SECURING LEGACY CFML
PETE FREITAG, FOUNDEO INC.
ABOUT PETE
• My Company: Foundeo Inc.
• Consulting: Code Reviews, Server Reviews, Development
• FuseGuard: Web App Firewall for CFML
• HackMyCF: Server Security Scanner
• Blog (petefreitag.com), Twitter (@pfreitag), #CFML Slack
• Guy behind cfdocs.org community sourced CFML docs.
AGENDA
• Legacy Code Challenges
• How do you get started?
• Low Hanging Fruit
• Things to focus on
• What’s Next?
• Disclaimer: This approach may not be appropriate for all scenarios. This is a generalized approach which I have found can work well for many.
DO YOU HAVE TO WORK WITH LEGACY CODE?
TYPICALLY, LEGACY CODE…
• Has a large codebase (thousands of source code files)
• Has code you hope you don't have to see again.
• Can take weeks, but often months of work to properly secure.
• Can be hard to fix, brittle
• Probably uses outdated techniques
FIXING A LARGE CODEBASE
HOW TO APPROACH
• Beast Mode - Spend several weeks dedicated to identifying & fixing vulnerabilities.
• Prioritize - Spend time identifying the most critical vulnerabilities and patch less critical vulnerabilities as you see them.
• As you go - As you work on files, fix vulnerabilities as you see them. You may not ever fix some vulnerabilities with this approach.
SECURING THAT LEGACY CODE
HOW DO YOU START?
STEP 1: DELETE THE CODE!
LEGACY CODEBASES ARE LARGE BUT… MUCH OF THE CODE PROBABLY NEVER RUNS
HOMEMADE VERSION CONTROL
YOU MIGHT BE USING…
• index_2.cfm
• index.old.cfm
• index-backup.cfm
• index-2007-03-04.cfm
• index-copy.cfm
• folder_backup2009/
VERSION CONTROL
• Those backup folders and files are probably full of vulnerabilities.
• A version control server keeps backups of all your code and all changes you have ever made to it.
• Sync server source code with version control.
• Identify if someone changed something on the server.
IDENTIFY UNUSED CODE
VERSION CONTROL
• Spend some time to identify unused code.
• Delete it!
• Version control has your back: if you deleted something you can recover it from the repository.
“THERE ARE LOTS OF FADS IN SOFTWARE DEVELOPMENT, VERSION CONTROL IS NOT ONE OF THEM.”
WELCOME TO THE 90’S
PATCH THAT SERVER
• Use ColdFusion 10 or greater (CF9 and below are no longer supported and no longer patched by Adobe).
• Railo has not been touched since 2014, use Lucee (it is very easy to switch).
• Windows 2008 (EOL 2015)
• Java 8+; Java 7 (EOL 2015), Java 6 (EOL 2013)
FIX VULNERABILITIES
PATCH THAT SERVER
• Multiple Denial of Service Vulnerabilities in old versions of Java
• Path Traversal via Null Byte injection JVM
• CRLF Injection (CF10+)
• File Uploads “somewhat” more secure (CF10+)
• TLS / SSL Protocol Implementations
• Java 8 Not supported on CF9 and below
MITIGATES POTENTIAL IMPACT OF A VULNERABILITY
LOCKDOWN THE SERVER
• If your CFML server is running as SYSTEM or root then an attacker who compromises it can do a lot more harm.
• Give the CFML server user read-only access to the web root.
WEB APPLICATION FIREWALLS
IMPLEMENT A WAF
• Inspect HTTP Request or Response
• Block or log malicious requests
• Several options:
  • Hardware
  • Web Server Level - ModSecurity
  • Application Level - FuseGuard
SECURING THAT LEGACY CFML
HOW DO YOU START?
STEP 2: IDENTIFY HIGH RISK VULNERABILITIES IN YOUR CODE.
TAKE CARE OF THESE FIRST
HIGH RISK VULNERABILITIES
• File Uploads
• Dynamic Evaluation Issues
• SQL Queries (SQL Injection)
• File System Access / Path Traversals
• Dynamic Process Execution (CFEXECUTE)
• Anything that can fully compromise server
REMOTE CODE EXECUTION VIA EVALUATE
CODE EXAMPLE: COMMON LEGACY EVALUATE
<cfset day_1 = "Wednesday">
<cfset day_2 = "Thursday">
<cfset day_3 = "Friday">
<cfoutput>
<!--- url.day is attacker controlled and is passed to Evaluate() as code --->
#Evaluate("day_#url.day#")#
</cfoutput>
EVALUATE EXAMPLE
FIXING LEGACY EVALUATE EXAMPLE: USE BRACKET NOTATION
<cfset day_1 = "Wednesday">
<cfset day_2 = "Thursday">
<cfset day_3 = "Friday">
<cfoutput>
<!--- bracket notation looks up a variable by name; nothing in url.day is evaluated as code --->
#variables["day_#url.day#"]#
</cfoutput>
SEARCH CODE FOR EVALUATE
FIXING EVALUATE ISSUES
• Search Code for "Evaluate"
• In most cases you should not need to use Evaluate at all; use brackets.
• If the variable is a query you may need to use queryName[row][columnName] notation.
• Not all cases are super simple to fix, but most are.
• Remove all Evaluate calls from your code.
DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
IIF: IF YOU ARE USING IIF, STOP USING IIF
Hi #iif(len(url.name) EQ 0, de("Friend"), de(url.name))#
The second and third arguments are evaluated dynamically!
IIF EXAMPLE
FIXING IIF: USE TERNARY OPERATOR (CF9+, LUCEE)
Hi #(!len(url.name)) ? "Friend" : url.name#
FIXING IIF: ELVIS OPERATOR (CF11+, LUCEE)
Hi #url.name?:"Friend"#
The Elvis operator tests whether url.name is defined / not null.
DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY? YES!
The PrecisionEvaluate function also dynamically evaluates expressions.
DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY? YES!
Lucee 5 has added a render function that evaluates tags dynamically.
DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY? NO!
Not that I know of.
COMMON YET DANGEROUS: FILE UPLOADS
FILE UPLOAD EXAMPLE
FILE UPLOADS: 3 RULES
• The upload destination must be outside of the web root
• Always validate the file extension against a whitelist
• Don't trust mime type validation in the accept attribute
ADDITIONAL TIPS
FILE UPLOADS
• Inspect file content: fileGetMimeType, isImageFile, isPDFFile, etc
• Upload to static content server (s3 for example)
• Upload directly to s3: https://www.petefreitag.com/item/833.cfm
• Make sure the directory serving uploaded files cannot serve dynamic content.
• File Extension Whitelist on Web Server (eg IIS Request Filtering)
• secureupload.cfc: https://github.com/foundeo/cfml-security/
FILE SYSTEM ACCESS & PATH TRAVERSAL
VULNERABLE CODE EXAMPLE: PATH TRAVERSAL
<cfinclude template="path/#fileName#">
PATH TRAVERSAL EXAMPLE
FIXING PATH TRAVERSALS: TIPS
• Avoid variables in paths
• If you really need to use a variable, strip out everything except a-z0-9
• Use the CF11 Application.cfc setting this.compileExtForInclude.
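As an added example (not code from these slides, and not secureupload.cfc), this Python version applies the three file-upload rules and the a-z0-9 path tip above in one place; the extension whitelist, web root, upload directory and magic-byte table are constructed values for the example.

```python
"""Upload-path and path-traversal checks following the deck's rules:
1. destination outside the web root, 2. extension whitelist,
3. inspect the bytes instead of trusting the browser's mime type,
plus "strip everything except a-z0-9" for any name that ends up in a path."""
import re
from pathlib import Path

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}  # whitelist (constructed)
NOT_ALNUM = re.compile(r"[^a-z0-9]")
# Leading bytes per allowed type, the way fileGetMimeType/isImageFile inspect content.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

def sanitize_basename(name: str) -> str:
    """Keep only a-z0-9 (lower-cased); dots, slashes and '..' cannot survive."""
    cleaned = NOT_ALNUM.sub("", name.lower())
    return cleaned or "upload"

def whitelisted_extension(original_name: str) -> str:
    """Rule 2: the final extension must be on the whitelist (case-insensitive)."""
    ext = original_name.rsplit(".", 1)[1].lower() if "." in original_name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not whitelisted")
    return ext

def content_matches(ext: str, data: bytes) -> bool:
    """Rule 3: check the bytes, not the accept attribute or Content-Type."""
    return any(data.startswith(sig) for sig in MAGIC[ext])

def upload_destination(web_root: str, upload_dir: str,
                       original_name: str, data: bytes) -> Path:
    """Return the path the upload may be written to, or raise ValueError."""
    root, dest_dir = Path(web_root).resolve(), Path(upload_dir).resolve()
    # Rule 1: the destination directory must be outside the web root.
    if dest_dir == root or root in dest_dir.parents:
        raise ValueError("upload directory must be outside the web root")
    ext = whitelisted_extension(original_name)
    if not content_matches(ext, data):
        raise ValueError(f"content does not look like a .{ext} file")
    # Rebuild the stored name from sanitised characters: "shell.cfm.jpg" becomes
    # "shellcfm.jpg" and "../../etc/passwd.jpg" becomes "passwd.jpg".
    base = original_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base[: -len(ext) - 1]  # drop the validated extension
    target = (dest_dir / f"{sanitize_basename(base)}.{ext}").resolve()
    if dest_dir not in target.parents:  # defence in depth: never escape the upload dir
        raise ValueError("resolved path escaped the upload directory")
    return target

def is_rejected(web_root: str, upload_dir: str, original_name: str, data: bytes) -> bool:
    """True when upload_destination refuses the upload."""
    try:
        upload_destination(web_root, upload_dir, original_name, data)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG header
    print(upload_destination("/var/www/html", "/var/uploads", "../../etc/passwd.JPG", jpeg))
```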
FINDING FILE ACCESS ISSUES: CAN BE TIME CONSUMING
• Review all function calls / tags that access file system
• cffile, cfdocument, cfinclude, cfmodule, cfspreadsheet
• fileRead, fileWrite, fileOpen, etc
SQL INJECTION
CODE EXAMPLE: CLASSIC SQL INJECTION
<cfquery>
SELECT title, story
FROM news
WHERE id = #url.id#
</cfquery>
CODE EXAMPLE
FIXING SQL INJECTION
<cfquery>
SELECT title, story
FROM news
WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
SCRIPT BASED SQL INJECTION
Vulnerable:
queryExecute("SELECT story FROM news WHERE id = #url.id#");
Not Vulnerable:
queryExecute("SELECT story FROM news WHERE id = :id", {id=url.id});
FINDING SQL INJECTION
• Search codebase for cfquery, queryExecute, ormExecuteQuery
• Use Static Code Analyzer (CFBuilder 2016)
• Fix when you see one as you work
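To make the "search the codebase" steps from the Evaluate, file-access and SQL injection slides repeatable, here is an added Python triage scanner (example code written for this page, not part of the deck, FuseGuard or HackMyCF). The sample CFML it scans is constructed from the slides' own snippets, and the regexes are assumptions about common syntax, so every hit is something to review by hand rather than a confirmed vulnerability.

```python
"""Triage scanner for the high-risk legacy CFML patterns the slides say to
search for: dynamic evaluation (Evaluate, PrecisionEvaluate, iif, render),
SQL built with #...# interpolation (cfquery, queryExecute, ormExecuteQuery)
and file-system access whose path comes from a variable (cfinclude, cffile,
fileRead, ...). Regex based: a triage aid for code review, not a CFML parser."""
import re
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    line: int       # 1-based line in the scanned source
    category: str   # dynamic-eval | sql-injection | file-access
    detail: str

# Functions whose arguments are evaluated dynamically.
DYNAMIC_EVAL = re.compile(r"\b(evaluate|precisionevaluate|iif|render)\s*\(", re.I)
# <cfquery> blocks; #...# inside <cfqueryparam> is the safe form and is stripped first.
CFQUERY = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
CFQUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
# Script-based queries: capture the string literal passed as the SQL.
QUERY_FUNCS = re.compile(
    r"\b(queryExecute|ormExecuteQuery)\s*\(\s*(\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*')",
    re.I | re.S)
# Tags and functions that touch the file system; functions also capture their first argument.
FILE_TAGS = re.compile(r"<(cffile|cfdocument|cfinclude|cfmodule|cfspreadsheet)\b[^>]*>", re.I | re.S)
FILE_FUNCS = re.compile(
    r"\b(fileRead|fileWrite|fileOpen|fileCopy|fileMove|fileDelete|directoryList)\s*\(\s*([^,)]*)",
    re.I)
STRING_LITERAL = re.compile(r"\"[^\"#]*\"|'[^'#]*'")  # literal path with no #...# inside
INTERPOLATION = re.compile(r"#[^#]+#")                 # CFML #expression# interpolation

def _line_of(source: str, pos: int) -> int:
    return source.count("\n", 0, pos) + 1

def scan_cfml(source: str) -> List[Finding]:
    """Return findings sorted by line; every hit is a place to review by hand."""
    found = []
    for m in DYNAMIC_EVAL.finditer(source):
        found.append(Finding(_line_of(source, m.start()), "dynamic-eval", m.group(1)))
    for m in CFQUERY.finditer(source):
        if INTERPOLATION.search(CFQUERYPARAM.sub("", m.group(1))):
            found.append(Finding(_line_of(source, m.start()), "sql-injection",
                                 "cfquery interpolates #...# outside cfqueryparam"))
    for m in QUERY_FUNCS.finditer(source):
        if INTERPOLATION.search(m.group(2)):
            found.append(Finding(_line_of(source, m.start()), "sql-injection",
                                 f"{m.group(1)} SQL string interpolates #...#"))
    for m in FILE_TAGS.finditer(source):
        if INTERPOLATION.search(m.group(0)):
            found.append(Finding(_line_of(source, m.start()), "file-access",
                                 f"<{m.group(1)}> path is built from a variable"))
    for m in FILE_FUNCS.finditer(source):
        if not STRING_LITERAL.fullmatch(m.group(2).strip()):
            found.append(Finding(_line_of(source, m.start()), "file-access",
                                 f"{m.group(1)}() path comes from a variable"))
    return sorted(found, key=lambda f: f.line)

# Constructed sample assembled from the slides' snippets (not a real codebase).
SAMPLE = """<cfset day_1 = "Wednesday">
<cfoutput>#Evaluate("day_#url.day#")#</cfoutput>
Hi #iif(len(url.name) EQ 0, de("Friend"), de(url.name))#
<cfquery name="news" datasource="app">
  SELECT title, story FROM news WHERE id = #url.id#
</cfquery>
<cfquery name="safe" datasource="app">
  SELECT title FROM news WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfscript>
  queryExecute("SELECT story FROM news WHERE id = :id", {id=url.id});
  queryExecute("SELECT story FROM news WHERE id = #url.id#");
  cfg = fileRead("/opt/app/config.json");
  data = fileRead(expandPath("./uploads/" & url.file));
</cfscript>
<cfinclude template="path/#fileName#">
"""

if __name__ == "__main__":
    for f in scan_cfml(SAMPLE):
        print(f"line {f.line:>3}  {f.category:<14} {f.detail}")
```

Run it over a real tree with `scan_cfml(Path(p).read_text())` per `.cfm`/`.cfc` file; the parameterised cfquery and queryExecute forms and the literal fileRead path in the sample produce no hits, which is the behaviour to expect after each fix.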
SECURING LEGACY CFML
STEP 3: FIX ADDITIONAL
VULNERABILITIES IN YOUR CODE.
WHAT'S NEXT: TO REVIEW
• Session Handling (sessionRotate, sessionInvalidate)
• Scope Injection
• Authentication / Authorization / Forgot / Remember Me Code
• Cross Site Scripting
• Cross Site Request Forgery
• Timing Attacks
• Visit OWASP.org for tons of info about web application vulnerabilities
THANK YOU
Questions?
Pete Freitag
pete@foundeo.com
foundeo.com | fuseguard.com | hackmycf.com
