Note: This blog post is from 2014. Some content, links and indeed comments from others may be outdated--though not necessarily. Corrections are welcome, in the comments. I may revise the content if necessary.

While helping people with various problems in my CF server troubleshooting services, I often have the chance to help people identify security vulnerabilities, especially in their configuration of CF and/or their web server, and sometimes related to their code.
I was wanting to point out to someone the various ColdFusion security resources, and while I have a category on them in my CF411 site, I thought this was a list worth pulling out into its own blog entry and expanding a bit.
You may be surprised to find that there is more to CF security guidelines than just the venerable server "lockdown guide" (for those administering and configuring CF, the OS, and the web server, among other things).
Did you know that there have been "developer security guidelines" as well, focused instead on coding? This latter guide has gone through three iterations, including just recently, as I'll discuss along with the lockdown guides, below.
I've decided to offer the guides in reverse chronological order, starting with the most recent, which came out only months ago, and I suspect many are still not aware of it:
- CFML Developer Security Guide, written by Pete Freitag, Foundeo Inc.
28 pages, written in 2014. This is NOT the lockdown guide, but instead is a developer-oriented guide which covers these topics (including code examples): SQL Injection, Cross-Site Scripting/XSS, file upload vulnerabilities, file path injection, encryption & cryptography, error handling, validation, cross site request forgery/CSRF, cookie security, session security, authentication & authorization, PDF generation security, and more.
- ColdFusion 11 Lockdown Guide, written by Pete Freitag, Foundeo Inc.
62 pages. (And I contributed to improving it over the CF10 version, as mentioned at the bottom of the last page)
- ColdFusion 10 Server Lockdown Guide, written by Pete Freitag, Foundeo Inc.
58 pages. (There is a version of the document which appears as 87 pages, but it's just about differences in formatting.)
(As a side note for those using IIS, be aware that this guide was written assuming use of IIS 7.5, whereas the CF9 guide had been written for IIS 7. The issue there is the availability of a user interface for configuring Request Filtering. Both the CF10 and CF9 versions of the guide cover use of Apache 2.2.)
- ColdFusion 9 Server Lockdown Guide, written by Pete Freitag, Foundeo Inc.
35 pages. (Continuing my point above, note that this version of the guide was written presuming use of IIS 7 rather than 7.5, as in the CF10 guide. Again, both cover use of Apache 2.2. Also, note that the CF9 version of the Lockdown Guide did have a few pages at the rear about developer security guidelines, which were removed from the CF10 Lockdown Guide but then restored as the new "CFML Developer Security Guide" listed first above.)
- ColdFusion 8 developer security guidelines, written by Erick Lee, Ian Melven, and Sarge Sargent
47 pages, written in 2007. Covers many of the same topics now in the "CFML Developer Security Guide" by Pete in 2014, as listed first above, but goes to show that Adobe was trying to encourage better security practices even several years ago.
And while the list above is focused on "guides", it would be downright criminal to discuss CF security resources without also mentioning Pete Freitag's awesome HackMyCF service, which offers both a free and a paid version of an amazing tool to check the security of your CF server. Don't be put off by the name: he is not "hacking" into your server, but rather he is making a small number of targeted requests to identify whether you are indeed vulnerable to hackers. As he quotes me saying (via Twitter) on his web site, "If you've not yet run free http://www.hackmycf.com (from @foundeo, @pfreitag) against your server, what are you waiting for?" Amen, brother. :-)
Finally, as for other CF-related security resources (guides, articles, presentations, and more), see listings such as OWASP's ColdFusion Security Resources, the Adobe ColdFusion Security Center site, and my CF411 site section, CFML-oriented Security Resources.
Did I leave anything out? Especially any still-older versions of these guides that may have existed? I could have sworn something did exist even for CF7, but I could not readily find it. I welcome your feedback, as always.