COLDFUSION SECURITY REVIEW Presented by Denard Springle NVCFUG January, 2012
Transcript
Page 1: Title

COLDFUSION SECURITY REVIEW

Presented by Denard Springle, NVCFUG, January 2012

Page 2: Beyond the CF Application

Many people hear 'security' in conjunction with 'ColdFusion' and think only about ColdFusion application security. That is the primary concern, but it is not the only one you should worry about.

The operating system, the network, the application server and the physical environment are additional security concerns that are rarely discussed in ColdFusion circles.

Page 3: Operating System Security

Most major breaches originating from the outside are based on operating system attacks. Windows is the primary target of most scripted attack tools and of most hacking groups, primarily because of the large attack surface Windows exposes.

Most production web sites on Windows servers are vulnerable simply because OS security patches are not applied promptly.

Most production web sites on Windows servers are also vulnerable to viruses and other malware because of a general lack of anti-malware protection and maintenance.

Page 4: Operating System Security

Protecting yourself involves:

Planning for and executing maintenance windows that apply OS security patches as soon as practical, preferably within a few hours to 24 hours of release (test the patch on a staging host first so a bad patch does not take production down).

Turning off all services and removing all applications that are not required or will never be used.

Turning on the host-based firewall included with modern operating systems and opening only the ports required to operate (SSH/RDP for administration, HTTP/HTTPS for the site, etc.). Restrict the administrative ports to your management addresses rather than the whole Internet, and prefer SFTP/SCP over plain FTP, which sends credentials in clear text.

Anti-virus/anti-malware software set to quarantine or remove malware automatically. One caveat: running several real-time anti-virus engines on the same host usually causes conflicts and performance problems; one real-time engine plus periodic scans with a second, on-demand scanner is the safer way to get a second opinion.

Page 5: Network Security

Most major breaches originating from the outside are based on attacks against exposed network ports, with buffer overruns in the listening service still the most common form of attack.

Ports below 1024 are the most commonly attacked ports, partly because on Unix-like systems a process must hold root privileges to bind them, so the listening service frequently runs with elevated rights and a successful exploit yields a privileged process, and partly because they are the standard ports for application servers (SSH, SMTP, HTTP, HTTPS and so on).

Page 6: Network Security

Protecting yourself includes:

One (or more) firewalls between the outside network and your application server.

Port forwarding from the firewall(s) to non-standard ports on the OS (e.g. port 80 at the firewall to port 41280 on the OS). Caveat: this only hides the service from scanners that reach the host directly; anyone coming through the firewall's forwarded port still reaches the same listener, so treat it as a minor obscurity measure, not a control.

A single, direct connection between the outside network, the firewall(s) and the application server: no switches, no hubs, no other application servers, just one to one.

Page 7: Application Servers

The second most active target of attackers is the applications that run on the operating system. IIS and MSSQL are the two most attacked targets in the application realm, again because of the large attack surface they expose.

Apache, Sun ONE, MySQL, Oracle, Postgres, ColdFusion etc. are all additional targets.

Any application that listens on a network socket is exposed to the network and therefore susceptible to attack.

Page 8: Application Servers

Protecting yourself includes:

Turning off everything in IIS and MSSQL that is not required (this limits the exposed components that could be taken advantage of, e.g. ASP.NET, FrontPage extensions, ODBC, etc.).

Running a separate instance of MSSQL for *each* database (limits the databases exposed to one attacker). At a minimum, give each ColdFusion datasource its own database login with only the permissions that application needs; a datasource that connects as a sysadmin-level account hands any SQL injection flaw the whole database server.

Limiting IIS to a single web site (limits exposing other web sites to immediate disclosure if one site is compromised).

Page 9: Physical Security

The majority of physical attacks from the inside come from disgruntled employees, and the majority of those are designed to cripple hardware (pull drives, spill liquid, etc.).

The second most common internal physical attack comes from corporate spies intent on stealing data or technology, or on crippling the competition.

Page 10: Physical Security

Protecting yourself includes:

Putting servers under lock and key. The server room should be locked and impenetrable (nobody can use a utility knife to slice through the sheetrock and walk in, climb over the wall through the drop ceiling, etc.).

Servers and wiring should be in locked cages, and servers should additionally be in locked cabinets.

Using only fiber optic network connections (reduces EMI and makes physically patching into the cabling much harder). Note that fiber can still be tapped by someone with physical access to it, so the cable runs themselves need to stay inside the locked path.

Implementing PKI, CAC or RSA-token style two-factor authentication and limiting console logins to named, individual administrator accounts rather than shared built-in ones (e.g. NOT 'Administrator'), so that every console action is attributable to a person.

Page 11: Know your weaknesses!

The best defense is a good offense: know what you are exposing to the outside world and mitigate it as much as possible.

Nmap is a network scanner that discovers which hosts are up, which ports are open and, with service/version detection, what software is listening on them; run it from outside your firewall to see exactly what an attacker sees. Nmap reports exposure rather than vulnerabilities; it is a vulnerability scanner that produces reports with links to how to resolve the issues found.

Windows Security Scanner scans Windows machines, determines vulnerabilities and also links to solutions.

Page 12: HackMyCF

Pete Freitag (Foundeo, Inc.) has written a tool called HackMyCF (http://hackmycf.com/) which is like an Nmap for ColdFusion servers.

It detects missing patches, isolates common security issues such as exposing your application server name and version, and provides links to more information that can be used to resolve those issues, including blog posts by Pete himself.
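As an added example (not part of the slides, and not HackMyCF's own code), the following CFML page performs a minimal version of the information-disclosure checks described above against your own server: product/version strings in response headers, session cookies issued without HttpOnly or Secure, and a ColdFusion Administrator reachable from the network the check runs on. The target URL is a constructed placeholder and the header and cookie names tested are assumptions; run it from a ColdFusion 10 (Zeus) or later server, since encodeForHTML() is used for the output.

```cfml
<!--- check.cfm: assumed target; point it at a host you are authorised to test --->
<cfset target = "https://www.example.com/">
<cfset findings = []>

<cfhttp url="#target#" method="get" result="resp" redirect="false" timeout="10" throwOnError="false">
<cfset hdr = resp.responseHeader>

<!--- 1. Server / X-Powered-By headers that carry a product version (e.g. "1.2.3") --->
<cfloop list="Server,X-Powered-By" index="h">
  <cfif structKeyExists(hdr, h) AND reFindNoCase("[0-9]+\.[0-9]+", hdr[h])>
    <cfset arrayAppend(findings, "#h# header reveals a version string: #hdr[h]#")>
  </cfif>
</cfloop>

<!--- 2. Session cookies set without HttpOnly / Secure.
      cfhttp returns a single Set-Cookie as a string and several as a struct of strings. --->
<cfif structKeyExists(hdr, "Set-Cookie")>
  <cfset raw = hdr["Set-Cookie"]>
  <cfset cookies = []>
  <cfif isStruct(raw)>
    <cfloop collection="#raw#" item="k"><cfset arrayAppend(cookies, raw[k])></cfloop>
  <cfelse>
    <cfset arrayAppend(cookies, raw)>
  </cfif>
  <cfloop array="#cookies#" index="c">
    <cfif reFindNoCase("^(CFID|CFTOKEN|JSESSIONID)=", c)>
      <cfif NOT findNoCase("HttpOnly", c)>
        <cfset arrayAppend(findings, "Session cookie without HttpOnly: #listFirst(c, ';')#")>
      </cfif>
      <cfif left(target, 6) IS "https:" AND NOT findNoCase("Secure", c)>
        <cfset arrayAppend(findings, "Session cookie without Secure on an HTTPS site: #listFirst(c, ';')#")>
      </cfif>
    </cfif>
  </cfloop>
</cfif>

<!--- 3. ColdFusion Administrator reachable from where this check runs --->
<cfhttp url="#target#CFIDE/administrator/index.cfm" method="get" result="admin"
        redirect="false" timeout="10" throwOnError="false">
<cfif admin.statusCode CONTAINS "200">
  <cfset arrayAppend(findings, "/CFIDE/administrator/ answers from this network; restrict it to trusted addresses")>
</cfif>

<cfoutput>
<cfif arrayLen(findings) EQ 0>
  <p>No findings for #encodeForHTML(target)#</p>
<cfelse>
  <ul><cfloop array="#findings#" index="f"><li>#encodeForHTML(f)#</li></cfloop></ul>
</cfif>
</cfoutput>
```

Run it from a host outside your firewall as well as inside: the administrator check in particular should fail from the outside and may legitimately succeed from the management network.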

Page 13: The Unofficial Updater

For those using CF8 and CF9, David Epler has created a Java utility called the 'Unofficial Updater' (https://github.com/dcepler/unofficial-updater2/downloads) that automates the process of updating your CF server to the latest patch release (requires Java 6 or Java 7).

ColdFusion Zeus (the code name for the release that shipped as ColdFusion 10) will include a utility in the CF Administrator that shows available updates and lets you manage them (download, install, uninstall).

Page 14: Security – Major Focus of Zeus

The primary focus of the next release of ColdFusion will be on application security. All areas of ColdFusion have been touched, down to and including the very engine CF runs on (Tomcat vs. JRun). Tomcat is an open source servlet container that is more robust, more secure and more widely trusted than JRun (and it is much, much faster).

CF Zeus will provide enterprise grade security features, putting CF developers on equal footing with ASP.NET and Java developers from a capabilities perspective.

Page 15: Application Security Changes

ColdFusion Zeus implements ESAPI (the OWASP Enterprise Security API, https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API).

ESAPI has been bundled under the hood since CF8 HF4; Zeus exposes it to application code, which enhances the built-in security functionality of ColdFusion and removes the need to write your own secure session handling and output encoding.

This enhances security in ColdFusion to mitigate the vulnerability classes listed in the OWASP Top 10.

Page 16: OWASP Top 10 Vulnerabilities

1. Injection (code, script, SQL, etc.)
2. Cross-Site Scripting (XSS)
3. Authentication & Sessions
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery (C/XSRF)
6. Security Misconfiguration
7. Insecure Storage (crypto)
8. URL Access Restrictions
9. Poor Transport Layer Protection
10. Unvalidated Redirects
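As an added example (not from the slides) of how the ESAPI-backed functions in ColdFusion 10 (Zeus) address several of the items in the list above, the page below handles injection (item 1), XSS (item 2), CSRF (item 5) and unvalidated redirects (item 10) in one small profile editor, with the vulnerable form of the query shown in a comment beside the hardened one. The datasource "appDS", the users table with id and name columns, and the field names are hypothetical, and session management is assumed to be enabled in Application.cfc, since the CSRF token is tied to the session.

```cfml
<!--- profile.cfm: hypothetical datasource "appDS" and table users(id, name) --->

<!--- Item 1, injection. VULNERABLE form (do not use): the value becomes part of the SQL text:
        SELECT id, name FROM users WHERE id = #url.id#
      HARDENED form: validate the type, then bind it so the driver never parses it as SQL. --->
<cfif NOT structKeyExists(url, "id") OR NOT isValid("integer", url.id)>
  <cfthrow type="Security" message="id must be an integer">
</cfif>
<cfquery name="q" datasource="appDS">
  SELECT id, name FROM users
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfif q.recordCount NEQ 1>
  <cfthrow type="Security" message="no such user">
</cfif>

<!--- Item 5, CSRF: verify the token before any state change. The handler sits above the
      form so a POST is processed before the page is re-rendered. --->
<cfif structKeyExists(form, "name")>
  <cfif NOT structKeyExists(form, "csrfToken") OR NOT csrfVerifyToken(form.csrfToken)>
    <cfthrow type="Security" message="invalid or missing CSRF token">
  </cfif>
  <cfquery datasource="appDS">
    UPDATE users
    SET name = <cfqueryparam value="#left(trim(form.name), 50)#" cfsqltype="cf_sql_varchar">
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
  </cfquery>
</cfif>

<!--- Item 2, XSS: encode for the context the value lands in (HTML body, attribute, JavaScript, URL) --->
<cfoutput>
<p>Hello, #encodeForHTML(q.name)#</p>
<script>var displayName = "#encodeForJavaScript(q.name)#";</script>
<a href="search.cfm?q=#encodeForURL(q.name)#">Search for this name</a>

<form method="post" action="profile.cfm?id=#url.id#">
  <input type="hidden" name="csrfToken" value="#csrfGenerateToken()#">
  <input type="text" name="name" value="#encodeForHTMLAttribute(q.name)#" maxlength="50">
  <input type="submit" value="Save">
</form>
</cfoutput>

<!--- Item 10, unvalidated redirects: only follow a returnTo that is a relative path on this
      site. Canonicalize() rejects double/mixed encoding; "//host" and "/\host" are refused by
      the pattern, since browsers treat both as protocol-relative. --->
<cfif structKeyExists(url, "returnTo")>
  <cfset target = "/index.cfm">
  <cftry>
    <cfset candidate = canonicalize(url.returnTo, true, true)>
    <cfif reFind("^/[^/\\]", candidate)>
      <cfset target = candidate>
    </cfif>
    <cfcatch type="any"></cfcatch>
  </cftry>
  <cflocation url="#target#" addToken="false">
</cfif>
```

The pattern to carry over: every input is validated or bound before it reaches SQL, every output is encoded for the exact context it is written into, every state-changing request carries a session-bound token, and redirects only ever go to a location the application chose.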

Page 17: Enhancements

Session cookies – total upgrade – you can now control, from Application.cfc, the attributes of the session cookie that make it more secure (timeout, HttpOnly, Secure, etc.).

Cookies in general now support the HttpOnly attribute, which prevents client-side script (document.cookie in JavaScript) from reading the cookie, so a cross-site scripting flaw cannot simply lift the session identifier.

Session rotation, input parsers, content validation and more!
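As an added example (not from the slides), here is an Application.cfc that turns on the ColdFusion 10 (Zeus) session-cookie settings just described and uses the new SessionRotate() and SessionInvalidate() functions around login and logout. The datasource "appDS", the users table (username, pwhash, salt), the form field names and the application name are hypothetical; the site is assumed to be served over HTTPS, otherwise the Secure flag would stop the browser from ever sending the cookie.

```cfml
// Application.cfc (hypothetical names; assumes the site is served over HTTPS)
component {
    this.name              = "secureDemo";
    this.sessionManagement = true;
    this.clientManagement  = false;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);   // 30 minutes idle

    // Session cookie hardening (new in ColdFusion 10)
    this.sessionCookie.httpOnly      = true;   // not readable through document.cookie
    this.sessionCookie.secure        = true;   // sent only over HTTPS
    this.sessionCookie.disableUpdate = true;   // application code cannot overwrite CFID/CFTOKEN via cfcookie/cfheader
    this.authCookie.disableUpdate    = true;   // same for the cflogin authorization cookie

    public void function onSessionStart() {
        session.loggedIn = false;
    }

    public boolean function onRequestStart(required string targetPage) {
        if (structKeyExists(url, "logout")) {
            sessionInvalidate();               // discard server-side state for this session id
            location(url = "/index.cfm", addToken = false);
        }
        if (structKeyExists(form, "username") && structKeyExists(form, "password")) {
            if (login(form.username, form.password)) {
                // Issue a fresh session id at the privilege boundary so an id the user had
                // before authenticating (possibly fixated by an attacker) never becomes a logged-in one.
                sessionRotate();
                session.loggedIn = true;
                session.user     = form.username;
            } else {
                session.loggedIn = false;
            }
        }
        return true;
    }

    // Looks the user up with a bound parameter and checks a salted, iterated SHA-512 hash
    // (Hash() gained an iteration count in ColdFusion 10).
    private boolean function login(required string username, required string password) {
        var q = new Query(datasource = "appDS",
                          sql = "SELECT pwhash, salt FROM users WHERE username = :u");
        q.addParam(name = "u", value = arguments.username, cfsqltype = "cf_sql_varchar");
        var r = q.execute().getResult();
        if (r.recordCount != 1) {
            return false;
        }
        var candidate = hash(arguments.password & r.salt[1], "SHA-512", "UTF-8", 10000);
        return compare(candidate, r.pwhash[1]) == 0;
    }
}
```

SessionRotate() copies the existing session data into a session with a new identifier and sends the new cookie, so anything stored before login survives; SessionInvalidate() drops the data entirely, which is what a logout should do rather than merely clearing a flag.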

Page 18: More cowbell

As with each prior release of ColdFusion, it has once again been enhanced with the latest encryption and hashing standards, providing additional options for securing content and a wider array of multi-encryption possibilities for the uber secure (or corporately paranoid) among us.

In addition to enhancing the security of ColdFusion, Zeus brings so many speed enhancements that it nearly eliminates the performance arguments against writing secure applications.

Page 19: The basics still apply…

Basic security principles have *not* changed with the implementation of ESAPI; sessions and the security related utility functions have been improved.

Obfuscation, encryption, password hashing and reducing the exposed surface area of your application are all still critical aspects of secure application design and development.

ESAPI provides many utility functions that make implementing some of these requirements easier.
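As an added example (not from the slides) of the hashing and encryption basics the last two pages refer to, the CFC below shows the storage side: creating a per-user random salt and an iterated SHA-512 hash at registration, verifying it with a comparison that does not short-circuit on the first differing character, and encrypting a sensitive field with AES in CBC mode under a fresh random IV per value. The component name, method names and the idea of keeping the key in a configuration store are hypothetical; GenerateSecretKey() is used purely as a convenient source of random bytes.

```cfml
// SecureStore.cfc (hypothetical name). Requires ColdFusion 10 for Hash() iterations.
component {
    variables.iterations = 10000;

    // Registration: random 16-byte salt (Base64) and an iterated, salted SHA-512 hash.
    public struct function makePasswordRecord(required string password) {
        var salt = generateSecretKey("AES", 128);   // 16 random bytes, Base64-encoded
        return {
            salt   = salt,
            pwhash = hash(arguments.password & salt, "SHA-512", "UTF-8", variables.iterations)
        };
    }

    // Login: recompute with the stored salt and compare in constant time.
    public boolean function verifyPassword(required string password, required struct record) {
        var candidate = hash(arguments.password & arguments.record.salt, "SHA-512", "UTF-8", variables.iterations);
        return constantTimeEquals(candidate, arguments.record.pwhash);
    }

    // XOR every character pair and OR the results so the time taken does not reveal
    // how many leading characters matched.
    private boolean function constantTimeEquals(required string a, required string b) {
        if (len(arguments.a) != len(arguments.b)) {
            return false;
        }
        var diff = 0;
        for (var i = 1; i <= len(arguments.a); i++) {
            diff = bitOr(diff, bitXor(asc(mid(arguments.a, i, 1)), asc(mid(arguments.b, i, 1))));
        }
        return diff == 0;
    }

    // Field-level encryption: AES-128-CBC with a random IV per value. The IV is not secret
    // and is stored in front of the ciphertext; reusing an IV with the same key would let an
    // attacker spot equal plaintext prefixes. keyB64 is a Base64 key from generateSecretKey("AES").
    public string function encryptField(required string plain, required string keyB64) {
        var iv = binaryDecode(generateSecretKey("AES", 128), "base64");   // 16 fresh random bytes
        var ct = encrypt(arguments.plain, arguments.keyB64, "AES/CBC/PKCS5Padding", "Base64", iv);
        return binaryEncode(iv, "base64") & ":" & ct;
    }

    public string function decryptField(required string stored, required string keyB64) {
        var iv = binaryDecode(listFirst(arguments.stored, ":"), "base64");
        var ct = listLast(arguments.stored, ":");
        return decrypt(ct, arguments.keyB64, "AES/CBC/PKCS5Padding", "Base64", iv);
    }
}
```

Usage: `store = new SecureStore(); rec = store.makePasswordRecord("correct horse"); store.verifyPassword("correct horse", rec)` returns true and any other password returns false; `store.decryptField(store.encryptField("4111", key), key)` returns the original value, while two calls to encryptField() with the same input produce different stored strings because of the per-value IV.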

