Request Forgeries and ColdFusion - Security Series #9
It's been a while since I posted an entry, and it has been even longer since I posted for my on-going security series. So today I would like to get back to it by looking at Request Forgeries.
So for those that do not know, there is a great resource available to us called the Open Web Application Security Project (OWASP).
From their web site:
The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.
I just got home from my second presentation to the Twin Cities ColdFusion User Group. I had a great time, and I thought the presentation went well. I got a lot of great questions and comments from the floor, and we even went out afterward.
Thanks again, Troy, for having me. I look forward to doing it again soon.
Cross-site Scripting (XSS), to me, is one of those subjects that I feel like I am just barely keeping up with. I understand what it is, but it seems like every time I feel like I have a handle on the ways it can be done, I learn about something new. I am not going to claim to be the be-all-end-all authority on any security subject. It seems like there is always something new, but with XSS, it is especially so.
So, with this post, I am only presenting the information about XSS with which I am familiar. It is not intended to be the ultimate XSS guide. Think of it as an intro to some Cross-Site Scripting exploits and solutions. After reading this, I encourage you to research more on your own, as I will. As I learn more I will post about it.
This Wednesday, the 6th, I will be presenting "Intro to Application Security (Part 1)" at the Twin Cities ColdFusion User Group meeting. I am really looking forward to it. Right now I am feverishly working on finishing my slides.
If you have an application of any complexity, or if you use any of the available frameworks that are out there, whether it is Model-Glue, Mach-II, ColdBox, Transfer, ColdSpring, etc., then you are going to have config files, custom tags, template files or some other files that need to be protected.
Config files can contain a lot of sensitive information that you do not want others to see: DNS names, usernames, passwords, file paths, reinit strings, etc.
Well, I'm sure most will be glad that I am not going to try to beat this SQL Injection/cfqueryparam stuff any further into the ground. We get it now, right? Use cfqueryparam!! Unless you have a good reason not to, then use something else that will serve the purpose of creating a prepared statement for use in a query. You'll also have to do something to handle dynamic table names, dynamic sort statements, etc. These topics have been so well handled by other bloggers that I am not going to try to take it any further. Look at the bottom of the page for links to some of the best explanations.
But this post is not about SQL Injection or about <cfqueryparam>; it is about having our eyes opened.
OK, so I have been putting off this access control stuff for too long. So let's get to it.
In "the basics" we are going to continue our discussion of access control by focusing on controlling how our application is accessed. We are not going to worry about source code files, media or image files, servers, non-web document files, or DBMSs. We are just going to worry about accessing the application from the browser, controlling program flow, etc.
Google has announced that they have open-sourced RatProxy, which, according to the Google Code site, is:
"A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."