Security Enhancements in ColdFusion Splendor – PBKDF2 and AntiSamy

ColdFusion 11 adds a few more security functions to ColdFusion's already rich set. Among them are protection against XSS using the AntiSamy framework and PBKDF2 key derivation. This blog post introduces the AntiSamy and PBKDF2 key derivation functions added in ColdFusion Splendor.

AntiSamy Support:

If there is a need to accept HTML/CSS input from the user, there is a high possibility that the input contains XSS. Encoding functions cannot be used in this case, because the HTML/CSS input needs to be rendered by the browser. The AntiSamy API provides an input validation technique that helps the programmer verify user-supplied HTML/CSS markup against a whitelist policy, so that the input is guaranteed not to contain XSS. AntiSamy validates using a policy file in which we can specify which HTML tags, attributes and CSS properties are allowed in the input. The policy gives fine-grained control over validation/sanitization through directives, regular expressions, and rules for HTML tags and CSS properties. AntiSamy provides some example policy files, which can be downloaded from here and modified to suit your own project requirements. Check the AntiSamy developer guide to learn more about policy files.

Two new functions, isSafeHTML and getSafeHTML, validate and clean the given unsafe HTML according to the given policy.

isSafeHTML reports whether the given input markup complies with the rules specified in the AntiSamy policy. It returns true if the input is valid and false if any violations are found.

getSafeHTML sanitizes the given input based on the rules specified in an AntiSamy policy file. It returns the cleaned HTML string produced by filtering the input against the policy.

The function syntax is as follows:

getSafeHTML(input [, PolicyFile [, throwOnError]])
isSafeHTML(input [, PolicyFile ])
where

input
     The HTML input markup text to sanitize/validate.

PolicyFile (Optional)
     The path to the AntiSamy policy file. The path can be absolute or relative to the Application.cfc/cfm. If it is not specified, the policy configured at application level is used; failing that, the default policy file shipped with ColdFusion is used. The default policy, antisamybasic.xml, can be found in the lib directory.

throwOnError (Optional)
     If set to true and the given input violates the allowed HTML rules specified in the policy file, an exception is thrown. The exception message contains the list of violations raised by the input. If set to false, no exception is raised and the HTML content filtered and cleaned according to the policy rules is returned. Defaults to false.

The policy file can be set at application level using the key this.security.antisamypolicy in Application.cfc. The value must be an absolute path to the policy file or a path relative to the Application.cfc/cfm.

<cfcomponent>
<cfset this.security.antisamypolicy = "antisamy.xml">
</cfcomponent>

Here is a simple example using the antisamy-tinymce.xml policy, which allows many text formatting tags and simple CSS properties and disallows JavaScript.

<!--- Static input is used in this example; in real code replace it with the relevant form parameter --->
<cfset unsafeHTML = "<script>alert('lorem ipsum lorem ipsum');</script><b>lorem ipsum lorem ipsum</b>">
<cfset isSafe = isSafeHTML(unsafeHTML)>
<cfset SafeHTML = getSafeHTML(unsafeHTML, "", false)>

<!--- isSafe is NO, and the clean HTML is <b>lorem ipsum lorem ipsum</b>: the script tag has been removed from the input --->
<cfoutput> is Safe : #isSafe# Safe HTML : #SafeHTML# </cfoutput>
<cftry>
    <cfset SafeHTML = getSafeHTML(unsafeHTML, "", true)>
    <cfcatch type="Application">
        <!--- when throwOnError is true, the policy violations are reported in the exception detail --->
        <cfoutput>
            Errors in the input: <br/> #cfcatch.detail#
        </cfoutput>
    </cfcatch>
</cftry>

More detailed information and examples on AntiSamy can be found here.
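As an added example (not code from the original post), the following cfscript wraps the two new functions in one helper that a form handler can call. It follows the post's own convention of passing "" as the policy file to fall back to the application-level or default policy; the helper name sanitizeRichText, the constructed sample input and the log file name are assumptions made for this example.

```cfml
<cfscript>
// Added example: validate, clean and record violations for user-supplied markup.
// Returns a struct so the caller can decide separately what to store and what to log.
struct function sanitizeRichText(required string userHtml, string policyFile = "") {
    var result = {
        "isSafe"     = isSafeHTML(arguments.userHtml, arguments.policyFile),
        // throwOnError = false: never throws, always returns markup cleaned to the policy
        "cleaned"    = getSafeHTML(arguments.userHtml, arguments.policyFile, false),
        "violations" = ""
    };
    if (!result.isSafe) {
        // throwOnError = true: the exception detail lists the policy violations.
        // Useful for logging and monitoring, not something to echo back to the user.
        try {
            getSafeHTML(arguments.userHtml, arguments.policyFile, true);
        } catch (any e) {
            result.violations = e.detail;
        }
    }
    return result;
}

// Constructed input standing in for a form field such as form.comment
userInput = "<b onclick=""alert(1)"">bold</b><script>alert(1)</script><i>fine</i>";
check = sanitizeRichText(userInput);

if (!check.isSafe) {
    // Record the rejection in the application log (file name is an assumption);
    // the raw input is deliberately not written to the log.
    writeLog(type = "warning", file = "antisamy",
             text = "Rejected markup from #cgi.remote_addr#: #check.violations#");
}

// Store or render only the cleaned markup, whether or not isSafe was true.
writeOutput(check.cleaned);
</cfscript>
```

Calling getSafeHTML twice only on the failure path keeps the common (clean) case cheap while still capturing the violation list when something was stripped. The design choice worth copying is that the output path never touches the original string: the sanitized markup is what gets stored and rendered.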

PBKDF2 Key Derivation:

PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that derives a cryptographic key of the desired size from a human-manageable password. PBKDF2 is widely used to produce keys suitable for encryption and HMAC algorithms. The function syntax is as follows:

GeneratePBKDFKey(algorithm, inputString, salt, iterations, keysize)

algorithm
The PBKDF2 variant used to derive the key. Supported algorithms are PBKDF2WithHmacSHA1, PBKDF2WithSHA1, PBKDF2WithSHA224, PBKDF2WithSHA256, PBKDF2WithSHA384 and PBKDF2WithSHA512.

inputString
The input string (password/pass-phrase) from which the encryption key is derived.

salt
Random cryptographic salt. The recommended length is 64 bits (8 characters), and it must be randomly generated using a pseudo-random number generator.

iterations
The number of iterations of the cryptographic operation to perform. The minimum recommended number of iterations is 1000.

keySize
The desired key length in bits.

The example below shows how to derive a 192-bit encryption key from a given password and then use that key to encrypt and decrypt data with the AES algorithm. There is no need to store the encryption key, as it is derived from the password each time.

<cfscript>
// Encryption side
salt = "A41n9t0Q";
// The password is hard coded here; in real code it should come from a form parameter
password = "Password@123";
PBKDFalgorithm = "PBKDF2WithSHA224";
dataToEncrypt = "Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua";
encryptionAlgorithm = "AES";
// Derive a 192-bit key with 4096 iterations; the result is Base64 encoded
derivedKey = GeneratePBKDFKey(PBKDFalgorithm, password, salt, 4096, 192);
writeOutput("Generated PBKDFKey (Base 64) : " & derivedKey);
encryptedData = encrypt(dataToEncrypt, derivedKey, encryptionAlgorithm, "BASE64");
writeOutput("Data After Encryption: " & encryptedData);

// Decryption side: the same password, salt, algorithm, iteration count and key size
// reproduce the same key, so the key itself never has to be stored
salt = "A41n9t0Q";
password = "Password@123";
PBKDFalgorithm = "PBKDF2WithSHA224";
derivedKey = GeneratePBKDFKey(PBKDFalgorithm, password, salt, 4096, 192);
decryptedData = decrypt(encryptedData, derivedKey, encryptionAlgorithm, "BASE64");
writeOutput("Data After Decryption: " & decryptedData);
</cfscript>

More information and examples on PBKDF2 can be found here.
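As an added example (not code from the original post), the cfscript below builds on the post's encrypt/decrypt flow so that the salt and iteration count are generated once and stored next to the ciphertext, rather than hard coded on both sides. The helper names, the struct layout, the use of generateSecretKey as the salt source and the 128-bit key size are choices made for this example; it assumes ColdFusion's documented behaviour of generating and prepending an IV when a CBC cipher mode is used without one.

```cfml
<cfscript>
// Added example: password-based encryption where every parameter needed to
// re-derive the key (except the password) travels with the ciphertext.

// Fresh random salt per encryption. generateSecretKey draws from a secure random
// source and returns Base64; 128 bits exceeds the 64-bit minimum the post recommends.
string function newSalt() {
    return generateSecretKey("AES", 128);
}

struct function encryptWithPassword(required string plainText, required string password) {
    var params = {
        "kdf"        = "PBKDF2WithSHA256",
        "salt"       = newSalt(),
        "iterations" = 10000,   // well above the post's 1000 minimum
        "keySize"    = 128      // AES-128 runs under the default JCE policy
    };
    var key = GeneratePBKDFKey(params.kdf, arguments.password, params.salt,
                               params.iterations, params.keySize);
    // CBC mode: ColdFusion generates a random IV and prepends it to the ciphertext,
    // so identical plaintexts do not produce identical ciphertext.
    params["cipherText"] = encrypt(arguments.plainText, key, "AES/CBC/PKCS5Padding", "BASE64");
    return params;
}

string function decryptWithPassword(required struct params, required string password) {
    // Re-derive the key from the stored parameters; only the password is supplied by the caller
    var key = GeneratePBKDFKey(params.kdf, arguments.password, params.salt,
                               params.iterations, params.keySize);
    return decrypt(params.cipherText, key, "AES/CBC/PKCS5Padding", "BASE64");
}

// Constructed demo values
secret = "Lorem ipsum dolor sit amet";
pw     = "correct horse battery staple";

bundle = encryptWithPassword(secret, pw);
writeOutput("Stored record: " & serializeJSON(bundle) & "<br>");
writeOutput("Recovered: " & decryptWithPassword(bundle, pw) & "<br>");

// A wrong password derives a different key. With PKCS5 padding this almost always
// fails the padding check and throws; in the rare case the padding happens to look
// valid, garbage is returned instead, so treat any exception or unexpected output as failure.
try {
    decryptWithPassword(bundle, "wrong password");
} catch (any e) {
    writeOutput("Wrong password rejected: " & e.message);
}
</cfscript>
```

The stored record (salt, iteration count, KDF name, key size and ciphertext) is not secret; only the password is. Keeping these parameters with the data also makes it possible to raise the iteration count for new records later without breaking decryption of old ones. Note that a padding failure is not an integrity check: if tampering with the ciphertext must be detected, add an HMAC (with a key derived separately from the password) over the ciphertext and verify it before decrypting.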

Public Beta for ColdFusion and ColdFusion Builder is now available!

In case you haven’t already noticed, the public beta for the next major version of ColdFusion, codenamed Splendor, and for the next major version of ColdFusion Builder, codenamed Thunder, is now available.

Here is where you can get access to the public beta for both the products on Adobe Labs – http://labs.adobe.com/technologies/coldfusion/

You can quickly go over what’s new in ColdFusion Splendor here. There are also a couple of videos on the video tab that gives you a quick introduction to what’s new in ColdFusion. The link for the documentation home page is at – https://wikidocs.adobe.com/wiki/display/coldfusionen/Home

There are lots of new features and enhancements in Splendor and in Thunder. We look forward to hearing your feedback during the public beta.


trycf.com – Excellent learning initiative for ColdFusion

trycf.com is a new learning initiative by Abram Adams. The idea of the portal is to offer tutorials for new or beginner level ColdFusion developers with interactive tutorials using which you can type in CFML code on the browser and see the results live! This is a great way to quickly learn the CFML programming without having to download ColdFusion. 

What’s more, Abram Adams also has a contest running right now where you, the ColdFusion community, can help take this initiative to the next level by submitting tutorials that thousands of other developers can use to learn. The process of submitting tutorials for the contest is simple and is outlined here. The top entry in the contest will receive $300 and every valid entry will receive a copy of ColdFusion Builder! Submit your tutorials now!

learncfinaweek.com, again a community driven initiative, is already a popular resource for learning the basics of ColdFusion in just a week’s time. I am confident that trycf.com too will turn out to be an excellent learning resource for CF developers.


New Security Update Available for ColdFusion 9.0, 9.0.1, 9.0.2 and 10

A new security update is available for ColdFusion versions 9.0, 9.0.1, 9.0.2 and 10.0. This hotfix addresses the security issues specified in the technote here. Here is the link to the security bulletin for this hotfix. It also includes a few important bug fixes for ColdFusion 10, as specified here.

We recommend locking down your server by following the lockdown guide and disabling unused features in production environments.

ColdFusion case study: ITX Corp.

One of the world’s leading open-source research websites was experiencing performance issues because increasing volumes of data were taxing the system’s available memory. To solve the problem, the Social Science Research Network (SSRN) called on ITX Corp., an IT solutions provider. ITX rebuilt the site using Adobe ColdFusion, which helped eliminate memory problems, cut development times through the reuse of modularized code, and streamline SSRN’s web technology infrastructure.


“Not only did the upgrade to 64-bit Adobe Cold Fusion help stop server crashes, it also helped reduce the number of servers SSRN needs to run its site,” says Fernando D’Agostino, lead architect at ITX. “Previously, SSRN had 14 servers. Now it has 8, which reduces costs associated with server purchases, maintenance, and support.” http://adobe.ly/19XDRHf

Thank you for making CFSummit 2013 a success!

I thank each of the 503 attendees for the overwhelming response and great feedback for the first ever ColdFusion conference from Adobe. The positive feedback after the conference on social media (Twitter, Facebook and the blogs) has been really encouraging. We have also made note of some of the improvements that have been suggested and will work on those for a better CFSummit next year.

The conference would not have been successful without the efforts from all the speakers. We had more than 1500 session surveys from the audience and the average session rating was a high 4.3/5 across all sessions. Kudos to each of our speakers!

A great line up of speakers and sessions was possible only because of the Content Committee. Thanks to Tim Cunningham, Dan Wilson and Jason Dean for helping us in the Content committee.

And finally, thanks to all the Adobe staff that ensured the event was successful.

CFSummit also gave Adobe an opportunity to showcase both the current and future of the product and receive valuable feedback from the community. We have responded to the feedback about lack of ColdFusion developers with two initiatives that can help increase the number of ColdFusion developers. One is the introduction of new curriculum to promote ColdFusion in education and the other is re-energizing ColdFusion User Groups.

We now have a new “Introduction to Web Application Development” curriculum available to be taught across various colleges and universities. Three colleges have already adopted the curriculum and many more will adopt during the upcoming Spring semester. Anyone from the ColdFusion community, who helps us in getting leads or contacts to colleges/universities eventually leading to a successful adoption of the curriculum at one of those colleges/universities, will win an iPad from Adobe for their contribution! Do reach out to me via email if you are keen on helping us with the contacts. Email: rakshith@adobe.com.

The number of active ColdFusion User Groups has also increased from 22 earlier this year to more than 70 now. We will continue to make progress here. If you have any issues related to User Groups, including starting a new ColdFusion User Group, reach out to Kishore Balakrishnan, Product Marketing Manager for ColdFusion. Email: kishore@adobe.com.

These initiatives take time before they begin to make a significant impact. We at Adobe are aware of this and are willing to be patient to see these initiatives contributing to the future of ColdFusion. On a related note, it was heartening to see quite a lot of new CF developers at the conference.

We are very pleased with the outcome of CFSummit2013 and are looking forward to seeing you all again at CFSummit 2014.

Until then, continue to rock with ColdFusion!

Amazon Web Services Webinar – Leverage the power of Adobe ColdFusion on AWS

Amazon is organizing a webinar on the 18th of September at 10 am PT titled ‘Leverage the power of Adobe ColdFusion on AWS’. You can register for this AWS webinar here.

Learn about the AWS offering from:

Tom Laszewski, Solutions Architect, Amazon Web Services

Chandan Kumar, Computer Scientist, Adobe

Akhila K. Srinivas, Software Engineer, Adobe


ColdFusion Feature Usage Survey

Please participate in this ColdFusion feature usage survey. This is not a typical feature usage survey for ColdFusion. The purpose of this survey is to understand the usage of some of the old or not-so-popular features of ColdFusion.

The information gathered here will help Adobe deprecate/retain/provide alternate features in the next major version of ColdFusion.

Thanks for your time.

ColdFusion 10 update 11 – An update with 50+ fixes

ColdFusion 10 update 11 is now available for download within the ColdFusion 10 administrator. This is a significant update as it has more than 50 fixes across various areas of the product.

The most noteworthy additions are the support for Microsoft SQL Server 2012, MySQL 5.6 and 64-bit COM interoperability.

Here are the key areas and some fixes made in this update:

1. JSON – serialization issues 

2. Caching – ORM secondary cache and cached queries with query params

3. File Management – Spreadsheet tag working with VFS files

4. Hotfix Installer – Error notification if a problem is encountered during hotfix installation

5. REST Services – Issues with RestInitApplication

6. Scheduler – onMisfire event handler, PauseAll/ResumeAll, Scheduled tasks – migrated or from CAR

7. Security – Accessing public methods of a CFC via WebSockets

8. Web Container/Tomcat – CGI.server_port, IIS custom error handlers

9. Web Services – IIS virtual folders and https access

10. WebSocket – CGI scope reset and CFC returning CGI Scope

Details of each of the fixes in update 11 are available here.


JRun End of Sale post April 2013

Adobe JRun will no longer be available for purchase post April 2013. Adobe will continue to fulfill its obligations under existing maintenance contracts through the term of such contracts.

ColdFusion 9, however, will continue to be under core support from Adobe.

Here’s the link to the updated JRun product page and FAQ page on adobe.com.