Both plugins are really primarily useful on sites where real sensitive data is being managed. In my case it's a financial/banking application and I need the nonce to prevent replay attacks (and double clicks) and the forced browsing to prevent URL tampering and make sure people are only visiting pages that were the "next step" on the screen.

The nonce was very easy to implement using a cookie and session variable that changes with each request. The forced browsing plugin was a little more interesting and dynamically "registers" every URL that's a link or form post as the page is rendered. By knowing all the paths that exit a page I can make sure people aren't tampering or attempting to guess URLs. This can also prevent some cross-site scripting attacks. I'm also considering registering all the form fields and detecting form field name/value (select boxes/radio boxes/hidden values) tampering, but haven't gone that far yet.

Both plugins have issues that need to be resolved - namely dealing more gracefully with people who use the back button when I don't want them to, or who refresh pages. I'm really not ready to share either plugin until I get those worked out... :)

Also, for anyone who thinks I am crazy paranoid and insane, yes I am. For most apps this is overkill and not needed. However, I'll bet you'd feel better knowing your bank (for example) did stuff like that.

-Cameron

-----------------
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter J. Farrell
> Sent: Tuesday, August 23, 2005 5:30 PM
> To: [email protected]
> Subject: Re: [CFCDev] OT: ColdFusion Security : oWasp Top Ten
>
> Cameron Childress wrote:
>
> >I've actually been working on nonce and forced browsing plugins for a
> >Mach-II app I am working on. They work mostly, but aren't perfect yet.
> >If/when they are ready for prime time I'll try to release them.
> >
> >-Cameron
>
> Cameron,
>
> I'd like to hear more about what you've done etc. - since I've been
> heavily involved in the next revision of Mach-II. You can email me
> off-list if you prefer.
>
> Best,
> .Peter
>
> --
> Peter J. Farrell :: Maestro Publishing
>
> blog :: http://blog.maestropublishing.com
> email :: [EMAIL PROTECTED]
> phone :: 651-204-0513
> ________________________________
> R O O I B O S G E N E R A T O R...
> Create boilerplate beans and transfer objects for ColdFusion!
> Rooibos is free to use at: http://rooibos.maestropublishing.com/
> ________________________________
> Member of Team Mach-II - The next rev is coming...
>
> ----------------------------------------------------------
> You are subscribed to cfcdev. To unsubscribe, send an email to
> [email protected] with the words 'unsubscribe cfcdev' as the
> subject of the email.
>
> CFCDev is run by CFCZone (www.cfczone.org) and supported by
> CFXHosting (www.cfxhosting.com).
>
> CFCDev is supported by New Atlanta, makers of BlueDragon
> http://www.newatlanta.com/products/bluedragon/index.cfm
>
> An archive of the CFCDev list is available at www.mail-archive.com/[email protected]
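A sketch of the two checks Cameron describes (per-request nonce, registered-exit "forced browsing" check), plus the form-field registration he says is only under consideration, as an added example: this is not his Mach-II plugin code, which was never posted, and it is written in Python rather than CFML so the logic is easy to read and run. The names `Session`, `render_page`, `check_request` and `walkthrough`, the URLs and the account numbers are made up for the illustration, and the request sequence in `walkthrough` is constructed. The nonce is carried as a request parameter here instead of a cookie; the comparison is the same either way: the value the client presents must equal the per-request value held in the server-side session, and the server rotates it after use.

```python
"""Per-request nonce plus registered-exit ("forced browsing") checks held in a
server-side session.  Example code with made-up names; not Mach-II plugin code."""

import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Per form action: field name -> allowed values (None = free text such as an amount).
FormSpec = Dict[str, Optional[Set[str]]]


@dataclass
class Session:
    nonce: Optional[str] = None                    # value issued with the last render
    current_page: Optional[str] = None             # page the nonce was issued for
    exits: Set[str] = field(default_factory=set)   # URLs reachable from that page
    forms: Dict[str, FormSpec] = field(default_factory=dict)


def render_page(session: Session, page: str, links: Set[str],
                forms: Optional[Dict[str, FormSpec]] = None) -> str:
    """Server side of rendering a page: rotate the nonce and record every link
    and form action the page exposes.  Returns the nonce for the view to embed."""
    forms = forms or {}
    session.nonce = secrets.token_urlsafe(16)
    session.current_page = page
    session.exits = set(links) | set(forms)
    session.forms = {action: dict(spec) for action, spec in forms.items()}
    return session.nonce


def check_request(session: Session, path: str, nonce: Optional[str],
                  method: str = "GET",
                  params: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Gate a request before any handler runs.  Returns (allowed, reason)."""
    params = params or {}

    # A GET refresh of the page that was just rendered is idempotent: allow it
    # without consuming the nonce.  A back-button visit to an older page is not
    # the current page and falls through to the checks below.
    if method == "GET" and path == session.current_page:
        return True, "refresh"

    # Nonce: must match the per-request value in the session.  A double-click,
    # a re-submitted POST or a replayed old request carries a stale value.
    if nonce is None or session.nonce is None or not secrets.compare_digest(
            nonce.encode(), session.nonce.encode()):
        return False, "bad_nonce"

    # Forced browsing: the target must be one of the exits registered while
    # the previous page was rendered, so guessed or edited URLs are refused.
    if path not in session.exits:
        return False, "not_registered"

    # Field tampering: for registered forms, reject unknown field names and
    # select/radio/hidden values that were not offered (a missing field fails too).
    spec = session.forms.get(path)
    if spec is not None:
        if set(params) - set(spec):
            return False, "unknown_field"
        for name, allowed in spec.items():
            if allowed is not None and params.get(name) not in allowed:
                return False, "bad_value"

    session.nonce = None  # consumed; the next render issues a fresh one
    return True, "ok"


def walkthrough() -> List[str]:
    """Constructed request sequence against a transfer page; returns the reasons."""
    s = Session()
    n1 = render_page(s, "/transfer", links={"/account"}, forms={
        "/transfer/confirm": {"from_acct": {"1001", "1002"},  # select box
                              "amount": None,                 # free text
                              "fee": {"2.50"}},               # hidden field
    })
    good = {"from_acct": "1001", "amount": "50.00", "fee": "2.50"}
    seq = [
        check_request(s, "/transfer", None, "GET"),                                     # refresh
        check_request(s, "/admin", n1, "GET"),                                          # URL guessing
        check_request(s, "/transfer/confirm", n1, "POST", {**good, "fee": "0.00"}),        # hidden edited
        check_request(s, "/transfer/confirm", n1, "POST", {**good, "from_acct": "9999"}),  # select edited
        check_request(s, "/transfer/confirm", n1, "POST", {**good, "is_admin": "1"}),      # extra field
        check_request(s, "/transfer/confirm", n1, "POST", good),                        # legitimate submit
        check_request(s, "/transfer/confirm", n1, "POST", good),                        # double click
    ]
    n2 = render_page(s, "/transfer/done", links={"/account"})
    seq += [
        check_request(s, "/transfer/confirm", n1, "POST", good),  # replay with old nonce
        check_request(s, "/account", n2, "GET"),                  # registered exit
    ]
    return [reason for _, reason in seq]


if __name__ == "__main__":
    print(walkthrough())
```

The ordering of the checks is deliberate: a plain GET refresh of the page currently on screen is tolerated because it changes nothing, while a double-click, a back-button resubmit or a replayed old request fails the nonce comparison, and a URL that was never registered as an exit is refused before any handler runs. Note what the registered-exit check does and does not buy: it narrows which URLs and which field values a request can reach, which blocks URL guessing, parameter tampering and forged cross-site requests, but it is not a substitute for output encoding against cross-site scripting.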
