here is a snippet that I use in my application.cfm files to prevent cf tags
in form fields...

I think the webrat made this...good idea nonetheless.

<!--- This section protects against FORM hacks in which a user (if they knew
ColdFusion) could set session variables by typing ColdFusion into a field
value and submitting it to the server for evaluation. ~Todd R --->
<!--- ANTI HACKER --->
<cfif isDefined("FORM") and IsStruct(FORM) and StructCount(FORM) GT 0>
    <cfloop collection="#FORM#" item="y">
        <!--- Look the submitted value up directly in the FORM scope. evaluate(y)
              resolves the field name as a CF expression, which is unnecessary and
              fragile when a field name is not a plain variable name. --->
        <cfset checkHackAgainst = FORM[y]>
        <!--- "contains" is case-insensitive, so this matches <cf, <CF, <Cf ... --->
        <cfif checkHackAgainst contains "<CF">
            <!--- Leave the page without processing the request. Point url at a
                  safe landing page for your site. --->
            <cflocation url="" addtoken="No">
        </cfif>
    </cfloop>
</cfif>
<!--- ANTI HACKER --->

-----Original Message-----
From: Burns, John D [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 12:47 PM
To: CF-Talk
Subject: RE: RE: Securing CF Apps.

My personal opinion is that your app should be smart enough not to let
people pass SQL commands in the URL.  I would imagine that everyone knows
that much.

I think some of the suggestions that have come out were just mentioning what
could be done to help prevent a lot of trouble if people somehow get access
to the code by compromising the server.  That was Adam's thing about using
Stored Procedures.  Then if someone somehow downloaded all of your code,
they couldn't figure out your database structure by looking through your
CFQUERY calls.  I think he would agree that it's still not 100% secure by
any means but it does solve that particular problem of people figuring out
your schema by seeing your queries.

The other suggestion that I would make is that on pages where you're doing
some kind of database manipulation queries based on form or url variables to
do a check to make sure that the request is coming from the same domain or
have a list of acceptable domains if you're expecting posts from other
domains. That can help to prevent hackers from posting to your pages unless
somehow they can execute the code from your server, in which case, you have
some other problems that you need to address.

My 2 cents,

John
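
A concrete version of the checks this thread keeps coming back to (John's same-domain list, Kevin's "validate before you do anything", and keeping SQL out of the request), written as an added example for this page rather than code from any poster. The table, column, datasource and form field names and the allowed-host list are assumed; the Referer header is supplied by the client and can be omitted or forged, so that check is a deterrent in front of the validation and parameterised query, not a substitute for them.

```cfml
<!--- Added example, not from any poster. Hypothetical page that updates one
      row from FORM input. Names below (products, application.dsn, the
      allowed hosts, productId/productName) are assumptions. --->

<!--- 1. Origin allowlist, as John suggests. CGI.HTTP_REFERER comes from the
      browser, so treat this as a speed bump only. --->
<cfset allowedHosts = "www.example.com,shop.example.com">
<cfset refererHost = reReplaceNoCase(CGI.HTTP_REFERER, "^https?://([^/:]+).*$", "\1")>
<cfif NOT len(CGI.HTTP_REFERER) OR NOT listFindNoCase(allowedHosts, refererHost)>
    <cfabort showerror="Request rejected: unexpected origin.">
</cfif>

<!--- 2. Validate the shape of every value before it is used. The id must be
      digits only; the name must be present and short. A value such as
      "1; DROP TABLE products" fails here and never reaches the query. --->
<cfif NOT structKeyExists(FORM, "productId") OR NOT reFind("^[0-9]{1,10}$", FORM.productId)>
    <cfabort showerror="Invalid product id.">
</cfif>
<cfif NOT structKeyExists(FORM, "productName") OR len(trim(FORM.productName)) EQ 0
      OR len(trim(FORM.productName)) GT 100>
    <cfabort showerror="Invalid product name.">
</cfif>

<!--- 3. Never concatenate request values into SQL. cfqueryparam sends each
      value as a bound parameter of a declared type, so whatever the user
      typed is treated as data, not as part of the statement. --->
<cfquery datasource="#application.dsn#">
    UPDATE products
       SET name = <cfqueryparam value="#trim(FORM.productName)#"
                                cfsqltype="cf_sql_varchar" maxlength="100">
     WHERE id   = <cfqueryparam value="#FORM.productId#"
                                cfsqltype="cf_sql_integer">
</cfquery>
```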

-----Original Message-----
From: Kazmierczak, Kevin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 12:40 PM
To: CF-Talk
Subject: RE: RE: Securing CF Apps.

I agree that data validation is the most important thing you can do.
But if you have information that you don't want a user messing around with
that happens to be in a form or url, it doesn't seem like there is any
harm in weakly encrypting it.  For example, this might deter my grandma from
inserting drop table SQL commands in the url.


If a hardcore hacker hits your site, you look for the most recent backup
;)


Kevin


  _____  

From: Kwang Suh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 11:59 AM
To: CF-Talk
Subject: Re: RE: Securing CF Apps.


What exactly are you doing in your application that demands wimpy
"encryption"?

And what do you do when the "hardcore" hacker hits your site?

Sounds to me that people do silly, potentially harmful things like url
encryption simply because they don't properly consider data input, output
and transfer and then make themselves feel better by saying that it deters
"casual" hackers, whatever the hell that means.

----- Original Message -----
From: "Kazmierczak, Kevin" <[EMAIL PROTECTED]>
Date: Tuesday, March 23, 2004 9:49 am
Subject: RE: Securing CF Apps.

> Yeah I agree encrypting all variables is a bit much, but encrypting
> some of them might be enough to make the casual hacker move on to a
> different server without encrypted variables.  If that person really
> wanted to decrypt those variables, they could.  The most important
> thing to do is to make sure data is validated before you do anything
> with it.
>
> Kevin
>
>  _____
>
> From: Kwang Suh [EMAIL PROTECTED]
> Sent: Tuesday, March 23, 2004 11:39 AM
> To: CF-Talk
> Subject: Re: Securing CF Apps.
>
> There is nothing inherently wrong with letting users see fuseaction
> names.
>
> And to use a very weak form of "encryption" that makes you think that
> you're somehow safe against attacks is an extremely bad situation to
> be in.
>
> ----- Original Message -----
> From: Adrocknaphobia <[EMAIL PROTECTED]>
> Date: Tuesday, March 23, 2004 9:24 am
> Subject: Re: Securing CF Apps.
>
> > Point being, if you want a secure app, don't let users see your
> > fuseaction names.
> >
> > -adam
> >
> > > -----Original Message-----
> > > From: Kwang Suh [EMAIL PROTECTED]
> > > Sent: Tuesday, March 23, 2004 04:14 PM
> > > To: 'CF-Talk'
> > > Subject: Re:  Securing CF Apps.
> > >
> > > > Yes. All URL and FORM variables should be encrypted.
> > >
> > > This is beyond silly.
> > >
> > > Especially if
> > > > you are using a fusebox methodology.
> > >
> > > Using or not using Fusebox has nothing to do with the situation.
> > >