Skip to content

Instantly share code, notes, and snippets.

learncfinaweek

Block or report user

Report or block learncfinaweek

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@learncfinaweek
learncfinaweek / gist:4121390
Created Nov 20, 2012
Security - Secure Password Storage
View gist:4121390

The ARTISTS table in the cfartgallery datasource used for examples is an excellent example of how NOT to store passwords. First, they are stored in clear text and the column is limited to only 8 characters.

ARTISTID
@learncfinaweek
learncfinaweek / gist:4121383
Created Nov 20, 2012
Security - File Uploads
View gist:4121383

Accepting file uploads is another common requirement for web applications, but also pose a great risk to both the server and the users of the web application. If not handled correctly, an uploaded file can lead to a compromised server or spread a virus infected file to other users.

The default behavior of the file upload should be to delete the file if it does not pass a validation check. When the file has passed all the checks, move it to the proper location using a system generated file name.

The first and most important thing is that files should NEVER be uploaded to a web accessible directory. They should always be placed in a temporary location, generally the ColdFusion temporary directory from GetTempDirectory(). On UNIX systems should also restrict access to the uploaded file by specifying the mode attribute, preferably 600 so that only the ColdFusion process can read or write to the file.

@learncfinaweek
learncfinaweek / gist:4121378
Created Nov 20, 2012
Security - Session Identifier Protection
View gist:4121378

Session identifiers (CFID, CFTOKEN, and JSESSIONID) need to be protected since they provide an attacker with an easy way to impersonate a user if they are acquired.

One of the biggest leakages of session identifiers occurs with cflocation because the ADDTOKEN attribute defaults to true, appending the session identifiers to the URL, and thus be easily captured. The ADDTOKEN attribute should be set to false in almost all cases.

An additional measure to protect the session identifiers is to set the cookie which they are delivered to be HTTPOnly. When a cookie is flagged HTTPOnly, it is not possible for the cookie to be accessed in the browser via Javascript. ColdFusion 9 added the ability to set HTTPOnly cookies with cfcookie and ColdFusion 9.0.1 added a JVM flag to enable HTTPOnly c

@learncfinaweek
learncfinaweek / gist:4121372
Created Nov 20, 2012
Security - Cross-Site Request Forgery (CSRF)
View gist:4121372

Cross-Site Request Forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. This occurs because web browsers automatically include most credentials with each request, such as session cookies, basic authentication header, IP address, and client side SSL certificates.

One of the many examples occurred with Netflix in 2006; if you used the "Remember Me" functionality and came across any web page that had <img src="http://www.netflix.com/AddToQueue?movieid=70011204" />, embedded in it, a copy of “SpongeBob Squarepants” would be added to your Netflix queue.

ColdFusion 10 introduced two new functions to deal with CSRF; CSRFGenerateToken() and CSRFVerifyToken(). To use the functions, the web application needs to have Session Management enabled, which works by creating a random token that can be checked when the submission o

@learncfinaweek
learncfinaweek / gist:4121370
Created Nov 20, 2012
Security - Cross-Site Scripting (XSS)
View gist:4121370

Cross-site Scripting (XSS) is the most prevalent web application security flaw and occurs when user supplied data is sent to the browser without properly validating or escaping that content. XSS flaws can allow the attacker to:

@learncfinaweek
learncfinaweek / gist:4121367
Created Nov 20, 2012
Security - Injection
View gist:4121367

Injection attacks occur when data is sent to an interpreter which contain unintended commands with the data that are run by the interpreter. The most common injection flaw in web applications are SQL, but it is also possible to have injection flaws effect LDAP queries, XPath queries, and OS commands. We are going to cover SQL injections, but the techniques used to validate and control the input to the SQL interpreter are applicable to the other types of injections.

SQL Injection (SQLi)

In the earlier Database chapter you saw the use of the cfqueryparam tag. It is one of the simplest steps you can take to help prevent SQL injection attacks on your web application, but it can only be used in the WHERE clause, INSERT values, and UPDATE values of an SQL statement. Other parts of an SQL statement require more work to protect against it. The example below is using cfqueryparam, but it is still susceptible to SQL injection attack throug

@learncfinaweek
learncfinaweek / gist:4121364
Created Nov 20, 2012
Security - Introduction
View gist:4121364

Security is a broad topic area and the threats are constantly evolving. Security encompasses more than just writing secure code, but also items like the configuration and setup of the servers and network, and practices and procedures for handling sensitive data.

In this chapter, we'll focus on areas of security that you have the most control over as a ColdFusion developer in order to help you write more secure ColdFusion code and understand the security settings in the ColdFusion Administrator, making it more difficult for an attacker to exploit your web application. We say "more difficult" because no web application can be 100% secure.

There are several shifts in thought required.

@learncfinaweek
learncfinaweek / gist:4121359
Created Nov 20, 2012
Caching - Hands On 27
View gist:4121359
View gist:4121356

As you write more and larger ColdFusion applications, you will start looking for ways to improve the performance of your applications. There are many ways to do this, but perhaps the easiest is to use ColdFusion's caching mechanisms to reduce the amount of work your application has to do over and over. Caching simply refers to the idea that you create a piece of content or data once and hold it in application memory for some period of time. During that time frame, any part of your application that needs that content or data uses the copy that was previously generated rather than regenerating it.

ColdFusion has several different caching mechanisms built in, but they generally fall into two main categories--programmatic caching and application server caching.

Programmatic Caching

@learncfinaweek
learncfinaweek / gist:4121352
Created Nov 20, 2012
Document Handling - Hands On 26
View gist:4121352
<p>
In this hands on, we are going to import and export data into the blog section using Excel.
</p>
<p>
<strong>Tags Used</strong>: <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7fa1.html" target="_new">&lt;cffile></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec17cba-7f87.html" target="_new">&lt;cfspreadsheet></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7fe2.html" target="_new">&lt;cfloop></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7ffd.html" target="_new">&lt;cfset></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7ebf.html" target="_new">&lt;cfscript></a>, <a href="http://help.adobe.com/en_US/ColdFusion/10.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7aea.html" target="_new">&lt;cfheader></a>, <a href="http://help.adobe.com/en_US/Co
You can’t perform that action at this time.