Sunday, April 25, 2021

Second post - a blog introduction

A new security blog. In 2021. Um...yeah. 

I’ve been working in information security for the past 20+ years. These days, most of my focus is on application security, penetration testing, red teaming, and offense — although I have plenty of slowly-aging experience in incident response, security operations, network/security engineering, UNIX administration, and policy work too.

Wednesday, April 21, 2021

SSRF in ColdFusion/CFML Tags and Functions

TL;DR: Several ColdFusion/CFML tags and functions can process URLs as file path arguments -- including some tags and functions that you might not expect. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities in your code. Developers should be sure to validate any user input passed to the affected tags and functions.