ColdFusion – Cross Site Scripting

March 8, 2011

I had to fix one site, which was sharing a server with other sites, to make it PCI compliant with respect to Cross Site Scripting and database injection.

Here are the few things I did to accomplish this.

In Application.cfc, I added the following:

<cfset this.scriptProtect = "all">

Note: if your application legitimately passes object, script or any other HTML tags in form or URL variables, this setting will break that code.

Make sure you have the following section in your cfusion/lib/neo-security.xml:

<var name="CrossSiteScriptPatterns">
<struct type="coldfusion.server.ConfigMap"><!-- this one is for site scripting -->
<var name="&lt;\s*(object|embed|script|applet|meta|iframe|style|img|form|xss|body|html|head|title|input|layer|br|bgsound|link|xml|frameset|table|div|hr|base|a%20href|a href)">
</var><!-- following is for SQL injections -->
<var name=";.*(select|insert|update|delete|drop|alter|create)">
</var>
</struct>
</var>

Now all you need to do is find the respective string in your output and send the user to the appropriate error/message page.
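As an added illustration (not code from the post), the script below models what the two patterns quoted above actually match: it applies the CrossSiteScriptPatterns expression to request-scope values the way scriptProtect does, writing InvalidTag in place of each matched tag name (the string ColdFusion substitutes and the one you would look for in your output), then runs the "find the string and redirect" check the post describes. Case-insensitive matching and the sample form/url values are assumptions constructed for the example.

```python
import re

# The two patterns from the neo-security.xml section above.
XSS_PATTERN = re.compile(
    r"<\s*(object|embed|script|applet|meta|iframe|style|img|form|xss|body|html"
    r"|head|title|input|layer|br|bgsound|link|xml|frameset|table|div|hr|base"
    r"|a%20href|a href)",
    re.IGNORECASE,  # assumption: tag names are matched regardless of case
)
SQL_PATTERN = re.compile(r";.*(select|insert|update|delete|drop|alter|create)",
                         re.IGNORECASE)

# The replacement ColdFusion writes in place of a matched tag name.
MARKER = "InvalidTag"


def script_protect(value: str) -> str:
    """Model of scriptProtect: replace each matched opening tag name with InvalidTag."""
    return XSS_PATTERN.sub("<" + MARKER, value)


def protect_scope(scope: dict) -> dict:
    """Apply the substitution to every value of a request scope (form, url, ...)."""
    return {key: script_protect(val) for key, val in scope.items()}


def needs_error_page(*scopes: dict) -> bool:
    """The check the post describes: any InvalidTag in the scrubbed scopes means redirect."""
    return any(MARKER in val for scope in scopes for val in scope.values())


def looks_like_sql_injection(value: str) -> bool:
    """Second pattern: a statement separator followed somewhere by a DML/DDL keyword."""
    return SQL_PATTERN.search(value) is not None


if __name__ == "__main__":
    # Constructed sample request scopes, as they might arrive in form and url.
    form = protect_scope({"comment": "hi <SCRIPT>alert(1)</script>", "name": "Bob"})
    url = protect_scope({"id": "42"})
    print(form["comment"])                                   # hi <InvalidTag>alert(1)</script>
    print(needs_error_page(form, url))                       # True
    print(looks_like_sql_injection("1; drop table orders"))  # True
```

Note that the SQL pattern only fires when a semicolon precedes the keyword, so treat it as a tripwire on top of cfqueryparam rather than as the control itself.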

Configuring Secure Virtual Host on Mac OS X

May 23, 2010

I had a requirement to test my Flex application, which I built for Raileasy, in a secure environment.
It was quite difficult to configure my Mac, as I couldn't find a good post, blog or article on it.
I asked a few of my friends who use Macs for their development work, and only Andy Allan gave me a few tips and links:

The following articles helped me set up my Mac:
1) Marc Liyanage – article on Configuring mod_ssl on Mac OS X

2) Generating an SSL Certificate with Apache+mod_ssl

Here are the steps I took to configure my Mac (based on the above articles):
First, open a terminal window and type in these commands:

  • sudo -s
  • cd /etc/apache2
  • mkdir ssl
  • chmod 700 ssl
  • cd ssl
  • gzip -c --best /var/log/system.log > random.dat
    (This step compresses the system log into a file named random.dat, which we will use as a seed when generating the key)
  • openssl rand -rand file:random.dat 0

I wanted a self-signed certificate to put on my local machine; here are the steps I took to get one.
Issue the following command in the already opened terminal window (it should be all on one line).

Before running the command, have answers ready for the following questions:
* Country Name (2 letter code) [AU]:GB
* State or Province Name (full name) [Some-State]:London
* Locality Name (eg, city) []:London
* Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dev Co.
* Organizational Unit Name (eg, section) []:Development
* Common Name (eg, YOUR name) []
* Email Address []
(It’s important that you enter the host name of your web server exactly as it will be used later on in the “Common Name” field, like or
Command to run in the terminal window:
openssl req -keyout privkey-2010.pem -newkey rsa:1024 -nodes -x509 -days 365 -out cert-2010.pem

Make sure that “TextEdit” is not running, then type these lines into the terminal window:

  • chmod 600 privkey-2010.pem
  • chown root privkey-2010.pem

On Mac OS X Snow Leopard, Apache ships with a default config file for SSL.
Open the following files in any text editor:

/etc/apache2/httpd.conf (main config file for Apache)
/private/etc/apache2/extra/httpd-ssl.conf (the SSL config file, referred to as ssl.config below)

1) In the ssl.config file, look for the VirtualHost definition.
You would see something like this:

But the above setting didn't work for me; I had to change it to the following, and I don't know the reason, but it worked:

Change the DocumentRoot to the right root for your web site.
You might need to add Directory access rights for the document root:

allow from all
Options +Indexes

Find the following directives and change them to the right path and file names (the certificate and the private key generated above):
SSLCertificateFile "/etc/apache2/ssl/cert-2010.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/privkey-2010.pem"

Save the file

You also need to uncomment the following line in httpd.conf:
#Include /private/etc/apache2/extra/httpd-ssl.conf

Save the file

From the terminal window, run the pwd command and make sure you are at

Then run the following commands:
apachectl stop
apachectl start
Now your server will provide secure access to your website.

The one thing I didn't understand was that, by doing this, all of my local websites turned into secure websites.

But I was able to test my website under secure environment.

Thanks to the writers of the above articles.