This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "ColdFusion Security Resources"

From OWASP
Jump to: navigation, search
(References)
m
 
(49 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Table of Contents ==
+
== Overview ==
 
+
The ColdFusion Security Resources project is an organized index of all the ColdFusion security resources on the Internet that would be useful to ColdFusion developers.<br>
{| cellspacing="1" cellpadding="1" border="0" style="width: 651px; height: 66px;"
 
|-
 
| '''Research'''
 
| '''References'''
 
| '''Tools'''
 
| '''Libraries'''
 
|-
 
| [http://www.owasp.org/index.php/Category:ColdFusion_Security_Resources#Videos Videos]
 
| [http://www.owasp.org/index.php/Category:ColdFusion_Security_Resources#References References]
 
| [http://www.owasp.org/index.php/Category:ColdFusion_Security_Resources#OWASP_Tools OWASP Tools]
 
| [http://www.owasp.org/index.php/Category:ColdFusion_Security_Resources#Third-party_Security_Libraries 3rd Party Libs]
 
|-
 
| [http://www.owasp.org/index.php/Category:ColdFusion_Security_Resources#White_Papers_.2F_Presentations White Papers/Presentations]
 
|
 
| [http://www.owasp.org/index.php/Category:ColdFusion_Security_Resources#Static_Analysis Static Analysis]
 
|
 
|-
 
| [http://www.owasp.org/index.php/Category:ColdFusion_Security_Resources#Articles Articles]
 
|
 
|
 
|
 
|-
 
| [http://www.owasp.org/index.php/Category:ColdFusion_Security_Resources#Example_Vulnerabilities Example Vulnerabilities]
 
|
 
|
 
|
 
|-
 
|
 
|
 
|
 
|
 
|-
 
|
 
|
 
|
 
|
 
|-
 
|
 
|
 
|
 
|
 
|-
 
|
 
|
 
|
 
|
 
|}
 
  
 +
== Goals ==
 +
The Security Resources projects aims to enable developers to easily find ColdFusion tools and resources regardless of whether they were developed by Adobe, OWASP or the ColdFusion development community.<br>
 
<br>
 
<br>
  
 
==Videos==
 
==Videos==
[http://www.youtube.com/watch?v=lKri4nnVzA0 DeConstructing ColdFusion] This BlackHat 2010 video is a presentation by Chris Eng and Brandon Creighton from VeraCode.<br>
+
[http://blogs.coldfusion.com/post.cfm/e-seminar-on-security-best-practices-for-coldfusion E-seminar on Security Best Practices for ColdFusion] A July 2013 Adobe e-seminar on security best practices for ColdFusion.<br>
 +
[https://www.adobe.com/cfusion/event/index.cfm?id=2077374&loc=en%5Fus&event=register%5Fno%5Fsession Securing applications with ColdFusion 10 Security Enhancements] A 2012 Adobe e-seminar presentation by Shilpi Khariwal on security improvements in ColdFusion 10.<br>
 +
[http://www.youtube.com/watch?v=lKri4nnVzA0 DeConstructing ColdFusion] This BlackHat 2010 video is a presentation by Chris Eng and Brandon Creighton from Veracode.<br>
 
[http://tv.adobe.com/watch/max-2010-develop/securing-coldfusion-applications/ Securing ColdFusion Applications] Jason Dean and Peleus Uhley present at Adobe Max 2010 on how to create secure ColdFusion applications.<br>
 
[http://tv.adobe.com/watch/max-2010-develop/securing-coldfusion-applications/ Securing ColdFusion Applications] Jason Dean and Peleus Uhley present at Adobe Max 2010 on how to create secure ColdFusion applications.<br>
 +
[http://cfmumbojumbo.com/cf/index.cfm/cfconferences/cfunited-2010/pete-freitag-secure-cfml/ Writing Secure CFML] Pete Freitag's presentation from CFUnited 2010.<br>
 
[http://experts.adobeconnect.com/p63949927/ Security: Hiding Information from Individuals Not Authorized to See It] Jim Harris present at the ColdFusion Meetup on March 17, 2011.<br>
 
[http://experts.adobeconnect.com/p63949927/ Security: Hiding Information from Individuals Not Authorized to See It] Jim Harris present at the ColdFusion Meetup on March 17, 2011.<br>
 
[http://experts.adobeconnect.com/p25976495/ Security: Washing Your Incoming Data using ColdFusion] Jim Harris presents at the ColdFusion Meetup on March 10, 2011. <br>
 
[http://experts.adobeconnect.com/p25976495/ Security: Washing Your Incoming Data using ColdFusion] Jim Harris presents at the ColdFusion Meetup on March 10, 2011. <br>
 
[http://experts.adobeconnect.com/p22718297/ Security: Practical ColdFusion Security] Justin McLean presents at the ColdFusion Meetup on February 24, 2011. <br>
 
[http://experts.adobeconnect.com/p22718297/ Security: Practical ColdFusion Security] Justin McLean presents at the ColdFusion Meetup on February 24, 2011. <br>
 +
[http://experts.na3.acrobat.com/p87014288/ Application Security: Beyond SQL Injection] Jason Dean presents at the ColdFusion Meetup on January 22, 2009.<br>
 +
[http://experts.na3.acrobat.com/p41776204/ Security Countermeasures for ColdFusion Programmers] Jim Harris presents at the ColdFusion Meeting on January 8, 2009<br>
 +
[http://www.carehart.org/ugtv/list.cfm?search=security UGTV search] Many ColdFusion security topics can be found by searching UGTV for the word security.<br>
 +
<br>
 +
 +
==White Papers/Presentations==
 +
[http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cfml-developer-security-guide.pdf ColdFusion Developer Security Guide] A developer guide for secure coding by Pete Freitag. Quoting the paper: In this guide we will discuss several vulnerabilities that pertain to web applications. Most of the vulnerabilities discussed in this guide are not unique to ColdFusion, however the mitigation techniques discussed are ColdFusion specific.<br>
 +
[http://blogs.coldfusion.com/assets/content/security/Security%20Best%20Practices%20for%20ColdFusion.pdf Security Best Practices for ColdFusion] These are the slides to the July 2013 Adobe e-seminar on Security Best Practices for ColdFusion.<br>
 +
[http://blogs.coldfusion.com/assets/content/security/Securing%20applications%20with%20ColdFusion%2010%20security%20enhancements.pdf Securing Applications with ColdFusion 10 Security Enhancements] The slides from Shilpi Khariwal's 2012 e-seminar on ColdFusion 10 security features.<br>
 +
[http://www.petefreitag.com/item/807.cfm ColdFusion 10 Security Enhancements] Pete Freitag's ColdFusion Developer Week 2012 presentation on the new security features available in ColdFusion 10.<br>
 +
[http://www.petefreitag.com/presentations/cfobjective/2011/maximum-security-cfml.pdf Maximum Security CFML] Pete Freitag's presentation from the CFObjective 2011 conference.<br>
 +
[https://media.blackhat.com/bh-us-10/presentations/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-slides.pdf Deconstructing ColdFusion] The slides from Chris Eng's and Brandon Creighton's presentation at BlackHat 2010.<br>
 +
[http://foundeo.com/security/presentations/cfunited-writing-secure-cfml-2010.pdf Writing Secure CFML] Pete Freitag's slides from his CFUnited 2010 presentation.<br>
 +
[http://foundeo.com/security/presentations/cfunited-coldfusion-lockdown-2010.pdf ColdFusion Lockdown] Pete Freitag's slides from his CFUnited 2010 presentation on locking down ColdFusion.<br>
 +
[http://cfunited.com/2009/files/presentations/254_ShlomyGantz_August2009_HackProofingColdFusion.pdf Hack Proofing ColdFusion] Shlomy Gantz's presentation from CFUnited 2009.<br>
  
 
<br>
 
<br>
  
==White Papers/Presentations==
+
==Articles==
[https://media.blackhat.com/bh-us-10/presentations/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-slides.pdf Deconstructing ColdFusion] The slides from Chris Eng's and Brandon Creighton's presentation at BlackHat 2010
+
[http://www.adobe.com/devnet/coldfusion/articles/security-improvements-cf11.html Security Improvements in ColdFusion 11] An Adobe ColdFusion blog providing details on the security features and enhancements to ColdFusion 11.<br>
 +
[http://blogs.coldfusion.com/post.cfm/security-enhancements-in-coldfusion-splendor-pbkdf2-and-antisamy Security Enhancements in ColdFusion Splendor - PBKDF2 and AntiSamy] An Adobe ColdFusion blog providing insight into two new features in ColdFusion 11 (codename Splendor).<br>
 +
[http://www.adobe.com/devnet/coldfusion/articles/security-improvements.html Security improvements in ColdFusion 10] This Adobe Developer Connection article highlights many of the new security features in ColdFusion 10 that can help with cross-site scripting, cross-site request forgery, session management and similar security issues.<br>
 +
[http://www.adobe.com/devnet/coldfusion/articles/coldfusion-securing-apps.html Securing your applications using HttpOnly cookies with ColdFusion] An Adobe Developer Connection article by Pete Freitag detailing how to implement HttpOnly cookies in ColdFusion.<br>
 +
[http://www.12robots.com/index.cfm/Security Jason Dean's blog] Jason Dean frequently blogs on ColdFusion application security topics. This is a collection of his blogs.<br>
 +
[http://www.petefreitag.com/tag/security Pete Freitag's blog] Pete Freitag frequently blogs on ColdFusion application security topics. This is a collection of his blogs.<br>
  
 
<br>
 
<br>
  
 
==References==
 
==References==
 +
[http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf ColdFusion 11 Lockdown Guide] The Adobe server lockdown guide for ColdFusion 11.<br>
 +
[http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-8000.html Security Enhancements in ColdFusion 10] The official Adobe ColdFusion 10 reference documentation describing the new security protections available in ColdFusion 10.<br>
 
[http://www.adobe.com/devnet/coldfusion/security.html ColdFusion Security] The Adobe Developer Center's section on ColdFusion Security.<br>
 
[http://www.adobe.com/devnet/coldfusion/security.html ColdFusion Security] The Adobe Developer Center's section on ColdFusion Security.<br>
[http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf ColdFusion 9 Lockdown Guide] The Adobe server lockdown guide for ColdFusion 9.
+
[http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf ColdFusion 10 Lockdown Guide] The Adobe server lockdown guide for ColdFusion 10.<br>
[http://www.adobe.com/support/security/#coldfusion ColdFusion Security Updates] The section of the Adobe Security page that lists current ColdFusion security patches.
+
[http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf ColdFusion 9 Lockdown Guide] The Adobe server lockdown guide for ColdFusion 9.<br>
 +
[http://www.adobe.com/support/security/#coldfusion ColdFusion Security Updates] The section of the Adobe Security page that lists current ColdFusion security patches.<br>
 +
[http://help.adobe.com/en_US/ColdFusion/9.0/Developing/index.html ColdFusion 9 Developer Guide] Adobe's official documentation for ColdFusion 9 developers.<br>
 +
 
 +
<br>
 +
 
 +
==OWASP Resources==
 +
[http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=ColdFusion.2FCFML OWASP ESAPI - ColdFusion] The OWASP ESAPI project's ColdFusion distribution.<br>
 +
[http://www.petefreitag.com/item/788.cfm Leveraging the ESAPI library in ColdFusion] Pete Freitag's blog on using the OWASP ESAPI library included in ColdFusion.<br>
 +
[http://code.google.com/p/owasp-esapi-java/ OWASP ESAPI - Java] The OWASP ESAPI project's Java distribution.<br>
 +
[http://www.owasp.org/index.php/Guide_Table_of_Contents OWASP Developer Guide] Many sections throughout the developer guide contain specific ColdFusion guidance.<br>
 +
[http://www.petefreitag.com/item/760.cfm Using AntiSamy with ColdFusion] Pete Freitag's blog on using the OWASP Anti-Samy library with ColdFusion.<br>
 +
 
 +
<br>
 +
 
 +
==Tools==
 +
[https://www.veracode.com/press-releases/veracode-unveils-the-most-complete-cloud-based-application-security-testing-service-for-software-dev-3.html Veracode] Veracode is a commercial security testing company whose flagship product can test ColdFusion applications.<br>
 +
[http://hackmycf.com/ Hack My CF] An online tool that specializes in hacking ColdFusion servers.<br>
 +
[http://foundeo.com/security/ FuseGuard] A commercial web application firewall for ColdFusion servers.<br>
 +
[http://www.raymondcamden.com/index.cfm/2012/4/11/Security-Profile-Admin-Extension-for-ColdFusion-10 Security Profile Admin Extension for ColdFusion 10] This tool produces a one page report covering those security options set up during installation. It can be modified for CF 9.<br>
 +
 
 +
<br>
 +
 
 +
==Security Libraries==
 +
 
 +
[http://www.oracle.com/technetwork/java/javase/downloads/index.html Java Cryptography Extension] It is possible to get stronger cryptography out of ColdFusion by updating the Java Policy files as described [http://www.danielgaspar.com/blog/2011/01/coldfusion-strong-encryption-256bit-and-higher/ here]. Ensure that you are adhering to your local government requirements.<br>
 +
 
 +
[http://tokenizer.riaforge.org/ Tokenizer] Tokenizer encapsulates all the heavy lifting of creating, expiring, checking and removing a unique token from Forms on your site to combat CSRF.
 +
 
 +
[https://github.com/anthony-id/cfWSAuthenticator cfWSAuthenticator] A ColdFusion CFC to add WS-Security to SOAP requests.
 +
 
 +
[https://github.com/anthony-id/cfSAML cfSAML] ColdFusion object to create SAML packets as an Identity Provider.
 +
 
 +
<br>
 +
 
 +
==Project Contributors==
  
==OWASP Tools==
+
The ColdFusion Security Resources section is run by [http://www.owasp.org/index.php/User:Puhley Peleus Uhley]<br>
[http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=ColdFusion.2FCFML OWASP ESAPI - ColdFusion] The OWASP ESAPI project's ColdFusion distribution.
 
[http://code.google.com/p/owasp-esapi-java/ OWASP ESAPI - Java] The OWASP ESAPI project's Java distribution.
 

Latest revision as of 06:56, 7 June 2014

Overview

The ColdFusion Security Resources project is an organized index of all the ColdFusion security resources on the Internet that would be useful to ColdFusion developers.

Goals

The Security Resources projects aims to enable developers to easily find ColdFusion tools and resources regardless of whether they were developed by Adobe, OWASP or the ColdFusion development community.

Videos

E-seminar on Security Best Practices for ColdFusion A July 2013 Adobe e-seminar on security best practices for ColdFusion.
Securing applications with ColdFusion 10 Security Enhancements A 2012 Adobe e-seminar presentation by Shilpi Khariwal on security improvements in ColdFusion 10.
DeConstructing ColdFusion This BlackHat 2010 video is a presentation by Chris Eng and Brandon Creighton from Veracode.
Securing ColdFusion Applications Jason Dean and Peleus Uhley present at Adobe Max 2010 on how to create secure ColdFusion applications.
Writing Secure CFML Pete Freitag's presentation from CFUnited 2010.
Security: Hiding Information from Individuals Not Authorized to See It Jim Harris present at the ColdFusion Meetup on March 17, 2011.
Security: Washing Your Incoming Data using ColdFusion Jim Harris presents at the ColdFusion Meetup on March 10, 2011.
Security: Practical ColdFusion Security Justin McLean presents at the ColdFusion Meetup on February 24, 2011.
Application Security: Beyond SQL Injection Jason Dean presents at the ColdFusion Meetup on January 22, 2009.
Security Countermeasures for ColdFusion Programmers Jim Harris presents at the ColdFusion Meeting on January 8, 2009
UGTV search Many ColdFusion security topics can be found by searching UGTV for the word security.

White Papers/Presentations

ColdFusion Developer Security Guide A developer guide for secure coding by Pete Freitag. Quoting the paper: In this guide we will discuss several vulnerabilities that pertain to web applications. Most of the vulnerabilities discussed in this guide are not unique to ColdFusion, however the mitigation techniques discussed are ColdFusion specific.
Security Best Practices for ColdFusion These are the slides to the July 2013 Adobe e-seminar on Security Best Practices for ColdFusion.
Securing Applications with ColdFusion 10 Security Enhancements The slides from Shilpi Khariwal's 2012 e-seminar on ColdFusion 10 security features.
ColdFusion 10 Security Enhancements Pete Freitag's ColdFusion Developer Week 2012 presentation on the new security features available in ColdFusion 10.
Maximum Security CFML Pete Freitag's presentation from the CFObjective 2011 conference.
Deconstructing ColdFusion The slides from Chris Eng's and Brandon Creighton's presentation at BlackHat 2010.
Writing Secure CFML Pete Freitag's slides from his CFUnited 2010 presentation.
ColdFusion Lockdown Pete Freitag's slides from his CFUnited 2010 presentation on locking down ColdFusion.
Hack Proofing ColdFusion Shlomy Gantz's presentation from CFUnited 2009.


Articles

Security Improvements in ColdFusion 11 An Adobe ColdFusion blog providing details on the security features and enhancements to ColdFusion 11.
Security Enhancements in ColdFusion Splendor - PBKDF2 and AntiSamy An Adobe ColdFusion blog providing insight into two new features in ColdFusion 11 (codename Splendor).
Security improvements in ColdFusion 10 This Adobe Developer Connection article highlights many of the new security features in ColdFusion 10 that can help with cross-site scripting, cross-site request forgery, session management and similar security issues.
Securing your applications using HttpOnly cookies with ColdFusion An Adobe Developer Connection article by Pete Freitag detailing how to implement HttpOnly cookies in ColdFusion.
Jason Dean's blog Jason Dean frequently blogs on ColdFusion application security topics. This is a collection of his blogs.
Pete Freitag's blog Pete Freitag frequently blogs on ColdFusion application security topics. This is a collection of his blogs.


References

ColdFusion 11 Lockdown Guide The Adobe server lockdown guide for ColdFusion 11.
Security Enhancements in ColdFusion 10 The official Adobe ColdFusion 10 reference documentation describing the new security protections available in ColdFusion 10.
ColdFusion Security The Adobe Developer Center's section on ColdFusion Security.
ColdFusion 10 Lockdown Guide The Adobe server lockdown guide for ColdFusion 10.
ColdFusion 9 Lockdown Guide The Adobe server lockdown guide for ColdFusion 9.
ColdFusion Security Updates The section of the Adobe Security page that lists current ColdFusion security patches.
ColdFusion 9 Developer Guide Adobe's official documentation for ColdFusion 9 developers.


OWASP Resources

OWASP ESAPI - ColdFusion The OWASP ESAPI project's ColdFusion distribution.
Leveraging the ESAPI library in ColdFusion Pete Freitag's blog on using the OWASP ESAPI library included in ColdFusion.
OWASP ESAPI - Java The OWASP ESAPI project's Java distribution.
OWASP Developer Guide Many sections throughout the developer guide contain specific ColdFusion guidance.
Using AntiSamy with ColdFusion Pete Freitag's blog on using the OWASP Anti-Samy library with ColdFusion.


Tools

Veracode Veracode is a commercial security testing company whose flagship product can test ColdFusion applications.
Hack My CF An online tool that specializes in hacking ColdFusion servers.
FuseGuard A commercial web application firewall for ColdFusion servers.
Security Profile Admin Extension for ColdFusion 10 This tool produces a one page report covering those security options set up during installation. It can be modified for CF 9.


Security Libraries

Java Cryptography Extension It is possible to get stronger cryptography out of ColdFusion by updating the Java Policy files as described here. Ensure that you are adhering to your local government requirements.

Tokenizer Tokenizer encapsulates all the heavy lifting of creating, expiring, checking and removing a unique token from Forms on your site to combat CSRF.

cfWSAuthenticator A ColdFusion CFC to add WS-Security to SOAP requests.

cfSAML ColdFusion object to create SAML packets as an Identity Provider.


Project Contributors

The ColdFusion Security Resources section is run by Peleus Uhley