Hack Proofing ColdFusion

1st Edition - April 25, 2002

  • Author: Syngress
  • eBook ISBN: 9780080478098

Description

The only way to stop a hacker is to think like one! ColdFusion is a Web application development tool that allows programmers to quickly build robust applications using a server-side markup language. It is incredibly popular and has both an established user base and a quickly growing number of new adoptions. It has become the development environment of choice for e-commerce sites and content sites, where databases and transactions are the most vulnerable and where security is of the utmost importance. Several security concerns exist for ColdFusion due to its unique approach of designing pages using dynamic-page templates rather than static HTML documents. Because ColdFusion does not require that developers have expertise in Visual Basic, Java, or C++, Web applications created using ColdFusion Markup Language are vulnerable to a variety of security breaches. Hack Proofing ColdFusion 5.0 is the seventh edition in the popular Hack Proofing series and provides developers with step-by-step instructions for developing secure Web applications.

Key Features

  • Teaches strategy and techniques: Using forensics-based analysis, this book gives the reader insight into the mind of a hacker
  • Interest in the topic continues to grow: Network architects, engineers, and administrators are scrambling for security books to help them protect their new networks and applications powered by ColdFusion
  • Unrivalled Web-based support: Up-to-the-minute links, white papers, and analysis for two years at solutions@syngress.com

Table of Contents

  • Foreword
  • Chapter 1 Thinking Like a Hacker
      • Introduction
      • Understanding the Terms
      • A Brief History of Hacking
      • Why Should I Think Like a Hacker?
      • Mitigating Attack Risk in Your ColdFusion Applications
      • Validating Page Input
      • Functionality with Custom Tags and CFMODULE
      • The Top ColdFusion Application Hacks
      • Form Field Manipulation
      • URL Parameter Tampering
      • CFFILE, CFPOP, and CFFTP Tag Misuse
      • ColdFusion RDS Compromise
      • Understanding Hacker Attacks
      • Denial of Service
      • Virus Hacking
      • Preventing “Break-ins” by Thinking Like a Hacker
      • Development Team Guidelines
      • QA Team Guidelines
      • IT Team Guidelines
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 2 Securing Your ColdFusion Development
      • Introduction
      • Session Tracking
      • CFID and CFTOKEN Issues
      • Error Handling
      • Verifying Data Types
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 3 Securing Your ColdFusion Tags
      • Introduction
      • Identifying the Most Dangerous ColdFusion Tags
      • Properly (and Improperly) Using Dangerous Tags
      • Using the Tag
      • Using the Tag
      • Using the Tag
      • Using the Tag
      • Using the Tag
      • Using the Tag
      • Using the Tag
      • Using the Tag
      • Using the Tag
      • Using the Tag
      • Using the connectstring Attribute
      • Using the dbtype=dynamic Attribute
      • Knowing When and Why You Should Turn Off These Tags
      • Controlling Threading within Dangerous Tags
      • Working with Other Dangerous and Undocumented Tags
      • Using the GetProfileString() and ReadProfileString() Functions
      • Using the GetTempDirectory() Function
      • Using the GetTempFile() Function
      • Using the Tag
      • Using the CF_SetDataSourceUsername(), CF_GetDataSourceUsername(), CF_SetDataSourcePassword(), CF_SetODBCINI(), and CF_GetODBCINI() Functions
      • Using the CF_GetODBCDSN() Function
      • Using the CFusion_Encrypt() and CFusion_Decrypt() Functions
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 4 Securing Your ColdFusion Applications
      • Introduction
      • Cross-Site Scripting
      • URL Hacking
      • Validating Browser Input
      • Malformed Input
      • Validating Consistently from the “Hit List”
      • Using
      • Using
      • Using and
      • Using (or Not Using)
      • Using
      • Web-Based File Upload Issues
      • Techniques to Protect Your Application when Accepting File Uploads
      • URL Session Variables
      • Session ID
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 5 The ColdFusion Development System
      • Introduction
      • Understanding the ColdFusion Application Server
      • Thread Pooling
      • Custom Memory Management
      • Page-based Applications
      • JIT Compiler
      • Database Connection Manager
      • Scheduling Engine
      • Indexing Engine
      • Distributed Objects
      • Understanding ColdFusion Studio
      • Setting Up FTP and RDS Servers
      • Thinking of ColdFusion as Part of a System
      • Securing Everything to Which ColdFusion Talks
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 6 Configuring ColdFusion Server Security
      • Introduction
      • Setting Up the ColdFusion Server Using “Basic Security”
      • Employing Encryption under the Basic Security Setup
      • Authentication under the Basic Security Setup
      • Customizing Access Control under the Basic Security Setup
      • Accessing Server Administration under the Basic Security Setup
      • Setting Up the ColdFusion Server Using “Advanced Security”
      • Employing Encryption under the Advanced Security Setup
      • Authentication under the Advanced Security Setup
      • Customizing Access Control under the Advanced Security Setup
      • Performance Considerations When Using Basic or Advanced Security
      • Caching Advanced Security Information
      • File and Data Source Access
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 7 Securing the ColdFusion Server after Installation
      • Introduction
      • What to Do with the Sample Applications
      • Reducing Uncontrolled Access
      • Choosing to Enable or Disable the RDS Server
      • Limiting Access to the RDS Server
      • Securing Remote Resources for ColdFusion Studio
      • Creating a Security Context
      • Debug Display Restrictions
      • Using the mode=debug Parameter
      • Microsoft Security Tool Kit
      • MS Strategic Technology Protection Program
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 8 Securing Windows and IIS
      • Introduction
      • Security Overview on Windows, IIS, and Microsoft
      • Securing Windows 2000 Server
      • Avoiding Service Pack Problems with ColdFusion
      • Using Windows Services (“Use Only What You Need”)
      • Working with Users and Groups
      • Understanding Default File System and Registry Permissions
      • Securing the Registry
      • Other Useful Considerations for Securing the Registry and SAM
      • Installing Internet Information Services 5.0
      • Removing the Default IIS 5.0 Installation
      • Creating an Answer File for the New IIS Installation
      • Securing Internet Information Services 5.0
      • Setting Web Site, FTP Site, and Folder Permissions
      • Restricting Access through IP Address and Domain Name Blocking
      • Configuring Authentication
      • Examining the IIS Security Tools
      • Using the Hotfix Checker Tool
      • Using the IIS Security Planning Tool
      • Using the Windows 2000 Internet Server Security Configuration Tool for IIS 5.0
      • Auditing IIS
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 9 Securing Solaris, Linux, and Apache
      • Introduction
      • Solaris Solutions
      • Overview of the Solaris OS
      • Understanding Solaris Patches
      • Securing Default Solaris Services
      • Security Issues for Solaris 2.6 and Later
      • Other Useful Considerations in Securing Your Solaris Installation
      • Linux Solutions
      • Understanding Linux Installation Considerations
      • Selecting Packages for Your Linux Installation
      • Hardening Linux Services
      • Securing Your Suid Applications
      • Understanding Sudo System Requirements
      • Learning More About the Sudo Command
      • Downloading Sudo
      • Installing Sudo
      • Configuring Sudo
      • Running Sudo
      • Running Sudo with No Password
      • Logging Information with Sudo
      • Other Useful Considerations to Securing Your Linux Installation
      • Apache Solutions
      • Configuring Apache on Solaris and Linux
      • Configuring Apache Modules
      • Choosing Apache SSL
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 10 Database Security
      • Introduction
      • Database Authentication and Authorization
      • Authentication
      • Authorization
      • Database Security and ColdFusion
      • Dynamic SQL
      • Leveraging Database Security
      • Microsoft SQL Server
      • Microsoft Access
      • Oracle
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 11 Securing Your ColdFusion Applications Using Third-Party Tools
      • Introduction
      • Firewalls
      • Testing Firewalls
      • DNS Tricks
      • Port Scanning Tools
      • Detecting Port Scanning
      • Best Practices
      • Install Patches
      • Know What’s Running
      • Default Installs
      • Change Passwords and Keys
      • Backup, Backup, Backup
      • Firewalls
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 12 Security Features in ColdFusion MX
      • Introduction
      • Who’s Responsible for Security?
      • A Look at Security in ColdFusion MX
      • New and Improved Tools
      • New Tags
      • Summary
      • Solutions Fast Track
      • Frequently Asked Questions
  • Index

Product details

  • No. of pages: 512
  • Language: English
  • Copyright: © Syngress 2002
  • Published: April 25, 2002
  • Imprint: Syngress
  • eBook ISBN: 9780080478098

About the Author

Syngress
