Hack Proofing ColdFusion


The only way to stop a hacker is to think like one!
ColdFusion is a Web application development tool that allows programmers to quickly build robust applications using server-side markup language. It is incredibly popular and has both an established user base and a quickly growing number of new adoptions. It has become the development environment of choice for e-commerce sites and content sites where databases and transactions are the most vulnerable and where security is of the utmost importance.
Several security concerns exist for ColdFusion due to its unique approach of designing pages using dynamic-page templates rather than static HTML documents. Because ColdFusion does not require that developers have expertise in Visual Basic, Java, or C++, Web applications created using ColdFusion Markup Language are vulnerable to a variety of security breaches.
Hack Proofing ColdFusion 5.0 is the seventh edition in the popular Hack Proofing series and provides developers with step-by-step instructions for developing secure web applications.

· Teaches strategy and techniques: Using forensics-based analysis this book gives the reader insight to the mind of a hacker
· Interest in topic continues to grow: Network architects, engineers and administrators are scrambling for security books to help them protect their new networks and applications powered by ColdFusion
· Unrivalled Web-based support: Up-to-the-minute links, white papers and analysis for two years at solutions@syngress.com

"Hack Proofing ColdFusion 5.0" is the seventh volume in the popular Hack Proofing series and is the only book specifically written for developers devoted to protecting their ColdFusion Web applications. It provides developers with step-by-step instructions for developing secure Web applications and gives the reader crucial understanding and insight into the mind of a hacker.


Editorial Reviews

From The Critics
Eleven computer specialists contribute to this text for programmers on how to secure ColdFusion development. Coverage includes learning to think like a hacker, recognizing the top ColdFusion application hacks, securing ColdFusion tags and applications, client-side development and server-side configuration, securing the ColdFusion server and making adjustments after installation, secure development issues for the most popular operating systems that ColdFusion runs on, industry leading databases and their security pitfalls, complementary technologies and techniques to ensure security, and the enhanced security features of ColdFusion MX. Annotation c. Book News, Inc., Portland, OR (booknews.com)

Product Details

  • ISBN-13: 9781928994770
  • Publisher: Elsevier Science
  • Publication date: 5/25/2002
  • Pages: 548
  • Product dimensions: 7.00 (w) x 10.00 (h) x 1.11 (d)

Read an Excerpt

Working with Other Dangerous and Undocumented Tags

The tags listed above, which are controlled within the ColdFusion Administrator, are not the only potentially dangerous functionality within ColdFusion’s arsenal. Here are some additional things to worry about as you build your application. The following tags and functions cannot be disabled through the Administrator. The only way to limit the use of these tags is to run your application inside an Advanced Security sandbox, and use that sandbox’s settings to control which tags and functions are available. (For more on Advanced Security, see Chapter 6.)

GetProfileString(), ReadProfileString()

GetProfileString() and ReadProfileString() are documented functions for reading and writing to *.ini files. These functions are great for creating and utilizing small, file-based persistent storage mechanisms, especially when storing such information in a database is impossible or not desired. You may also want to look at these functions if your ColdFusion application is tightly integrated with another application; the two apps may be able to share an .ini file containing common configuration information.

These functions are dangerous because they can read and write to sensitive system files. A hacker could use these functions to alter Windows files, or .ini files belonging to unrelated applications. This access could expose sensitive information to the hacker, or alter your system such that it will not boot!


GetTempDirectory()

GetTempDirectory() is a documented function; it returns the operating system’s directory for storing temp files. A minor security threat, this function can expose information about your system’s configuration to a hacker. The less a hacker knows, the better off you are.


GetTempFile()

GetTempFile() is a documented function. Unlike GetTempDirectory(), which simply returns information, GetTempFile() will actually create an empty, 0-byte file within the directory you specify. Even though each temp file is empty, it still takes up some room on disk for its listing in the directory. A hacker could use this function within a loop to create enormous amounts of these temp files, which has a remote possibility of consuming your disk space. The larger threat is to performance and stability, since any directory with huge amounts of files causes the operating system to crawl.

is a documented tag. It allows the ColdFusion server to temporarily execute as a user different from the one you specified in the Services Control Panel (Windows) or the start script (UNIX). This is extremely useful to provide short-term dynamic access to resources, but it also creates large security holes. If you are relying on your operating system’s security policy for protection, you’re not completely safe. This tag can bypass OS-level security by simply logging on as someone else—preferably someone who has more privileges!

CF_SetDataSourceUsername(), CF_GetDataSourceUsername(), CF_SetDataSourcePassword(), CF_SetODBCINI(), CF_GetODBCINI()

CF_SetDataSourceUsername(), CF_GetDataSourceUsername(), CF_SetDataSourcePassword(), CF_SetODBCINI(), and CF_GetODBCINI() are undocumented functions. These functions read and write the properties of a datasource, including the ability to change username and password. They are useful in specific situations, but mostly create a security hole. If a hacker can start changing login credentials for your database, your whole application may crash. A hacker could also use these tags to glean information about valid database logins, and use that information to hack your database.


CF_GetODBCDSN()

CF_GetODBCDSN() is an undocumented tag. It lists all the ODBC datasources on the system, and is very, very useful to hackers who would like to break into your datasources.

CFusion_Encrypt(), CFusion_Decrypt()

CFusion_Encrypt() and CFusion_Decrypt() are undocumented functions. They perform the same function as the documented Encrypt() and Decrypt() functions, but use a different algorithm and produce different results. The result of CFusion_Encrypt() will only contain the numbers 0-9 and the letters A-F, but the result of Encrypt() can contain special characters. This is very useful for a hacker attempting to unencrypt sensitive, encrypted data.
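Since none of the functions in this excerpt can be switched off in the ColdFusion Administrator, a practical first step is to find out where your own templates call them. The following is an added example, not code from the book or from the ColdFusion product: a small Python audit script that scans CFML source for every function and tag named in the excerpt (the impersonation tag whose name is missing from the excerpt is not included) and reports file line numbers with the risk the text attributes to each. Text inside CFML comments (<!--- ... --->) is blanked before matching so disabled code does not produce noise, and matching is case-insensitive because CFML is. The sample template embedded at the bottom is constructed for the example; the path name, the dictionary of risk notes and the function names are assumptions of this example.

```python
import re
import sys
from typing import Dict, List, Tuple

# Functions and tags named in the book excerpt, with a one-line summary of the
# risk the excerpt attributes to each. (Assumed wording; summarised from the text.)
RISKY_CALLS: Dict[str, str] = {
    "GetProfileString": "reads .ini files; may expose sensitive system or application config",
    "ReadProfileString": "reads/writes .ini files; may alter system or other applications' config",
    "GetTempDirectory": "discloses the OS temp directory (information leak)",
    "GetTempFile": "creates 0-byte files; in a loop can bloat a directory and degrade the OS",
    "CF_SetDataSourceUsername": "undocumented; changes a datasource username",
    "CF_GetDataSourceUsername": "undocumented; reads a datasource username",
    "CF_SetDataSourcePassword": "undocumented; changes a datasource password",
    "CF_SetODBCINI": "undocumented; writes ODBC configuration",
    "CF_GetODBCINI": "undocumented; reads ODBC configuration",
    "CF_GetODBCDSN": "undocumented; enumerates every ODBC datasource on the host",
    "CFusion_Encrypt": "undocumented cipher; hex-only output, different algorithm from Encrypt()",
    "CFusion_Decrypt": "undocumented cipher; decrypts CFusion_Encrypt() output",
}

# A call is the name followed by an opening parenthesis; CFML is case-insensitive.
_CALL_RE = re.compile(
    r"\b(" + "|".join(re.escape(name) for name in RISKY_CALLS) + r")\s*\(",
    re.IGNORECASE,
)
# CFML comments may span several lines.
_COMMENT_RE = re.compile(r"<!---.*?--->", re.DOTALL)


def _blank_comments(source: str) -> str:
    """Replace comment bodies with spaces but keep newlines so line numbers survive."""
    return _COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)


def find_risky_calls(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, canonical_name, risk_note) for each live call found."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(_blank_comments(source).splitlines(), start=1):
        for match in _CALL_RE.finditer(line):
            # Map the case-insensitive hit back to the canonical spelling.
            canonical = next(n for n in RISKY_CALLS if n.lower() == match.group(1).lower())
            findings.append((lineno, canonical, RISKY_CALLS[canonical]))
    return findings


def audit(source: str, path: str) -> List[str]:
    """Format findings as 'path:line: name - risk' lines for a code review."""
    return [f"{path}:{line}: {name}() - {note}" for line, name, note in find_risky_calls(source)]


# Constructed sample template for the example. Line 3 sits inside a comment and
# must not be reported; lines 1, 5 and 6 contain live calls.
SAMPLE_TEMPLATE = """<cfset cfg = GetProfileString("C:\\\\app\\\\settings.ini", "db", "host")>
<!--- old code, disabled:
<cfset f = gettempfile(GetTempDirectory(), "tmp")>
--->
<cfset dsns = CF_GetODBCDSN()>
<cfoutput>#cfusion_encrypt(form.secret, key)#</cfoutput>
"""


if __name__ == "__main__":
    # Scan the files given on the command line, or the built-in sample if none.
    paths = sys.argv[1:]
    if not paths:
        print("\n".join(audit(SAMPLE_TEMPLATE, "sample.cfm")))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print("\n".join(audit(fh.read(), path)))
```

Run it with no arguments to see the three findings from the built-in sample, or pass one or more .cfm paths to scan real templates. Each reported line is a candidate for removal or for being moved behind an Advanced Security sandbox, as the excerpt recommends; the scanner is deliberately simple (no parsing of CFScript strings), so treat its output as a starting point for review rather than a proof of absence.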


Table of Contents

Chapter 1
Thinking Like a Hacker
Chapter 2
Securing Your ColdFusion Development
Chapter 3
Securing Your ColdFusion Tags
Chapter 4
Securing Your ColdFusion Applications
Chapter 5
The ColdFusion Development System
Chapter 6
Configuring ColdFusion Server Security
Chapter 7
Securing the ColdFusion Server after Installation
Chapter 8
Securing Windows and IIS
Chapter 9
Securing Solaris, Linux, and Apache
Chapter 10
Database Security
Chapter 11
Securing Your ColdFusion Applications Using Third-Party Tools
Chapter 12
Security Features in ColdFusion MX
