OWASP Series - Failure to Restrict URL Access

May 09, 2008

At our last ACFUG (Atlanta ColdFusion User Group) meeting Dean Saxe (http://www.fullfrontalnerdity.com/) from Foundstone talked about penetration testing (pen testing) and what to expect from it. As with most talks about security, it turned into a general discussion. It's always interesting to hear the various views and concerns about web security. Dean did a great job explaining the issues and how to address them.

The talk inspired me to start a new series for my blog and review the OWASP Top Ten web security vulnerabilities (http://www.owasp.org/index.php/Top_10_2007), specifically as they apply to ColdFusion. So here goes..

10. Failure to Restrict URL Access
"Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly."

So for example, you might have an application that uses the following convention: to view a product you go to index.cfm?method=view.product&id=3

Even if you never show that link anywhere, it does not take much imagination to try whether the following would work: index.cfm?method=delete.product&id=3

Even if you think no unauthorized user would ever hit a part of your site, that is no reason not to check the user's credentials before processing any request.
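As an added example (not code from the original post), here is a tag-based Application.cfc that does the check the paragraph above calls for: every request, linked or not, is authorized in onRequestStart against a deny-by-default map of method names to required roles. It assumes your own login code sets session.roles, a struct keyed by role name; the application name and the role names are placeholders.

```cfml
<!--- Application.cfc: added example. Assumes login code sets session.roles,
      a struct keyed by role name (e.g. session.roles["admin"] = true). --->
<cfcomponent output="false">
    <cfset this.name = "productApp">
    <cfset this.sessionManagement = true>
    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfscript>
            // Role each front-controller action requires ("" = public).
            // An action that is not listed is refused, so guessing
            // delete.product from view.product gets nothing.
            application.actionRoles = structNew();
            application.actionRoles["view.product"]   = "";
            application.actionRoles["edit.product"]   = "editor";
            application.actionRoles["delete.product"] = "admin";
            return true;
        </cfscript>
    </cffunction>
    <cffunction name="isAllowed" returntype="boolean" output="false">
        <cfargument name="action" type="string" required="true">
        <cfscript>
            var required = "";
            if (not structKeyExists(application.actionRoles, arguments.action)) {
                return false;   // unknown action: deny by default
            }
            required = application.actionRoles[arguments.action];
            if (required eq "") {
                return true;    // public action
            }
            if (not structKeyExists(session, "roles")) {
                return false;   // not logged in
            }
            return structKeyExists(session.roles, required);
        </cfscript>
    </cffunction>
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfscript>
            // Every request passes through here, so typing the URL
            // directly does not skip the check.
            var action = "view.product";
            if (structKeyExists(url, "method")) {
                action = url.method;
            }
            if (not isAllowed(action)) {
                // Plain 403: do not explain which actions exist or why.
                getPageContext().getResponse().setStatus(403);
                return false;   // returning false stops the request
            }
            return true;
        </cfscript>
    </cffunction>
</cfcomponent>
```

This only covers requests that ColdFusion itself serves; paths such as /CFIDE/Administrator still have to be blocked at the web server.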

Some other classic examples are:

To view the administrative section of a site:

 www.thesite.com/admin

To view the development version of a site, which might have debugging or RDS services turned on. In many cases, if a development version of a site is accessible, it will not have the full security protections that the production server has.

dev.thesite.com or beta.thesite.com

To reach the ColdFusion Administrator page. In many cases these can be found on the web with a Google search.

 www.thesite.com/CFIDE/Administrator

Can someone access your CFCs with the CFC Explorer? It is normally password protected, but that is just one password between an attacker and your internal system. It's a good idea to block access to cfcexplorer altogether.

  www.thesite.com/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=cfcname&path=/path/to/cfc/cfcname.cfc

Can someone expose the structure of your internal CFCs with a web service call? Can they call its methods?

 www.thesite.com/cfcname.cfc?wsdl

You might have a config file in your application. Can you hit the file directly? It would be better to move it outside the web-accessible area of your site, but if it is accessible, does it expose any information? Can you make the page throw an error that would expose anything?

 www.thesite.com/config.xml.cfm

Or even worse..

 www.thesite.com/config.xml

Some other items to consider..

 - Exposing setup files, README files, .sql files, etc.: anything that would help show the structure of the application.

 - Are you exposing your unit tests? Many people include their unit tests and Selenium tests with their projects and then, as a result, FTP everything up to production.
