@learncfinaweek
learncfinaweek / gist:4121390
Created November 20, 2012 21:43
Security - Secure Password Storage

The ARTISTS table in the cfartgallery datasource used for examples is an excellent example of how NOT to store passwords. First, they are stored in clear text and the column is limited to only 8 characters.

ARTISTID
@learncfinaweek
learncfinaweek / gist:4121383
Created November 20, 2012 21:43
Security - File Uploads

Accepting file uploads is another common requirement for web applications, but it also poses a great risk to both the server and the users of the web application. If not handled correctly, an uploaded file can lead to a compromised server or spread a virus-infected file to other users.

The default behavior of the file upload should be to delete the file if it does not pass a validation check. Only when the file has passed all the checks should it be moved to the proper location, using a system-generated file name.

The first and most important thing is that files should NEVER be uploaded to a web-accessible directory. They should always be placed in a temporary location, generally the ColdFusion temporary directory returned by GetTempDirectory(). On UNIX systems, you should also restrict access to the uploaded file by specifying the mode attribute, preferably 600, so that only the ColdFusion process can read or write the file.

@learncfinaweek
learncfinaweek / gist:4121378
Created November 20, 2012 21:42
Security - Session Identifier Protection

Session identifiers (CFID, CFTOKEN, and JSESSIONID) need to be protected since they provide an attacker with an easy way to impersonate a user if they are acquired.

One of the biggest leakages of session identifiers occurs with cflocation, because the ADDTOKEN attribute defaults to true. This appends the session identifiers to the URL, where they can be easily captured. The ADDTOKEN attribute should be set to false in almost all cases.

An additional measure to protect the session identifiers is to flag the cookie in which they are delivered as HTTPOnly. When a cookie is flagged HTTPOnly, it is not possible for the cookie to be accessed in the browser via JavaScript. ColdFusion 9 added the ability to set HTTPOnly cookies with cfcookie, and ColdFusion 9.0.1 added a JVM flag to enable HTTPOnly c

@learncfinaweek
learncfinaweek / gist:4121372
Created November 20, 2012 21:41
Security - Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. This works because web browsers automatically include most credentials with each request, such as session cookies, the basic authentication header, the IP address, and client-side SSL certificates.

One of the many examples occurred with Netflix in 2006: if you used the "Remember Me" functionality and came across any web page that had <img src="http://www.netflix.com/AddToQueue?movieid=70011204" /> embedded in it, a copy of "SpongeBob Squarepants" would be added to your Netflix queue.

ColdFusion 10 introduced two new functions to deal with CSRF: CSRFGenerateToken() and CSRFVerifyToken(). To use the functions, the web application needs to have Session Management enabled. They work by creating a random token that can be checked when the submission o

@learncfinaweek
learncfinaweek / gist:4121370
Created November 20, 2012 21:41
Security - Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is the most prevalent web application security flaw. It occurs when user-supplied data is sent to the browser without properly validating or escaping that content. XSS flaws can allow the attacker to:

@learncfinaweek
learncfinaweek / gist:4121367
Created November 20, 2012 21:40
Security - Injection

Injection attacks occur when data sent to an interpreter contains unintended commands that the interpreter then runs along with the data. The most common injection flaw in web applications is SQL injection, but injection flaws can also affect LDAP queries, XPath queries, and OS commands. We are going to cover SQL injection, but the techniques used to validate and control the input to the SQL interpreter are applicable to the other types of injection.

SQL Injection (SQLi)

In the earlier Database chapter you saw the use of the cfqueryparam tag. It is one of the simplest steps you can take to help prevent SQL injection attacks on your web application, but it can only be used in the WHERE clause, INSERT values, and UPDATE values of an SQL statement. Other parts of an SQL statement require more work to protect. The example below uses cfqueryparam, but it is still susceptible to SQL injection attack throug

@learncfinaweek
learncfinaweek / gist:4121364
Created November 20, 2012 21:40
Security - Introduction

Security is a broad topic area and the threats are constantly evolving. Security encompasses more than just writing secure code; it also includes the configuration and setup of the servers and network, and the practices and procedures for handling sensitive data.

In this chapter, we'll focus on the areas of security that you have the most control over as a ColdFusion developer, to help you write more secure ColdFusion code and understand the security settings in the ColdFusion Administrator, making it more difficult for an attacker to exploit your web application. We say "more difficult" because no web application can be 100% secure.

There are several shifts in thought required.

@learncfinaweek
learncfinaweek / gist:4121359
Created November 20, 2012 21:39
Caching - Hands On 27

As you write more and larger ColdFusion applications, you will start looking for ways to improve the performance of your applications. There are many ways to do this, but perhaps the easiest is to use ColdFusion's caching mechanisms to reduce the amount of work your application has to do over and over. Caching simply refers to the idea that you create a piece of content or data once and hold it in application memory for some period of time. During that time frame, any part of your application that needs that content or data uses the copy that was previously generated rather than regenerating it.

ColdFusion has several different caching mechanisms built in, but they generally fall into two main categories: programmatic caching and application server caching.

Programmatic Caching

@learncfinaweek
learncfinaweek / gist:4121352
Created November 20, 2012 21:38
Document Handling - Hands On 26
<p>
In this hands-on, we are going to import data into and export data from the blog section using Excel.
</p>
<p>
<strong>Tags Used</strong>: <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7fa1.html" target="_new">&lt;cffile></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec17cba-7f87.html" target="_new">&lt;cfspreadsheet></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7fe2.html" target="_new">&lt;cfloop></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7ffd.html" target="_new">&lt;cfset></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7ebf.html" target="_new">&lt;cfscript></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7aea.html" target="_new">&lt;cfheader></a>, <a href="http://help.adobe.com/en_US/Co