Requirements
 
Prerequisite knowledge
ColdFusion Builder
 
User level: All
 
 
 
Introduction

The Security Analyzer scans your ColdFusion code and flags potential security flaws in it.
 

 
Security vulnerabilities being addressed

Here is a list of the top security vulnerabilities that the Security Analyzer catches:
 
SQL Injection

Attackers use SQL Injection widely. Through SQL Injection, an attacker can log in without valid credentials, read user details, learn table names, drop tables, and so on.
 
For example, if a vulnerable page accepts the value 'admin' OR 1=1 as the user ID, an attacker can break into the system, because the query

Select * from users where user = #URL.userid# and password = 'somepassword'

is interpreted as

Select * from users where user = 'admin' OR 1=1 and password = 'somepassword'
 
In ColdFusion, we recommend using cfqueryparam for such scenarios.
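The query above, written first in the vulnerable form and then with cfqueryparam, as an added example that is not part of the original page. The datasource name "appDS", the "users" table and its column names are assumptions for illustration.

```cfml
<!--- Added example (not from the original page). Assumes a datasource "appDS"
      and a "users" table with columns id, user and password. --->

<!--- VULNERABLE: the URL and form values are pasted into the SQL text, so a
      user ID of  'admin' OR 1=1  rewrites the WHERE clause itself. --->
<cfquery name="qUserBad" datasource="appDS">
    SELECT * FROM users
    WHERE user = #URL.userid# AND password = '#form.password#'
</cfquery>

<!--- HARDENED: cfqueryparam sends the values as bound parameters. The database
      receives  'admin' OR 1=1  as a plain string to compare against the column,
      never as SQL, and cf_sql_varchar plus maxlength reject oversized input. --->
<cfquery name="qUser" datasource="appDS">
    SELECT id, user
    FROM users
    WHERE user = <cfqueryparam value="#URL.userid#" cfsqltype="cf_sql_varchar" maxlength="64">
      AND password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar" maxlength="128">
</cfquery>

<!--- A login succeeds only when exactly one row matches the bound values --->
<cfif qUser.recordCount EQ 1>
    <cfset session.userId = qUser.id>
<cfelse>
    <cfoutput><p>Login failed.</p></cfoutput>
</cfif>
```

Binding the values also lets the database reuse the query plan, so the hardened form is usually no slower than string concatenation.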
 
 
XSS
Cross-site scripting (XSS) attacks are also a widely exploited vulnerability. XSS can be persistent or non-persistent. Using XSS, an attacker can:
 
  • Steal user cookies, which can hold session information
  • Manipulate the DOM
  • Execute any harmful script
  • Log keystrokes
  • Inject a fake login pop-up into a search page and ask the user for credentials
 
For example, https://testasp.vulnweb.com/Search.asp?Search=<JAVASCRIPT_CODE_FOR_LOGIN_POPUP>
 
In ColdFusion, we recommend using the appropriate encoding functions before sending any variable as output.
 
 
Filepath Injection
 
Avoid using untrusted inputs in file operations.
 
Example attack
 
<cfinclude template="views/#header#">
 
User requests --> ?header=../../server-config.txt
 
The code should always validate file paths. Validate the file path for cffile, cfdirectory, and their corresponding functions.
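One way to validate the template name from the Filepath Injection section above before it reaches cfinclude. This is an added example, not code from the original page or from ColdFusion itself; the "views" directory, the "header" URL parameter and the function name safeViewName are assumptions.

```cfml
<!--- Added example (not from the original page). Assumes view templates live
      under ./views and are chosen by the "header" URL parameter. --->
<cfparam name="URL.header" default="default.cfm">

<cffunction name="safeViewName" returntype="string" output="false">
    <cfargument name="name" type="string" required="true">
    <cfset var viewsDir = getCanonicalPath(expandPath("./views"))>
    <cfset var target = "">

    <!--- 1. Allowlist the characters. A view name is letters, digits, _ or -
          followed by .cfm, so "../", "/" and "\" are rejected up front. --->
    <cfif NOT reFind("^[A-Za-z0-9_-]+\.cfm$", arguments.name)>
        <cfthrow type="InvalidTemplate" message="Rejected template name">
    </cfif>

    <!--- 2. Defense in depth: resolve the path and confirm the canonical result
          still starts with the views directory and names an existing file. --->
    <cfset target = getCanonicalPath(viewsDir & "/" & arguments.name)>
    <cfif find(viewsDir, target) NEQ 1 OR NOT fileExists(target)>
        <cfthrow type="InvalidTemplate" message="Template is not an existing view">
    </cfif>

    <cfreturn arguments.name>
</cffunction>

<!--- Only a name that passed both checks is handed to cfinclude --->
<cfset viewName = safeViewName(URL.header)>
<cfinclude template="views/#viewName#">
```

The regular expression is the primary control; the canonical-path comparison catches cases the allowlist did not anticipate. The same pattern applies to the path arguments of cffile and cfdirectory.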
 
 
PDF XSS
The cfhtmltopdf tag introduced in ColdFusion 11 provides powerful HTML rendering, powered by WebKit to produce PDF files. Since HTML is rendered by the server, exercise caution when using variables in the PDF document.
 
All precautionary measures related to XSS (see the prior section) also apply to variables written in the cfhtmltopdf tag. While rendering using the cfhtmltopdf tag, JavaScript can execute.
 
Since the JavaScript executes on the server during rendering, the risks differ from those of a client-side XSS attack. They include denial of service, as yet unknown vulnerabilities in WebKit, and bypassing of the network firewall.
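The encoding recommended in the XSS section, applied both to normal page output and inside cfhtmltopdf as described in this section. This is an added example, not code from the original page or from ColdFusion itself; the "search" URL parameter and the PDF destination path are assumptions.

```cfml
<!--- Added example (not from the original page). Assumes a page that echoes
      the URL parameter "search"; the destination path is illustrative. --->
<cfparam name="URL.search" default="">

<!--- VULNERABLE: raw output. A value such as <script>...</script> is sent to the
      browser as markup and runs with the page's origin. --->
<cfoutput><p>Results for: #URL.search#</p></cfoutput>

<!--- HARDENED: encode for the context the value lands in. Each function escapes
      the characters that are special in that context and nothing else. --->
<cfoutput>
    <p>Results for: #encodeForHTML(URL.search)#</p>
    <input type="text" name="search" value="#encodeForHTMLAttribute(URL.search)#">
    <a href="/search.cfm?search=#encodeForURL(URL.search)#">Search again</a>
    <script>var lastSearch = "#encodeForJavaScript(URL.search)#";</script>
</cfoutput>

<!--- cfhtmltopdf renders this HTML, including any script, on the server.
      The same encoding is required, otherwise the injected script runs in the
      server-side WebKit engine instead of in a browser. --->
<cfhtmltopdf destination="#expandPath('./reports/search.pdf')#" overwrite="true">
    <cfoutput>
        <h1>Search report</h1>
        <p>Term: #encodeForHTML(URL.search)#</p>
    </cfoutput>
</cfhtmltopdf>
```

Choose the function by destination context: encodeForHTML for element text, encodeForHTMLAttribute for attribute values, encodeForURL for query-string parameters and encodeForJavaScript for string literals inside script.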
 
 
CSRF
Cross Site Request Forgeries (CSRF) vulnerabilities occur when an attacker tricks an authenticated user into clicking a URL, or embeds a URL in a page that is requested by an authenticated browser.
 
In ColdFusion, we recommend using a combination of CSRFGenerateToken and CSRFVerifyToken to avoid this attack.
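The token pair in use on a self-posting form, as an added example that is not part of the original page. It assumes session management is enabled in Application.cfc and that the key name "transferForm" and the field names are illustrative.

```cfml
<!--- Added example (not from the original page). Assumes this.sessionManagement
      is true in Application.cfc; "transferForm" is an arbitrary token key. --->

<cfif NOT structKeyExists(form, "csrfToken")>
    <!--- First visit: render the form with a token bound to this session --->
    <cfset token = CSRFGenerateToken("transferForm")>
    <cfoutput>
    <form method="post" action="transfer.cfm">
        <input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute(token)#">
        <label>Amount <input type="text" name="amount"></label>
        <button type="submit">Transfer</button>
    </form>
    </cfoutput>

<cfelseif NOT CSRFVerifyToken(form.csrfToken, "transferForm")>
    <!--- A forged request from another site cannot know the session's token,
          so the submitted value will not verify: refuse it. --->
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput><p>Request rejected: invalid CSRF token.</p></cfoutput>
    <cfabort>

<cfelse>
    <!--- Token verified: the request came from a form this session rendered --->
    <cfoutput><p>Transfer of #encodeForHTML(form.amount)# accepted.</p></cfoutput>
</cfif>
```

The token must travel in the request body (or a header), never in a GET URL, or it is exposed the same way the Get Vs Post section below describes.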
 
 
Uploading Files
Validate the file path and file type. The 'accept' attribute alone is not reliable, because the MIME type sent by the client can be changed. Use the 'strict' attribute.
 
Use the functions IsImageFile, IsPDFFile, IsSpreadsheetFile, and FileGetMimeType to validate uploaded files.
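An upload that uses strict="true" and then re-checks the stored file with IsImageFile and FileGetMimeType, as an added example that is not part of the original page. The form field "photo" and the upload directory are assumptions.

```cfml
<!--- Added example (not from the original page). Assumes a form field "photo"
      and an upload directory outside the web root; the path is illustrative. --->
<cfset uploadDir = expandPath("../uploads/")>

<cftry>
    <!--- strict="true" makes ColdFusion inspect the file content rather than
          trust the client-supplied MIME type when applying the accept list --->
    <cffile action="upload"
            filefield="photo"
            destination="#uploadDir#"
            nameconflict="makeunique"
            accept="image/jpeg,image/png"
            strict="true"
            result="upload">
    <cfcatch type="any">
        <cfthrow type="InvalidUpload" message="Upload rejected: #cfcatch.message#">
    </cfcatch>
</cftry>

<!--- Second, independent check on the stored file before it is kept --->
<cfset savedFile = upload.serverDirectory & "/" & upload.serverFile>

<cfif NOT IsImageFile(savedFile)
      OR NOT listFindNoCase("image/jpeg,image/png", FileGetMimeType(savedFile, true))>
    <cffile action="delete" file="#savedFile#">
    <cfthrow type="InvalidUpload" message="Uploaded file is not a permitted image">
</cfif>

<!--- Only now record the file; never serve it from a script-enabled directory --->
<cfoutput><p>Stored #encodeForHTML(upload.serverFile)#</p></cfoutput>
```

The second argument of FileGetMimeType is the strict flag, so the check reads the file's content, not its extension; IsPDFFile and IsSpreadsheetFile fill the same role for those types.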
 
 
Cookies
If a cookie contains sensitive information (for example, session identifiers), send the cookie over a secure transport mechanism. Enable the secure attribute.
 
 
Get Vs Post
GET is less secure than POST because the data sent is part of the URL. Do not use GET when sending passwords or other sensitive information. For example, anyone can bookmark a GET request and later view any sensitive information it contains.
 
 
CFLocation
Passing CFID and CFTOKEN as URL parameters is a security risk. Set addtoken to false.
 
 
Unnamed Application
It is recommended that you avoid creating unnamed applications.
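The Cookies, CFLocation and Unnamed Application points above, in one added example that is not part of the original page: a named Application.cfc with secure session cookies, and a page that redirects without appending CFID/CFTOKEN. The application name, cookie name and URLs are assumptions.

```cfml
<!--- Added example (not from the original page). Two illustrative files are
      shown in one listing; names and paths are assumptions. --->

<!--- ==== Application.cfc ==== --->
<cfcomponent>
    <!--- Always name the application so its scopes are not shared with others --->
    <cfset this.name = "SampleSecureApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Session cookies (CFID/CFTOKEN): only over HTTPS, not readable by script --->
    <cfset this.sessioncookie.secure = true>
    <cfset this.sessioncookie.httponly = true>
</cfcomponent>

<!--- ==== afterlogin.cfm ==== --->
<!--- Any other cookie that holds a sensitive value gets the same two flags --->
<cfset prefsToken = createUUID()>
<cfcookie name="prefsToken" value="#prefsToken#" secure="true" httponly="true">

<!--- Redirect without CFID/CFTOKEN in the query string: the browser already
      holds them in the session cookies configured above --->
<cflocation url="/account/home.cfm" addtoken="false">
```

With addtoken="false" the session survives the redirect through the cookies alone, so the identifiers never appear in browser history, bookmarks or Referer headers.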
 

 
Running security analyzer from builder

To run Security Analyzer from ColdFusion Builder (2016 release):
 
 
Step 1
Enable RDS to run this tool.
 
 
Step 2
Right-click the folder or file that you want to scan, and then click Run Security Analyzer.
 
 
Step 3
Once the scan is over, you can see a notification.
 
 
Step 4
The pane at the bottom lists all the errors found by the scan, categorized by vulnerability type. You can drill down further to the error or warning level. The section on the right suggests the solution for the particular vulnerability.
 
 
Step 5
Click any error to go to the exact location in the corresponding cfm file.
 
 
Step 6
To export the error report, click Export.
 
The report is in a graphical format. A sample is shown below:
 
[Image: sample exported report]