Request Forgeries and ColdFusion - Security Series #9

It's been a while since I posted an entry, and it has been even longer since I posted for my on-going security series. So today I would like to get back to it by looking at Request Forgeries.

What is a Request Forgery?

A request forgery, also sometimes called a Cross-Site (or On-Site) Request Forgery (XSRF), is an attack that is perpetrated against the user of a site who has authenticated access to that site. The user is unwittingly tricked into performing actions on that site by hidden code served to them and, therefore, executed in their browser with their existing session.


Form Handling and Validation with ColdBox, ColdSpring, and Transfer (Part 3)

This post is a continuation of another post where I am discussing form handling and validation.

Please see part 2 before you read this post.

Now, and this is where things get interesting, I call the validate() method from the TransferObject "itemBean". What, you say? A validate() method? There is no validate() method in a TransferObject.

I used a Transfer decorator to add a validate() method to my itemBean. I also added a populate() method. Here, have a look:


Form Handling and Validation with ColdBox, ColdSpring, and Transfer (Part 2)

This post is a continuation of another post where I am discussing form handling and validation.

Please see part 1 before you read this post.

So, after my user enters data into the form, they will hit the add/update button and the form will get posted to the next event handler, called items.editPost().


Form Handling and Validation with ColdBox, ColdSpring, and Transfer (Part 1)

The last time I blogged about this I got some great feedback, so I have gone back to it again and I am trying something new that combines some of the advice I have received from that post, and some advice from Brian Kotek.


A Great Resource for Developers - Open Web Application Security Project (OWASP)

So for those that do not know, there is a great resource available to us called the Open Web Application Security Project (OWASP).

From their web site:

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.


My Intro to Application Security Presentation

I just got home from my second presentation to the Twin Cities ColdFusion User Group. I had a great time, and I thought the presentation went well. I got a lot of great questions and comments from the floor, and we even went out afterward.

Thanks again, Troy, for having me. I look forward to doing it again soon.


Video Demonstration of a simple, yet effective, SQL Injection Attack

Just came across a video on YouTube that has a very simple demonstration of a SQL injection attack. It demonstrates just how easy it is to get past a JavaScript authentication control and how easy it is to inject SQL into a site once you take control of the web form.


Persistent XSS Attacks and Countermeasures in ColdFusion - Security Series #8

Cross-site Scripting (XSS), to me, is one of those subjects that I feel like I am just barely keeping up with. I understand what it is, but it seems like every time I feel like I have a handle on the ways it can be done, I learn about something new. I am not going to claim to be the be-all-end-all authority on any security subject. It seems like there is always something new, but with XSS, it is especially so.

So, with this post, I am only presenting the information about XSS with which I am familiar. It is not intended to be the ultimate XSS guide. Think of it as an intro to some Cross-Site Scripting exploits and solutions. After reading this, I encourage you to research more on your own, as I will. As I learn more I will post about it.


I will be presenting at the Twin Cities CFUG on Wednesday Night

This Wednesday, the 6th, I will be presenting "Intro to Application Security (Part 1)" at the Twin Cities ColdFusion User Group meeting. I am really looking forward to it. Right now I am feverishly working on finishing my slides.


Controlling Access to Config Files, Custom Tags, and other files - Security Series #7.3

If you have an application of any complexity, or if you use any of the available frameworks that are out there, whether it is Model-Glue, Mach-II, ColdBox, Transfer, ColdSpring, etc., then you are going to have config files, custom tags, template files or some other files that need to be protected.

Config files can contain a lot of sensitive information that you do not want others to see: DNS names, usernames, passwords, file paths, reinit strings, etc.



BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.