Re: Source code review tools for ColdFusion

Subject: Re: Source code review tools for ColdFusion
Date: Mon, 2 Apr 2007 15:51:43 -0400
Thanks Dean,

We've been doing similar things with regular expressions and home
grown tools. I was just surprised how difficult (currently impossible
but perhaps Fortify will change that) it is to find a commercial tool
that supports CF considering how prevalent it is.

Contrary to information I've received from several list members,
neither SPIDynamics nor OunceLabs support it.

Darren


On 4/2/07, Dean H. Saxe <dean@fullfrontalnerdity.com> wrote:
IIRC, Fortify has a CF module that you can use.

If you don't have access to Fortify a couple of quick regexes will
give you a lot of insight.  The easy ones are looking for unsafe
functions, such as preserveSingleQuotes(), the harder ones look for
queries which don't use CFQUERYPARAM or unsanitized output.  Back in
2003/2004 I wrote a parser in Perl to help automate some of the more
boring code review tasks in CF.  Unfortunately, the source was left
with my previous employer and never released as planned.  Was it
perfect?  Heck no.  Did it help catch a lot of bugs that would have
otherwise been missed?  Absolutely.

-dhs

Dean H. Saxe, CISSP, CEH
dean@fullfrontalnerdity.com
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
    -- George Orwell, 1945


On Mar 26, 2007, at 2:55 PM, Darren Bounds wrote:

> Is anyone aware of any 'reasonably good' tools to assist with source
> code review in ColdFusion? I've been having a difficult time finding
> anything at all.
>
> --
>
> Thank you,
> Darren Bounds
>




--

Thank you,
Darren Bounds
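One way to do the regex pass Dean describes, added here as an example in Python rather than the Perl parser mentioned in the thread (this is not code from any list member): it flags preserveSingleQuotes() calls and any #variable# that reaches a <cfquery> body outside a <cfqueryparam> tag. The CFML sample is constructed for the example.

```python
import re

# Constructed CFML sample for this example (not code from the thread): one
# parameterised query, one that splices a URL value straight into SQL, and
# one using preserveSingleQuotes(), the "easy" unsafe function named above.
SAMPLE_CFML = """
<cfquery name="safe" datasource="app">
  SELECT id, name FROM users
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="unsafe" datasource="app">
  SELECT id, name FROM users WHERE name = '#url.name#'
</cfquery>
<cfquery name="dynamic" datasource="app">
  SELECT * FROM items WHERE #preserveSingleQuotes(where_clause)#
</cfquery>
"""

CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
INTERP_RE = re.compile(r"#([^#\n]+)#")
PSQ_RE = re.compile(r"preserveSingleQuotes\s*\(", re.I)


def line_of(text, offset):
    """1-based line number of a character offset in text."""
    return text.count("\n", 0, offset) + 1


def find_cfquery_issues(cfml):
    """Return sorted (line_no, description) pairs for each unsafe pattern.

    1. Any preserveSingleQuotes() call is reported outright.
    2. Inside each <cfquery> body every <cfqueryparam ...> tag is blanked
       out (same length, so offsets stay valid); any #interpolation# that
       survives is being concatenated into the SQL text unparameterised.
    """
    issues = []
    for m in PSQ_RE.finditer(cfml):
        issues.append((line_of(cfml, m.start()), "preserveSingleQuotes() used"))
    for q in CFQUERY_RE.finditer(cfml):
        body = CFQUERYPARAM_RE.sub(lambda t: " " * len(t.group(0)), q.group(1))
        for i in INTERP_RE.finditer(body):
            issues.append((line_of(cfml, q.start(1) + i.start()),
                           f"#{i.group(1)}# reaches SQL without cfqueryparam"))
    return sorted(issues)


if __name__ == "__main__":
    for line, desc in find_cfquery_issues(SAMPLE_CFML):
        print(f"line {line}: {desc}")
```

Like the regexes Dean describes, this is a heuristic: it will miss interpolation hidden behind cfset string building and cannot judge whether a cfqueryparam's cfsqltype is appropriate.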
