Web Application Security

Application security ought to be automatic for all developers, but too often it becomes secondary to meeting frantic deadlines and making the customer happy. After all, clients do not see security, but they do see that the submit button is 3 pixels too small.

Writing more-secure code is not hard. It just requires a bit of thought, and the use of standard functionality and libraries, regardless of the language used. No application is 100% secure, since the security landscape changes too quickly. I believe we can write more-secure applications that are designed to adapt more easily to new vulnerabilities and approaches to security.

To start with, listed below are web application security resources I consult often. This list may grow.

Resources

OWASP Top Ten Project
OWASP is the go-to spot for web application security. Their top 10 list of security issues was updated in 2013, from the previous 2010 version.
Jason Dean's Blog
Jason wrote a very good series of entries on application security.
Pete Freitag's Blog
Pete often writes about security topics related to ColdFusion.

Basic Web Application Security - Enforcing SSL

Many web applications deal with data considered to be confidential or sensitive in nature. Applications like this should use SSL to encrypt the traffic between the server and the user (you are using SSL...right?). Most web servers, however, are not configured to only accept a secure connection.

The programmatic method for redirecting an insecure request over http to one using https relies on checking the https variable in the CGI scope. If it is not set to on, then we know that a redirect is needed to enforce https.

The following code uses the cfheader tag to send a 301 HTTP status code, which tells the browser that the requested page has permanently moved, followed by a Location header that refers the client to the correct URL over https. The cfcontent reset is used to throw away any content already generated up to this point in the code so that it is not sent back to the client.

<!--- cgi.https is "on" only when the request itself arrived over TLS --->
<cfif cgi.https IS NOT "on">
    <!--- discard any output already buffered so that only the redirect is sent --->
    <cfcontent reset="true">
    <cfheader statuscode="301" statustext="Use SSL">
    <!--- redirects to the site root; the requested path and query string are not preserved --->
    <cfheader name="Location" value="https://#cgi.http_host#">
    <cfabort>
</cfif>

The above example relies on the application to perform the SSL check. If you have control over your web server, you may be able to move the check up a level by using URL rewriting or a web server-specific setting.
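As an added example (not the post's own code), here is the same check extended to keep the requested path and query string, and to recognise a secure request when TLS is terminated at a load balancer or reverse proxy in front of ColdFusion, where cgi.https is never "on". It assumes the proxy sets an X-Forwarded-Proto header; the header name and the one-year HSTS lifetime are assumptions, not something the post states.

```cfml
<!--- Added example, not the original post's code.
      Behind a TLS-terminating proxy cgi.https stays "off", so the plain
      check above would redirect forever. Assumes the proxy sets the
      X-Forwarded-Proto header (an assumption about your deployment). --->
<cfset headers = getHttpRequestData().headers>
<cfset forwardedProto = "">
<cfif structKeyExists(headers, "X-Forwarded-Proto")>
    <cfset forwardedProto = headers["X-Forwarded-Proto"]>
</cfif>
<cfset isSecure = (cgi.https IS "on") OR (lCase(forwardedProto) IS "https")>

<cfif NOT isSecure>
    <!--- rebuild the requested URL over https, keeping path and query string --->
    <cfset target = "https://" & cgi.http_host & cgi.script_name>
    <cfif len(cgi.query_string)>
        <cfset target &= "?" & cgi.query_string>
    </cfif>
    <!--- drop any buffered output, then send the permanent redirect --->
    <cfcontent reset="true">
    <cfheader statuscode="301" statustext="Use SSL">
    <cfheader name="Location" value="#target#">
    <cfabort>
<cfelse>
    <!--- request is already secure: ask the browser to stay on https for
          a year (assumed lifetime) so later requests never start over http --->
    <cfheader name="Strict-Transport-Security" value="max-age=31536000">
</cfif>
```

Only trust X-Forwarded-Proto when the proxy is the sole path to the application server; otherwise a client can set the header itself and skip the redirect.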

Basic Web Application Security - SQL Injection

Web application security is growing to be an interest of mine, especially after going through a round of audits against the application that pays my salary. With those audits (almost) behind me, my intent is to write a series of articles detailing some of the common vulnerabilities found in web applications and how they can be resolved in ColdFusion.

First up, SQL injection.
