<?xml version="1.0" encoding="utf-8"?>

			<rss version="2.0" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://web.resource.org/cc/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">

			<channel>
			<title>Blog of Shaun McCran - Architecting robust, elegant technical and business solutions - Security</title>
			<link>http://www.mccran.co.uk/index.cfm</link>
			<description>I write about Architecture and Design, Architectural patterns, Architectural Principles and Architectural policies. This includes TOGAF, Zachman, Business Architecture, SOA and Process and tools such as the IBM Rational software and Adobe products. I also write about my previous life as a mobile and web developer.</description>
			<language>en-gb</language>
			<pubDate>Tue, 09 Jun 2026 06:54:14 -0000</pubDate>
			<lastBuildDate>Wed, 21 Nov 2012 04:07:00 -0000</lastBuildDate>
			<generator>BlogCFC</generator>
			<docs>http://blogs.law.harvard.edu/tech/rss</docs>
			<managingEditor>shaun@mccran.co.uk</managingEditor>
			<webMaster>shaun@mccran.co.uk</webMaster>
			<itunes:subtitle></itunes:subtitle>
			<itunes:summary></itunes:summary>
			<itunes:category text="Technology" />
			<itunes:category text="Technology">
				<itunes:category text="Podcasting" />
			</itunes:category>
			<itunes:category text="Technology">
				<itunes:category text="Tech News" />
			</itunes:category>
			<itunes:keywords></itunes:keywords>
			<itunes:author></itunes:author>
			<itunes:owner>
				<itunes:email>shaun@mccran.co.uk</itunes:email>
				<itunes:name></itunes:name>
			</itunes:owner>
			
			<itunes:explicit>no</itunes:explicit>
			
			
			
			
			
			<item>
				<title>Razer create a totally unnecessary cloud based system</title>
				<link>http://www.mccran.co.uk/index.cfm/2012/11/21/Razer-create-a-totally-unnecessary-cloud-based-system</link>
				<description>
				
				A recent blog post on &lt;a href=&quot;http://www.overclock.net/t/1319323/razer-synapse-2-0-software-mouse-unusable-if-you-dont-have-an-internet-connection-or-their-servers-are-down&quot; target=&quot;_blank&quot;&gt;www.overclock.net&lt;/a&gt; sparked my interest in a particularly strange decision from Razer. Razer are a hardware manufacturer that produce gaming peripherals, like mice and keyboards.

To use your new Razer device as the amazing multi-button, macro-driven gaming peripheral that it was designed as, you have to have an account and a profile with them. Without this account your mouse reverts to a standard two-button Microsoft mouse.

To facilitate this account Razer have released a new version of their peripheral profiling software, Synapse 2.0. Synapse 2.0 requires you to create an account to store your profile information against, things like settings and device profiles. Users have noticed that this software creates your account in the cloud. This has the knock-on effect that a user has to be online when they create the account, and online every time they want to use the device.

&lt;img src=&quot;http://www.mccran.co.uk/images/razer-synapse.jpg&quot; /&gt;

Essentially if you aren&apos;t online then your account cannot be verified and your settings are not used. Now if I were writing requirements for mouse management software, being cloud based would not be one of them. There is one tenuous reason for a cloud based profile (same mouse used on multiple machines) but other than that the only technical reason I can see for doing this is tracking.

Razer just want to know what you are doing. It&apos;s all about usage stats and product tracking. By doing this they now have a profile of exactly which of their devices are in the market, and the numbers of those devices. Couple this with average life of a device and you start to get pretty good sales forecasting, if you can work out how many people will re-purchase one of your products if the existing one fails.

But I can&apos;t shake the feeling that this is a really poor use of a cloud based solution. The user gains nothing from it at all, and is restricted at a fairly fundamental level if they don&apos;t agree with it. Personally, a software firewall will block this every time for me, and I can&apos;t think of a decent reason to let it through.
				
				</description>
				
				
				<category>Cloud</category>
				
				<category>Security</category>
				
				<pubDate>Wed, 21 Nov 2012 04:07:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2012/11/21/Razer-create-a-totally-unnecessary-cloud-based-system</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Samsung TouchWiz bug found and squashed – in a day</title>
				<link>http://www.mccran.co.uk/index.cfm/2012/9/26/Samsung-TouchWiz-bug-found-and-squash--in-a-day</link>
				<description>
				
				Yesterday (Sept 25th) news sites across the web were buzzing with the news that an enterprising type had managed to find an exploit in the Samsung TouchWiz software. It allowed code to run on the phone simply by following a link, without the user&apos;s authorisation or any prompt, and that code wiped the handset.

&lt;div style=&quot;margin-left:auto; margin-right:auto; width: 200px;&quot;&gt;&lt;img src=&quot;http://www.mccran.co.uk/images/samsung-logo.jpg&quot; /&gt;&lt;/div&gt;

You can read more here:

&lt;a href=&quot;http://techcrunch.com/2012/09/25/got-touchwiz-some-samsung-smartphones-can-be-totally-wiped-by-clicking-a-link/&quot; target=&quot;_blank&quot;&gt;http://techcrunch.com/2012/09/25/got-touchwiz-some-samsung-smartphones-can-be-totally-wiped-by-clicking-a-link/&lt;/a&gt;

By today (Sept 26th) the same news sites are reporting that Samsung have fixed the loophole and are urging users to download the fix for it. So if you are running a Samsung handset then go check for system updates.

&lt;a href=&quot;http://techcrunch.com/2012/09/26/samsung-speedily-plugs-remote-wipe-flaw-urges-galaxy-siii-owners-to-update/&quot; target=&quot;_blank&quot;&gt;http://techcrunch.com/2012/09/26/samsung-speedily-plugs-remote-wipe-flaw-urges-galaxy-siii-owners-to-update/&lt;/a&gt;

That sort of timescale for bug fixes is admirable, whoever you are.
				
				</description>
				
				
				<category>Security</category>
				
				<category>Mobile</category>
				
				<pubDate>Wed, 26 Sep 2012 06:42:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2012/9/26/Samsung-TouchWiz-bug-found-and-squash--in-a-day</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Using url rewriting ( .htaccess or httpd.ini ) to block hot linking resources</title>
				<link>http://www.mccran.co.uk/index.cfm/2011/6/14/Using-url-rewriting--htaccess-or-httpdini--to-block-hot-linking-resources</link>
				<description>
				
				After my recent move to HostMediaUK I&apos;ve been able to see more in-depth statistics about one of my sites, including traffic and data usage. This also includes having visibility of other domains that are linking directly to my content. This is popularly known as hot linking, and doing it without asking permission is considered very impolite. 
&lt;p&gt;
It also uses up your server&apos;s bandwidth rather than theirs.
This article explores how I use a URL access file, either .htaccess or httpd.ini depending on your platform, to stop other domains from linking directly to your hosted resources.
&lt;p&gt;
				 [More]
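<![CDATA[
The decision a hot-link blocking rule makes, written out as an added JavaScript example rather than the .htaccess from the article itself (this is not code from the original post). The allowed host names, the protected file extensions and the function names are assumptions for illustration.

```javascript
// Added example, not code from the original post: the Referer decision that a
// hot-link blocking rewrite rule makes, written as a function so the edge
// cases are visible. Host names and extensions are assumptions.

// Hosts allowed to embed our images; list the bare and www. forms explicitly.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Decide 'allow' or 'block' for a request for a protected resource.
// refererHeader is the raw Referer header value, or undefined when absent.
function hotlinkDecision(refererHeader, allowedHosts = ALLOWED_HOSTS) {
  // No Referer: direct visits, bookmarks and privacy-minded browsers send
  // none, so blocking here would hurt real users. The .htaccess equivalent
  // is the condition  RewriteCond %{HTTP_REFERER} !^$
  if (refererHeader === undefined || refererHeader === '') {
    return 'allow';
  }
  let host;
  try {
    const ref = new URL(refererHeader);          // throws on garbage
    if (ref.protocol !== 'http:' && ref.protocol !== 'https:') {
      return 'block';
    }
    host = ref.hostname;                          // already lower-cased by URL
  } catch (err) {
    return 'block';                               // unparseable: treat as foreign
  }
  // Exact host match, so example.com.evil.test does not slip through a
  // loose substring or suffix test.
  return allowedHosts.has(host) ? 'allow' : 'block';
}

// Only image-type resources are protected; HTML pages are never blocked,
// whatever the Referer, otherwise links from other sites would stop working.
const PROTECTED = /\.(gif|jpe?g|png)$/i;

function shouldBlock(path, refererHeader, allowedHosts = ALLOWED_HOSTS) {
  if (!PROTECTED.test(path)) {
    return false;
  }
  return hotlinkDecision(refererHeader, allowedHosts) === 'block';
}

module.exports = { ALLOWED_HOSTS, hotlinkDecision, shouldBlock };
```

Two points worth keeping in mind when you translate this back into rewrite conditions. The Referer header is entirely under the client's control, so this is bandwidth hygiene rather than access control: a determined scraper simply sends a matching Referer. And allowing an empty Referer is deliberate, because many browsers and privacy extensions strip it and blocking it would break direct visitors; the trade-off is that a hot-linker who strips it gets through too.
]]>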
				</description>
				
				
				<category>Security</category>
				
				<category>Isapi rewrite</category>
				
				<category>Server management</category>
				
				<pubDate>Tue, 14 Jun 2011 13:37:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2011/6/14/Using-url-rewriting--htaccess-or-httpdini--to-block-hot-linking-resources</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>The Coldfusion Hash() function decoded - kind of</title>
				<link>http://www.mccran.co.uk/index.cfm/2011/1/23/The-Coldfusion-Hash-function-decoded--kind-of</link>
				<description>
				
				I&apos;ve always believed that using the hash() function in ColdFusion is a one way process. If I wanted to get a string back again I had to use Encrypt() and Decrypt() instead. The Adobe documentation states that &quot;It is not possible to convert the hash result back to the source string&quot; - &lt;a href=&quot;http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c52.html&quot; target=&quot;_blank&quot;&gt;Adobe Docs for Hash()&lt;/a&gt;.

Strictly speaking this is still true, but hash() defaults to MD5, and some bright spark has decided to host a database of precomputed MD5 digests of common strings with a lookup service in front of it. Nothing is being inverted: if your input was short or common, its digest is simply already in the table. The usual defence is to hash a random per-user salt together with the value, and to use a stronger algorithm than MD5.
				 [More]
				</description>
				
				
				<category>Security</category>
				
				<category>Coldfusion</category>
				
				<category>Best practices</category>
				
				<pubDate>Sun, 23 Jan 2011 22:29:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2011/1/23/The-Coldfusion-Hash-function-decoded--kind-of</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Permission denied for javascript methods, SSL security error between parent and child windows</title>
				<link>http://www.mccran.co.uk/index.cfm/2010/11/2/Permission-denied-for-javascript-methods-SSL-security-error-between-parent-and-child-windows</link>
				<description>
				
				I recently integrated a postcode lookup service into a checkout process. It consisted of a pop up window that made an HTTP call to a web service, which returned a JSON object of postcode data.

The data itself was returning successfully, and is output into a select field, so that the user can choose one of the address records from the many returned.

The problem I had arose when I ran a script to write the selected address data back from the pop up window to the parent window. Something like this:

&lt;code&gt;

&lt;script type=&quot;text/javascript&quot;&gt;
	$(document).ready(function() {

		$(&apos;.submitButton&apos;).click(function() {

			// value of the selected option, in the form &quot;street, area, town&quot;
			var selectedPcode = $(&apos;.address&apos;).val();

			if (selectedPcode == undefined || selectedPcode == &apos;&apos;) {
				alert(&apos;Please select an address&apos;);
			}

			else {
				// split the string into its address parts and trim the whitespace
				var mySplitResult = selectedPcode.split(&quot;,&quot;);

				var street = jQuery.trim(mySplitResult[0]);
				var area = jQuery.trim(mySplitResult[1]);
				var town = jQuery.trim(mySplitResult[2]);

				// set the parent form field values, then close the pop up.
				// window.opener is the page that opened this window; the browser
				// only allows this access when both pages share the same origin
				window.opener.document.form.evAddress1.value = street;
				window.opener.document.form.evAddress2.value = area;
				window.opener.document.form.evTown.value = town;
				window.close();
			}

		});
	});
&lt;/script&gt;


&lt;/code&gt;

The code above will just split out the address parts and write them out to the corresponding fields in a form in the parent window. At this point I was seeing an error message:

&lt;code&gt;
Permission denied for javascript.... Line xxx
&lt;/code&gt;

The problem stems from the fact that the parent window was served over SSL and the pop up was not. The browser&apos;s same-origin policy treats scheme, host and port together as the origin, so https://www.example.com and http://www.example.com are two different origins, and script in one window is refused access to the other window&apos;s DOM. That refusal is the &quot;Permission denied&quot; error.

So make sure that your parent and child windows are both served under the same protocol (and the same host and port); otherwise the write to window.opener is stopped as a cross-origin script injection, exactly as it would be if the pop up came from a different domain.
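<![CDATA[
The origin comparison the browser applies, and the alternative when the two windows cannot share an origin, as an added JavaScript example that is not code from the original post and goes a step beyond it: instead of writing into window.opener, the pop up would post a message and the parent would validate its origin before touching the form. The URLs, the message shape and the function names are assumptions for illustration.

```javascript
// Added example, not code from the original post: the origin check behind
// the "Permission denied" error, and a postMessage handler for the parent
// that works across origins. URLs, field names and the message shape are
// assumptions.

// An origin is scheme + host + port; a missing port takes the scheme default,
// and path, query and fragment play no part.
function originOf(urlString) {
  return new URL(urlString).origin;   // e.g. "https://shop.example"
}

// This is the comparison that failed for an http:// pop-up and an https://
// parent: the host was the same, the scheme (and so the port) was not.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Parent-side handler for a message the pop up would send with
//   window.opener.postMessage({ type: 'address', value: 'street, area, town' }, parentOrigin)
// The parent must check event.origin itself: any page that holds a reference
// to this window can post to it, so an unchecked handler would let a hostile
// page fill in the checkout form. Returns the field values to apply, or null
// to ignore the message.
function acceptAddressMessage(event, allowedOrigin) {
  if (event.origin !== allowedOrigin) {
    return null;
  }
  const data = event.data;
  if (!data || data.type !== 'address' || typeof data.value !== 'string') {
    return null;
  }
  // Same split-and-trim as the pop up script, with the shape enforced.
  const parts = data.value.split(',').map((s) => s.trim());
  if (parts.length !== 3 || parts.some((p) => p === '')) {
    return null;
  }
  return { evAddress1: parts[0], evAddress2: parts[1], evTown: parts[2] };
}

module.exports = { originOf, sameOrigin, acceptAddressMessage };
```

In the real page the handler is wired up with window.addEventListener('message', ...) and the returned object is copied into the form fields; the pop up in turn passes the parent's exact origin as the second argument of postMessage so the address is never delivered to a window that is not the checkout page.
]]>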
				
				</description>
				
				
				<category>Security</category>
				
				<category>Javascript</category>
				
				<pubDate>Tue, 02 Nov 2010 15:53:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2010/11/2/Permission-denied-for-javascript-methods-SSL-security-error-between-parent-and-child-windows</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Securing server side Coldfusion code with cfcompile</title>
				<link>http://www.mccran.co.uk/index.cfm/2010/11/1/Securing-server-side-Coldfusion-code-with-cfcompile</link>
				<description>
				
				If you ever need to protect your intellectual property, or you have suspicions that your code may be accessed on a server and tampered with, then your best option is to compile your code base.

This article addresses how to use the cfcompile command, and what it actually does to your code base.
				 [More]
				</description>
				
				
				<category>Security</category>
				
				<category>Coldfusion</category>
				
				<pubDate>Mon, 01 Nov 2010 11:46:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2010/11/1/Securing-server-side-Coldfusion-code-with-cfcompile</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Forcing an SSL redirect using Coldfusion</title>
				<link>http://www.mccran.co.uk/index.cfm/2010/9/7/Forcing-an-SSL-redirect-using-Coldfusion</link>
				<description>
				
				I&apos;ve never really coded much around individual secure templates, but this afternoon I found myself working in a framework where certain templates were required to be called with the &apos;https&apos; URL instead of the standard non-secure URL.

This turns out to be incredibly easy. There is a variable in the CGI scope that tells you whether the request arrived on a secure port: cgi.server_port_secure returns true or false (1/0), so you can use it to redirect people to where they should be. One caveat: if a load balancer or proxy terminates SSL in front of ColdFusion, every request reaches the server on a plain port and cgi.server_port_secure is false for all of them, so this redirect would loop. In that setup test the header the proxy sets to mark secure requests (typically X-Forwarded-Proto) instead.

&lt;code&gt;


&lt;cfif NOT cgi.server_port_secure&gt;

	&lt;!--- rebuild the request as an https URL, keeping any query string so
	      the user lands on the same page state rather than a bare template ---&gt;
	&lt;cfset secureUrl = &quot;https://&quot; &amp; cgi.server_name &amp; cgi.script_name&gt;
	&lt;cfif len(cgi.query_string)&gt;
		&lt;cfset secureUrl = secureUrl &amp; &quot;?&quot; &amp; cgi.query_string&gt;
	&lt;/cfif&gt;

	&lt;cflocation url=&quot;#secureUrl#&quot; addtoken=&quot;false&quot;&gt;

&lt;/cfif&gt;


&lt;/code&gt;

I&apos;ve used other cgi values above as I&apos;ve put this in a &apos;prefuseaction&apos; function in a fusebox CFC controller file. That way all requests to any actions in that file are routed to the SSL equivalent.
				
				</description>
				
				
				<category>Security</category>
				
				<category>Coldfusion</category>
				
				<pubDate>Tue, 07 Sep 2010 14:36:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2010/9/7/Forcing-an-SSL-redirect-using-Coldfusion</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Flex webservices security error accessing url</title>
				<link>http://www.mccran.co.uk/index.cfm/2010/7/23/Flex-webservices-security-error-accessing-url</link>
				<description>
				
				I&apos;ve been working with some client side flash developers recently and we came across an unusual error that was being thrown in a Flex application when we were sending a webservice request to a Coldfusion server.

The error was &quot;Security error accessing URL&quot;. I thought I&apos;d overcome this a long time ago by using the crossdomain.xml file to allow the SWF access to services on the server.

It turns out that later builds of Flash Player 9 treat SOAPAction as a custom HTTP header and will not send it to another domain unless that domain&apos;s crossdomain.xml explicitly permits it, so the following line has to be added to the file:

&lt;code&gt;
&lt;allow-http-request-headers-from domain=&quot;*&quot; headers=&quot;SOAPAction&quot;/&gt;
&lt;/code&gt;

The line permits requests carrying the SOAPAction header from a SWF loaded from any domain, which is what a SOAP web service call needs. domain=&quot;*&quot; is wider than necessary, though: list only the domain(s) that actually serve your Flex application, otherwise a SWF on any site can send SOAP requests to your services using the visitor&apos;s browser and cookies.
				
				</description>
				
				
				<category>Flex Remoting</category>
				
				<category>Security</category>
				
				<category>Development</category>
				
				<pubDate>Fri, 23 Jul 2010 15:24:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2010/7/23/Flex-webservices-security-error-accessing-url</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Changing the 404 template handler in IIS</title>
				<link>http://www.mccran.co.uk/index.cfm/2010/3/2/Changing-the-404-template-handler-in-IIS</link>
				<description>
				
				You could use a 404 ColdFusion template to handle missing templates, or the onMissingTemplate function in Application.cfc. Luckily I have a client with half a dozen sites all on the same server, with nothing else on it, so it makes more sense to do this in Internet Information Services.

404 templates are a handy way of masking any site errors or missing templates. Not only are they a cosmetic fix to nasty display errors, they also seriously help your server security: the default error page leaks server paths, version strings and stack traces to anyone probing for files that are not there.
				 [More]
				</description>
				
				
				<category>Security</category>
				
				<category>Best practices</category>
				
				<category>Server management</category>
				
				<category>Microsoft</category>
				
				<pubDate>Tue, 02 Mar 2010 15:36:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2010/3/2/Changing-the-404-template-handler-in-IIS</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Internet dating disasters site - Online fraud and security</title>
				<link>http://www.mccran.co.uk/index.cfm/2010/1/20/Internet-dating-disasters-site--Online-fraud-and-security</link>
				<description>
				
				A popular daytime television show in the UK has recently broadcast an article on Internet security and Internet dating. With Online Dating being an industry I worked in for a brief period this was quite relevant to me.

&lt;a href=&quot;http://www.itv.com/lifestyle/thismorning/more/internetdatingdisasters/&quot; target=&quot;_blank&quot;&gt;http://www.itv.com/lifestyle/thismorning/more/internetdatingdisasters/&lt;/a&gt;

The main aim of Sally Cornock&apos;s site is to warn of &apos;love rats&apos; and suspicious profiles online. It appears that she was stung by a serial dater online and has done something about it.

It highlights the dilemma of free to join, fixed cost membership sites quite well though. Most dating sites are free to join. They provide very little functionality, and no interaction at all with other members UNLESS you upgrade your account and pay a fee. When you understand this it makes policing this near on impossible. 

Sally Cornock has raised the issue of potentially having a governing body to perform validation on members as they join, so that you know someone is who they say they are. This would discourage a massive percentage of the market, as signing up for free by providing only one or two fields of data is simple. But passing an online verification is an extra level of hassle to the &quot;casual shopper&quot;, which most people are. When you look at the statistics only a tiny number of signups ever convert to full membership.

It nicely highlights some of the less technical aspects of web usage, click through below to read more:

&lt;a href=&quot;http://www.crimestoppers-uk.org/crime-prevention/helping-prevent-crime/personal-safety/online-dating-safety&quot; target=&quot;_blank&quot;&gt;http://www.crimestoppers-uk.org/crime-prevention/helping-prevent-crime/personal-safety/online-dating-safety&lt;/a&gt;

&lt;a href=&quot;http://www.e-victims.org/&quot; target=&quot;_blank&quot;&gt;http://www.e-victims.org/&lt;/a&gt;

&lt;a href=&quot;http://www.suzylamplugh.org/personal-safety/personal-safety-tips/safety-on-the-internet/&quot; target=&quot;_blank&quot;&gt;http://www.suzylamplugh.org/personal-safety/personal-safety-tips/safety-on-the-internet/&lt;/a&gt;

&lt;a href=&quot;http://www.victimsupport.org.uk/help%20for%20victims/Get%20information%20victims/Information%20about%20specific%20crimes/Cyber%20crime&quot; target=&quot;_blank&quot;&gt;http://www.victimsupport.org.uk/help%20for%20victims/Get%20information%20victims/Information%20about%20specific%20crimes/Cyber%20crime&lt;/a&gt;
				
				</description>
				
				
				<category>Security</category>
				
				<category>General Interest</category>
				
				<category>Social media</category>
				
				<pubDate>Wed, 20 Jan 2010 17:42:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2010/1/20/Internet-dating-disasters-site--Online-fraud-and-security</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Using Isapi / Apache rewriting to mask URL strings, for cosmetics and security</title>
				<link>http://www.mccran.co.uk/index.cfm/2009/12/22/Using-Isapi--Apache-rewriting-to-mask-URL-strings-for-cosmetics-and-security</link>
				<description>
				
				One of the more recent additions to my ColdFusion frameworks is masking the uglier URLs using ISAPI rewrite. In this article I&apos;ll be using Helicon&apos;s ISAPI_Rewrite, but Apache&apos;s mod_rewrite works in much the same way.

Usually in your ColdFusion framework (and in most other technologies) you are passing around a variable or two to control the page content, and more often than not it is in the URL. It never looks particularly clean if your URL has a long name/value query string behind it, like this:

&lt;code&gt;
http://www.mysite.com/index.cfm?variable1=pagename&amp;location=england&amp;value=7
&lt;/code&gt;

&lt;h3&gt;Cosmetic reasons&lt;/h3&gt;

So there are two reasons why URL rewriting seems like a good idea.

Firstly, to mask those ugly URLs with a URL rewriter. On a basic level it rewrites a request that matches a pattern to the URL you tell it to, turning your ugly list of name/value pairs into a user-friendly URL. If you are pitching this to a client it looks a lot more professional.

&lt;h3&gt;Security reasons&lt;/h3&gt;

Secondly there is an added security benefit here. The URL gives a lot away about a website, like what the code base is, and is potentially a window on the internal workings of a website. Take a normal FuseBox application for example. The normal URL might be:

&lt;code&gt;
www.mysite.com/index.cfm?fuseaction=controller.action&amp;othervalues=values
&lt;/code&gt;

From here it is very easy to start messing around with the controller names, trying to dig out an &apos;admin&apos; controller, or other common function controllers. Similarly, adding values to pages where it is obvious a query has been fired is an easy way of testing whether the developer is using &apos;cfqueryparam&apos;, with potentially disastrous results.

Along the same lines it is quite simple to inject form values into the URL (like this &lt;a href=&quot;http://www.mccran.co.uk/index.cfm/2009/7/30/Cross-site-Script-hacking-using-the-GET-method&quot;&gt;http://www.mccran.co.uk/index.cfm/2009/7/30/Cross-site-Script-hacking-using-the-GET-method&lt;/a&gt;). By masking the URL and the values you make it harder to do this: if you can&apos;t see the real URL and its parameter names, it takes more effort to fool around with them. Be clear about what this buys you, though. The rewritten request still arrives at index.cfm with the same parameters, and the original index.cfm?fuseaction=... form still works unless you add a rule that refuses it, so rewriting hides names from casual inspection; it does not replace cfqueryparam, input validation or a proper access check on each fuseaction.

So far I am implementing a rewrite script that will rewrite URLs into friendly strings, here is a modified version of the .htaccess file I&apos;m using.

&lt;code&gt;
# Helicon ISAPI_Rewrite configuration file
# Version 3.1.0.68

RewriteEngine on
RewriteBase /wwwroot/

# generic: /requestID/&lt;token&gt;/&lt;params&gt;/ carries an encrypted parameter block.
# [^/]+ keeps each capture to a single path segment; [L] stops at the first match
RewriteRule ^requestID/([^/]+)/([^/]+)/?$ index.cfm?decryptURL=$1&amp;params=$2 [L]

# site pages. Each pattern is anchored (^ and $) so that &apos;search&apos; matches only
# /search or /search/, and not /research or /search/anything
RewriteRule ^home/?$ index.cfm?go=controller.home [L]
RewriteRule ^contact/?$ index.cfm?go=controller.contact [L]
RewriteRule ^login/?$ index.cfm?go=controller.login [L]
RewriteRule ^privacy/?$ index.cfm?go=controller.privacy [L]
RewriteRule ^about/?$ index.cfm?go=controller.about [L]
RewriteRule ^faqs/?$ index.cfm?go=controller.faqs [L]
RewriteRule ^search/?$ index.cfm?go=controller.search [L]
&lt;/code&gt;

This code starts off by turning the RewriteEngine on, then setting the RewriteBase; this is typically your web root, or the root of the site the file is for. The generic rule then maps any request of the form requestID/token/params/ back onto index.cfm, passing the two captured segments as the decryptURL and params query parameters.

The main part of the code is where we set an individual RewriteRule for each URL. The first example (home) looks for a request whose path matches the &apos;home&apos; pattern, and rewrites it to the target URL on the right-hand side of the rule (index.cfm?go=controller.home).
Pretty straightforward really. 

There is a lot more you can do with this, and hopefully I&apos;ll get to explore rewriting in more depth in the future.
				
				</description>
				
				
				<category>Software Architecture</category>
				
				<category>Security</category>
				
				<category>Development</category>
				
				<pubDate>Tue, 22 Dec 2009 22:44:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2009/12/22/Using-Isapi--Apache-rewriting-to-mask-URL-strings-for-cosmetics-and-security</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Cross site Script hacking using the GET method</title>
				<link>http://www.mccran.co.uk/index.cfm/2009/7/30/Cross-site-Script-hacking-using-the-GET-method</link>
				<description>
				
				I&apos;ve dealt with Cross Site scripting (XSS) attacks before (&lt;a href=&quot;http://www.mccran.co.uk/index.cfm/2009/4/6/Cross-Site-scripting-hack-test-form&quot;&gt;http://www.mccran.co.uk/index.cfm/2009/4/6/Cross-Site-scripting-hack-test-form&lt;/a&gt;), so I&apos;m familiar with the principles involved. In this example there is a subtle difference.

In the example above the vulnerability was created by POSTing a text string through the form action. In this example we will examine a similar vulnerability using GET, i.e. we will simply pass the attacking string through the URL of the form, setting the form field value in the traditional &apos;url?variable=N&apos; way.

To demonstrate this create a simple form:

&lt;code&gt;
&lt;cfparam name=&quot;attributes.formValue&quot; default=&quot;&quot;&gt;

&lt;form&gt;

&lt;input type=&quot;text&quot; name=&quot;formValue&quot; size=&quot;20&quot; value=&quot;&lt;cfoutput&gt;#attributes.formValue#&lt;/cfoutput&gt;&quot;&gt;
&lt;input type=&quot;submit&quot; name=&quot;Action&quot; value=&quot;Send&quot;&gt;

&lt;/form&gt;
&lt;/code&gt;

Call your form in a browser. Now append on the end of that url the text string below.


?attributes.formValue==&gt;&quot;&gt;&lt;%2Ftitle&gt;&lt;%2Fiframe&gt;&lt;%2Fscript&gt;&lt;%2Fform&gt;&lt;%2Ftd&gt;&lt;%2Ftr&gt;&lt;br&gt;&lt;iFraMe+src%3Dhttp%3A%2F%2Fwww.google.com+width%3D900+height%3D1100&gt;&lt;%2FIfRamE&gt;


Reading through the string you&apos;ll notice that it first closes the open value attribute and the input tag (&quot;&gt;), then closes off any enclosing title, iframe, script, form and table elements so the surrounding markup cannot neutralise it, and finally opens an iframe that loads a URL, in this case www.google.com.

As the URL sets the value of &apos;attributes.formValue&apos;, the string is written straight into the value attribute when the page renders; no submit is needed. Nothing is POSTed, so it will not be picked up by any custom code that only inspects the form scope on the POST action.

One interesting point to mention here is that testing this in IE 8, it will actually be blocked by default: the IE 8 XSS Filter spots that the markup in the request URL is reflected back in the response and neuters it.

&lt;img src=&quot;http://www.mccran.co.uk/images/ie_xxs.gif&quot; title=&quot;IE Blocking XXS&quot; /&gt;

So if you are in the habit of writing POST detection scripts, make sure you handle any other submissions as well. Better still, do not rely on spotting attacks in the input at all: encode every value on output, for example with HTMLEditFormat() around #attributes.formValue#, so that &quot; and &lt; become entities and can never close the attribute, whichever scope the value arrived in.
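<![CDATA[
The same reflected-XSS path reproduced in JavaScript as an added example (not code from the original post): the payload from above, percent-encoded as a browser would send it, is read back out of the query string and rendered into the input's value attribute, first untouched and then HTML-encoded. The URL, the helper names and the crude break-out detector are assumptions for illustration.

```javascript
// Added example, not code from the original post: reflected XSS through a GET
// parameter, beside the output encoding that defeats it. URL and helper names
// are assumptions.

// Read one parameter out of a request URL's query string, the way the
// attacker's value reaches attributes.formValue from the URL.
function queryParam(requestUrl, name) {
  const query = requestUrl.split('?')[1] || '';
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    if (safeDecode(rawKey) === name) {
      // '+' is a space in form encoding; decode it before the percent escapes
      return safeDecode(rawValue.replace(/\+/g, ' '));
    }
  }
  return '';
}

function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (err) {
    return s;                     // malformed %xx: keep the raw text
  }
}

// Vulnerable rendering: the value goes into the attribute untouched, exactly
// like value="<cfoutput>#attributes.formValue#</cfoutput>".
function renderFieldUnsafe(value) {
  return '<input type="text" name="formValue" size="20" value="' + value + '">';
}

// Encode the characters that can end an attribute or start a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderFieldSafe(value) {
  return '<input type="text" name="formValue" size="20" value="' + escapeHtml(value) + '">';
}

// Crude detector of a successful break-out: an iframe tag now exists in the
// rendered markup, which the template itself never emits.
function injectedTag(html) {
  return /<iframe[\s>]/i.test(html);
}

// Constructed attack URL carrying the post's payload, percent-encoded as a
// browser would send it (the iframe src is the post's www.google.com).
const ATTACK_URL = 'http://www.mysite.com/index.cfm?attributes.formValue='
  + '%22%3E%3C%2Fform%3E%3CiFraMe+src%3Dhttp%3A%2F%2Fwww.google.com'
  + '+width%3D900+height%3D1100%3E%3C%2FIfRamE%3E';

module.exports = { queryParam, renderFieldUnsafe, renderFieldSafe, escapeHtml, injectedTag, ATTACK_URL };
```

The escaping is done at the output, not the input, which is the part that matters: the same value might arrive via GET, POST or a cookie, but it always leaves through this one render path, so that is the place the encoding belongs.
]]>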
				
				</description>
				
				
				<category>Security</category>
				
				<category>Coldfusion</category>
				
				<category>Best practices</category>
				
				<category>Internet Explorer</category>
				
				<pubDate>Thu, 30 Jul 2009 14:57:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2009/7/30/Cross-site-Script-hacking-using-the-GET-method</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Basic fusebox fuseaction to handle security references</title>
				<link>http://www.mccran.co.uk/index.cfm/2009/7/9/Basic-fusebox-fuseaction-to-handle-security-references</link>
				<description>
				
				I am a big fan of fusebox, I like the way it handles inheritance,  and I love the fact that it instinctively lends itself to a modular approach.

Part of the strength in using fusebox is in knowing exactly when each of the framework fuseactions runs, and just what sort of functionality you can embed in them. In this case I&apos;m using the &quot;prefuseaction&quot; to perform a basic security validation on any fuseactions in that circuit.

&lt;code&gt;
	&lt;cffunction name=&quot;prefuseaction&quot;&gt;
		&lt;cfargument name=&quot;myFusebox&quot; /&gt;
		&lt;cfargument name=&quot;event&quot; /&gt;


	&lt;/cffunction&gt;
&lt;/code&gt;

Above is a blank prefuseaction, insert any code you want to perform on any of the other fuseactions in that circuit here. Note that it runs before the circuit action.

A basic session validation script could be something like:

&lt;code&gt;
		&lt;!--- check that the user is logged in. cflocation ends the request,
		      so nothing below this block runs for an anonymous user ---&gt;
		&lt;cfif NOT isDefined(&apos;session.loggedIn&apos;)&gt;
			&lt;cfset session.logoutMsg = &quot;Your session has timed out, please login again&quot;&gt;
			&lt;cflocation url=&quot;index.cfm&quot;&gt;
		&lt;/cfif&gt;

		&lt;!--- separately check the super admin flag. This has to sit outside the
		      block above, otherwise it is never reached ---&gt;
		&lt;cfif NOT isDefined(&apos;session.superadmin&apos;)&gt;
			&lt;cfset session.logoutMsg = &quot;You do not have sufficient rights to view Super admin functions&quot;&gt;
			&lt;cflocation url=&quot;index.cfm&quot;&gt;
		&lt;/cfif&gt;

&lt;/code&gt;

In the code above I am checking for the session variables, and if one is not there I set an error message and redirect to the homepage. Because both checks use isDefined, the flags must be deleted (or the session invalidated) on logout rather than just set to false, or a logged-out user would still pass.

This is a pretty basic &quot;catch all - are you logged in?&quot; type check, but if you have an administration circuit then it provides good basic fuseaction protection. I&apos;ve extended it out one step further by creating a CFC call to this code which just returns true/false. Something like this:

&lt;code&gt;
&lt;cfif application.security.check()&gt;true&lt;cfelse&gt;false&lt;/cfif&gt;
&lt;/code&gt;

I am currently extending this further with more robust security, and user roles and groups.
				
				</description>
				
				
				<category>Security</category>
				
				<category>Development</category>
				
				<category>Coldfusion</category>
				
				<category>Best practices</category>
				
				<pubDate>Thu, 09 Jul 2009 10:50:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2009/7/9/Basic-fusebox-fuseaction-to-handle-security-references</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>Coldfusion dropping session ID in fusebox application</title>
				<link>http://www.mccran.co.uk/index.cfm/2009/7/2/Coldfusion-dropping-session-ID-in-fusebox-application</link>
				<description>
				
				I recently rolled out a beta version of a new application I&apos;ve been writing, only to discover that there was a bizarre session problem that didn&apos;t exist in dev, but does in live.

I&apos;ve worked it out, but I thought I&apos;d explore it some more. It is a Fusebox 5.5 non-XML application. The error I had was that as soon as I made a call through a &quot;new&quot; circuit, i.e. one I hadn&apos;t called before, ColdFusion would generate a new session ID, and thus invalidate my current active session.

Looking through my application CFC I had this line of code present.

&lt;code&gt;
&lt;cfset this.SetClientCookies = false /&gt;
&lt;/code&gt;

Setting this to true fixed the issue. This is because ColdFusion relies on the CFID and CFTOKEN pair to identify the session on each request. You can either pass these two variables through the URL on every page request, which is a bit messy (and if a link into a new circuit is missing them, as mine was, that request starts a brand new session), or you can use a cookie. setClientCookies is the setting that lets the application store them in cookies on the user&apos;s browser.

The problem with setClientCookies is that the cookies ColdFusion writes are persistent: they are created for that session and left on the user&apos;s PC, even after the session has expired or they have left the application. Also some users will accept per-session cookies but not persistent ones.

Per-session cookies are the more secure choice. They are held in browser memory and discarded when the browser closes, so a stale CFID/CFTOKEN pair is not left on disk to be picked up later and replayed to spoof a previous user&apos;s session. Passing the token through the URL is worse still: it ends up in browser history, proxy and server logs and Referer headers, and is easily changed.

You could put something like this in your onRequestend function in application.cfc

&lt;code&gt;
&lt;cfif IsDefined(&quot;Cookie.CFID&quot;) AND IsDefined(&quot;Cookie.CFTOKEN&quot;)&gt;
	&lt;cfset cfid_local = Cookie.CFID&gt;
	&lt;cfset cftoken_local = Cookie.CFTOKEN&gt;
	&lt;!--- re-issue the same values with no expires attribute: a cookie written
	      without an expiry is a browser-session cookie and is not saved to disk ---&gt;
	&lt;cfcookie name=&quot;CFID&quot; value=&quot;#cfid_local#&quot;&gt;
	&lt;cfcookie name=&quot;CFTOKEN&quot; value=&quot;#cftoken_local#&quot;&gt;
&lt;/cfif&gt;

This will make them per-session. I originally thought that it was something to do with the Fusebox framework, but I had overlooked the simple fact that it was still a new page request, so would be lost. Although this doesn&apos;t explain why I wasn&apos;t getting this error in my development environment but did in live.
				
				</description>
				
				
				<category>Security</category>
				
				<category>Development</category>
				
				<category>Coldfusion</category>
				
				<category>Best practices</category>
				
				<pubDate>Thu, 02 Jul 2009 15:53:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2009/7/2/Coldfusion-dropping-session-ID-in-fusebox-application</guid>
				
				
			</item>
			
		 	
			
			
			<item>
				<title>IE 8 Https security warning pop up prompt annoyances</title>
				<link>http://www.mccran.co.uk/index.cfm/2009/6/19/IE-8-Https-security-warning-pop-up-prompt-annoyances</link>
				<description>
				
				With the continued rollout of IE 8 some issues rise to the top of the pile in the way the browser interacts with users. I can see &apos;why&apos; this next issue occurs, but it doesn&apos;t handle the user interaction very well at all.

One of the more significant changes is the way that IE handles security exceptions. The message to the user has been inverted. Usually a user will look for an &apos;ok&apos; button, but in this instance &apos;ok&apos; is the wrong answer (see screenshot).

&lt;img src=&quot;http://www.mccran.co.uk/images/images//securityWarning.jpg&quot; title=&quot;IE 8 Security Warning&quot;&gt;

This pop up happens when the page you are on is serving non-https content on an https URL, i.e. images and stylesheet links that point at http://url/image.src rather than https://.

The only work around for this seems to be either having a user manually edit their IE settings, like this:

&lt;code&gt;
Tools &gt; internet options &gt; security &gt; custom level &gt; display mixed content: Enable
&lt;/code&gt;

&lt;img src=&quot;http://www.mccran.co.uk/images/images//ieSetting.jpg&quot;&gt;

This isn&apos;t exactly reasonable though. The other fix is to change all your content to be https. This is potentially a huge code change depending on how your site works, although root-relative links (/images/logo.gif) or scheme-relative ones (//www.mysite.com/images/logo.gif) inherit the protocol of the page they are on and avoid hard-coding either.

I was hoping to find an IE 8 compatibility setting to revert this back to the same handling method as IE 7, but that doesn&apos;t seem to exist. If anyone has any ideas feel free to comment!
				
				</description>
				
				
				<category>Security</category>
				
				<category>Best practices</category>
				
				<category>HTML</category>
				
				<category>Web technologies</category>
				
				<pubDate>Fri, 19 Jun 2009 11:57:00 -0000</pubDate>
				<guid>http://www.mccran.co.uk/index.cfm/2009/6/19/IE-8-Https-security-warning-pop-up-prompt-annoyances</guid>
				
				
			</item>
			
		 	
			</channel></rss>