Note:
The Security Code Analyzer is only available to ColdFusion (2016 release) Enterprise license users.
For any web application, security plays a critical role. It is important to avoid security pitfalls while developing web applications.
Security Analyzer is a new feature in Adobe ColdFusion (2016 release). This feature is integrated into ColdFusion Builder to enable developers to avoid common security pitfalls and vulnerabilities while writing ColdFusion code.
Use this feature to view:
- Vulnerable code in the editor
- Vulnerability or type of attack (Error and Warning)
- Severity level of vulnerability (High, Medium, and Low)
- Suggestion to avoid the vulnerability.
Note:
- Security Analyzer works only with ColdFusion Enterprise or Enterprise (trial) and with Developer profile.
- Security Analyzer does not work with ColdFusion Developer or Standard edition and with Production or Production secure profile.
- Security Analyzer does not work with ColdFusion Builder default local server.
The Security Analyzer feature of the server is exposed as a service, a request to which is made by the builder. You can get a list of security vulnerabilities for a file, folder, or a project.
Follow the steps below to access Security Analyzer in ColdFusion Builder:
- Right-click the project folder or project file in the navigator pane.
- Choose Security Analyzer > Run Security Analyzer.
You have three options in Security Analyzer:
- Run Security Analyzer – Analyzes and displays vulnerabilities of the code.
- Clean Run Security Analyzer - Clears the history of all ignored messages and warnings. It clears the ignored vulnerabilities (which are marked as Ignore during the Run Security Analyzer) and displays all vulnerabilities for the project.
- Clear Security Markers – Removes all security warnings and resources. Run the security analyzer again to view the vulnerabilities for your resource.
-
Click Security Issues on the left pane to view the list of vulnerabilities.
- As shown in the left pane of the snapshot, click the vulnerability type (such as SQL Injection or XSS attack) to view the corresponding problem statement. You can also view the suggested solution at the right pane.
- Alternatively, you can click any error on the middle pane to view the corresponding statement and solution at the right pane.
- Double-click each error on the middle pane to view the corresponding line in the Editor.
- Use filters for File Name, Attack Name, Severity Level, and Type in the middle pane. Start typing the file name in the search area to locate the files with vulnerabilities. You can narrow down your search based on severity level as high, medium and low by clicking All drop-down list.
Note:
You can notice the Both drop-down list as grayed out sometimes. This happens when your cursor is already pointing to Errors or warnings issue type in the left pane. You can bring it back to active state by selecting the Security Issues folder.
-
When you fix the error in the code, right-click the corresponding error on the middle pane and choose the status as Fixed. Mark the status as Ignore if you ignore the error.
You can move the error back to To fix status by using the same step.
Note:
Rerunning Security analyzer (Security Analyzer > Run Security Analyzer) does not show the vulnerabilities that are ignored. If the user has marked the vulnerabilities as Fixed but are not fixed, then server reports these errors.
You can increase the Security Analyzer timeout in the RDS Configuration settings.
The default is 30 seconds.
- Right click on the server or choose Windows > Show View > Other.
- Type RDS in the text field.
Perform one of the following:
- Open access to port 8500 using the Windows firewall.
- Set up a virtual directory for the site for /CFIDE in IIS and the uriworkermap.properties file for the given connector. In the file, remove the ! in front of /CFIDE/* = cfusion.
- Security Analyzer is exposed as a service by the ColdFusion Server.
- By running Security Analyzer for a file or a set of files, the builder makes a request to this service.
- The builder displays the vulnerabilities in a separate view for each file, along with corresponding line numbers.
- You can double-click on the vulnerabilities and open the file in the editor window with cursor pointing at the corresponding line with a red icon.
- Also, by single click, you get a brief description about the attack and about possible ways to avoid it.
As shown in the following sample code, the attacker can create arbitrary SQL statements to execute against the database by passing values into the url.id variable. For example, the attacker can pass a value of 1 DELETE FROM news to delete all news articles in the table or 0 UNION SELECT username, password FROM users to extract username and password values from the database.
<cfoutput>Hello #url.name#</cfoutput>
Using the above code, the attacker can pass JavaScript into the url.name variable to be executed in the browser of anyone visiting the URL. Attackers also try to post XSS code that can be stored in a database and execute later. For example, posting a comment to display for all visitors of a page.
Vulnerable scenarios
- <cfoutput>Hello #name2#</cfoutput>
- <cfparam name = "id12" default = "my default value" type="string">
- <cfoutput>#id12#</cfoutput>
When a variable declared through cfparam is of type “string”, it is vulnerable code. - <cfoutput > <b>LINK to URL:</b> <a target="_blank" href="http://#url#">#url#</a> </cfoutput>
As an unknown variable is used for the url link in the anchor tag, it is vulnerable to XSS attack.
The cfhtmltopdf tag, introduced in ColdFusion 11 provides powerful HTML rendering, powered by WebKit to produce PDF files. As the server renders the HTML, be cautious while using variables in the PDF document.
All preventative measures pertaining to cross site scripting also apply to variables written in the cfhtmltopdf tag. JavaScript can be executed during rendering, in the cfhtmltopdf tag.
Because the JavaScript would be executed on the server during rendering, the risks are different from a client side cross site scripting attack. Some of the risks include denial of service and potential exploit for unknown vulnerabilities in Webkit. In addition, there is a risk of bypassing the network firewall as the server can be behind a firewall with network access to other systems.
Vulnerable scenarios
- <cfhtmltopdf>
<h1>Hello <cfoutput>#pf2#</cfoutput></h1>
</cfhtmltopdf>
- <cfhtmltopdf>
<h1>Hello <cfoutput>#url.name#</cfoutput></h1>
</cfhtmltopdf>
- <cfdocument format="PDF">
<cfoutput> #hello#
</cfoutput>
<cfdocumentitem type="header" >
<cfoutput>#abc#</cfoutput>
</cfdocumentitem>
</cfdocument>
Cross Site Request Forgeries (CSRF) vulnerabilities are exploited when an attacker can trick an authenticated user into clicking a URL, or by embedding a URL in a page requested by a user’s authenticated browser.
Vulnerable scenarios
- <cfform method="POST">
<cfinput type="submit" value="Make Administrator"/></cfform>
When CSRFGenerateToken() function is not used, the code is vulnerable.
- <cfform method="POST">
<cfinput type="hidden" name="token" value="#CSRFGenerateToken()#" />
<cfinput type="submit" value="Make Administrator" />
</cfform>
When there is no corresponding CSRFVerifyToken () function for CSRFGenerateToken
function, the code is vulnerable.
- <cfset var2 = CSRFGenerateToken2("make-admin")>
<cfform method="POST" action='/csrf/dummy.cfm'>
<cfinput type="hidden" name="token" value="#var2#" />
<cfinput type="submit" value="Make Administrator" />
</cfform>
When there is no corresponding CSRFVerifyToken () function for CSRFGenerateToken
function in the action page that is specified.
Avoid appending the session identifiers to the URL query string. End users email, or publish URLs without realizing their session identifier is in the url.
Vulnerable scenarios
- <cflocation url="random.cfm" addtoken="true">
When the attribute “addtoken” is explicitly set to true.
- <cflocation url="random.cfm">
When the “addtoken” is not specified, the default value of true is taken.
- <cfset addtoken1 = "true">
<cflocation url="random.cfm" addtoken="#addtoken1#">
When a variable is used by “addtoken” attribute, which is set to true.
Cookies can contain sensitive information.
Vulnerable scenarios
- <cfcookie name="sample" value="random" httponly="false" secure="false">
When both “httponly” and “secure” attributes are set to false explicitly, the code is vulnerable.
- <cfcookie name="sample" value="random" httponly="true" secure="false">
When either of “httponly” and “secure” attributes is set to false explicitly, the code is vulnerable.
- <cfcookie name="sample" value="random" >
When “httponly” and “secure” attributes are not set, default value of false is taken, making the code vulnerable.
Whenever files are uploaded to the server, take extreme caution to ensure that you have properly validated the file path and file type.
Vulnerable scenarios
- <cffile action = "upload" fileField = "FileContents"
destination = "c:\folder1\folder2" accept = "text/html"
nameConflict = "MakeUnique" strict="false">
- <cffile action="upload" filefield="photo" accept="image/gif,image/png,image/jpg"
destination="#getTempDirectory()#" nameconflict="overwrite" strict="false">
- <cffile action="uploadall" destination="#expandpath('./upload')#" accept="text/html" strict="false">
Vulnerable scenarios
- <cfform method="get" action="sayHello.cfm">
<cfinput name="userName" type="text" >
<cfinput name="token" value="#CSRFGenerateToken()#" type="hidden" >
<cfinput name="submit" value="Say Hello!!" type="submit" >
</cfform>
When method is explicitly set to “get”, the code is vulnerable.
- <cfform action="sayHello.cfm">
<cfinput name="userName" type="text" >
<cfinput name="token" value="#CSRFGenerateToken("a")#" type="hidden" >
<cfinput name="submit" value="Say Hello!!" type="submit" >
</cfform>
When method is not set to any value, by default “get ” method is used.
<cfinclude template="views/#header#">
The above vulnerable sample code does not validate the value of the #header# variable before using it in a file path. An attacker can use the vulnerable code to read any file on the server that ColdFusion has access to. For example, by requesting ?header=../../server-config.txt the attacker can read a configuration file that is not meant to be public.
Twitter™ and Facebook posts are not covered under the terms of Creative Commons.