This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Deconstructing ColdFusion

From OWASP
Revision as of 15:37, 17 September 2010 by Mark.bristow (talk | contribs) (Created page with '== The presentation == rightColdFusion is a somewhat forgotten but still very prevalent web application development platform. This presentation …')

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

The presentation

Owasp logo normal.jpg
ColdFusion is a somewhat forgotten but still very prevalent web application development platform. This presentation is a technical survey of ColdFusion security that will be of interest mostly to code auditors, penetration testers, and developers.

In the talk, we’ll cover the history of the ColdFusion platform and its relevance to today’s security landscape. We’ll describe basics of ColdFusion markup, control flow, functions, and components and demonstrate how to identify common web application vulnerabilities in the source code.

We’ll also delve briefly into ColdFusion J2EE internals, showing what CFML pages and components look like when compiled down to Java, and describing some of the unusual behavior we’ve observed at that level. Included in the talk is a detailed description of the WAR/EAR structure for compiled ColdFusion apps. We'll release open-source tools to aid reverse engineers in working with ColdFusion's proprietary classfile format.

This talk is not about 0day vulnerabilities in the ColdFusion platform, nor is it about Adobe bashing. It is intended to be pragmatic, arming attendees with information that they can take back and incorporate into their daily work.

The speaker

Speaker bio will be posted shortly.

Retrieved from "https://wiki.owasp.org/index.php?title=Deconstructing_ColdFusion&oldid=89488"