Monday, July 7, 2008

ColdFusion Security Checklist

Validate Input Parameters
All input parameters (url, form, cookie, cgi) are controlled by outside sources and should not be trusted. Always be sure to validate this data on the server side before using it. Don't forget that hidden form fields are not hidden! Do not rely on JavaScript to validate variables. Look into isValid() for an easy way to validate data.

Along with validating data types, the htmlEditFormat() function can be used to help prevent cross-site scripting attacks. In general the htmlEditFormat() function should be used on all input parameters.

Use cfqueryparam in Dynamic Queries
Any query that makes use of dynamic data should employ cfqueryparam. This tag not only helps validate the data and prevent SQL injection attacks, it also results in a faster query. (In most database systems.)

Turn Off Robust Exception Information
The ColdFusion administrator has an option to show a great deal of information when errors occur. While this is handy on a development machine, it shows too much information on a productionmachine. Turn this off.

Use Error Handling
ColdFusion allows for easy error handling using the onError method of Application.cfc, the tag, or the global error handler defined in the Administrator. At best, you should log errors and email reports to the administrator. At the least you should ensure errors do not get presented to the user.

Use username/password attributes of , do not store in DSN
When creating a DSN, you have the option of setting the username and password. You should instead store the username and password in the code itself. This prevents your DSN from being useable across a shared server. Note that your ISP can (and should) use sandbox security, which would make this tip irrelevant. The flip side to this is that if someone gains access to your code, they will have access to the username and password. If working on a shared server, you must ensure that the ISP has protected your files and folders. Again - use sandbox security. Do not use the sa or root level username and password for connecting to a DSN.

Remove permissions from DSNs
ColdFusion lets you restrict what types of operations can be done via a DSN. Remove any unnecessary permission.

Use Encryption
ColdFusion comes with built-in encryption tools. There is no reason to not encrypt sensitive information like credit card numbers and password. See encrypt() and encryptBinary(). for more information.)

Keep files out of web root
Any file that does not need to be in web root (like an include, custom tag, etc), should be moved. The only files that should live under web root are files that your intend to directly serve up in the browser.

Run ColdFusion as a User
By default ColdFusion will run as a system user. You should create a user with the bare minimum rights and have ColdFusion run as that user.

No comments: