ColdFusion Summit East Notes: Securing Mature CFML Codebases, Pete Freitag

April 11, 2019

even the wealthiest, biggest companies have security issues
not a good idea to ignore them

mature codebase -
has thousands of source code files
has code you hope you don’t have to see again
can take weeks, often months, of work to properly secure
can be hard to fix, brittle
probably uses outdated techniques

different approaches -
beast mode = fix everything fast! spend several weeks dedicated to identifying and fixing vulnerabilities
prioritize = spend time identifying the most critical vulnerabilities and patch less critical things as you see them
as you go = as you work on files, fix things as you see them, you may miss some vulnerabilities w/ this approach. (need to be aware of what the vulnerabilities look like to find them as you go.)
hire someone to find or fix the issues - can work well when you are too busy to find/fix them yourself

how do you get started?
can you delete any code? is there code that truly never runs?
example: “we have code for a coupon promo from 2006 that’s still on the site but never used any more”
— can delete stuff like that outright

old code is often full of security holes
each day we learn new security things and get better
but 10 years ago we knew less
older the code, the more likely it probably has security holes

version control -
you might be using home made version control
“index.old” files are probably full of vulnerabilities
keeps backups of all your code
sync server source code w/ version control
identify if someone changed something on the server

spend some time identifying unused code
and delete it

ways to find obsolete code
on unix:
find /wwwroot -mtime +365

find /wwwroot/ -atime +365
can tell which files haven’t even been accessed in over a year

Patch the server -
Use CF 2016 or greater
Core support for CF11 ends in April 2019 (now)
Windows 2008 (EOL’d in 2015)
Java8+ (core public support ended in early 2019)
Java7 was EOL’d in 2015
Java6 EOL’d in

Multiple vulnerabilities for Denial of Service in old version of Java
Path traversal via Null Byte, etc
tons more fixes in newer versions of Java

Follow the CF Lockdown guide
smaller attack surface
what user is the JVM running as?
if your CFML server is running as SYSTEM or root then the attacker can do a lot more harm
what permission does the user have?
if CF server user only has readonly access to webroot and CF server install directory then less harm can be done (easily)
does CF server need full write access to webroot or just 2 directories?

nearly 60% of breaches due to unpatched vulnerabilities
—serviceNow Survey

Equifax breach affected 100million+ people
it was due to an unpatched vulnerability that could have been fixed via a patch

don’t use known vulnerable components

Fixinator - cfml, js, jar — Looks for known vulnerable CFML libs (FCKeditor file upload vulnerabilities, old custom tags, etc) (commercial product)
OWASP Dependency Check (Java,C, Ruby, Python, NodeJS)
RetireJS

implement a WAF - Web Application Firewall
inspect http request / response
determines if they’re malicious, blocks them if so
provides defense in depth
you might have something you think is a redundant layer of defense, but that layer can protect you in case some other layer failed
several options -
hardware
software / app level
-FuseGuard

Low Hanging Fruit -
things that don’t need to modify the codebase (or maybe just a minor update)

Identify High Risk vulnerabilities in your code -
How can we improve security of the code base?
prioritize
what types of vulnerabilities are the worst?
does it compromise my SERVER directly or the USER of the app?
if server then they can ALSO compromise users
so focus on things that compromise the server first:
ex:
sql injection
file upload / access
remote code execution

user compromises:
xss
csrf
session hijacking

both are important but start w/ server things.

Evaluate() can be very dangerous
commonly used when variable names are dynamic, like a list of checkboxes that are dynamically created, etc.

IIF() - also evaluates dynamically
Can use ternary or Elvis operators instead to keep the code one line but no longer have the dynamic evaluate concern
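The dynamic-checkbox idiom that usually justifies Evaluate() and IIF(), beside equivalents that evaluate nothing, as an added example (not code from the talk). It assumes each checkbox is named item_N_selected, a hidden field itemCount, and an optional url.pageSize.

```cfml
<cfscript>
// Added example, not code from the talk. Assumed field names: item_N_selected checkboxes,
// a hidden itemCount field and an optional url.pageSize.

// BEFORE: the string handed to evaluate() is executed as CFML, so anything that feeds into
// the variable name (an id list from the client, say) feeds into code
selected = [];
for (i = 1; i <= form.itemCount; i++) {
    if (isDefined("form.item_#i#_selected") AND evaluate("form.item_#i#_selected")) {
        arrayAppend(selected, i);
    }
}
label = iif(arrayLen(selected) GT 1, de("items"), de("item"));

// AFTER: bracket notation is a key lookup, not code; the loop bound is coerced to a number.
// An unticked checkbox is not submitted at all, so presence of the key is the whole test.
selected = [];
for (i = 1; i <= val(form.itemCount); i++) {
    key = "item_" & i & "_selected";
    if (structKeyExists(form, key)) {
        arrayAppend(selected, i);
    }
}
// ternary replaces iif()/de(); the Elvis operator supplies a default when a value may be undefined
label = arrayLen(selected) GT 1 ? "items" : "item";
pageSize = val(url.pageSize ?: 25);
</cfscript>
```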

common yet dangerous - file uploads

don’t let users upload things like .cfm files

3 rules for file uploads
1. never trust a MIME
mime type validation - don’t trust this in file upload code
CF10 added “strict” attribute to “action=upload”
instead of validating the mime type that the browser sends

2. check the file extension
validate against a “white list” of valid extensions
CF10+ allows you to specify which file extensions are allowed via an attribute

3. upload destination should be OUTSIDE of the webroot

additional tips - inspect file content - fileGetMimeType, isImageFile, isPDFFile, etc
upload to static content server (s3)
make sure directory serving uploaded files cannot serve dynamic content
file extension white list on web server (IIS request filtering)
secureupload.cfc in this repo:
https://github.com/foundeo/cfml-security
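One upload handler that applies the three rules above plus the content-inspection tip, as an added example (not code from the talk or from the foundeo/cfml-security repo). It assumes a form field named userfile and that /var/app/uploads/ sits outside the webroot, with the CF service user having write access to that directory only.

```cfml
<!--- Added example, not from the talk or the cfml-security repo. Assumptions: form field
      "userfile"; /var/app/uploads/ is outside the webroot and writable by the CF service user. --->
<cfset uploadDir = "/var/app/uploads/">          <!--- rule 3: destination outside the webroot --->
<cfset allowedExt = "jpg,jpeg,png,gif,pdf">      <!--- rule 2: allow list, never a block list --->

<cfif NOT structKeyExists(form, "userfile") OR NOT len(form.userfile)>
    <cfthrow message="No file was submitted">
</cfif>

<!--- rule 1: strict="true" makes CF inspect the file rather than trust the browser-sent MIME
      type; accept holds the extension allow list (CF10+). A mismatch throws before any
      further code runs. --->
<cffile action="upload"
        fileField="userfile"
        destination="#uploadDir#"
        accept=".jpg,.jpeg,.png,.gif,.pdf"
        strict="true"
        nameConflict="makeunique"
        result="up">

<cfset savedPath = up.serverDirectory & "/" & up.serverFile>
<cfset ext = lCase(up.serverFileExt)>

<!--- additional tip: re-check the saved file's extension and confirm the content matches it --->
<cfset contentOk = false>
<cfif listFindNoCase(allowedExt, ext)>
    <cfif ext EQ "pdf">
        <cfset contentOk = isPDFFile(savedPath)>
    <cfelse>
        <cfset contentOk = isImageFile(savedPath)>
    </cfif>
</cfif>

<cfif NOT contentOk>
    <cfif fileExists(savedPath)>
        <cffile action="delete" file="#savedPath#">
    </cfif>
    <cfthrow message="Upload rejected: file extension or content not allowed">
</cfif>

<!--- keep only the server-generated name; the client-supplied name never becomes part of a path --->
<cfoutput><p>Stored as #encodeForHTML(up.serverFile)#</p></cfoutput>
```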

new in latest CF update 2018 update 3
and CF2016 update 10
and CF11 update 18

application.cfc setting this.blockedExtForFileUpload
comma separated list
set to * to block all file uploads
so literally nothing can be uploaded anywhere in that app
set server wide in CF Administrator (good idea to also set it in the app)

Path Traversal Attacks -
in application.cfc
set this.compileExtForInclude = “cfm”
now ONLY cfm files will be compiled when they’re CFincluded
other files can still be CFincluded (like .html) but they won’t be compiled, they’re treated as plain text
(also gives a tiny performance improvement)

avoid variables in paths
if you really need to use a variable, strip out everything except a-z0-9
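The two Application.cfc settings above (blockedExtForFileUpload and compileExtForInclude) together with the “strip everything except a-z0-9” rule for a legacy page that still builds an include path from a URL variable, as an added example (not code from the talk). Application name, the views folder and the url.page parameter are assumed.

```cfml
<!--- Added example, not code from the talk. Assumed: app name "legacyapp", a views/ folder
      of .cfm templates, and a legacy index.cfm that picks its view from url.page. --->

<!--- Application.cfc --->
<cfcomponent>
    <cfset this.name = "legacyapp">

    <!--- CF2018 u3 / CF2016 u10 / CF11 u18: this app has no upload feature, so block every
          cffile/fileUpload outright. An app that does upload lists the extensions to block
          here and still keeps a per-upload extension allow list in the upload code. --->
    <cfset this.blockedExtForFileUpload = "*">

    <!--- only .cfm is compiled when included; any other extension that gets CFincluded
          (an uploaded .txt, say) is output as plain text, not executed --->
    <cfset this.compileExtForInclude = "cfm">
</cfcomponent>

<!--- index.cfm, BEFORE (the pattern to hunt for): url.page can carry "../../config/settings"
      or a path into an upload directory --->
<!--- <cfinclude template="views/#url.page#.cfm"> --->

<!--- index.cfm, AFTER: lower-case, strip everything except a-z0-9, fall back to a default,
      and confirm the result names an existing view before including it --->
<cfparam name="url.page" default="home">
<cfset view = reReplace(lCase(url.page), "[^a-z0-9]", "", "all")>
<cfif NOT len(view) OR NOT fileExists(expandPath("views/#view#.cfm"))>
    <cfset view = "home">
</cfif>
<cfinclude template="views/#view#.cfm">
```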

File Access Issues
can be more time consuming
have to review a lot of stuff
cffile, cfdocument, cfmodule, cfspreadsheet
anywhere you could potentially have a file path

SQL injection -
use cfqueryparam
(cfsqltype attribute is not -always- required; sometimes it’s required for datetime or numeric types for precision, etc., but you can sometimes get away without it.)

look for all your queries - cfquery, ormExecute, queryExecute(), etc.
Fixinator can find and fix them for you
use static code analyzer (CFBuilder 2016+)
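The legacy query pattern beside its cfqueryparam and queryExecute() forms, plus the one case a bound parameter cannot cover, as an added example (not code from the talk). Datasource, table and column names are assumed.

```cfml
<!--- Added example, not code from the talk. Assumed datasource "app" and a users table. --->

<!--- BEFORE: url.id is pasted into the SQL text, so "1 OR 1=1" or a UNION is valid input --->
<cfquery name="getUser" datasource="app">
    SELECT id, username, email FROM users WHERE id = #url.id#
</cfquery>

<!--- AFTER (tag): the value is sent as a bound parameter, never as SQL text. cfsqltype is
      optional, but cf_sql_integer also rejects non-numeric input before it reaches the DB --->
<cfquery name="getUser" datasource="app">
    SELECT id, username, email FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfscript>
// AFTER (script, CF11+): queryExecute() with named parameters
getUser = queryExecute(
    "SELECT id, username, email FROM users WHERE id = :id",
    { id = { value = url.id, cfsqltype = "cf_sql_integer" } },
    { datasource = "app" }
);

// LIKE searches: the wildcards go into the bound value, not into the SQL string
found = queryExecute(
    "SELECT id, username FROM users WHERE username LIKE :pattern",
    { pattern = { value = "%" & form.q & "%", cfsqltype = "cf_sql_varchar" } },
    { datasource = "app" }
);

// Identifiers (an ORDER BY column, a table name) cannot be bound. Map the request value
// onto an allow list and put the list's own entry, never the raw input, into the SQL
sortable = "username,email";
pos = listFindNoCase(sortable, url.sort ?: "");
sortCol = pos ? listGetAt(sortable, pos) : "username";
users = queryExecute(
    "SELECT id, username, email FROM users ORDER BY " & sortCol,
    {},
    { datasource = "app" }
);
</cfscript>
```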

What’s next -
session handling - sessionRotate, sessionInvalidate
scope injection
lots more

petefreitag.com
foundeo.com
FuseGuard
hackmycf.com
Fixinator