John Ramon - ColdFusion Blog - My Alternate Reality http://www.johnramon.com/ en-us Copyright 2012 John Ramon - ColdFusion Blog - My Alternate Reality http://www.johnramon.com/feed.xml Sun, 05 Feb 2012 02:35:53 MST http://www.johnramon.com/images/rssLogo.gif John Ramon - ColdFusion Blog - My Alternate Reality http://www.johnramon.com/ 97 97 Recent blog posts about ColdFusion, Web Applications, and CF Bloggy Application Penetration Test - Call to CF community for help! So next week an "Information Security and Compliance Company" is doing a 16 hour "Application Penetration Test" on an application we developed. It's on a dedicated server with all the latest patches and is on lock down with IP address validation through the firewall. We have made sure every query is protected from SQL injection attacks and made sure any file uploaded to the application is uploaded outside the root and can not be called from a URL. We think we have covered all the bases, here is a list of what the application will go through.
 

Input Validation

Buffer Overflow

Cross Site Scripting

URL Manipulation

SQL Injection

Hidden Variable Manipulation

Cookie Modification

Authentication Bypass

Code Execution
 

Now some of these are basic security 101, and ColdFusion has lots of tools to address the attacks. Has anyone ever gone through this? If so what type of things were found? Can anyone give me any suggestion of things to check?

]]> http://www.johnramon.com/index.cfm/id/39/Application-Penetration-Test---Call-to-CF-community-for-help! Tue, 17 Aug 2010 21:07:52 MST