Search Results
There are 4 item(s) tagged with the keyword "security".
- Displaying: 1 - 4 of 4
- 1. Day 5: ColdFusion 10 session enhancements
ColdFusion 10 added a couple of session-related functions and new settings for the session cookie. The first thing I noticed is that "Use UUID for CFTOKEN" is now enabled by default, so if you are moving to ColdFusion 10 from an older version where CFTOKEN was not a UUID, and you store client variables in a datasource, make sure you widen the database column that holds the token: a UUID-based CFTOKEN is longer than the old numeric one. The session ID is built from the application name, CFID and CFTOKEN.
- By Pritesh
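As an added example (not code from the post), here is an Application.cfc that switches on the ColdFusion 10 per-application session-cookie settings the post refers to, alongside the client-variable storage the post warns about. The application name and datasource name are assumed. The "Use UUID for CFTOKEN" switch itself lives in the ColdFusion Administrator (Server Settings > Settings), not in Application.cfc.

```cfml
// Application.cfc (added example; application and datasource names are assumed)
component {
    this.name = "pritesh-demo";              // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);
    this.setClientCookies = true;            // let ColdFusion set the CFID/CFTOKEN cookies

    // New in ColdFusion 10: session cookie settings per application.
    // Without these, CFID/CFTOKEN are long-lived persistent cookies that are
    // readable from JavaScript and sent over plain HTTP.
    this.sessioncookie = {
        httponly      = true,                         // not exposed to document.cookie
        secure        = true,                         // only sent over HTTPS
        timeout       = createTimeSpan(0, 0, 30, 0),  // cookie lifetime matches the session timeout
        disableUpdate = true                          // application code cannot overwrite the cookies
    };
    // The same options exist for the CFAUTHORIZATION cookie used by cflogin
    this.authcookie = {
        timeout       = createTimeSpan(0, 0, 30, 0),
        disableUpdate = true
    };

    // Client variables in a datasource: with UUID-style CFTOKEN values the token
    // is longer than the old numeric one, so the columns that hold CFID/CFTOKEN in
    // the client-variable tables (CDATA and CGLOBAL) must be wide enough before the
    // Administrator setting is switched on. Check your actual schema.
    this.clientManagement = true;
    this.clientStorage = "clientVarsDSN";    // assumed datasource name
}
```

The session ID ColdFusion exposes as session.sessionid is the application name, CFID and CFTOKEN joined with underscores, so anything that logs or keys on it also grows once UUID tokens are in use.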
- 2. Day 4: Avoid CSRF attacks with ColdFusion 10
Day 4 of my ColdFusion 10 review; the last three days have concentrated on the security enhancements. In the previous two posts I covered the functions added in ColdFusion 10 to avoid XSS attacks. Now it is time for CSRF (cross-site request forgery). According to Wikipedia it is the 909th most dangerous software bug ever found, yet in a normal project we usually leave this door open and take no precautions against it. ColdFusion 10 makes it easy to avoid CSRF attacks by adding two functions, CSRFGenerateToken and CSRFVerifyToken. The first generates a token for each session (or, optionally, for each request) which you pass along with the form submission; in the action page you call CSRFVerifyToken to make sure the request came from the same session and is not a forged one. I used to create a hash from a combination of a session variable and the page name, pass it with the form, and in the action page compare the same combination against the hash passed in the form data.
- By Pritesh
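An added example of the two functions working together, written for this page rather than taken from the post: one page that renders the form and, on submission, verifies the token before acting. The page name transfer.cfm, the token key "transfer" and the form field names are assumed. Session management must be enabled in Application.cfc because the token is stored in the user's session.

```cfml
<!--- transfer.cfm (added example; page, key and field names are assumed).
      Requires this.sessionManagement = true in Application.cfc. --->
<cfparam name="form.amount" default="">

<cfif structKeyExists(form, "csrfToken")>

    <!--- Action: the submitted token must match the one issued for the
          "transfer" key in this session. A request forged from another site
          cannot read the token out of the victim's page, so it fails here. --->
    <cfif NOT CSRFVerifyToken(form.csrfToken, "transfer")>
        <cfheader statuscode="403" statustext="Forbidden">
        <p>Request rejected: missing or invalid CSRF token.</p>
        <cfabort>
    </cfif>

    <!--- The token only proves the request came from our own form; the
          business input still has to be validated, and encoded when echoed. --->
    <cfif NOT isValid("integer", form.amount) OR form.amount LTE 0>
        <p>Invalid amount.</p>
        <cfabort>
    </cfif>
    <cfoutput><p>Transfer of #encodeForHTML(form.amount)# accepted.</p></cfoutput>

<cfelse>

    <!--- Form: CSRFGenerateToken(key) returns the same token for this session
          and key until the session ends. Pass true as the second argument
          (forceNew) to mint a fresh token on every request instead; that is
          stricter but breaks the back button and multi-tab use. --->
    <cfset csrfToken = CSRFGenerateToken("transfer")>
    <cfoutput>
    <form method="post" action="transfer.cfm">
        <input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute(csrfToken)#">
        <label>Amount <input type="text" name="amount"></label>
        <button type="submit">Transfer</button>
    </form>
    </cfoutput>

</cfif>
```

Two things to check in a real deployment: every state-changing page must call CSRFVerifyToken (a single unprotected page is enough for an attacker), and the token must never be placed in a URL, where it leaks through Referer headers and logs.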
- 3. Day 3: Avoid Cross-site scripting (XSS) using ColdFusion 10 - Part 2
Yesterday I looked at three of the newly added security functions for avoiding XSS attacks on your website. Today I look at the remaining ones: encodeForCSS, encodeForURL and canonicalize.
encodeForCSS:
As the function name says, it encodes a string so that it is safe to render inside CSS. Normally I do not use dynamic CSS, but in certain cases you may want to change the background colour of a div based on user input. User input? Yes, and it is dangerous too, because we are once again opening the door to an XSS attack. Have a look at the sample below.
- By Pritesh
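The following is an added example written for this page, not the post's own sample: a user-chosen background colour and a search term, run through canonicalize, an allow-list check, encodeForCSS and encodeForURL in the order a practitioner should apply them. The parameter names url.color and url.q and the page name search.cfm are assumed.

```cfml
<!--- style.cfm (added example; parameter and page names are assumed) --->
<cfparam name="url.color" default="ffffff">   <!--- hex colour chosen by the user --->
<cfparam name="url.q"     default="">         <!--- free-text search term --->

<!--- 1. canonicalize() reduces %-encoding, HTML entities and similar to plain
        characters. restrictMultiple=true and restrictMixed=true reject double
        and mixed encodings, the classic way of sneaking a payload past a filter.
        If ColdFusion rejects the value the catch block treats it as hostile;
        anything that slips through still has to pass the allow-list below. --->
<cftry>
    <cfset colorValue = canonicalize(url.color, true, true)>
    <cfcatch type="any">
        <cfset colorValue = "">
    </cfcatch>
</cftry>

<!--- 2. Allow-list validation on the decoded value: exactly six hex digits --->
<cfif NOT reFind("^[0-9A-Fa-f]{6}$", colorValue)>
    <cfset colorValue = "ffffff">
</cfif>

<cfoutput>
<!--- 3. encodeForCSS() for the style context. It escapes anything that could
        break out of the declaration (semicolon, braces, quotes, angle brackets)
        even though the allow-list already guarantees a clean value: validate
        for meaning, encode for the output context, never one instead of the
        other. A doubled hash sign is how a literal hash sign is written inside
        cfoutput, so the browser sees "background-color: #ffffff". --->
<div style="background-color: ###encodeForCSS(colorValue)#;">
    Search results
</div>

<!--- 4. encodeForURL() for a query-string value: spaces, ampersands, equals
        signs and hash signs are percent-encoded, so the term cannot add or
        overwrite parameters. --->
<a href="search.cfm?q=#encodeForURL(url.q)#&color=#encodeForURL(colorValue)#">Search again</a>
</cfoutput>
```

Note that encodeForURL is for a single parameter value, not a whole URL; encoding a complete URL with it would also encode the slashes and question mark.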
- 4. Day 2: Avoid Cross-site scripting (XSS) using ColdFusion 10 - Part 1
ColdFusion 10 adds a bunch of functions to avoid XSS attacks. An XSS attack (as Wikipedia explains) is script code or an iframe injected into dynamic content that is then rendered in the web page, creating a significant security risk. Most of us already use HTMLEditFormat to encode user input (such as comments on a blog post) to avoid unwanted HTML rendering. But HTMLEditFormat cannot prevent every kind of XSS, since it only encodes <, >, & and ". It does not help you avoid XSS inside a tag attribute, CSS or JavaScript. ColdFusion 10 introduces encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForCSS, encodeForURL and canonicalize to fight XSS. In this post I will try to cover some of them.
- By Pritesh
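An added example, not taken from the post, that shows the limitation described above in each output context. The input string is constructed to break out of an unquoted attribute and a JavaScript string; the lines marked vulnerable deliberately keep HTMLEditFormat so the failure is visible, and the lines beside them use the ColdFusion 10 encoders. The field and element names are assumed.

```cfml
<!--- contexts.cfm (added example; field and element names are assumed).
      The input is constructed: it contains none of < > & " so HTMLEditFormat
      leaves it completely untouched. --->
<cfset userInput = "x onmouseover=alert(1) '; alert(2); //">

<cfoutput>
<!--- Context 1: HTML body. HTMLEditFormat is adequate here, but encodeForHTML
      also encodes ' and /, so prefer it everywhere. --->
<p id="nick-label">Comment: #encodeForHTML(userInput)#</p>

<!--- Context 2: attribute value. HTMLEditFormat changes nothing in this input,
      so in an unquoted attribute the first space ends the value and
      onmouseover=alert(1) becomes a live event handler. encodeForHTMLAttribute
      encodes the space, quotes, = and ( ) so the whole string stays one value;
      quote your attributes as well. --->
<input type="text" name="nick" value=#HTMLEditFormat(userInput)#>             <!--- vulnerable --->
<input type="text" name="nick" value="#encodeForHTMLAttribute(userInput)#">   <!--- hardened --->

<!--- Context 3: JavaScript string. HTMLEditFormat leaves ' ; and / alone, so the
      payload closes the string and alert(2) runs. encodeForJavaScript escapes
      every non-alphanumeric character as \xHH or \uHHHH, which the JavaScript
      parser reads back as data, not code. --->
<!--- vulnerable: var nick = '#HTMLEditFormat(userInput)#'; --->
<script>
  var nick = '#encodeForJavaScript(userInput)#';
  document.getElementById("nick-label").textContent = "Comment: " + nick;
</script>
</cfoutput>
```

The rule the example illustrates: pick the encoder by where the value lands (HTML body, attribute, JavaScript, CSS, URL), not by where it came from, and apply it at the point of output.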