From 2012 to 2013, vulnerable Adobe ColdFusion servers came under attack by the hacktivist group Anonymous, allegedly including British hacker Lauri Love. Operation Last Resort, as Anonymous named it, affected many government servers, including those of NASA, the US Army, and the Federal Reserve. How was all of this achieved? Love and Anonymous used a technique known as SQL injection to break into “secure” databases. In October 2013, Love was arrested and had his assets and computers seized. As of 2018, his extradition to the United States has been denied due to a pre-existing mental condition. He currently awaits trial in England for his involvement in the crimes.
No server is 100% secure. However, this does not mean you shouldn’t strive for the highest level of security possible for your CFML servers and databases. Security vulnerabilities can take a major toll on your projects, clients, and companies. There are many ways that hackers can invade your CFML codebases. Fortunately, there are many ways you can prevent these types of attacks. Let’s find out what causes these attacks and how you can avoid them.
What You Should Know as CIO
Previously, cybersecurity concerns fell mainly on CSOs and CTOs. However, that is rapidly changing. CIOs should be more concerned than ever about the security and integrity of their CFML databases. The number one reason for this is that the attack surface available to hackers has expanded. For many modern businesses, basic manuals and agendas have been digitized, and these can offer an easy point of entry for those with malicious intent.
Retail supergiant Target has recently suffered a data breach in which personal customer data became vulnerable. The latest reports show that Target has paid over $200 MILLION in damages and legal fees. Security needs to become a priority objective for CIOs at any level. Done properly, cyber security provides no bonus income to the company; it provides a safety net for both the company’s reputation and its current assets. As a word of advice, CIOs should make reviewing their security concerns part of their quarterly agendas.
A great way to regulate what needs to be completed is to establish a direct chain of command between CIOs and those who are best able to discern security problems. Many companies have an outdated way of reporting security concerns to the company board and executives. Create a proper system to address these problems and help prevent future headaches for your company’s reputation and bottom line. Cyber security is monumental to modern-day CIOs.
For the Devs
To know how to fix the problem of hackers, you must first understand how hackers can infiltrate your system. This can happen in any number of ways. It is pivotal to stay on top of your security protocol.
How Hackers Infiltrate
The Evaluate Function
According to Pete Freitag, the evaluate function is one of the biggest windows of opportunity for hackers. The evaluate function was used mainly back in ColdFusion 3 and 4, but it is rarely needed in modern CFML and ColdFusion versions. It was used primarily because, at the time, scopes were not yet structures. The function is most commonly seen in older codebases. The evaluate function essentially executes CFML statements: anything that could be placed inside a CFSET tag can be executed via evaluate, so any expression built from variables can be exploited through it. This is very handy for anyone attempting to get into your machine; it can mean that virtually any function you can think of, including creating fresh new files with the intent to harm your system, becomes reachable. The fix is rather simple: instead of using the evaluate function, use square bracket notation.
For example, for forms code just use:
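The evaluate() pattern beside its square-bracket replacement, as an added example that is not from the original article; the sample form contents and the list of allowed field names are constructed for illustration:

```cfml
<cfscript>
// Added example, not from the original article. Reads a form field whose name
// is chosen at runtime, first with evaluate() and then with bracket notation.
// The form values and the allowed-field list below are constructed.
form.firstName = "Ada";
form.lastName  = "Lovelace";

// Old pattern: evaluate() parses and executes CFML source text. If any part of
// that string is built from a request, the request author decides what runs.
function readFieldOld(required string fieldName) {
    return evaluate("form." & arguments.fieldName);
}

// Replacement: scopes are structs, so index them by key. The key is treated
// as data only, and is checked against the fields this page actually expects.
function readField(required string fieldName) {
    var allowed = ["firstName", "lastName"];
    if (!arrayFindNoCase(allowed, arguments.fieldName)) {
        throw(type="InvalidField", message="Unexpected form field: " & arguments.fieldName);
    }
    return form[arguments.fieldName];
}

writeOutput(readField("firstName"));
</cfscript>
```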
Storing API Keys within your Code
Nowadays, APIs are used in many if not most developers’ code. A common sight is API keys, passwords, and encryption keys used for encrypting data found directly in the code itself. This is wrong for any number of reasons. The code is hopefully stored on a proper version control system, and these systems place your code on a third-party resource. Any user who then has access to your ColdFusion server now has direct access to your API keys. This can become very dangerous. The best way to avoid this is to make use of a key management service. Microsoft Azure and Amazon Web Services (AWS) both have excellent key management services. There is no reason for your keys to be left out in the open for anyone to take and use to access your code.
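One way to keep a key out of source, as an added example that is not from the original article: the secret is read from the server environment, which a key management service or deployment tooling populates; the variable name PAYMENT_API_KEY is an assumption.

```cfml
<cfscript>
// Added example, not from the original article. Reads a secret from the
// server environment instead of from source. The variable name
// PAYMENT_API_KEY is constructed for illustration.

// What the article warns against: a secret committed alongside the code.
// apiKey = "sk_live_EXAMPLE_DO_NOT_DO_THIS";

// Read the secret from the environment the server was started with. A key
// management service or deploy step supplies it, so nothing secret reaches
// version control or the repository host.
function getSecret(required string name) {
    var value = createObject("java", "java.lang.System").getenv(arguments.name);
    if (isNull(value) || !len(value)) {
        // Fail closed: a missing secret is a deployment error, not something
        // to paper over with a hard-coded default.
        throw(type="MissingSecret", message="Environment variable " & arguments.name & " is not set");
    }
    return value;
}

apiKey = getSecret("PAYMENT_API_KEY");
// Keep the key in memory only; never log it or render it into a page.
</cfscript>
```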
ColdFusion Session Hijacking
Pete defines session hijacking as an attacker being able to figure out what the session ID values are for a particular user. Session IDs must be protected at all costs; this is the best way to avoid session hijacking. Make use of SessionRotate. Whenever a user logs in, SessionRotate creates a new session ID, which minimizes the chance of someone gaining access to your session ID. Another easy fix is to simply invalidate session IDs after the session is complete. This can be achieved by using the SessionInvalidate function.
Perhaps the most common way hackers break into your database and manipulate your code is through SQL injection. SQL injection is the placement of malicious code into your SQL statements. Although it cannot be ruled out entirely, SQL injection can be prevented through the use of CfQueryParam in your SQL queries. Remember to always keep your guard up. Remain vigilant.
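A login and logout component that puts the SessionRotate, SessionInvalidate and query-parameter advice above together, as an added example that is not from the original article. The users table, the appDSN datasource and the verifyPassword helper (assumed to be supplied elsewhere in the application) are assumptions.

```cfml
// Added example, not from the original article: Auth.cfc. The "users" table,
// the "appDSN" datasource and verifyPassword() are assumed for illustration.
component {

    public boolean function login(required string username, required string password) {
        // Every user-supplied value is bound as a parameter, so the database
        // receives it as data and never parses it as part of the SQL text.
        var q = queryExecute(
            "SELECT id, password_hash FROM users WHERE username = :username",
            { username = { value = arguments.username, cfsqltype = "cf_sql_varchar", maxlength = 64 } },
            { datasource = "appDSN" }
        );
        if (q.recordCount != 1) {
            return false;
        }
        // Assumed helper that checks the password against the stored hash.
        if (!verifyPassword(arguments.password, q.password_hash)) {
            return false;
        }
        // Issue a fresh session ID on login, so an ID observed before
        // authentication cannot be used to ride the authenticated session.
        sessionRotate();
        session.userId = q.id;
        return true;
    }

    public void function logout() {
        // Drop the server-side session entirely; the old ID is no longer valid.
        sessionInvalidate();
    }
}
```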
The next way hackers get into your system is through social engineering: somebody convinces you to give out your passwords. This may seem like a no-brainer, but don’t give your passwords out to anybody. You might be surprised how many people leave their passwords on yellow sticky notes around their work stations. These individuals are also more likely to give them out over the phone to anyone claiming to be from the IT department. For those who have trouble remembering passwords, use a secure password manager.
Best Practices and Security Tools
By following Best Practices and using security tools, you can verify that you have the absolute best protection for your CFML codebase and servers. Here are 8 Best Practices you should follow when creating, deploying, and maintaining your CFML projects.
- Understand Basic ColdFusion. This sounds like another no-brainer, but failure to understand your platform can lead to gross amounts of human error. Human error leads to an obscene degree of improper coding, and that carries over to security concerns as well.
- Write in Security. By writing secure code and building security into the design, you can minimize the number of attacks. If an attack does occur, an extra level of cryptography or security will minimize its effects.
- Ensure your Security. Be careful to maintain proper code design. When coding is complete, use proper security testing to make sure your system is as secure as you believe it is.
- Secure Deployment. Along with proper testing, use security tools that further hamper malicious attacks on your software. Sometimes an extra layer of security will do the trick.
- Verify Code Compliance. Compliance standards are set for a reason. Make sure your code is up to snuff when publishing, to catch easily preventable attacks.
- Train Yourself and Your Team. Cybersecurity is an ever-changing battlefield. Stay up to date on current threats and the countermeasures for them. Continue to train yourself and your team on the current standards for software development.
- Update your Platform. When ColdFusion releases new security updates…UPDATE. Many web app attacks could have been easily prevented by keeping the platform updated. There is no need to go through a full security incident because of simple complacency. Stay vigilant with your security updates.
- Backup regularly. Be sure to perform regular backups of your OS and databases.
Use these best practices in conjunction with tools designed to improve the security of your ColdFusion projects.
Hackmycf is a great third-party tool developed by Pete Freitag, founder of CFML security firm Foundeo. The tool works with Adobe ColdFusion, Railo, and Lucee. Hackmycf works by sending a series of requests to your website to look for the absence of security hotfixes. After you register your site with Hackmycf, it sends back a security report. This report is broken down in several ways, including by the level of security vulnerability:
- Issues that pose an immediate security risk. These must be taken care of ASAP.
- Issues that pose a security risk under certain conditions. These should be taken care of in an expedited manner.
- Issues that need to be fixed but pose no serious danger at the time.
Along with sending security threat information, the tool also gives you a TLS/SSL report on your server, including protocol reports. Recommendations are also made based on this report to verify that you are up to date.
Hackmycf can currently detect over 120 different security issues. Some of these are:
- ColdFusion Administrator is Public
- Lucee Docs are Public
- Server Header Version Disclosure
- ColdFusion Example Applications Installed
- Probe Unable to Check Hotfix Directory
- JSON Prefix is disabled
- Cross Site Scripting Vulnerability CVE-2010-1293
- Tomcat 7 Vulnerability
- Bitcoin Miner Discovered
- AdminAPI Exposed to the Public
- Lucee JSON Vulnerability LDEV-992
- OpenBD AdminAPI Exposed to the Public
The list is constantly updated as new issues are discovered.
There are multiple packages available. Some even come with free ColdFusion security consultations.
FuseGuard is another security tool created by Pete Freitag and Foundeo Inc. It is a ColdFusion specific Web Application Firewall (WAF) that protects against common hacker exploits.
It inspects all web requests before your CFML code executes. If it spots a malicious request, it can either log it or block further execution completely. It stops common attacks against CF applications, including:
- Malicious File Uploads
- Remote Code Execution
- Cross Site Scripting (XSS)
- SQL Injection
- Session Hijacking
- Cross Site Request Forgery
- Path Traversal Attacks
- Null Byte Injection
- Password Dictionary Attacks
- CRLF Injection
- Malicious User Agents
- XML Entity Injection
- XML External DTD Injection
According to the FuseGuard ColdFusion Web Application Firewall Documentation, this is how FuseGuard works.
A request comes in and is sent to the firewall via your Application.cfm or Application.cfc file.
The firewall runs each filter that you have configured, and the filter returns a threat level of 0-10 (10 being the most dangerous).
If a filter returns a threat level greater than or equal to your configured block level, the request is blocked, and remaining filters are not executed.
If a filter returns a threat level greater than or equal to your configured log level, the request is logged.
You can write your own custom logger or use one of the loggers included with the product.
If a filter returns a threat level greater than or equal to your configured filter level the request is filtered, meaning we attempt to escape or strip malicious characters. Not all filters support this operation.
If the request makes it through all filters successfully the request is allowed to continue to your Application.
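A small model of the block / log / filter decision described in the documentation steps above, as an added example that is not FuseGuard’s code: the two filters, the threat levels they return and the sample request are constructed, and a real deployment uses FuseGuard’s own filters and configuration.

```cfml
<cfscript>
// Added example, not FuseGuard's code: models the block / log / filter
// decision from the documentation. Filters, levels and request are constructed.
config = { blockLevel = 7, logLevel = 4, filterLevel = 5 };

// Each filter inspects the request and returns a threat level from 0 to 10,
// plus a cleaned copy of the offending parameter where it can produce one.
filters = [
    function(req) {
        // Constructed check: an unusually long parameter value.
        return { name = "length", level = len(req.params.q) > 200 ? 8 : 0, canFilter = false };
    },
    function(req) {
        // Constructed check: angle brackets in a search term, with an escaped
        // version offered in case the level calls for filtering.
        var suspect = reFind("[<>]", req.params.q) > 0;
        return { name = "angle", level = suspect ? 5 : 0, canFilter = true,
                 cleaned = encodeForHTML(req.params.q) };
    }
];

function runFirewall(required array filters, required struct config, required struct req) {
    var events = [];
    for (var f in arguments.filters) {
        var r = f(arguments.req);
        if (r.level >= arguments.config.blockLevel) {
            arrayAppend(events, "BLOCK " & r.name & " level " & r.level);
            return { allowed = false, events = events };   // remaining filters are not run
        }
        if (r.level >= arguments.config.logLevel) {
            arrayAppend(events, "LOG " & r.name & " level " & r.level);
        }
        if (r.level >= arguments.config.filterLevel && r.canFilter) {
            arguments.req.params.q = r.cleaned;            // escape, then continue
        }
    }
    return { allowed = true, events = events };            // hand off to the Application
}

result = runFirewall(filters, config, { params = { q = "<b>hello</b>" } });
</cfscript>
```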
This is a godsend if you have old or insecure code that you haven’t had time to fix yet. But don’t rely only on a WAF because hackers are always evolving new exploits. Reviewing your code for security vulnerabilities and remediating them is always recommended.
Getting started with FuseGuard is extremely simple as well. FuseGuard supplies the installation folder and the code required for setup. The whole process can be accomplished in less than 10 minutes.
FuseGuard is supported on the following platforms:
- Adobe ColdFusion versions 9, 10, 11, 2016, and 2018
- Lucee 4.5 and 5
- Railo 4
ColdFusion 2018 Auto Lockdown Feature
With the release of Adobe ColdFusion 2018 came one of the best aids to CFML security: the auto lockdown feature. This feature automatically goes through the full process of locking down your CFML servers and databases. It helps to eliminate the human error component of manually locking down your project. With one simple click, full lockdown procedures are systematically applied, making sure all security measures are fail-safe and within compliance. After the lockdown, all systems are continuously monitored for breaches and potential security threats.
Remember, the security of your CFML projects is not something to be taken lightly. One intruder can take down your entire network and expose vulnerabilities for future attack. A lack of proper security can have seriously damaging effects on your company’s profit margin and reputation. Be sure to take advantage of every option available to ensure the safe continuous operation of your CFML servers and databases.
And to continue learning how to make your ColdFusion apps more modern and alive, I encourage you to download our free ColdFusion Alive Best Practices Checklist.
Because… perhaps you are responsible for a mission-critical or revenue-generating CF application that you don’t trust 100%, where implementing new features is a painful ad-hoc process with slow turnaround even for simple requests.
What if you have no contingency plan for a sudden developer departure or a server outage? Perhaps every time a new freelancer works on your site, something breaks. Or your application availability, security, and reliability are poor.
And if you are depending on ColdFusion for your job, then you can’t afford to let your CF development methods die on the vine.
You’re making a high-stakes bet that everything is going to be OK using the same old app creation ways in that one language — forever.
All it would take is for your fellow CF developer to quit or for your CIO to decide to leave the (falsely) perceived sinking ship of CFML and you could lose everything—your project, your hard-won CF skills, and possibly even your job.
Luckily, there are a number of simple, logical steps you can take now to protect yourself from these obvious risks.
No Brainer ColdFusion Best Practices to Ensure You Thrive No Matter What Happens Next
Modern ColdFusion development best practices that reduce stress, inefficiency, project lifecycle costs while simultaneously increasing project velocity and innovation.
√ Easily create a consistent server architecture across development, testing, and production
√ A modern test environment to prevent bugs from spreading
√ Automated continuous integration tools that work well with CF
√ A portable development environment baked into your codebase… for free!
Learn about these and many more strategies in our free ColdFusion Alive Best Practices Checklist.