1. If you're properly encrypting the URL, you're going to change your seed (key)
every request.  That way it is different every time.


2. By using plain-text variable names you're going to give the potential
intruder a decent insight into your application design, and this will give
them the ability to make educated guesses as to your other circuit names.


3. The objection to using cfquery is multifaceted.  There is the risk of SQL
injection if you're not doing the correct validation.  If your errors are not
being handled correctly, you can give away table and column names in the
error message.  Also, should someone gain access to your file system, they can
build a pretty complete picture of your database from the queries.  You
can't do this when all you are using is stored procedures, especially if
your variable names don't match your column names.  Throw in views and you
can obscure it even more.

--
Timothy Heald
Web Portfolio Manager
Overseas Security Advisory Council
U.S. Department of State
571.345.2319

The opinions expressed here do not necessarily reflect those of the U.S.
Department of State or any affiliated organization(s).  Nor have these
opinions been approved or sanctioned by these organizations. This e-mail is
unclassified based on the definitions in E.O. 12958.
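Added example (not code from the thread or from either poster): point 3 above, played out against a small SQLite database constructed inline. The table and column names (tbl_users, tbl_products, pw_hash) and the request values are invented for the demo. `find_product_unsafe` is the Python equivalent of pasting `#url.name#` straight into a cfquery; `find_product_safe` is the equivalent of binding it with cfqueryparam. `run_query` models two error policies: returning the raw database message (no site-wide error handler) or a fixed generic one.

```python
import sqlite3

# Constructed request values an attacker might send in place of a product name.
UNION_PAYLOAD = "x' UNION SELECT user_id, username, pw_hash FROM tbl_users --"


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE tbl_users (user_id INTEGER PRIMARY KEY, username TEXT,
                                pw_hash TEXT, is_admin INTEGER);
        INSERT INTO tbl_users VALUES (1, 'alice', 'h1', 1), (2, 'bob', 'h2', 0);
        CREATE TABLE tbl_products (product_id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO tbl_products VALUES (10, 'widget', 9.99), (11, 'gadget', 19.99);
    """)
    return con


def find_product_unsafe(con: sqlite3.Connection, name: str) -> list:
    """Like <cfquery>... WHERE name = '#url.name#' ...</cfquery>: the request value
    becomes part of the SQL text, so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT product_id, name, price FROM tbl_products WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def find_product_safe(con: sqlite3.Connection, name: str) -> list:
    """Like <cfqueryparam>: the value is bound as a parameter and is only ever data."""
    sql = "SELECT product_id, name, price FROM tbl_products WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def run_query(con: sqlite3.Connection, lookup, name: str, leak_errors: bool) -> tuple:
    """Run lookup(con, name). On a database error return the raw message when
    leak_errors is True (no site-wide error handler) or a fixed string otherwise."""
    try:
        return "ok", lookup(con, name)
    except sqlite3.Error as exc:
        return "error", (str(exc) if leak_errors else "Request failed")


def probe_table(con: sqlite3.Connection, table: str, leak_errors: bool) -> str:
    """Attacker's guess at a table name through the unsafe query. With raw errors the
    database names the missing table; with a generic handler the attacker sees nothing
    useful from the message (the query is still injectable, which is the real defect)."""
    payload = f"x' UNION SELECT 1, 2, 3 FROM {table} --"
    status, detail = run_query(con, find_product_unsafe, payload, leak_errors)
    return detail if status == "error" else "query succeeded (table exists)"


if __name__ == "__main__":
    con = make_db()
    print("unsafe, injected:", find_product_unsafe(con, UNION_PAYLOAD))
    print("safe, injected:  ", find_product_safe(con, UNION_PAYLOAD))
    print("raw error:       ", probe_table(con, "tbl_nope", leak_errors=True))
    print("generic error:   ", probe_table(con, "tbl_nope", leak_errors=False))
```

The UNION payload pulls every row of tbl_users out through the product lookup when the value is concatenated, and returns nothing when it is bound. Note that a generic error handler only hides the message text: whether the probe errors or succeeds still tells the attacker whether the guessed table exists, so the handler complements parameterised queries rather than replacing them.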

-----Original Message-----
From: Kwang Suh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 12:55 PM
To: CF-Talk
Subject: Re: Securing CF Apps.

> My issue with <cfquery> is that you are exposing your db design.
> It's a lot harder to hack a db if you don't know the table and
> column names.

huh?

> As for encrypting the fuseaction, the question is why not?

Because it's useless.

Let's think this through:

I have a fuseaction called "products.list"

It encrypts to "wafiawjfw"

I type in "wafiawjfw" in the url.

It lists the products.

Where's the security?

> Users can start throwing errors by trying different fuseaction calls.
> Which in turn could expose too much info if you don't have a site
> wide error handler.

Let me get this straight.  I should waste time encrypting urls, and yet be
stupid enough not to have an error handler.

Let's think this one through:

I type in "wiejfiawefijwf", which doesn't decrypt properly.

The site then throws an error, and since I don't have a site wide error
handler, it exposes a whole bunch of information.

Where's the security?

> The topic of this thread is securing cf apps.
> Although it may not be 100% necessary, it sure doesn't hurt.

It doesn't help either.
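Added example (not code from the thread or from either poster): a toy Fusebox-style front controller in Python that carries the fuseaction in the URL as an encrypted token, so the two scenarios in the message above can be run. The fuseaction names, the key and the admin rule are invented; the cipher is SHA-256 in counter mode with a fresh nonce per request (the "change your seed every request" idea) plus an HMAC tag so a tampered or garbage token fails cleanly. Neither poster describes this construction; it is here only to show what replaying a valid token and submitting an invalid one actually do.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

KEY = b"demo-key-not-a-real-secret"   # assumed application key (constructed for the demo)

# Constructed fuseactions standing in for an application's circuits.
ACTIONS = {
    "products.list": lambda: ["widget", "gadget"],
    "admin.users":   lambda: ["alice", "bob"],
}
ADMIN_ONLY = {"admin.users"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode over (key, nonce). A fresh nonce per request gives a
    fresh keystream, so the same fuseaction never encrypts to the same token twice."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_fuseaction(action: str, key: bytes = KEY, nonce: Optional[bytes] = None) -> str:
    """Token = base64url(nonce || ciphertext || 8-byte HMAC tag), padding stripped."""
    nonce = os.urandom(8) if nonce is None else nonce
    plaintext = action.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:8]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def decrypt_fuseaction(token: str, key: bytes = KEY) -> Optional[str]:
    """Return the fuseaction, or None when the token is malformed or its tag does not verify."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < 8 + 1 + 8:
        return None
    nonce, ciphertext, tag = raw[:8], raw[8:-8], raw[-8:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode(errors="replace")


def dispatch(token: str, is_admin: bool = False) -> tuple:
    """Front controller. Every decrypt or lookup failure maps to one generic message
    (the site-wide error handler), so no decrypt error or stack trace reaches the client."""
    action = decrypt_fuseaction(token)
    if action is None or action not in ACTIONS:
        return "error", "Invalid request"
    # This check on the decrypted action, not the encryption, is what keeps
    # a non-admin out of admin.users; a replayed valid token passes decryption every time.
    if action in ADMIN_ONLY and not is_admin:
        return "forbidden", action
    return "ok", ACTIONS[action]()


if __name__ == "__main__":
    tok = encrypt_fuseaction("products.list")
    print("url token:", tok)
    print("first request:", dispatch(tok))
    print("replayed:     ", dispatch(tok))
    print("garbage:      ", dispatch("wiejfiawefijwf"))
```

Running it shows both outcomes from the message: the token for "products.list" lists the products on every replay, because anyone who has seen the link can send it again, and a made-up string such as "wiejfiawefijwf" produces only the generic "Invalid request". The per-request nonce means the same fuseaction gets a different token each time, but that changes nothing about who may call it; the authorisation check on the decrypted name is where access is actually decided.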