "database" in itself (e.g., if you store SQL statements as they were executed and failed and these contain production values). So you may have to follow a lot of the rules about personally identifiable information.
When I did UI development, I used to collect every user command (button push, menu selection) and log them to file with my own internal debug information, but auto-delete the log files after a few days. This information is invaluable when trying to debug your own software (user can rarely recall precisely the steps they took when a problem occurs). I also kept a record of every application startup, in case we had a compatibility problem with third party software.
The point is that the information wasn't used unless a problem did occur, it was kept locally with no remote access, and it automatically got deleted if there was no problem. Only if the customer called us in for a problem did we access the log data.
Actively tracking user operations and sending them back to base is a separate issue entirely, and I've always shied away from that.
This isn't exactly what you asked for, but you do have a few options that are not programming-related solutions:
1) Do some hallway usability testing (scroll down to #12).
2) Try a product like Morae to set up a more formal, but remote, viewing session.
3) Ask a client to watch over their shoulder, using something like GoToMeeting, CoPilot or WinVNC. Or go to their site for a day and hang out watching over their actual shoulder.
Any of these will give you a really good idea of what works and what doesn't.
You could do something like this, which captures mouse movements and replays them for you to see using javascript and ajax.