Wednesday, November 9, 2022

On ColdFusion, XXE, and other XML Attacks

An Introduction

This is the first of what may become a few blog posts based on my CFSummit 2022 talk. Plus, with the release of Adobe Security Bulletin APSB22-44 in October -- which fixed some security bugs that I reported and improved the available ColdFusion XML security options -- I figured this was also a good opportunity to pull together some ColdFusion XML security best practices into one place.

XML data can live in lots of places, beyond the obvious instances of .xml files and XML-like file formats. RSS feeds. REST API requests and responses. SAML and SOAP messages. Office Open XML files such as DOCX, XLSX, PPTX, etc. And several file formats (such as PDF and PNG) include metadata fields that can contain XML.

If your application consumes and processes XML, then XML eXternal Entities (XXE) is a vulnerability class that you need to be aware of and protect against.

Thursday, October 6, 2022

Slides from ColdFusion Summit 2022 - "Below the Surface: Web Vulnerabilities Hiding in your Applications"

Photo credit: @coldfumonkeh

I attended my first CFSummit, where I talked about a handful of web vulnerability classes (SSRF, Session Puzzles, Cryptography flaws, and XML attacks) that might be overlooked by some ColdFusion/CFML developers.  It was a great conference, and I'm looking forward to returning for future events!  My slides are shared below, and I may turn some of the content into forthcoming blog posts.  

Friday, May 27, 2022

Bygone Vulnerabilities - Remote Code Execution in IBM Lotus SameTime Clients (CVE-2013-0553)


It's time to dive into another old vulnerability.  Let's go back to 2013.  Argo lit up the silver screen.  The dulcet sounds of Daft Punk filled the air.  And the kids would tick-tock away the hours online in six-second blocks watching funny Vines.

Old vulnerabilities are interesting history lessons. They capture information about techniques that worked in the past and still could be applicable to modern software today. They also provide guidance to modern software developers about some potential risks and pitfalls to avoid when building applications.