There is also a list of common vulnerabilities in computer systems at http://www.cve.mitre.org/, though I'm not sure this is really what you want.
As for books...
"Hacking Web Applications Exposed" is pretty good and the "Web Security Pocket Reference" (from one of the authors of Hacking Web Apps Exposed) looks good too, though I haven't read it.
None of the above are CF specific, but they will help you understand security issues affecting web applications and you should be able to then apply your newfound wisdom to your CF development.
More specific information about particular databases, web servers etc. can generally be found with a quick google.
BTW, checking the referer will not prevent somebody from using a template from a remote machine if the referer you are checking for can be determined. The referer is a value sent by the client to the server. As the client does not have to be a web browser (CFHTTP is effectively an HTTP client), once the client knows what referer you are checking for, it can send that referer for future requests, circumventing your security procedure.
Mark
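To make the point above concrete, here is an added example (not code from the thread, and written as a Python model of the mail-form handler rather than CFML): the Referer-based check from the original question beside a server-issued form token. The session store, URLs and field names are constructed for the illustration.

```python
import hmac
import secrets
from typing import Dict

# Constructed values for the example; not from the original thread.
SITE_FORM_URL = "https://www.example.com/contact.cfm"
ALLOWED_FIELDS = {"field", "field2"}

def referer_check(request: Dict[str, Dict[str, str]]) -> bool:
    """The control from the question: trust the client-supplied Referer header."""
    return request["headers"].get("Referer") == SITE_FORM_URL

# Server-side session store: session id -> token issued when the form was rendered.
_sessions: Dict[str, str] = {}

def issue_form_token(session_id: str) -> str:
    """Called when the server renders the form; the token goes into a hidden field."""
    token = secrets.token_hex(16)
    _sessions[session_id] = token
    return token

def token_check(request: Dict[str, Dict[str, str]]) -> bool:
    """Accept only a submission carrying the token this server issued to this session."""
    expected = _sessions.get(request["cookies"].get("session_id", ""))
    supplied = request["form"].get("token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    _sessions.pop(request["cookies"]["session_id"])  # single use
    return True

def accept_submission(request: Dict[str, Dict[str, str]], require_token: bool) -> bool:
    # Both variants reject fields outside the list the template is meant to accept.
    if not set(request["form"]) <= ALLOWED_FIELDS | {"token"}:
        return False
    return token_check(request) if require_token else referer_check(request)

def demo() -> Dict[str, bool]:
    sid = "sess-abc"
    tok = issue_form_token(sid)
    # A browser submitting the site's own form: has the session and the issued token.
    legit = {"headers": {"Referer": SITE_FORM_URL}, "cookies": {"session_id": sid},
             "form": {"field": "hello", "field2": "x", "token": tok}}
    # A non-browser client that sends the expected Referer but holds no session/token.
    remote = {"headers": {"Referer": SITE_FORM_URL}, "cookies": {},
              "form": {"field": "spam", "field2": "x"}}
    return {"referer_legit": accept_submission(legit, False),
            "referer_remote": accept_submission(remote, False),  # passes: the check is bypassed
            "token_legit": accept_submission(legit, True),
            "token_remote": accept_submission(remote, True)}     # rejected
```

The Referer variant accepts both requests because the header is whatever the client chooses to send; the token variant accepts only the request that originated from a form the server actually served to that session.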
hello,
I have been pondering over this for a while, and I can't seem to find any answers to my questions.
Website security. I see written everywhere, do this to increase security, do that to increase security, but what I want to know is what a hacker can do to a website. Like how can they retrieve DSN info, or access your db, or download your CFCs, so I can be aware of exactly what they can do. I cannot find anything detailing exactly what you are to prevent happening. Do you follow?
For example, a form which sends mail.
For security: The receiving template would check that the referrer was your form on your site and that the vars it can accept are form.field and form.field2 etc.
To prevent: This is to prevent somebody using the template from a remote computer/site.
Like info which is stored in a db, is it really safe? I know there are security things to put in place, but what do they prevent?
Hope I make sense.
from a confused ajmie!
--- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED]
MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia http://www.mxdu.com/ + 24-25 February, 2004
