Aug 17
Application Penetration Test - Call to CF community for help!

So next week an "Information Security and Compliance Company" is doing a 16 hour "Application Penetration Test" on an application we developed. It's on a dedicated server with all the latest patches and is on lockdown with IP address validation through the firewall. We have made sure every query is protected from SQL injection attacks and made sure any file uploaded to the application is uploaded outside the root and cannot be called from a URL. We think we have covered all the bases. Here is a list of what the application will go through:
Input Validation
Buffer Overflow
Cross Site Scripting
URL Manipulation
SQL Injection
Hidden Variable Manipulation
Cookie Modification
Authentication Bypass
Code Execution

Now some of these are basic security 101, and ColdFusion has lots of tools to address the attacks. Has anyone ever gone through this? If so, what type of things were found? Can anyone give me any suggestions of things to check?
3 Comments
Perhaps you've covered this under XSS, but if you haven't, have a look at CSRF attacks (pronounced 'sea surf'). The famous MySpace worm was one of these.

Dominic

Dominic Watson - Wednesday, August 18, 2010
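A ColdFusion sketch of the two points raised so far, a per-session anti-CSRF token on state-changing forms and cfqueryparam bindings for the SQL, added here as an example; it is not code from the original post or its commenters. It assumes session management is enabled in Application.cfc, a datasource named appDSN, an accounts table with id and email columns, and that the signed-in account id is kept in session.accountId (all assumptions).

```cfml
<!--- Added example, not from the original post. Assumes session management is
      on, a datasource "appDSN", an "accounts" table (id, email) and the logged-in
      account id in session.accountId. --->

<!--- 1. Issue one unguessable token per session, before rendering any form. --->
<cfif NOT structKeyExists(session, "csrfToken")>
    <cfset session.csrfToken = hash(createUUID() & getTickCount(), "SHA-256")>
</cfif>

<!--- 2. Embed the token in every form that changes state. A page on another
         site cannot read the victim's session, so it cannot supply a valid
         token even though the browser will happily attach the session cookie. --->
<cfoutput>
<form method="post" action="updateEmail.cfm">
    <input type="hidden" name="csrfToken" value="#htmlEditFormat(session.csrfToken)#">
    <input type="text" name="email">
    <input type="submit" value="Save">
</form>
</cfoutput>

<!--- 3. updateEmail.cfm: refuse the request unless the submitted token matches
         the session's token. compare() returns 0 only on an exact match. --->
<cfparam name="form.csrfToken" default="">
<cfparam name="form.email" default="">
<cfif NOT structKeyExists(session, "csrfToken")
      OR compare(form.csrfToken, session.csrfToken) NEQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 4. Only then touch the database. Every value is bound with cfqueryparam so
         user input is never spliced into the SQL text, and the row to update
         comes from the session rather than a hidden form field, so it cannot be
         altered by editing the submitted form ("hidden variable manipulation"). --->
<cfquery datasource="appDSN">
    UPDATE accounts
       SET email = <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar" maxlength="254">
     WHERE id = <cfqueryparam value="#session.accountId#" cfsqltype="cf_sql_integer">
</cfquery>
```

Rotating the token after login (and on logout) keeps a token captured before authentication from being reused afterwards.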
Wow, my spelling blows!

Dominic Watson - Wednesday, August 18, 2010
Yep, all user inputs are filtered for meta characters, and files are uploaded outside of root. I never thought I would learn so much about hacking a website going through this.

John Ramon - Wednesday, August 18, 2010