XSS mitigation in ColdFusion, Part 1: Understanding HTML Contexts - Security Series #8.5.1

A long, long time has passed since my first post on Cross-Site Scripting. Looking back on it now, I realize that I have learned a lot since then. I do not think that post cuts the mustard anymore and I will need to do some writing to make up for that.

In the meantime, the topic of XSS came up on a discussion board a few weeks before I started writing this, and again on Ray's blog today, and I wanted to take some time to explore it in more depth. One common misconception about XSS mitigation in ColdFusion is that the best way to handle it is to use HTMLEditFormat() to output any user generated data. I had this same misconception for a long time and have helped to spread it.

While it is true that HTMLEditFormat() can stop many attacks in many locations in your applications, it is not a catch-all for XSS. HTMLEditFormat() only works in the HTML block content context of your applications. Your applications have several other contexts where, if you use dynamic code, you can open up XSS vulnerabilities that HTMLEditFormat() cannot stop.

In this post, we will discuss these contexts, what they are, and why they need to be treated differently.
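A language-agnostic illustration of the point above, added here as an example and not code from the original post or from ColdFusion itself: three output encoders written in Python (the first mirrors HTMLEditFormat(), which encodes only &, <, > and double quotes) plus a per-context check showing that HTML block content encoding leaves a single quote intact, so the same output is not safe inside a single-quoted attribute or a JavaScript string literal. The sample input, the encoder names and the check functions are constructed for this example.

```python
import re

# Constructed untrusted input (not from the original post). Once entity-encoded
# it is harmless in HTML block content, but the single quote survives an
# HTMLEditFormat()-style pass and can still terminate a quoted attribute or a
# JavaScript string literal.
UNTRUSTED = "O'Brien <b>x</b>"

def encode_for_html_body(s):
    """Behaves like HTMLEditFormat(): encodes only & < > and double quotes."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def encode_for_html_attribute(s):
    """Entity-encodes every non-alphanumeric character, so the value cannot
    close a single-quoted, double-quoted or unquoted attribute."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "&#x%x;" % ord(m.group()), s)

def encode_for_javascript(s):
    """Hex-escapes every non-alphanumeric character, so the value cannot close
    a JavaScript string literal or carry a raw </script> tag."""
    return "".join(
        c if c.isalnum() else
        ("\\x%02x" % ord(c) if ord(c) < 256 else "\\u%04x" % ord(c))
        for c in s)

# Per-context checks: True when nothing in the encoded value can end the
# context it is placed in.
def safe_in_html_body(v):
    return not re.search(r"[<>]", v)

def safe_in_single_quoted_attribute(v):
    return "'" not in v and not re.search(r"[<>]", v)

def safe_in_js_string(v):
    # Drop legitimate escape sequences first; any remaining quote, backslash,
    # angle bracket or line break could end the literal or the script block.
    rest = re.sub(r"\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", "", v)
    return not re.search(r"['\"\\<>\n\r]", rest)

CHECKS = {
    "html_body": safe_in_html_body,
    "html_attr_single_quoted": safe_in_single_quoted_attribute,
    "js_string": safe_in_js_string,
}

def htmleditformat_coverage():
    """Which contexts an HTMLEditFormat()-style encoding is actually safe in."""
    v = encode_for_html_body(UNTRUSTED)
    return {ctx: check(v) for ctx, check in CHECKS.items()}
```

Running htmleditformat_coverage() reports the HTML body context as covered and the other two as not, which is the gap the post goes on to explain.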


Whose responsibility is data security?

This is an important question and one that you need to ask yourself.

Last week this article was released about a faculty researcher at University of North Carolina at Chapel Hill.

The article describes how the University recently found out that a machine that stored 180,000 social security numbers (used for research) was compromised back in 2007. The University is now hanging the researcher out to dry and not claiming any fault of its own. There is no report yet on what is happening with the programmer/system admin that she hired to maintain the system.


My Presentation Files from the MN Government IT Symposium

Last week I had a great time presenting a couple of topics at the MN Government IT Symposium. Here are the slide decks from my presentations:


Recording and slides from MAX 2010 - Securing ColdFusion Applications Presentation

Sorry for the wait. I was delayed getting back from MAX due to weather.

I just got back from Los Angeles and I really had a great time. I was honored to have been asked to speak on Securing ColdFusion Applications, and I think the presentation went very well.

The recordings are up on Adobe TV already (Awesome). You'll find my recording here: http://tv.adobe.com/watch/max-2010-develop/securing-coldfusion-applications/


Practical Ajax Security on the ColdFusion Meetup this Thursday

This Thursday at 12:00 EST I will be presenting "Practical Ajax Security" for the Online ColdFusion Meetup.

This is a presentation that I did at cf.Objective(), CFUnited, and NCDevCon. I am very pleased to be able to now present it online for those that could not attend those events.

Here is the topic description:

With the introduction of Rich Internet Applications (RIAs) over the last several years, it seems that everyone is jumping on the RIA bandwagon. But is any thought being given to what might need to be done to ensure that our Web 2.0 applications are secure? Or to whether they are introducing new vulnerabilities into existing applications? In this presentation, we will look at some of the security issues that can arise from introducing Ajax into your applications and at how to mitigate the risks of opening up remote services for Ajax.

I look forward to seeing you there.


As always, thank you to Charlie Arehart for all you do for the community and for continuing the Online ColdFusion Meetup for all this time. It is, without question, one of the most valuable resources for our community.

What's Possible with XSS? - Security Series #8.1

So now that the hacker has discovered an XSS vulnerability in your site, what can he do with it? A JavaScript alert('XSS') seems pretty harmless, doesn't it?

Once a malicious user has discovered an XSS vulnerability in your web application, the sky is really the limit. The potential damage also goes beyond the scope of just your site and your users.

Here are a few examples of nefariousness that could be perpetrated via XSS in a website. A hacker could:

  • use the credibility of your site to run a phishing scheme
  • steal your users' passwords
  • hijack your users' sessions
  • try to launch an attack against the site administrator (you)
  • redirect your users to another site (gambling, porn, Google, affiliate link, whatever)
  • display inappropriate or mis-informative messages to your users
  • or anything else that could be done with client-side executable code

How would they do those things? It's actually quite simple.


Wha sup, yo?

Wow. Things have been busy and I have been neglecting my blog. I feel bad about that. My blog is so important to me, and things have been keeping me away.

I am a teacher at heart. I love to teach. That is why I blog, that is why I present at conferences, and that is why I am going to grad school. So the fact that I have been unable to blog for a while upsets me greatly. But I want to tell you a little bit about why. This is not about making excuses. This is about what is keeping me busy and what I am learning about. It will also motivate me to blog about these things, and that's the important part.


My Presentation slides from cf.Objective, NCDevCon, and CFUnited

I keep forgetting to do this. Sorry :(

I have given three presentations so far this year, and I will have two or three more yet before the end of the year. Here are the slides for the first three in both Keynote and PDF formats.


Using Asymmetric Cryptography in your ColdFusion Application - Security Series #16.10

A reader emailed me and asked:

I have a question re asymmetric encryption and the best way to achieve it....

I need to encrypt a CreditCard number on one server and store the encrypted string in a db and then 5 minutes later another server takes the card number off that DB and then needs to decrypt it. Any suggestions gratefully received :)

After an e-mail exchange we determined that we were NOT just talking about using SSL between ColdFusion and the DB and we determined that using a symmetric algorithm would not be acceptable to the credit card service. So it seems that this user really did need asymmetric encryption in his application.


My 10 ideas to improve security in ColdFusion 10 (Link)

A few weeks ago my buddy Pete Freitag posted his ideas for improving security for CF10 (link) (or whatever they call the next version of ColdFusion). I thought it would be a good idea to post my own ideas.

It's not that I disagree with any of Pete's ideas, I think they are great, I just thought a few more might be good, and I think some of my priorities might be different.

