Archive for the ‘Secure’ Category

ColdFusion – Cross Site Scripting

March 8, 2011

I had to fix one site, which was sharing a server with other sites, to be PCI compliant for Cross Site Scripting and DB injections.

Here are a few things I did to accomplish this.

In Application.cfc, I added the following:

<cfset this.scriptProtect = "all">

Note: if you are passing object, script or any other HTML tags in form or query variables, this will break your code, because those values get rewritten too.

Make sure you have the following section in your cfusion/lib/neo-security.xml:

<var name="CrossSiteScriptPatterns">
  <struct type="coldfusion.server.ConfigMap">
    <!-- this one is for cross site scripting -->
    <var name="&lt;\s*(object|embed|script|applet|meta|iframe|style|img|form|xss|body|html|head|title|input|layer|br|bgsound|link|xml|frameset|table|div|hr|base|a%20href|a href)">
      <string>&lt;InvalidTag</string>
    </var>
    <!-- the following is for SQL injections -->
    <var name=";.*(select|insert|update|delete|drop|alter|create)">
      <string>SQL_INJECTION_ATTEMPT</string>
    </var>
  </struct>
</var>

Now all you need to do is check your output for the replacement strings (InvalidTag or SQL_INJECTION_ATTEMPT) and send the user to the appropriate error or message page.
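To see what those two patterns actually do to incoming values, here is an added Python model (not ColdFusion's own code) that applies the neo-security.xml patterns above to constructed sample inputs and then runs the marker check from the last step; case-insensitive matching is an assumption about how scriptProtect applies them.

```python
import re

# The two patterns from neo-security.xml, with the XML entity &lt; decoded
# back to a literal "<".  IGNORECASE is an assumption about scriptProtect.
XSS_PATTERN = re.compile(
    r"<\s*(object|embed|script|applet|meta|iframe|style|img|form|xss|body|html|"
    r"head|title|input|layer|br|bgsound|link|xml|frameset|table|div|hr|base|"
    r"a%20href|a href)",
    re.IGNORECASE,
)
SQLI_PATTERN = re.compile(
    r";.*(select|insert|update|delete|drop|alter|create)", re.IGNORECASE
)

# Replacement strings configured in the <string> elements above.
XSS_MARKER = "<InvalidTag"
SQLI_MARKER = "SQL_INJECTION_ATTEMPT"


def script_protect(value: str) -> str:
    """Rewrite one form/URL variable the way the two configured patterns would."""
    value = XSS_PATTERN.sub(XSS_MARKER, value)
    value = SQLI_PATTERN.sub(SQLI_MARKER, value)
    return value


def flagged(protected_value: str) -> bool:
    """The check from the post: look for either marker in the rewritten value."""
    return XSS_MARKER in protected_value or SQLI_MARKER in protected_value


# Constructed sample values: one attack per pattern, one harmless value,
# and two that show the caveat above (legitimate markup is mangled, and the
# tag list has no trailing word boundary, so "<brand>" is hit via "<br").
SAMPLES = [
    "<script>alert(1)</script>",   # classic XSS probe
    "1; DROP TABLE users--",       # stacked-query injection probe
    "Line one<br>Line two",        # legitimate <br> in a comment field
    "<brand>",                     # false positive: prefix match on "br"
    "select name from list",       # no ";" so the SQL pattern does not fire
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = script_protect(sample)
        print(f"{sample!r:32} -> {result!r:40} flagged={flagged(result)}")
```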

Categories: ColdFusion, Secure

Configuring Secure Virtual Host on Mac OS X

May 23, 2010

I had a requirement to test my Flex application, which I built for Raileasy, in a secure environment.
It was quite difficult to configure my Mac, as I couldn't find a good post, blog or article on it.
I asked a few of my friends who use a Mac for their development work, and only Andy Allan gave me a few tips and links:

The following articles helped me set up my Mac:
1) Marc Liyanage's article on Configuring mod_ssl on Mac OS X

2) Generating an SSL Certificate with Apache+mod_ssl

Here are the steps I took to configure my Mac (which are based on the above articles):
First, open a terminal window and type in these commands:

  • sudo -s
  • cd /etc/apache2
  • mkdir ssl
  • chmod 700 ssl
  • cd ssl
  • gzip -c --best /var/log/system.log > random.dat
    (This step creates a compressed copy of the system log named random.dat, which we will use to seed the key generation)
  • openssl rand -rand file:random.dat 0

I was looking for a self-signed certificate to put on my local machine, and here are the steps I took to get one:
Issue the following command in the already opened terminal window (it should all be on one line):

Before running the command, have answers to the following questions ready:
***********
* Country Name (2 letter code) [AU]:GB
* State or Province Name (full name) [Some-State]:London
* Locality Name (eg, city) []:London
* Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dev Co.
* Organizational Unit Name (eg, section) []:Development
* Common Name (eg, YOUR name) []:www.yourlocal.com
* Email Address []:admin@yourlocal.com
(It's important that you enter the host name of your web server in the "Common Name" field exactly as it will be used later on, for example www.yourlocal.com or ssl.yourlocal.com.)
***********
COMMAND to run in terminal window:
openssl req -keyout privkey-2010.pem -newkey rsa:1024 -nodes -x509 -days 365 -out cert-2010.pem

Make sure that “TextEdit” is not running, then type these lines into the terminal window:

  • chmod 600 privkey-2010.pem
  • chown root privkey-2010.pem

On Mac OS X Snow Leopard, Apache comes with a default config file for SSL.
Open the following files in any text editor:

/etc/apache2/httpd.conf (main config file for Apache)
/etc/apache2/httpd-ssl.conf

1) In the httpd-ssl.conf file, look for the VirtualHost definition.
You would see something like this:

But the above setting didn't work for me; I had to change it to the following, and although I don't know the reason, it worked:

Change the DocumentRoot to the right root for your web site.
You might need to add Directory access rights for the document root:

allow from all
Options +Indexes

Find the following directives and change them to the right path and file names (the certificate and the private key generated above):
SSLCertificateFile "/etc/apache2/ssl/cert-2010.pem"
SSLCertificateKeyFile "/etc/apache2/ssl/privkey-2010.pem"

Save the file

You need to un-comment the following line in the httpd.conf file:
#Include /private/etc/apache2/extra/httpd-ssl.conf

Save the file

From the terminal window, run the pwd command and make sure you are at
/etc/apache2/

Then run the following commands:
apachectl stop
apachectl start
Now your server will provide secure access to your website.

The one thing I didn't understand was that, by doing this, all of my local websites turned into secure websites.

But I was able to test my website under secure environment.

Thanks to the writers of above articles.

🙂