Hack Proofing ColdFusion

About the Book

The only way to stop a hacker is to think like one! ColdFusion is a Web application development tool that lets programmers quickly build robust applications using a server-side markup language. It is incredibly popular, with an established user base and a quickly growing number of new adopters. It has become the development environment of choice for e-commerce sites and content sites, where databases and transactions are the most exposed and where security is of the utmost importance. Several security concerns arise from ColdFusion's approach of building pages from dynamic page templates rather than static HTML documents. Because ColdFusion does not require developers to have expertise in Visual Basic, Java, or C++, Web applications written in ColdFusion Markup Language are vulnerable to a variety of security breaches. Hack Proofing ColdFusion 5.0 is the seventh title in the popular Hack Proofing series and provides developers with step-by-step instructions for developing secure Web applications.

Table of Contents:

Foreword

Chapter 1 Thinking Like a Hacker
  • Introduction
  • Understanding the Terms
  • A Brief History of Hacking
  • Why Should I Think Like a Hacker?
  • Mitigating Attack Risk in Your ColdFusion Applications
  • Validating Page Input
  • Functionality with Custom Tags and CFMODULE
  • The Top ColdFusion Application Hacks
  • Form Field Manipulation
  • URL Parameter Tampering
  • CFFILE, CFPOP, and CFFTP Tag Misuse
  • ColdFusion RDS Compromise
  • Understanding Hacker Attacks
  • Denial of Service
  • Virus Hacking
  • Preventing "Break-ins" by Thinking Like a Hacker
  • Development Team Guidelines
  • QA Team Guidelines
  • IT Team Guidelines
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 2 Securing Your ColdFusion Development
  • Introduction
  • Session Tracking
  • CFID and CFTOKEN Issues
  • Error Handling
  • Verifying Data Types
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 3 Securing Your ColdFusion Tags
  • Introduction
  • Identifying the Most Dangerous ColdFusion Tags
  • Properly (and Improperly) Using Dangerous Tags
  • Using the Tag (ten sections, one per tag; the tag names are missing from this listing)
  • Using the connectstring Attribute
  • Using the dbtype=dynamic Attribute
  • Knowing When and Why You Should Turn Off These Tags
  • Controlling Threading within Dangerous Tags
  • Working with Other Dangerous and Undocumented Tags
  • Using the GetProfileString() and ReadProfileString() Functions
  • Using the GetTempDirectory() Function
  • Using the GetTempFile() Function
  • Using the Tag (tag name missing from this listing)
  • Using the CF_SetDataSourceUsername(), CF_GetDataSourceUsername(), CF_SetDataSourcePassword(), CF_SetODBCINI(), and CF_GetODBCINI() Functions
  • Using the CF_GetODBCDSN() Function
  • Using the CFusion_Encrypt() and CFusion_Decrypt() Functions
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 4 Securing Your ColdFusion Applications
  • Introduction
  • Cross-Site Scripting
  • URL Hacking
  • Validating Browser Input
  • Malformed Input
  • Validating Consistently from the "Hit List"
  • Using (tag name missing from this listing)
  • Using (tag name missing from this listing)
  • Using and (tag names missing from this listing)
  • Using (or Not Using) (tag name missing from this listing)
  • Using (tag name missing from this listing)
  • Web-Based File Upload Issues
  • Techniques to Protect Your Application when Accepting File Uploads
  • URL Session Variables
  • Session ID
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 5 The ColdFusion Development System
  • Introduction
  • Understanding the ColdFusion Application Server
  • Thread Pooling
  • Custom Memory Management
  • Page-based Applications
  • JIT Compiler
  • Database Connection Manager
  • Scheduling Engine
  • Indexing Engine
  • Distributed Objects
  • Understanding ColdFusion Studio
  • Setting Up FTP and RDS Servers
  • Thinking of ColdFusion as Part of a System
  • Securing Everything to Which ColdFusion Talks
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 6 Configuring ColdFusion Server Security
  • Introduction
  • Setting Up the ColdFusion Server Using "Basic Security"
  • Employing Encryption under the Basic Security Setup
  • Authentication under the Basic Security Setup
  • Customizing Access Control under the Basic Security Setup
  • Accessing Server Administration under the Basic Security Setup
  • Setting Up the ColdFusion Server Using "Advanced Security"
  • Employing Encryption under the Advanced Security Setup
  • Authentication under the Advanced Security Setup
  • Customizing Access Control under the Advanced Security Setup
  • Performance Considerations When Using Basic or Advanced Security
  • Caching Advanced Security Information
  • File and Data Source Access
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 7 Securing the ColdFusion Server after Installation
  • Introduction
  • What to Do with the Sample Applications
  • Reducing Uncontrolled Access
  • Choosing to Enable or Disable the RDS Server
  • Limiting Access to the RDS Server
  • Securing Remote Resources for ColdFusion Studio
  • Creating a Security Context
  • Debug Display Restrictions
  • Using the mode=debug Parameter
  • Microsoft Security Tool Kit
  • MS Strategic Technology Protection Program
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 8 Securing Windows and IIS
  • Introduction
  • Security Overview on Windows, IIS, and Microsoft
  • Securing Windows 2000 Server
  • Avoiding Service Pack Problems with ColdFusion
  • Using Windows Services ("Use Only What You Need")
  • Working with Users and Groups
  • Understanding Default File System and Registry Permissions
  • Securing the Registry
  • Other Useful Considerations for Securing the Registry and SAM
  • Installing Internet Information Services 5.0
  • Removing the Default IIS 5.0 Installation
  • Creating an Answer File for the New IIS Installation
  • Securing Internet Information Services 5.0
  • Setting Web Site, FTP Site, and Folder Permissions
  • Restricting Access through IP Address and Domain Name Blocking
  • Configuring Authentication
  • Examining the IIS Security Tools
  • Using the Hotfix Checker Tool
  • Using the IIS Security Planning Tool
  • Using the Windows 2000 Internet Server Security Configuration Tool for IIS 5.0
  • Auditing IIS
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 9 Securing Solaris, Linux, and Apache
  • Introduction
  • Solaris Solutions
  • Overview of the Solaris OS
  • Understanding Solaris Patches
  • Securing Default Solaris Services
  • Security Issues for Solaris 2.6 and Later
  • Other Useful Considerations in Securing Your Solaris Installation
  • Linux Solutions
  • Understanding Linux Installation Considerations
  • Selecting Packages for Your Linux Installation
  • Hardening Linux Services
  • Securing Your Suid Applications
  • Understanding Sudo
  • System Requirements
  • Learning More About the Sudo Command
  • Downloading Sudo
  • Installing Sudo
  • Configuring Sudo
  • Running Sudo
  • Running Sudo with No Password
  • Logging Information with Sudo
  • Other Useful Considerations to Securing Your Linux Installation
  • Apache Solutions
  • Configuring Apache on Solaris and Linux
  • Configuring Apache Modules
  • Choosing Apache SSL
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 10 Database Security
  • Introduction
  • Database Authentication and Authorization
  • Authentication
  • Authorization
  • Database Security and ColdFusion
  • Dynamic SQL
  • Leveraging Database Security
  • Microsoft SQL Server
  • Microsoft Access
  • Oracle
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 11 Securing Your ColdFusion Applications Using Third-Party Tools
  • Introduction
  • Firewalls
  • Testing Firewalls
  • DNS Tricks
  • Port Scanning Tools
  • Detecting Port Scanning
  • Best Practices
  • Install Patches
  • Know What's Running
  • Default Installs
  • Change Passwords and Keys
  • Backup, Backup, Backup
  • Firewalls
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 12 Security Features in ColdFusion MX
  • Introduction
  • Who's Responsible for Security?
  • A Look at Security in ColdFusion MX
  • New and Improved Tools
  • New Tags
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Index



Product Details
  • ISBN-13: 9781928994770
  • Publisher: Syngress Media,U.S.
  • Publisher Imprint: Syngress Media,U.S.
  • Height: 234 mm
  • No of Pages: 512
  • Width: 156 mm
  • ISBN-10: 1928994776
  • Publisher Date: 25 Apr 2002
  • Binding: Paperback
  • Language: English
  • Weight: 988 gr

