Hack Proofing ColdFusion - The Only Way to Stop a Hacker Is to Think Like One


Document information

From the authors of the bestselling HACK PROOFING™ YOUR NETWORK
The Only Way to Stop a Hacker Is to Think Like One

  • Complete Coverage of ColdFusion 5.0 and Special Bonus Coverage of ColdFusion MX
  • Hundreds of Damage & Defense, Tools & Traps, and Notes from the Underground Sidebars, Security Alerts, and FAQs
  • Complete Coverage of the Top ColdFusion Hacks™

1 YEAR UPGRADE BUYER PROTECTION PLAN
Greg Meyer, David An, Rob Rusher, Sarge, Daryl Banttari; Steven Casco, Technical Editor
193_HPCF_FC.qxd 3/22/02 3:10 PM Page 1

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

  • One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
  • “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
  • Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
  • Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening. www.syngress.com/solutions
193_HPCF_FM.qxd 3/19/02 11:43 AM Page i

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY Syngress Publishing, Inc., 800 Hingham Street, Rockland, MA 02370

Hack Proofing ColdFusion. Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-77-6
Technical Editor: Steven Casco
Cover Designer: Michael Kavish
Technical Reviewer: Sarge
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Matt Pedersen
Copy Editor: Beth A. Roberts
Developmental Editor: Kate Glennon
Indexer: Kingsley Indexing Services
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.

Jacquie Shanahan, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope.

Annabel Dent and Paul Barry of Elsevier Science/Harcourt Australia for all their help.

David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

Contributors

Daryl Banttari (CNE-3, CNE-4, Certified Advanced CF Developer) is a Senior Consultant with Macromedia. He currently provides on-site services for clients using ColdFusion for their projects, including load testing, architecture and code review, and incident resolution. With 20 years of computing experience, his background includes programming, networking, mainframe systems management, database administration, and security planning and implementation. Daryl is also the author of Daryl’s TCP/IP Primer (www.ipprimer.com/) and Daryl’s ColdFusion Primer (www.cfprimer.com/).

Greg Meyer (Macromedia Certified Advanced ColdFusion 5.0 Developer) is a Senior Systems Engineer with Netegrity. He currently plans and executes QA and programming efforts for a technical sales support team, and provides senior-level consulting on IT integration projects within Netegrity. Greg provides lead programming duties for the support intranet/extranet. Greg’s specialities include Macromedia ColdFusion, Web application design and development, content management systems, IT consulting, and general problem solving. His background includes positions at Allaire, where he worked on the Web team and led an Allaire Spectra QA team, and eRoom, where he worked in Professional Services.

Rob Rusher (Certified ColdFusion Instructor + Developer) is a Principal Consultant with AYC Ltd. He currently provides senior-level strategic and technical consulting services, classroom instruction, and technology presentations. His specialties include application design and development, project management, and performance tuning. Rob’s background includes positions as a Senior Consultant at Macromedia (Allaire), and as a Senior Software Engineer at Lockheed Martin.

David Scarbrough is the Senior ColdFusion Developer for ICGLink, Inc. in Brentwood, Tennessee (www.icglink.com). ICGLink, Inc. provides world-class Web hosting and has been producing sites for a wide range of clients since 1995. David also owns Nashville Web Works (www.nashvillewebworks.com), a Nashville, Tennessee-based consulting firm that specializes in ColdFusion Internet and intranet application development, network design and back office system integration and security. David has worked in the IT industry, in both the defense and civilian sector, for almost 15 years and has a wide range of technical experience. He has a bachelor of science degree in Computer Science from Troy State University in Montgomery, Alabama and has a Master Certification in ColdFusion 4.5. David resides in Springfield, Tennessee with his wife, Suzanne and their two daughters, Kelsey and Grace.

David Vaccaro is Senior Web Application Developer and President of X-treme Net Development, Inc., also known as XNDinc.com, an Internet application development firm in Massachusetts. David has been developing with ColdFusion since version 0.0. During the development stages of ColdFusion, David was in constant contact with J.J. Allaire, watching this amazing new software develop while helping with bugs and new ideas. ColdFusion has allowed David to build application driven Web sites for companies such as AOL, Netscape, Nike, Motorola, MIT, and OnVia. He also is founder of a ColdFusion developer source Web site, allColdFusion.com. David has been involved with Internet technology since 1976 and says that with ColdFusion as his development tool of choice, he no longer believes that the Web has limits.

Samantha Thomas has been programming ColdFusion applications for over two years. She works at Medseek, where she developed ColdFusion modules for their SiteMaker product, a Web site content management package for health care systems. She also trains clients nationwide on SiteMaker. For 10 years prior, she was a graphic/Web designer, finding Web backend functionality much more intriguing and challenging than interface design. After viewing a then-current commercial for the Volkswagen Jetta, in which a programmer, who codes 15 hours a day, happily jumps in his new car and spins off, she decided that was the job, and car, for her. Samantha is currently focusing on programming in the .NET arena with C#, as well as on COM+ integration. She also contributed to the ColdFusion 5.0 Developer’s Study Guide. She would like to thank Mom and Mikey for their support.

John Wilker (Macromedia Certified ColdFusion Developer) has been writing HTML since 1994, and has been developing ColdFusion Applications since early 1997. He has been published in the ColdFusion Developers Journal, and is the President of the Inland Empire ColdFusion Users Group (CFUG). During his career in IT, he has worked as a hardware technician, purchasing agent, inside sales, Web developer, team lead, and consultant. He’s written books on ColdFusion and the Internet development industry. John contributed several chapters to the ColdFusion 5.0 Certified Developer Study Guide.

David An is the Director of Development at Mindseye.
Mindseye, based in Boston, Massachusetts, is a leading designer, developer and integrator of award winning Web applications. David is responsible for leading the company’s technology direction, from research to implementation, from browser to database. He is also the lead ColdFusion developer, and has been developing using Macromedia products—ColdFusion, Macromedia Spectra, JRun, and Flash—for about four years. With Mindseye, David has worked for such high-profile clients as Macromedia, Allaire, FAO Schwarz, Reebok, Hewlett-Packard, DuPont, and Hasbro. His background includes previous positions as a database administrator; Cisco, Web, mail, and security administrator at an ISP; and as a freelance Web architect. David would like to thank Mindseye for lending resources and time to the research in this book, especially Beta Geek, Maia Hansen for technical and proofreading support.

Carlos Mendes, Jr. is an independent consultant who has developed applications for companies such as WorldCom, Booz | Allen | Hamilton, and Vexscore Technologies. He has been developing Web-based applications in ColdFusion since its birth, and also specializes in ASP and LAN/WAN. Carlos also conducts seminars on Web technologies at the local small business administration office, and has published several articles on the subject. He volunteers his time consulting with small business owners on technology needs for business growth. Carlos is a graduate of the University of Maryland at College Park, holding bachelor’s degrees in Management Information Systems and Finance.

[...]... (RDS)
Chapter 1 Thinking Like a Hacker
Introduction
Understanding the Terms
A Brief History of Hacking
Telephone System Hacking
Computer Hacking
Why Should I Think Like a Hacker?
What Motivates a Hacker?
Ethical Hacking versus Malicious Hacking
Mitigating Attack Risk in Your ColdFusion Applications
Validating Page Input
Functionality with Custom Tags and CFMODULE
The Top ColdFusion Application Hacks
Form...

... nonprogrammers—are attractive attributes to hackers. The purpose of this chapter is to introduce you to the hackers who will try to break into your ColdFusion Web application, and to suggest tactics that you can use in your application building to mitigate the risks of hacking. Hackers will attempt to target the weakest links in your application: you should know in advance what those areas are and how you can...

... box was the only device a non-phone-company employee could use to emulate the signals a phone was using. The line was actually an internal line for Ma Bell, and only a few people knew of its existence. What the phreaker had to do was DTMF dial into the line via a blue box. Being able to access the special line was the basic equivalent to having root access into Ma Bell. The irony of this elaborate phone...

... in various ways. Security professionals hack into networks and applications because they are asked to; they are asked to find any weakness that they can and then disclose them to their employers. They are performing ethical hacking in which they have agreed to disclose all findings back to the employer, and they may have signed nondisclosure agreements to verify that they will not disclose this information...

... even realize the depth of what they are attempting to do. However, as time goes on, and their skills increase, they begin to realize the potential of what they are doing. There is a misconception that hacking is done mostly for personal gain, but that is probably one of the least of the reasons. More often than not, hackers are breaking in to something so that they can say they did it. The knowledge a hacker...

... ARPANET were The University of California at Los Angeles, Stanford, the University of California at Santa Barbara, and the University of Utah. These four connected nodes unintentionally gave hackers the ability to collaborate in a much more organized manner. Prior to the ARPANET, hackers were able to communicate directly with one another only if they were actually working in the same building. This was...

... hacker amasses is a form of power and prestige, so notoriety and fame—among the hacker community—are important to most hackers. (Mainstream fame generally happens after they’re in court!) Another reason is that hacking is an intellectual challenge. Discovering vulnerabilities, researching a mark, finding a hole nobody else could find—these are exercises for a technical mind. The draw that hacking has for...

... if he has ever hacked. Ask yourself if you have ever been a hacker. The answers will probably be yes. We have all hacked, at one time or another, for one reason or another. Administrators hack to find shortcuts around configuration obstacles. Security professionals attempt to wiggle their way into an application/database through unintentional (or even intentional) backdoors; they may even attempt to bring...

... work together as one large group, rather than working in small isolated communities spread throughout the United States. The ARPANET gave hackers their first opportunity to discuss common goals and common myths and even publish the work of hacker culture and communication standards. (The Jargon File, mentioned earlier, was developed as a collaboration across the Net.)

Telephone System Hacking

A name that is...

... of disclosing weaknesses that have been discovered and are exploitable. Malicious hackers are more likely to exploit a weakness than they are to report the weakness to the necessary people, thus avoiding having a patch/fix created for the weakness. Their intrusions could lead to theft, a distributed denial-of-service (DDoS) attack, defacing of a Web site, or any of the other attack forms that are listed...

Posted: 25/03/2014, 11:18

Table of contents

  • Cover

  • Table of Contents

  • Foreword

  • Chapter 1

  • Chapter 2

  • Chapter 3

  • Chapter 4

  • Chapter 5

  • Chapter 6

  • Chapter 7

  • Chapter 8

  • Chapter 9

  • Chapter 10

  • Chapter 11

  • Chapter 12

  • Index
