08.15.07
Ajax Security Features In ColdFusion 8
By Raymond Camden
There are some interesting new features in ColdFusion 8 related to security that I thought I'd share.
I just discovered them myself (I'm writing one of the Ajax chapters for CFWACK) and I thought I'd share.
JSON Prefixes
The first new feature is JSON Prefixes. A JSON prefix is simply a string placed in front of the JSON that ColdFusion returns, so that the response cannot be executed as script if it is loaded directly. If you go to your ColdFusion Administrator, you will see a new option under Settings:
Prefix serialized JSON with
This is disabled by default. If you enable it, the default prefix is //, which JavaScript treats as the start of a comment. You can also set this security setting directly in your Application.cfc file using two new settings:
secureJSON
secureJSONPrefix
So for example, I could have this in my Application.cfc:
Now here is the truly cool part. All JavaScript code that ColdFusion generates will automatically work with these settings and remove the prefix before it works with your JSON. Seems darn easy to use.
Also, you can enable secureJSON at the CFFUNCTION level by adding secureJSON="true" to your method. You cannot, however, set a custom prefix there.
VerifyClient
Now this is an interesting one. You can now add verifyClient="true" to a CFFUNCTION, or add it at the top of a CFM page. When used, ColdFusion will look for a special encrypted token sent in by Ajax requests. The docs say that you should only use this option for CFC methods/CFM pages that are called by Ajax requests. You also have to enable client or session management for this to work.
For more information, see page 685 of the ColdFusion 8 Developer's Guide.
About the Author:
Raymond Camden, ray@camdenfamily.com
http://ray.camdenfamily.com
Raymond Camden is Vice President of Technology for roundpeg, Inc. A long time ColdFusion user, Raymond has worked on numerous ColdFusion books and is the creator of many of the most popular ColdFusion community web sites. He is an Adobe Community Expert, user group manager, and the proud father of three little bundles of joy.