August 31, 2009

Prevent Session Hijacking in ColdFusion

Posted in Session Hijacking - CF at 3:52 pm by borawlings

Session Hijacking is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.  This is a vulnerability for all web applications, not just those written in CF.

An attacker can obtain the session identifier through:

  • Direct access to the user’s computer to read their cookies.
  • Packet sniffing to intercept the cookie being passed back and forth between client and server.
    • SSL on login pages can prevent sniffing the cookie at that time, but other pages that are not encrypted will still send this data.
  • Directly from a user who may have posted/sent a URL with the session identifier in the URL.
  • A Cross Site Scripting attack.

To prevent this, log on to the ColdFusion Administrator, then:

Check the box beside “Use J2EE session variables”. By default this is not checked.

The quickest and easiest way to prevent session hijacking is to enable J2EE session variables in the ColdFusion Administrator.

  • Enabling J2EE session variables limits the effectiveness of session hijacking.
  • It uses the jsessionid identifier rather than CFID and CFTOKEN.
  • J2EE sessions have other advantages as well:
    • You can share session variables between ColdFusion and JSP pages.
    • The session ends for the user when all browser windows are closed. However, the session remains open on the server.
    • The session is serializable, which is used in clusters.

Cross Site Scripting: to prevent it, log on to the ColdFusion Administrator, under “Server Settings” click “Settings”, then check “Enable Global Script Protection”.

Use error handling. Sites should never show the default ColdFusion error page.

  • Errors can be handled using a variety of methods (usually more than one at a time):
    • Try/catch blocks
    • The onError method of Application.cfc
    • Specifying a site-wide error handler in the ColdFusion Administrator
    • Specifying a missing template handler in the ColdFusion Administrator

Turn off robust exception information.

  • If an error happens to get through, you do not want the information displayed by robust exception information falling into the hands of a hacker (or any user, for that matter).
  • A hacker can gain information about:
    • Server operating system
    • File structure
    • Database structure
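The error handling and robust exception points above, as an added example that is not code from the original post: an Application.cfc (the application name is an assumption) whose onError and onMissingTemplate methods log the exception detail on the server and send the browser only a generic page, so no operating system, file path or database information reaches the user.

```cfml
<!--- Application.cfc: added example, not from the original post --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">  <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <cfset this.setClientCookies = true>

    <!--- Catch-all handler: runs instead of the default ColdFusion error page --->
    <cffunction name="onError" returnType="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">

        <!--- Keep message, detail and stack trace on the server, in the log only --->
        <cflog file="appErrors" type="error"
               text="#arguments.eventName#: #arguments.exception.message# - #arguments.exception.detail#">

        <!--- What the user sees: no file names, SQL or server details --->
        <cfoutput>
            <h1>Something went wrong</h1>
            <p>The problem has been recorded. Please try again later.</p>
        </cfoutput>
    </cffunction>

    <!--- Missing template handler: replaces the default 404 page, which reveals paths --->
    <cffunction name="onMissingTemplate" returnType="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">

        <cflog file="appErrors" type="warning"
               text="Missing template requested: #arguments.targetPage#">

        <cfoutput><h1>Page not found</h1></cfoutput>
        <!--- true tells ColdFusion the request was handled --->
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The administrator-level handlers the post mentions still act as a fallback; this per-application handler is the first line of defence and is where try/catch blocks in individual pages hand off anything they do not handle themselves.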

Remove unneeded permissions from datasources.

  • When deploying to production environments, remove any unnecessary permissions from your datasources in the CF Administrator, such as:
    • Create
    • Drop
    • Alter
    • Grant
    • Revoke

Having these permissions might be O.K. for development, but they are probably not needed in production.

Create a database user specifically for ColdFusion.

  • You should never use the ‘sa’ or ‘root’ user for database access in production environments.
  • Give the user the lowest level of permissions needed to run your application.