ASCII / Cast() Attacks
"It was the best of times, it was the worst of times..."
So this latest Cast()/ASCII attack has now got many people's attention. The fix for it is very simple: do some basic data validation and make certain to parameterize variables before sending to a database. CFQueryParam has been around since ColdFuson 4.5 (that's roughly 10 years now). Why are people still not using it? My CFC based filter, Portcullis , can also provide protection against this latest xss attack, but I would like to address a bigger issue with this.
Some will make the necessary changes others will not and life goes on. The bigger point I would like to make is that this is only two attack vectors: sql injection and XSS. There are many more that I see people simply ignore or do nothing about. If the cast/ascii hack scared you a bit, that fear is really a good thing, because there is a lot more to consider with your applications.
Here are just a few of the bigger attacks that a web application should take into account:
-SQL Injection, injection sql code
-Cross-site request forgery (CSRF), similar to XSS but intended to authorize single operation attacks.
-Insecure urls, accessible webservices, cfcs, cfml pages that don't check for authorization, etc.
-Weak SSL Ciphers, allowing a 40bit cipher when 256bit should be the only one used. By default, the vulnerability is allowed with IIS servers.
Using CFQueryParam is not going to fix all of this and neither will CFStoredProc. Sorry, but security is work. There are no short cuts. Here is a small list of things to think about if you really want to start getting ahead of these things.
- Develop data validation rules for your application that will carefully look over the data before sending to a database. val() and cfqueryparam() are simply not enough.
- Are you validating files you upload to the server? I really shouldn't have to explain why do I :)
- Log the activity, it's not enough to block or attempt to block the attacks. You should log and actively monitor things.
- Check your session management, are you passing cfid and cftokens in your urls? Someone can easily steal a session with this information.
- Consider using SSL more, for example many login forms I see are not protected with a basic SSL cert
- Does the entire world really need to have access to your admin login screen? Try to restrict access to critical areas as much as possible. Limit login attempts, etc. Does a user in Vietname really need to be able to make 10,000 login attempts to your admin area without anything to block them?
- Check your CFCs, are you allowing outside remoting calls to them? Is your Flash remoting configuration in ColdFusion, BlazeDS or LCDS allowing access to public methods in your CFCs? You can also restrict remoting access to just a few CFCs instead of allowing any CFC to be called. For example, the "<source>*</source>" in your configuration is defaulted to access any CFC on your server. Why not limit that down a bit.
- Make certain your compiled Flash and Flex files aren't the debug versions. In flex, do a build export to make a true production version of your swf. Otherwise, you'll expose a lot of information to a hacker.
- Limit the permissions of your datasources, if it simply read/writes information, you don't need to give the login full database owner (DBO) level permissions to also alter or create tables.
- Limit the permissions of the ColdFusion server, the default install has full local system rights. Create a coldfusion user that has just enough rights to run the server. I explain how to do this here.
This, of course, is just a start. Security is NOT a one time event. It's a continuous process that we as system administrators, managers, and developers all have to do to everyday.
The original quote from above is from a Tale of Two Cities by Charles Dickens. Though not his best effort, it certainly has some good lines. The rest of the passage could probably apply easily to our own time.
"It was the best of times, it was the worst of times; it was the age of wisdom, it was the age of foolishness; it was the epoch of belief, it was the epoch of incredulity; it was the season of Light, it was the season of Darkness; it was the spring of hope, it was the winter of despair; we had everything before us, we had nothing before us; we were all going directly to Heaven, we were all going the other way."