Prerequisite knowledge
ColdFusion Builder
User level: All
Required products


The Security analyzer scans through your ColdFusion code and flags potential security flaws in the code.

Security vulnerabilities being addressed

Here is a list of the top security vulnerabilities that the Security Analyzer catches:
SQL Injection

Attackers use SQL Injection widely. With SQL Injection, an attacker can log in, get user details, learn table names, drop tables, and so on.
For example, if a vulnerable website accepts the login value 'admin' OR 1=1 (quotes included) and concatenates it into the query, the following SQL:
Select * from users where user = #URL.userid# and password = 'somepassword'
is interpreted as:
Select * from users where user = 'admin' OR 1=1 and password = 'somepassword'
In ColdFusion, we recommend using cfqueryparam for such scenarios.
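As an added example (not code from the original page), the login query above in its vulnerable form beside the cfqueryparam form; the datasource name myDSN and the column names are assumptions:

```cfml
<!--- Vulnerable query: the request value is pasted into the SQL text, so a crafted
      userid value can rewrite the WHERE clause. Shown for contrast only. --->
<cfquery name="loginVulnerable" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username = #URL.userid# AND password = '#FORM.password#'
</cfquery>

<!--- Hardened query: cfqueryparam sends each value as a bind parameter, so the database
      compares the literal string 'admin' OR 1=1 against the username column and finds
      no row. cfsqltype and maxlength also reject values that cannot be a valid username
      or password. Datasource "myDSN" and the column names are assumptions. --->
<cfquery name="loginSafe" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#URL.userid#" cfsqltype="cf_sql_varchar" maxlength="64">
      AND password = <cfqueryparam value="#FORM.password#" cfsqltype="cf_sql_varchar" maxlength="128">
</cfquery>

<cfif loginSafe.recordCount EQ 0>
    <!--- No match: an unknown user, a wrong password, or an injection attempt. --->
    <cfset loginFailed = true>
<cfelse>
    <cfset loginFailed = false>
</cfif>
```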
Cross-site Scripting (XSS)
Cross-site scripting (XSS) is also a widely exploited vulnerability. XSS can be persistent or non-persistent. Using XSS, an attacker can perform the following:
  • Steal user cookies, which can have session info
  • Manipulate the DOM
  • Execute any harmful script
  • Log keystrokes
  • Inject a fake login pop-up and ask the user for credentials
Filepath Injection
Avoid using untrusted inputs in file operations.
Example attack
<cfinclude template="views/#header#">
User Requests --> ?header=../../server-config.txt
The code should always validate the file paths.
 Validate the file path for cffile, cfdirectory, and their corresponding functions.
To prevent XSS, in ColdFusion we recommend applying the appropriate encoding function to every variable before sending it to the output.
cfhtmltopdf
The cfhtmltopdf tag introduced in ColdFusion 11 provides powerful HTML rendering, powered by WebKit, to produce PDF files. Since the HTML is rendered by the server, exercise caution when using variables in the PDF document.
All precautionary measures related to XSS (see the prior section) also apply to variables written in the cfhtmltopdf tag. While rendering with the cfhtmltopdf tag, JavaScript can execute.
Since the JavaScript executes on the server during rendering, the risks are quite different from a client-side XSS attack. Some of the risks include denial of service, potential unknown vulnerabilities in WebKit, and bypassing of the network firewall.
Cross-Site Request Forgery (CSRF)
Cross-site request forgery (CSRF) vulnerabilities occur when an attacker tricks an authenticated user into clicking a URL, or embeds a URL in a page that is requested by an authenticated browser.
In ColdFusion, we recommend using a combination of CSRFGenerateToken and CSRFVerifyToken to avoid this attack.
Uploading Files
Validate the file path and file type. The 'accept' attribute is not reliable because the MIME type can be changed by the client. Use the 'strict' attribute.
Use the functions IsImageFile, IsPDFFile, IsSpreadsheetFile, and FileGetMimeType to validate uploaded files.
Cookies
If a cookie contains sensitive information (for example, session identifiers), send the cookie over a secure transport mechanism. Enable the secure attribute.
Get Vs Post
GET is less secure than POST because the data sent is part of the URL. Do not use GET when sending passwords or other sensitive information! For example, anyone can bookmark a GET request and later view any sensitive information present in it.
Passing CFID and CFToken as URL parameters is a security risk. Set the addtoken attribute to false.
Unnamed Application
It is recommended that you avoid creating unnamed applications.

Running security analyzer from builder

To run Security Analyzer from ColdFusion Builder (2016 release):
Step 1
Enable RDS to run this tool.
Step 2
Right-click the folder or file that you want to scan, and then click Run Security Analyzer.
Step 3
Once the scan is over, you can see a notification.
Step 4
The pane at the bottom lists all the errors found by the scan. It is categorized according to the vulnerability types. You can also further drill down to errors or warnings level. The section on the right suggests the solution for the particular vulnerability.
Step 5
Click any error to go to the exact location in the corresponding cfm file.
Step 6
To export the error report, click Export.
The report is in a graphical format. A sample is shown below: