Writing Secure CFML

Speaker: Pete Freitag
July 10, 2013

This presentation shows how to prevent common web vulnerabilities by writing more secure CFML. Both the latest version of ColdFusion and Railo have integrated OWASP ESAPI, which provides better functions for encoding and decoding input, something critical for preventing a range of attacks. In-depth code samples demonstrate the proper way to mitigate these vulnerabilities. OWASP ZAP will also be demonstrated as an example of how developers can test their own code without relying on expensive web application scanners.

  • Understanding the proper way to prevent SQLi, beyond just <cfqueryparam>
  • How to use canonicalize() and why it is important
  • Proper use of EncodeForHTML, EncodeForHTMLAttribute, etc.
  • Properly validate file uploads
  • Properly secure session tokens
  • Proper salting and hashing of passwords
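The following is an added example, not code from the talk or from the speaker, that puts several of the listed topics together in one login page: a parameterized query plus an allowlist for the one SQL fragment that cannot be parameterized, canonicalize() before validation, context-specific output encoders, a per-user salted iterated hash, and a session id rotated on login. It assumes a datasource named "myDSN", a users table with columns id, username, pw_hash and pw_salt, and ColdFusion 10 or later for the iterations argument of hash(), canonicalize() and sessionRotate(); all of those names are assumptions for the example.

```cfml
<!--- login.cfm: added example, not the presentation's own code.
      Assumed: datasource "myDSN"; table users(id, username, pw_hash, pw_salt). --->
<cfscript>
// Canonicalize first so double- or mixed-encoded input cannot slip past validation.
// canonicalize(input, restrictMultiple, restrictMixed) throws when both restrictions are true
// and the input carries multiple or mixed encodings.
function cleanInput(required string raw) {
    return canonicalize(arguments.raw, true, true);
}

// Output encoding: choose the encoder for the context the value is written into.
function renderUsername(required string name) {
    return "<span>" & encodeForHTML(arguments.name) & "</span>";          // element text
}
function renderUsernameAttr(required string name) {
    return '<input type="text" name="username" value="'
           & encodeForHTMLAttribute(arguments.name) & '">';                // attribute value
}

// Password storage: random per-user salt plus an iterated hash.
// hash(string, algorithm, encoding, iterations): iterations argument assumed (ColdFusion 10+).
function newSalt() {
    return hash(createUUID() & generateSecretKey("AES"), "SHA-256");
}
function hashPassword(required string password, required string salt) {
    return hash(arguments.salt & arguments.password, "SHA-512", "UTF-8", 10000);
}
</cfscript>

<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<cfparam name="url.sort" default="username">

<cfset username = cleanInput(form.username)>

<!--- ORDER BY column names cannot be bound with cfqueryparam, so pick from an allowlist
      instead of concatenating url.sort into the SQL. --->
<cfset allowedSort = ["username", "created"]>
<cfset sortCol = arrayFindNoCase(allowedSort, url.sort) GT 0 ? url.sort : "username">

<cfquery name="user" datasource="myDSN">
    SELECT id, username, pw_hash, pw_salt
    FROM users
    WHERE username = <cfqueryparam value="#username#" cfsqltype="cf_sql_varchar" maxlength="50">
    ORDER BY #sortCol#
</cfquery>

<cfif user.recordCount EQ 1 AND hashPassword(form.password, user.pw_salt) EQ user.pw_hash>
    <!--- Issue a fresh session id on successful login so a pre-login id cannot be reused. --->
    <cfset sessionRotate()>
    <cfset session.userId = user.id>
    <cfoutput>Welcome, #renderUsername(user.username)#</cfoutput>
<cfelse>
    <!--- Echo the submitted name back into the form with the attribute encoder, not encodeForHTML. --->
    <cfoutput>
        <form method="post">
            #renderUsernameAttr(form.username)#
            <input type="password" name="password">
            <input type="submit" value="Log in">
        </form>
    </cfoutput>
</cfif>
```

When creating an account, store newSalt() alongside hashPassword(password, salt) so each user's salt is unique; the same two functions then verify the login as above. The session side of this example pairs with Application.cfc settings that mark the session cookie HttpOnly and Secure (this.sessioncookie.httponly and this.sessioncookie.secure in ColdFusion 10+), which the block itself does not show.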

Pete Freitag

Pete Freitag has well over a dozen years of experience building web applications with ColdFusion. In 2006 he started Foundeo Inc, a ColdFusion consulting and products company. Pete helps clients develop and architect custom ColdFusion applications, as well as review and improve the performance and security of existing applications. He has also built several products and services for ColdFusion including a Web Application Firewall for ColdFusion called FuseGuard and a ColdFusion server security scanning service called HackMyCF. Pete holds a BS in Software Engineering from Clarkson University.