ASCII / Cast() Attacks

Jul 22, 2008

"It was the best of times, it was the worst of times..."

So this latest Cast()/ASCII attack has now got many people's attention. The fix for it is very simple: do some basic data validation and make certain to parameterize variables before sending to a database. CFQueryParam has been around since ColdFuson 4.5 (that's roughly 10 years now). Why are people still not using it? My CFC based filter, Portcullis , can also provide protection against this latest xss attack, but I would like to address a bigger issue with this.

Some will make the necessary changes others will not and life goes on. The bigger point I would like to make is that this is only two attack vectors: sql injection and XSS. There are many more that I see people simply ignore or do nothing about. If the cast/ascii hack scared you a bit, that fear is really a good thing, because there is a lot more to consider with your applications.

Here are just a few of the bigger attacks that a web application should take into account:
-SQL Injection, injection sql code
-Cross-site scripting (XSS), injecting javascript and/or other code that executes on the victims browser.
-Cross-site request forgery (CSRF), similar to XSS but intended to authorize single operation attacks.
-Insecure urls, accessible webservices, cfcs, cfml pages that don't check for authorization, etc.
-Weak SSL Ciphers, allowing a 40bit cipher when 256bit should be the only one used. By default, the vulnerability is allowed with IIS servers.

Using CFQueryParam is not going to fix all of this and neither will CFStoredProc. Sorry, but security is work. There are no short cuts. Here is a small list of things to think about if you really want to start getting ahead of these things.

- Develop data validation rules for your application that will carefully look over the data before sending to a database. val() and cfqueryparam() are simply not enough.
- Are you validating files you upload to the server? I really shouldn't have to explain why do I :)
- Log the activity, it's not enough to block or attempt to block the attacks. You should log and actively monitor things.
- Check your session management, are you passing cfid and cftokens in your urls? Someone can easily steal a session with this information.
- Consider using SSL more, for example many login forms I see are not protected with a basic SSL cert
- Does the entire world really need to have access to your admin login screen? Try to restrict access to critical areas as much as possible. Limit login attempts, etc. Does a user in Vietname really need to be able to make 10,000 login attempts to your admin area without anything to block them?
- Check your CFCs, are you allowing outside remoting calls to them? Is your Flash remoting configuration in ColdFusion, BlazeDS or LCDS allowing access to public methods in your CFCs? You can also restrict remoting access to just a few CFCs instead of allowing any CFC to be called. For example, the "<source>*</source>" in your configuration is defaulted to access any CFC on your server. Why not limit that down a bit.
- Make certain your compiled Flash and Flex files aren't the debug versions. In flex, do a build export to make a true production version of your swf. Otherwise, you'll expose a lot of information to a hacker.
- Limit the permissions of your datasources, if it simply read/writes information, you don't need to give the login full database owner (DBO) level permissions to also alter or create tables.
- Limit the permissions of the ColdFusion server, the default install has full local system rights. Create a coldfusion user that has just enough rights to run the server. I explain how to do this here.

This, of course, is just a start. Security is NOT a one time event. It's a continuous process that we as system administrators, managers, and developers all have to do to everyday.

Note:
The original quote from above is from a Tale of Two Cities by Charles Dickens. Though not his best effort, it certainly has some good lines. The rest of the passage could probably apply easily to our own time.

"It was the best of times, it was the worst of times; it was the age of wisdom, it was the age of foolishness; it was the epoch of belief, it was the epoch of incredulity; it was the season of Light, it was the season of Darkness; it was the spring of hope, it was the winter of despair; we had everything before us, we had nothing before us; we were all going directly to Heaven, we were all going the other way."

 

Comments

Roland Girouard

Roland Girouard wrote on 07/23/08 12:42 AM

Great info, am I correct that http://portcullis.riaforge.org/ will only work with cf6 or later? We are stuck w/5 at the moment but are in the process of upgrading to cf8. unfortunately it is a fairly large site written by 10 different programmers, in 10 different ways. ;(

Any help with a quick fix for CF5 is appreciated. I have learned a lot today about CFQUERYPARAM and understand the importance but I think that would be quite the project with a site like ours.. Then again, I'm just the SEO guy so what do I know...

Thanks~ Hurtin' for certain
John Mason

John Mason wrote on 07/23/08 12:56 AM

Yep that is correct since it's a CFC.

However, Portcullis was inspired by an older custom tag, called xssblock and written by Shawn Gorrell, which hits many of the same points. This will work on CF5 and older.

http://www.illumineti.com/documents/xssblock.txt
Roland Girouard

Roland Girouard wrote on 07/23/08 1:10 AM

Can't thank you enough... Now, if I can just get some time from our very busy programmer, perhaps we can stop this thing.... BTW, Would you be interested in sharing any comments on our immediate plan to move from CF5 / SQL7 to CF8/MySql?
Eventually I'm thinking php with mysql since programmers for coldfusion seem hard to come by these days...

Again, thanks for the help~
Roland Girouard

Roland Girouard wrote on 07/23/08 1:33 AM

Looking for help to implement the
http://www.illumineti.com/documents/xssblock.txt on smtnet.com. Of course willing to pay. Right now I'm running sql queries to fix what i can. For instance, UPDATE databasename
set source = replace (source,'"></title><InvalidTag src="http://1.verynx.cn/w.js"></script><;!--','')

This is working but I'm not sure I can keep up with this thing and I do have to go to bed at some point. So, any pointing to immediate help for this fix would be great.
John Mason

John Mason wrote on 07/23/08 1:43 AM

PHP has a bigger following, but much of the code is substandard in my opinion. Their Security Response Group has also had a number of defections and other problems. For example, http://www.darkreading.com/document.asp?doc_id=112994. Looks like many of the quality coders in the PHP world have moved on to other things.

ColdFusion, if coded properly, is a great language. Try to create a pdf or image in another language and get ready to write a ton of code. Part of your problem is you are looking for a ColdFusion programmer. Yep, there are few that are currently available. There is a lot of demand for CFers. My recommendation is to find a solid programmer (perhaps right out of college). CF is extremely easy to learn for a trained programmer. Perhaps just a weekend. This also holds true for people looking for Flex developers. Just look for a programmer, they can learn the syntax in a couple of days without much of a problem.

ColdFusion 8 is a world apart from CF 5. It does run on Java, so things like memory management are quite different. You just need to fully test out things before upgrading. You got about 7 years of catch up - so it's going to take some work.

SQL Server or MySQL - unless MySQL adds a lot more features. I would stick with SQL Server. For the price, there are few database engines that are better. From transactional logging to resource governors (coming in SS 2008), SQL Server is probably one of the few products from Microsoft that I truly like.
John Mason

John Mason wrote on 07/23/08 1:48 AM

Setup is fairly simple.

Consider restricting access to your site first. Otherwise the attack will simply undo your efforts to clean things up.

Next put the xssblock.cfm page in your custom tags directory.

Then in your application.cfm or application.cfc call the custom tag <cf_xssblock.../>

You may need to modify some of the settings for the tag. So test a few settings and when you think you got it, open the access back up.
Roland Girouard

Roland Girouard wrote on 07/23/08 2:09 AM

Thanks, thought I could get through it myself. I got to the step of trying to update the application.cfm file but I have no clue how to call the custom tag. You are dealing with a non-programmer here unfortunately...

Here is what application.cfm file has for code (this is the application.cfm file found in CFAppMan. Am I at least in the right place?

<!--- SourceSafe $Logfile: /Forums/CFAppMan/Application.cfm $ $Revision: 7 $ $Date: 2/08/99 5:08p $
*
*
--->


<!--- enable the client management --->
<CFAPPLICATION name = "AppManager" clientmanagement="yes">

<CFIF Server.OS.Name is "UNIX">
   <CFSET DSEPAR = "/">
<CFELSE>
   <CFSET DSEPAR = "\">
</CFIF>


<!--- global settings --->
<CFSET DSN = "CFApplications">
<CFSET FONTSIZE = "1">
<CFSET FONTFACE = "MS Sans Serif">
<CFSET GROUP_ADMINISTRATORS = 1>


<CFIF ParameterExists(Form.UserName) and ParameterExists(Form.Password)>
   <!--- handle the passed login params --->
   <CFINCLUDE template="Login_Action.cfm">
</CFIF>



<!--- retrieve admin's record --->
<CFQUERY name="Admin" datasource="#DSN#" maxrows=1>
   SELECT *
   FROM Administrators
   WHERE CFID = #Val(Client.CFID)#
      AND CFTOKEN = #Val(Client.CFTOKEN)#
</CFQUERY>


<CFIF Admin.RecordCount is not 0 and ParameterExists(Username)>
   <CFCOOKIE name="CFAppMan_Open" value="1">
</CFIF>

<CFIF Admin.RecordCount is 0 or not ParameterExists(Cookie.CFAppMan_Open)>
   <!--- authentication failed - force login --->
   <CFIF ParameterExists(Username)>
      <CFSET ErrorMessage = "Login Failed - try again">
   </CFIF>
   <CFINCLUDE template="Login_Form.cfm">
   <CFABORT>
</CFIF>
Roland Girouard

Roland Girouard wrote on 07/23/08 2:54 AM

Well, I don't think I broke anything, I simply added this line of code to the bottom of app file: <CFINCLUDE template = “xssblock.cfm”>
Roland Girouard

Roland Girouard wrote on 07/23/08 1:13 PM

Attacked again, url subdomain changed this time. Obviously I didn't set that script up right
John Mason

John Mason wrote on 07/23/08 1:38 PM

You can email me directly about this at..

mason at fusionlink.com

Write your comment



(it will not be displayed)