The Security Code Analyzer is only available to ColdFusion (2016 release) Enterprise license users.
For any web application, security plays a critical role. It is important to avoid security pitfalls while developing web applications.
Security Analyzer is a new feature in Adobe ColdFusion (2016 release). This feature is integrated into ColdFusion Builder to enable developers to avoid common security pitfalls and vulnerabilities while writing ColdFusion code.
Use this feature to view the security vulnerabilities in your code. The Security Analyzer feature of the server is exposed as a service, which ColdFusion Builder calls. You can get a list of security vulnerabilities for a file, a folder, or a project.
Follow the steps below to access Security Analyzer in ColdFusion Builder:
You have three options in Security Analyzer:
Follow the steps below to use Security Analyzer for your project folder or file:
Create a ColdFusion project or use an existing project. Ensure that the project is aligned to the preferred server. You can verify it by choosing the appropriate server in project properties. (Right-click in the navigator and choose properties).
Right-click the project folder or project file and choose Security Analyzer > Run Security Analyzer. Security Analyzer analyzes the code and displays a pop-up dialog when the task is complete.
Click OK.
You can view all the vulnerabilities in the bottom pane of the Editor as shown below.
Click Security Issues on the left pane to view the list of vulnerabilities.
The Both drop-down list is sometimes grayed out. This happens when the Errors or Warnings issue type is selected in the left pane. To make it active again, select the Security Issues folder.
When you have fixed an error in the code, right-click the corresponding error in the middle pane and set its status to Fixed. Set the status to Ignore if you want to ignore the error.
You can move the error back to the To fix status in the same way.
Rerunning Security Analyzer (Security Analyzer > Run Security Analyzer) does not show vulnerabilities that are marked as Ignore. If a vulnerability is marked as Fixed but is not actually fixed, the server reports it again.
Click Export on the upper-right corner of the Security Analyzer pane to export all the vulnerabilities to a report.html file. You can view the graphical representation of all vulnerabilities for your resource in the exported file, as shown below:
You can increase the Security Analyzer timeout in the RDS Configuration settings.
The default is 30 seconds.
Perform one of the following:
As shown in the following sample code, the attacker can create arbitrary SQL statements to execute against the database by passing values into the url.id variable. For example, the attacker can pass a value of 1 DELETE FROM news to delete all news articles in the table or 0 UNION SELECT username, password FROM users to extract username and password values from the database.
<!--- name and datasource attributes assumed --->
<cfquery name="getNews" datasource="cfdocexamples">
SELECT headline, story
FROM news
WHERE id = #url.id#
</cfquery>
Vulnerable scenarios
<!--- opening tag and name attribute assumed --->
<cfquery name="getEmployee" datasource="cfdocexamples">
SELECT * FROM Employee
WHERE Emp_ID=#var#
</cfquery>
All of the above code samples use a variable of unknown origin inside the query statement, which makes them vulnerable.
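The vulnerable query beside its parameterized form, as an added example that is not from the page. It uses the cfdocexamples datasource and the url.id parameter from the page; the query names, the url.q search parameter and the id list are constructed.

```cfml
<!--- Added example, not from the page: the vulnerable query beside its
      parameterized form. Uses the cfdocexamples datasource and url.id from
      the page; the query names, url.q and the id list are constructed. --->

<!--- Vulnerable: url.id is spliced into the SQL text, so a value such as
      "0 UNION SELECT username, password FROM users" rewrites the statement. --->
<cfquery name="newsUnsafe" datasource="cfdocexamples">
    SELECT headline, story
    FROM news
    WHERE id = #url.id#
</cfquery>

<!--- Defense in depth: reject a non-integer id before any further query runs. --->
<cfparam name="url.id" type="integer">
<cfparam name="url.q" default="">

<!--- Hardened: cfqueryparam sends the value as a bound, typed parameter.
      The database compiles "WHERE id = ?" and receives the value separately,
      so the input can never change the statement. --->
<cfquery name="newsSafe" datasource="cfdocexamples">
    SELECT headline, story
    FROM news
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings are bound the same way. LIKE wildcards belong in the value,
      not in the SQL, and maxlength caps what the caller can send. --->
<cfquery name="newsSearch" datasource="cfdocexamples">
    SELECT headline, story
    FROM news
    WHERE headline LIKE <cfqueryparam value="%#url.q#%"
                                      cfsqltype="cf_sql_varchar"
                                      maxlength="120">
</cfquery>

<!--- A list of ids becomes one bound parameter per element with list="true". --->
<cfset ids = "3,7,11">   <!--- constructed sample input --->
<cfquery name="newsByIds" datasource="cfdocexamples">
    SELECT headline, story
    FROM news
    WHERE id IN (<cfqueryparam value="#ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>
```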
<cfoutput>Hello #url.name#</cfoutput>
With the above code, an attacker can pass JavaScript in the url.name variable, and it is executed in the browser of anyone visiting the URL. Attackers also try to post XSS code that is stored in a database and executed later, for example by posting a comment that is displayed to all visitors of a page.
Vulnerable scenarios
The cfhtmltopdf tag, introduced in ColdFusion 11, provides powerful HTML rendering, powered by WebKit, to produce PDF files. Because the server renders the HTML, be cautious when using variables in the PDF document.
All preventative measures pertaining to cross-site scripting also apply to variables written in the cfhtmltopdf tag. JavaScript in the cfhtmltopdf content can be executed during rendering.
Because the JavaScript would be executed on the server during rendering, the risks differ from a client-side cross-site scripting attack. They include denial of service and potential exploitation of unknown vulnerabilities in WebKit. In addition, there is a risk of bypassing the network firewall, since the server can sit behind a firewall with network access to other systems.
Vulnerable scenarios
<!--- opening tags assumed --->
<cfhtmltopdf>
<h1>Hello <cfoutput>#pf2#</cfoutput></h1>
</cfhtmltopdf>
<cfhtmltopdf>
<h1>Hello <cfoutput>#url.name#</cfoutput></h1>
</cfhtmltopdf>
<cfhtmltopdf>
<cfoutput>#hello#</cfoutput>
</cfhtmltopdf>
<cfdocument format="pdf">
<cfdocumentitem type="header">
<cfoutput>#abc#</cfoutput>
</cfdocumentitem>
</cfdocument>
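Output encoding for both the reflected XSS sample and the server-side PDF rendering above, as an added example that is not from the page. It uses url.name from the page; the stored comment and the PDF file names are constructed, and the encodeFor* functions are the ESAPI-backed ones available since ColdFusion 10.

```cfml
<!--- Added example, not from the page: the reflected output and the PDF
      rendering beside encoded forms. Uses url.name from the page; the
      stored comment and the PDF file names are constructed. --->
<cfparam name="url.name" default="">

<!--- Vulnerable: the raw value is written into the page, so
      ?name=<script>...</script> runs in every visitor's browser. --->
<cfoutput><p>Hello #url.name#</p></cfoutput>

<!--- Hardened: encode for the context the value lands in. --->
<cfoutput>
    <p>Hello #encodeForHTML(url.name)#</p>
    <input type="text" name="name" value="#encodeForHTMLAttribute(url.name)#">
    <script>var visitor = "#encodeForJavaScript(url.name)#";</script>
    <a href="profile.cfm?user=#encodeForURL(url.name)#">Profile</a>
</cfoutput>

<!--- Stored XSS: encode on output, not only on input, because a value saved
      once may later be rendered in several contexts. --->
<cfset storedComment = "<script>alert(1)</script>">   <!--- constructed --->
<cfoutput><div class="comment">#encodeForHTML(storedComment)#</div></cfoutput>

<!--- cfhtmltopdf renders the HTML on the server with WebKit, so script in a
      variable runs inside the ColdFusion process, not in the client. The
      same encoding applies; here the PDF is written to a file. --->
<cfhtmltopdf destination="#getTempDirectory()#/hello.pdf" overwrite="true">
    <h1>Hello <cfoutput>#encodeForHTML(url.name)#</cfoutput></h1>
</cfhtmltopdf>

<!--- The same rule covers cfdocument header and footer items. --->
<cfdocument format="pdf" filename="#getTempDirectory()#/hello2.pdf" overwrite="true">
    <cfdocumentitem type="header">
        <cfoutput>#encodeForHTML(url.name)#</cfoutput>
    </cfdocumentitem>
    <cfoutput><p>Body for #encodeForHTML(url.name)#</p></cfoutput>
</cfdocument>
```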
Cross-Site Request Forgery (CSRF) vulnerabilities are exploited when an attacker tricks an authenticated user into clicking a URL, or embeds a URL in a page that the user’s authenticated browser requests.
Vulnerable scenarios
When the CSRFGenerateToken() function is not used, the code is vulnerable.
When there is no corresponding CSRFVerifyToken() call for a CSRFGenerateToken() call, the code is vulnerable.
<cfform method="POST" action='/csrf/dummy.cfm'>
<cfinput type="hidden" name="token" value="#var2#" />
<cfinput type="submit" value="Make Administrator" />
</cfform>
When there is no corresponding CSRFVerifyToken() call for the CSRFGenerateToken() call in the specified action page, the code is vulnerable.
Avoid appending session identifiers to the URL query string. End users email or publish URLs without realizing that their session identifier is in the URL.
Vulnerable scenarios
When the “addtoken” attribute is explicitly set to true.
When the “addtoken” attribute is not specified, the default value of true is used.
<cflocation url="random.cfm" addtoken="#addtoken1#">
When the “addtoken” attribute takes its value from a variable that is set to true.
Cookies can contain sensitive information.
Vulnerable scenarios
When both the “httponly” and “secure” attributes are explicitly set to false, the code is vulnerable.
When either the “httponly” or the “secure” attribute is explicitly set to false, the code is vulnerable.
When the “httponly” and “secure” attributes are not set, the default value of false is used, making the code vulnerable.
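The weak cookie and the token-appending redirect from the two sections above beside their hardened forms, as an added example that is not from the page. It assumes session management is enabled in Application.cfc; the cookie name and value, the session key and the redirect target are constructed, and the vulnerable cflocation is commented out so the page runs once.

```cfml
<!--- Added example, not from the page: weak cookie and redirect beside
      hardened forms. Cookie name/value, session key and redirect target are
      constructed; session management is assumed to be enabled. --->

<!--- Vulnerable: httponly and secure are omitted, so both default to false.
      Script injected into the page can read the cookie, and the browser
      sends it over plain HTTP. --->
<cfcookie name="prefsUnsafe" value="theme=dark">

<!--- Hardened: document.cookie cannot read it and it travels only over
      HTTPS; expires (in days) bounds its lifetime. --->
<cfcookie name="prefs"
          value="theme=dark"
          httponly="true"
          secure="true"
          expires="7">

<!--- Sensitive values do not belong in a cookie at all: keep them server
      side and let the session cookie carry only an opaque identifier. --->
<cfset session.accountId = 42>   <!--- constructed value --->

<!--- Vulnerable, commented out: addtoken defaults to true, so the user is
      sent to random.cfm?CFID=...&CFTOKEN=... and the session identifier
      ends up in browser history, proxy logs and any link the user copies.
      <cflocation url="random.cfm">
--->

<!--- Hardened: the session cookie already identifies the client, so the
      identifiers stay out of the query string. --->
<cflocation url="random.cfm" addtoken="false">
```

In Application.cfc, this.sessioncookie.httponly = true and this.sessioncookie.secure = true (ColdFusion 10 and later) apply the same two flags to the CFID and CFTOKEN cookies themselves.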
Do not store passwords in plain text.
Vulnerable scenarios
<cfcache action="get" timespan="#createTimeSpan(0,0,10,0)#" password="#password#">
In all of the above scenarios, a hardcoded password is used, which makes the code vulnerable.
Whenever files are uploaded to the server, take extreme caution to ensure that you have properly validated the file path and file type.
Vulnerable scenarios
<!--- action and filefield attributes assumed --->
<cffile action="upload" filefield="upload"
destination="c:\folder1\folder2" accept="text/html"
nameConflict="MakeUnique" strict="false">
<cffile action="upload" filefield="upload"
destination="#getTempDirectory()#" nameconflict="overwrite" strict="false">
In the above scenarios, strict is explicitly set to false, which makes the code vulnerable. The analyzer also reports a warning when the destination is not the “getTempDirectory()” function.
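The upload from the page beside a hardened one, as an added example that is not from the page. It assumes a form field named "upload"; the allowed types and the final storage folder (a placeholder path) are constructed.

```cfml
<!--- Added example, not from the page: the upload from the page beside a
      hardened one. Assumes a form field named "upload"; the allowed types
      and the final storage folder (a placeholder path) are constructed. --->

<!--- Vulnerable: strict="false" trusts the MIME type the browser declares,
      which the client controls, and drops the file into a fixed folder. --->
<cffile action="upload" filefield="upload"
        destination="c:\folder1\folder2" accept="text/html"
        nameConflict="MakeUnique" strict="false">

<!--- Hardened, step 1: land the file in the temp directory, outside the web
      root, so nothing is reachable by URL before it has been checked.
      strict="true" makes ColdFusion inspect the content, not the header. --->
<cffile action="upload" filefield="upload"
        destination="#getTempDirectory()#"
        accept="image/jpeg,image/png"
        nameConflict="MakeUnique" strict="true" result="up">

<!--- Step 2: re-check the extension and the detected MIME type against an
      allowlist; the extension check also catches double extensions. --->
<cfset uploaded = up.serverDirectory & "/" & up.serverFile>
<cfif NOT listFindNoCase("jpg,jpeg,png", up.serverFileExt)
      OR NOT listFindNoCase("image/jpeg,image/png", fileGetMimeType(uploaded, true))>
    <cffile action="delete" file="#uploaded#">
    <cfthrow message="Upload rejected: unexpected file type">
</cfif>

<!--- Step 3: replace the client-chosen name with a server-generated one and
      move the file to its final home outside the web root. --->
<cfset storeDir = "/var/app/uploads">   <!--- placeholder path --->
<cfset safeName = createUUID() & "." & lCase(up.serverFileExt)>
<cffile action="move" source="#uploaded#" destination="#storeDir#/#safeName#">
```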
Do not send sensitive information over a GET method.
Vulnerable scenarios
<!--- opening cfform tag assumed; the action target is a placeholder --->
<cfform method="get" action="hello.cfm">
<cfinput name="userName" type="text">
<cfinput name="token" value="#CSRFGenerateToken()#" type="hidden">
<cfinput name="submit" value="Say Hello!!" type="submit">
</cfform>
When the method is explicitly set to “get”, the code is vulnerable.
<!--- opening cfform tag assumed; the action target is a placeholder --->
<cfform action="hello.cfm">
<cfinput name="userName" type="text">
<cfinput name="token" value="#CSRFGenerateToken('a')#" type="hidden">
<cfinput name="submit" value="Say Hello!!" type="submit">
</cfform>
When the method is not set, the “get” method is used by default.
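One self-posting page that covers both the CSRF section (generate a token, verify it on the action side) and the GET-method section above, as an added example that is not from the page. It assumes session management is enabled in Application.cfc; the token key "makeAdmin" and the field names are constructed.

```cfml
<!--- Added example, not from the page: one self-posting page covering the
      CSRF token check and the POST method. Assumes session management is
      enabled in Application.cfc; the token key "makeAdmin" and the field
      names are constructed. --->
<cfif structKeyExists(form, "userName")>
    <!--- Action branch. A link or image on a third-party site can only
          produce a GET, so refuse anything else first. --->
    <cfif cgi.request_method NEQ "POST">
        <cfheader statuscode="405" statustext="Method Not Allowed">
        <cfabort>
    </cfif>
    <!--- The token must be the one generated for THIS session and THIS
          form key. CSRFVerifyToken returns false for a missing, forged or
          other-session token. --->
    <cfparam name="form.token" default="">
    <cfif NOT csrfVerifyToken(form.token, "makeAdmin")>
        <cfheader statuscode="403" statustext="Forbidden">
        <cfoutput>Request rejected: invalid CSRF token.</cfoutput>
        <cfabort>
    </cfif>
    <cfoutput><p>Hello #encodeForHTML(form.userName)#, change applied.</p></cfoutput>
<cfelse>
    <!--- Form branch. POST keeps userName and the token out of the URL,
          browser history and referrer logs. CSRFGenerateToken stores the
          token in the session under the given key. --->
    <cfform method="post" action="#cgi.script_name#">
        <cfinput name="userName" type="text">
        <cfinput name="token" type="hidden" value="#csrfGenerateToken('makeAdmin')#">
        <cfinput name="submit" type="submit" value="Make Administrator">
    </cfform>
</cfif>
```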
<cfinclude template="views/#header#">
The above vulnerable sample code does not validate the value of the #header# variable before using it in a file path. An attacker can use the vulnerable code to read any file on the server that ColdFusion has access to. For example, by requesting ?header=../../server-config.txt the attacker can read a configuration file that is not meant to be public.
Vulnerable scenarios
In all of the above scenarios, an unknown variable is used for file path or directory path, so they are vulnerable.
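The include from the page beside an allowlist lookup and a validated dynamic lookup, as an added example that is not from the page. The template names, the url.header parameter and the views directory are constructed.

```cfml
<!--- Added example, not from the page: the include from the page beside an
      allowlist lookup and a validated dynamic lookup. Template names, the
      url.header parameter and the views directory are constructed. --->
<cfparam name="url.header" default="standard">

<!--- Vulnerable, commented out: the request supplies part of the path, so
      ../ sequences walk out of views/ and read any file the ColdFusion
      process can open.
      <cfinclude template="views/#url.header#">
--->

<!--- Hardened (fixed set): the request value is only a key into a struct of
      known templates; it never becomes part of a path. --->
<cfset headers = {
    standard = "views/header_standard.cfm",
    compact  = "views/header_compact.cfm",
    print    = "views/header_print.cfm"
}>
<cfif NOT structKeyExists(headers, url.header)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Unknown header template.</cfoutput>
    <cfabort>
</cfif>
<cfinclude template="#headers[url.header]#">

<!--- Hardened (dynamic set): when templates are added without a code change,
      accept only a bare name, resolve it, and confirm the resolved path is
      still inside the views directory. Returns the relative template path
      for cfinclude, or throws. --->
<cffunction name="resolveView" returntype="string" output="false">
    <cfargument name="name" type="string" required="true">
    <cfset var base = getCanonicalPath(expandPath("views"))>
    <cfset var path = "">
    <cfif NOT reFind("^[A-Za-z0-9_-]{1,64}$", arguments.name)>
        <cfthrow message="Invalid template name">
    </cfif>
    <cfset path = getCanonicalPath(base & "/" & arguments.name & ".cfm")>
    <cfif left(path, len(base)) NEQ base OR NOT fileExists(path)>
        <cfthrow message="Template not found">
    </cfif>
    <cfreturn "views/" & arguments.name & ".cfm">
</cffunction>
```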