<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Thinking Lemur &#187; Security</title>
	<atom:link href="http://thinkinglemur.com/index.php/category/thinking/windows/security-windows/feed/" rel="self" type="application/rss+xml" />
	<link>http://thinkinglemur.com</link>
	<description>from the mind of Donnie Bachan</description>
	<lastBuildDate>Fri, 06 Jan 2012 10:42:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Setting secure attribute of JSESSIONID cookie in ColdFusion 8</title>
		<link>http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/</link>
		<comments>http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/#comments</comments>
		<pubDate>Tue, 24 Feb 2009 10:57:55 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cookies]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=177</guid>
		<description><![CDATA[As part of PCI compliance our servers were run through third party security auditing and one warning we received was "Missing Secure Attribute in an Encrypted Session (SSL) Cookie". This warning referred to the JSESSIONID cookie being set in our SSL enabled pages not having the SECURE attribute set. In ColdFusion there is no way [...]]]></description>
			<content:encoded><![CDATA[
<p>As part of PCI compliance our servers were run through third party security auditing and one warning we received was "Missing Secure Attribute in an Encrypted Session (SSL) Cookie". This warning referred to the JSESSIONID cookie being set in our SSL enabled pages not having the SECURE attribute set. In ColdFusion there is no way for you to do this programmatically (since you would not explicitly create the JSESSIONID cookie) or even via the administrator. After a lot of searching and reading I found the solution thanks to a comment on this post:</p>
<p><a href="http://www.bennadel.com/blog/785-Ask-Ben-Hiding-Encrypting-ColdFusion-CFID-And-CFTOKEN-Values.htm">http://www.bennadel.com/blog/785-Ask-Ben-Hiding-Encrypting-ColdFusion-CFID-And-CFTOKEN-Values.htm</a></p>
<p>The solution is quite simple, add:</p>
<blockquote><p>&lt;cookie-config&gt;<br />
&lt;cookie-secure&gt;true&lt;/cookie-secure&gt;<br />
&lt;/cookie-config&gt;</p></blockquote>
<p>after the &lt;/persistence-config&gt; element in your jrun-web.xml file which is usually located in C:\JRun4\servers\yourservername\cfusion-ear\cfusion-war\WEB-INF\jrun-web.xml. If you are running in multiserver mode of CF Enterprise and have multiple application instances, you must add this to the jrun-web.xml of every application instance.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/02/setting-secure-attribute-of-jsessionid-cookie-in-coldfusion-8/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web data security paranoia</title>
		<link>http://thinkinglemur.com/index.php/2009/02/web-data-security-paranoia/</link>
		<comments>http://thinkinglemur.com/index.php/2009/02/web-data-security-paranoia/#comments</comments>
		<pubDate>Mon, 23 Feb 2009 13:41:48 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[database]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[SQL Server]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=174</guid>
		<description><![CDATA[My recent experiences with several hacking attacks have made me think more about application and data security on the web. In today's world nothing can be taken for granted and security should be of the highest concern, no matter how simple you think your application or trivial the data you store. Many web applications are [...]]]></description>
			<content:encoded><![CDATA[
<p>My recent experiences with several hacking attacks have made me think more about application and data security on the web. In today's world nothing can be taken for granted and security should be of the highest concern, no matter how simple you think your application or trivial the data you store. Many web applications are hosted on shared servers or virtual private servers where the first line of defense is often left to the hosting provider. The first line of defense is perimeter security such as hardware firewalls and other network related prevention. You are also in the hands of the hosting provider when it comes to software security, that is, your operating system, web server, application servers and scripting languages and ftp patches.</p>
<p>The first thing that any good security plan should have is a proper review of these basic things. Contact your hosting provider and find out about patch management and other security options that may be their responsibility. If you manage your own server then you need to be aware of firewalls (software or hardware), antivirus, patch management and user security.</p>
<p>Now, on to your web application security. In my previous article on <a href="http://thinkinglemur.com/index.php/2009/02/preventing-sql-injection-attacks-in-coldfusion/">preventing sql injection attacks in coldfusion</a>  there are quite a few tips for securing the applications. One other place developers tend to ignore is the transmission of data to and storage of data in the database. So let's look at some of the options for securing data.</p>
<p><strong>Database access:</strong></p>
<p>If your budget supports it, the first thing that should be implemented would be to have your database on a separate physical machine from your application server or public web server. This has two positive effects. Firstly, moving the database server to another machine will take the load off the web server or application server which can only be a good thing. Secondly, your public web server would be the first machine to be attacked, thus if a breach were to occur having the database on another machine would add some level of defense.</p>
<p>Ensure that the web application database user has the bare minimum rights to the database. That is, if the web application has no need to add tables or drop tables then the user should not have CREATE or DROP rights. Ensure that under no circumstances does your web application use ROOT, SA or any other master login to access your database. Create a separate user for each application and give it the required rights.</p>
<p>One other thing I like to do is limit remote access to the database; if you can get SSH/RDP access to the server, limit that to specific IP addresses. This causes remote administration to be a pain but the security benefits outweigh the inconvenience.</p>
<p> </p>
<p><strong>Data storage:</strong></p>
<p>Now, once you have the correct rights on your database and secured it from web access the next step would be to secure the actual data being stored. You will want to ensure that the forms that submit information are secured with a valid strong SSL certificate. Now, you may not be interested in using SSL encryption for all forms on  your site but it is a good practice to secure forms such as registration, login, shopping carts and checkout forms. Basically, any form that has any user information should be secured.</p>
<p>This same thinking should extend to storing the data in the database. Many developers encrypt passwords and store them in the database, but I think other things like usernames, email addresses and any other information that can potentially be regarded as sensitive information should be encrypted and stored in the database. There are two options for this. Let the database encrypt the data for you or let your application encrypt the data before it is inserted in the database.</p>
<p>In SQL Server 2005, you can achieve this using some special functions. You can read more about this method in the following articles:</p>
<blockquote><p><a href="http://www.sql-server-performance.com/articles/dev/encryption_2005_1_p1.aspx">http://www.sql-server-performance.com/articles/dev/encryption_2005_1_p1.aspx</a></p>
<p><a href="http://www.sql-server-performance.com/articles/dev/encryption_2005_2_p1.aspx">http://www.sql-server-performance.com/articles/dev/encryption_2005_2_p1.aspx</a></p></blockquote>
<p>Other popular databases would have similar features.</p>
<p>The other option would be to encrypt the data before storing it in the database and then decrypting it when it needs to be used. In ColdFusion, this can be achieved using the encrypt and decrypt functions. These functions allow you to choose an encryption algorithm (SHA1, Blowfish etc) and a security key. The major drawback to this method is speed. This would slow down the communication of data between the web application and the user, however I think this is a fair trade off for the security conscious.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/02/web-data-security-paranoia/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Preventing SQL Injection attacks in ColdFusion</title>
		<link>http://thinkinglemur.com/index.php/2009/02/preventing-sql-injection-attacks-in-coldfusion/</link>
		<comments>http://thinkinglemur.com/index.php/2009/02/preventing-sql-injection-attacks-in-coldfusion/#comments</comments>
		<pubDate>Tue, 17 Feb 2009 14:17:32 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=143</guid>
		<description><![CDATA[This is an article I came across on Ben Forta's blog. This gives some very good tips on preventing SQL  injection attacks and provides some excellent best practices.  http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html When I took up my current position we had to do a vulnerability scan to become PCI compliant and well we originally failed horribly. After much [...]]]></description>
			<content:encoded><![CDATA[
<p>This is an article I came across on <a href="http://www.forta.com">Ben Forta's blog</a>. This gives some very good tips on preventing SQL  injection attacks and provides some excellent best practices.</p>
<blockquote><p> <a href="http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html">http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html</a></p></blockquote>
<p>When I took up my current position we had to do a vulnerability scan to become PCI compliant and well we originally failed horribly. After much work we got it compliant and fixed all of the security holes identified. The article above gives some ColdFusion specific items but also defines some techniques that can be applied to other languages. A few things that are of note are:</p>
<ul>
<li>Database user privileges</li>
<li>Use of stored procedures</li>
<li>Use of dynamic table names</li>
</ul>
<p>These three points are usually overlooked by the average developer and should really be implemented. </p>
<p> </p>
<p>Database User Access:</p>
<p>Only give the user the minimum rights required to perform the task. So if your user only needs to perform select and update operations they should not have delete, create or other rights.</p>
<p> </p>
<p>Stored Procedures:</p>
<p>Stored procedures provide a very good way to abstract and hide database logic from your code. This is a problem with many of the frameworks that use Active Record patterns like Rails and CakePHP or ORM systems like Reactor in ColdFusion but stored procedures can provide significant performance improvements as well as having security benefits.</p>
<p> </p>
<p>Dynamic Table Names:</p>
<p>By prefixing your database tables with a custom string, you can build queries that use a dynamic string for accessing the table information instead of hardcoding the table name. This is another good idea since many systems use generic table names like users, categories, groups etc which can be easily guessed.</p>
<p> </p>
<p>It is very important to analyse every section of code and perform a security audit ensuring that all forms are protected since this is the first place that attackers target.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/02/preventing-sql-injection-attacks-in-coldfusion/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>HostMySite security breach</title>
		<link>http://thinkinglemur.com/index.php/2009/02/hostmysite-security-breach/</link>
		<comments>http://thinkinglemur.com/index.php/2009/02/hostmysite-security-breach/#comments</comments>
		<pubDate>Wed, 04 Feb 2009 15:08:01 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[ColdFusion]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=115</guid>
		<description><![CDATA[I recently posted an article about a security breach on my web server which was as a result of my own stupidity but when a site that I manage and host on HostMySite.com is breached twice in 4 days I get extremely peeved. The incident occurred on their ColdFusion shared hosting plan and an attacker [...]]]></description>
			<content:encoded><![CDATA[
<p>I recently posted an article about <a href="http://thinkinglemur.com/index.php/2009/01/security-is-important/">a security breach </a>on my web server which was as a result of my own stupidity but when a site that I manage and host on HostMySite.com is breached twice in 4 days I get extremely peeved. The incident occurred on their ColdFusion shared hosting plan and an attacker was able to successfully inject code into all index files for the site. I noticed the first breach and after cleaning the site alerted HMS. Several hours later I was alerted that there was a problem with the permissions on the site and that it was patched and the files were cleaned (even though I had already removed all the malicious code from the files). </p>
<p>I decided to forgive this faux pas even though I have seen this before some time ago on a site hosted by HMS, that site however was using LAMP and the breach was caused by a vulnerability in the PHP version. The affected site was flagged up in Google as containing malware, this time however, <a href="http://thinkinglemur.com/index.php/2009/02/the-day-google-stood-still/">Google was telling the truth</a>! However, this morning, the site was once again compromised and code injected into the index files. After cleaning and submitting a bitter support ticket I received a response stating some nonsense about permissions being reapplied. I am amazed at some of these responses sometimes, since they are deliberately written to sound more impressive than they are. I am not a newbie and I understand very well what happened.</p>
<p>I am sorely disappointed in HMS, there have been numerous problems on their shared hosting environment with ColdFusion crashes, site time outs and now security breaches. This makes me look stupid to my client and it is costing me in support because I have to get it fixed, for FREE! I have never forgiven Dell for shipping a server with cables disconnected and I don't think HMS will have any business going forward. You simply cannot say you are providing a service, say you are the best at it then allow things like this to happen, it is simply not acceptable!</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/02/hostmysite-security-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security is important!</title>
		<link>http://thinkinglemur.com/index.php/2009/01/security-is-important/</link>
		<comments>http://thinkinglemur.com/index.php/2009/01/security-is-important/#comments</comments>
		<pubDate>Fri, 30 Jan 2009 10:45:35 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[downandup]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=78</guid>
		<description><![CDATA[I am guilty of an unforgivable crime. I deployed an unsecured webserver and in IT that is THE ULTIMATE IN STUPIDITY! I am sorry and will not let it happen again. As a result the server was infected and became a zombie covertly attacking other servers.  The machine was infected with the Downandup/Conficker trojan. This [...]]]></description>
			<content:encoded><![CDATA[
<p>I am guilty of an unforgivable crime. I deployed an unsecured webserver and in IT that is THE ULTIMATE IN STUPIDITY! I am sorry and will not let it happen again. As a result the server was infected and became a zombie covertly attacking other servers. </p>
<p>The machine was infected with the Downandup/Conficker trojan. This attacks unpatched Windows servers and deploys software that prevents the machine from visiting security related websites and running security software. The software also disabled automatic updates on the server, which is a big deal! It was very difficult to remove. In the end tools from McAfee, Norton and Microsoft got rid of the infection. See a list of software that was used to clean the machine below.</p>
<p>So here is a little information on securing a webserver on the cheap. Even though this is not the ideal solution it will prevent all but the most determined attacks. All of these solutions are software based. I would recommend a hardware firewall but again, this is the el cheapo solution.</p>
<ul>
<li>Ensure that automatic updates are enabled and that the machine is currently updated with the latest OS patches.</li>
<li>Install a firewall. I've reviewed a few options but chose the Outpost Pro Firewall (<a href="http://www.agnitum.com/products/outpost/">http://www.agnitum.com/products/outpost/</a>) which was easy to set up, extremely intuitive, had a very good learning mode and was very affordable. It also includes an antispy and web protect component. The web component is used for web surfing, since this is for a web server, no one should be browsing the net from this machine! One configuration setting that is important is to set the firewall to run in stealth mode so it makes it look like the computer simply isn't there.</li>
<li>Install an antivirus program. This is optional in my opinion, if you are starting with a clean machine and have sufficiently protected it. However, it is a good idea to periodically run virus scans on the machine.</li>
</ul>
<div>These are very simple steps to help protect the machine but are by no means a perfect solution. Another thing that needs to be considered is web application security, which I will cover in another post. </div>
<p>A list of the software used to remove the infection:</p>
<ul>
<li>http://download.microsoft.com/download/4/A/A/4AA524C6-239D-47FF-860B-5B397199CBF8/windows-kb890830-v2.6.exe (Microsoft Malicious Software Removal Tool)</li>
<li><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99">http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99</a></li>
<li>CSI Prevx - This is a paid for tool, however, it detects an EXE file that is related to the infection that the above tools did not detect. In the free mode you can detect the file and manually delete it once you have run the products listed above.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/01/security-is-important/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Computer Security: Learning about botnets</title>
		<link>http://thinkinglemur.com/index.php/2009/01/computer-security-learning-about-botnets/</link>
		<comments>http://thinkinglemur.com/index.php/2009/01/computer-security-learning-about-botnets/#comments</comments>
		<pubDate>Wed, 21 Jan 2009 15:21:50 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=76</guid>
		<description><![CDATA[TechRepublic had an interesting article on Botnets and Hosts file pharming. This is something that most people are unaware of while their computers are being silently used by remote attackers.  http://blogs.techrepublic.com.com/security/?p=738&#38;tag=nl.e036 There are a few tools that I would recommend getting: Kaspersky Antivirus 2009, which is a pretty comprehensive threat protection suite.]]></description>
			<content:encoded><![CDATA[
<p>TechRepublic had an interesting article on Botnets and Hosts file pharming. This is something that most people are unaware of while their computers are being silently used by remote attackers. </p>
<p><a href="http://blogs.techrepublic.com.com/security/?p=738&amp;tag=nl.e036">http://blogs.techrepublic.com.com/security/?p=738&amp;tag=nl.e036</a></p>
<p>There are a few tools that I would recommend getting: Kaspersky Antivirus 2009, which is a pretty comprehensive threat protection suite.</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2009/01/computer-security-learning-about-botnets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows XP Professional does not load explorer.exe</title>
		<link>http://thinkinglemur.com/index.php/2008/09/windows-xp-professional-does-not-load-explorerexe/</link>
		<comments>http://thinkinglemur.com/index.php/2008/09/windows-xp-professional-does-not-load-explorerexe/#comments</comments>
		<pubDate>Mon, 22 Sep 2008 21:49:35 +0000</pubDate>
		<dc:creator>Donnie Bachan</dc:creator>
				<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[windows virus removal sdfix xp malware trojan horse]]></category>

		<guid isPermaLink="false">http://thinkinglemur.com/?p=44</guid>
		<description><![CDATA[As one of two technical people at my company I am one of the people who gets called on whenever there is a hardware or software issue of any kind. We have tried to school our users on the dangers of attachments and have implemented software to attempt to prevent viruses entering the network but [...]]]></description>
			<content:encoded><![CDATA[
<p>As one of two technical people at my company I am one of the people who gets called on whenever there is a hardware or software issue of any kind. We have tried to school our users on the dangers of attachments and have implemented software to attempt to prevent viruses entering the network but sometimes they do slip through. Today I had a tough time diagnosing a problem with one of the machines running Windows XP Professional. </p>
<p>Initially, the computer was just very slow and started with pop ups so I followed the tried and true method of cleaning using Spybot Search &amp; Destroy, AdAware and HiJack This!. After running these three programs and restarting, the desktop (i.e. explorer.exe) would not load at all, not even in Safe Mode. Needless to say, panic started to set in! We were running ClamWin on that specific machine and well, I hate to say this but, it is crap. It does not protect the computer actively and cannot remove many of the infections that were found on the system. So I put a proper antivirus program on there, Kaspersky 2009. This was able to find infections but could not remove a particularly troublesome one that was disguised as svchost.exe. So after browsing Google for a while I was able to find a reference to <a href="http://www.bleepingcomputer.com/forums/topic131299.html">SDFix.exe</a> which solved most of my problems. After downloading and following the instructions the desktop once again loaded and Kaspersky was able to destroy the other infections.</p>
<p>So I'm going to add SDFix to my arsenal of spyware removal tools and so should you!</p>
]]></content:encoded>
			<wfw:commentRss>http://thinkinglemur.com/index.php/2008/09/windows-xp-professional-does-not-load-explorerexe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

