Hack Proofing ColdFusion

Foreword
Chapter 1 Thinking Like a Hacker
Introduction
Understanding the Terms
A Brief History of Hacking
Why Should I Think Like a Hacker?
Mitigating Attack Risk in Your ColdFusion Applications
Validating Page Input
Functionality with Custom Tags and CFMODULE
The Top ColdFusion Application Hacks
Form Field Manipulation
URL Parameter Tampering
CFFILE, CFPOP, and CFFTP Tag Misuse
ColdFusion RDS Compromise
Understanding Hacker Attacks
Denial of Service
Virus Hacking
Preventing “Break-ins” by Thinking Like a Hacker
Development Team Guidelines
QA Team Guidelines
IT Team Guidelines
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 2 Securing Your ColdFusion Development
Introduction
Session Tracking
CFID and CFTOKEN Issues
Error Handling
Verifying Data Types
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 3 Securing Your ColdFusion Tags
Introduction
Identifying the Most Dangerous ColdFusion Tags
Properly (and Improperly) Using Dangerous Tags
Using the Tag
Using the Tag
Using the Tag
Using the Tag
Using the Tag
Using the Tag
Using the Tag
Using the Tag
Using the Tag
Using the Tag
Using the connectstring Attribute
Using the dbtype=dynamic Attribute
Knowing When and Why You
Should Turn Off These Tags
Controlling Threading within Dangerous Tags
Working with Other Dangerous and Undocumented Tags
Using the GetProfileString() and ReadProfileString() Functions
Using the GetTempDirectory() Function
Using the GetTempFile() Function
Using the Tag
Using the CF_SetDataSourceUsername(), CF_GetDataSourceUsername(), CF_SetDataSourcePassword(), CF_SetODBCINI(), and CF_GetODBCINI() Functions
Using the CF_GetODBCDSN() Function
Using the CFusion_Encrypt() and CFusion_Decrypt() Functions
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 4 Securing Your ColdFusion Applications
Introduction
Cross-Site Scripting
URL Hacking
Validating Browser Input
Malformed Input
Validating Consistently from the “Hit List”
Using
Using
Using and
Using (or Not Using)
Using
Web-Based File Upload Issues
Techniques to Protect Your Application when Accepting File Uploads
URL Session Variables
Session ID
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 5 The ColdFusion Development System
Introduction
Understanding the ColdFusion Application Server
Thread Pooling
Custom Memory Management
Page-based Applications
JIT Compiler
Database Connection Manager
Scheduling Engine
Indexing Engine
Distributed Objects
Understanding ColdFusion Studio
Setting Up FTP and RDS Servers
Thinking of ColdFusion as Part of a System
Securing Everything to Which ColdFusion Talks
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 6 Configuring ColdFusion Server Security
Introduction
Setting Up the ColdFusion Server Using “Basic Security”
Employing Encryption under the Basic Security Setup
Authentication under the Basic Security Setup
Customizing Access Control under the Basic Security Setup
Accessing Server Administration under the Basic Security Setup
Setting Up the ColdFusion Server Using “Advanced Security”
Employing Encryption under the Advanced Security Setup
Authentication under the Advanced Security Setup
Customizing Access Control under the Advanced Security Setup
Performance Considerations When Using Basic or Advanced Security
Caching Advanced Security Information
File and Data Source Access
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 7 Securing the ColdFusion Server after Installation
Introduction
What to Do with the Sample Applications
Reducing Uncontrolled Access
Choosing to Enable or Disable the RDS Server
Limiting Access to the RDS Server
Securing Remote Resources for ColdFusion Studio
Creating a Security Context
Debug Display Restrictions
Using the mode=debug Parameter
Microsoft Security Tool Kit
MS Strategic Technology Protection Program
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 8 Securing Windows and IIS
Introduction
Security Overview on Windows, IIS, and Microsoft
Securing Windows 2000 Server
Avoiding Service Pack Problems with ColdFusion
Using Windows Services (“Use Only What You Need”)
Working with Users and Groups
Understanding Default File System and Registry Permissions
Securing the Registry
Other Useful Considerations for Securing the Registry and SAM
Installing Internet Information Services 5.0
Removing the Default IIS 5.0 Installation
Creating an Answer File for the New IIS Installation
Securing Internet Information Services 5.0
Setting Web Site, FTP Site, and Folder Permissions
Restricting Access through IP Address and Domain Name Blocking
Configuring Authentication
Examining the IIS Security Tools
Using the Hotfix Checker Tool
Using the IIS Security Planning Tool
Using the Windows 2000 Internet Server Security Configuration Tool for IIS 5.0
Auditing IIS
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 9 Securing Solaris, Linux, and Apache
Introduction
Solaris Solutions
Overview of the Solaris OS
Understanding Solaris Patches
Securing Default Solaris Services
Security Issues for Solaris 2.6 and Later
Other Useful Considerations in Securing Your Solaris Installation
Linux Solutions
Understanding Linux Installation Considerations
Selecting Packages for Your Linux Installation
Hardening Linux Services
Securing Your Suid Applications
Understanding Sudo System Requirements
Learning More About the Sudo Command
Downloading Sudo
Installing Sudo
Configuring Sudo
Running Sudo
Running Sudo with No Password
Logging Information with Sudo
Other Useful Considerations to Securing Your Linux Installation
Apache Solutions
Configuring Apache on Solaris and Linux
Configuring Apache Modules
Choosing Apache SSL
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 10 Database Security
Introduction
Database Authentication and Authorization
Authentication
Authorization
Database Security and ColdFusion
Dynamic SQL
Leveraging Database Security
Microsoft SQL Server
Microsoft Access
Oracle
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 11 Securing Your ColdFusion Applications Using Third-Party Tools
Introduction
Firewalls
Testing Firewalls
DNS Tricks
Port Scanning Tools
Detecting Port Scanning
Best Practices
Install Patches
Know What’s Running
Default Installs
Change Passwords and Keys
Backup, Backup,Backup
Firewalls
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 12 Security Features in ColdFusion MX
Introduction
Who’s Responsible for Security?
A Look at Security in ColdFusion MX
New and Improved Tools
New Tags
Summary
Solutions Fast Track
Frequently Asked Questions
Index