Security on CF8 Ajax Request
Hi All, I'd like to know what kind of security tricks you use when developing a CF application that makes Ajax requests to CFCs (for example with a jQuery request such as $.get('MyComp.cfc?method=mymethod')).

My doubts are mainly about preventing cross-site scripting and preventing CFC methods with access=remote from being intercepted when they are invoked from an Ajax request. I read about verifyClient in CF8 but I did not understand whether it provides all the security needed.

Some links:
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=ajaxdata_11.html#1156357
http://www.coldfusionjedi.com/index.cfm/2007/8/7/More-on-VerifyClient--ColdFusion-8-Ajax-Security-Feature

~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326080
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Security on CF8 Ajax Request
If the request is coming from a logged-in user, it would be validated in onRequest(). If the request is not from a logged-in user, then abort or output something else.
RE: Security on CF8 Ajax Request
Since Ajax requests are just like any other HTTP request your browser sends, they come with all the cookies your application has set. With that in mind, I secure them just like any other page on my site. A decent framework like ColdBox can be handy here since I use an event interceptor to ensure the person is logged in, and that code runs for all events, even the ones proxied for Ajax calls.

Also, leaving a CFC in a web-accessible directory with methods marked remote that don't enforce security is NOT an example of Cross-site Scripting (XSS); it's just a bad idea. You wouldn't do that for the same reasons you don't leave any other sensitive page of your site without a security check.

I don't know what you mean by CFC methods being intercepted. If you want the methods to be secure, secure them. If you want the data they receive and return to be encrypted, use SSL.

verifyClient() is just a built-in way of allowing the browser to send you a special key via URL that proves it is the same client that the initial page was sent to. You add verifyClient=yes to your cffunction, and any ColdFusion Ajax calls you do add the special key to the URL they hit for the Ajax call. What this ensures is that the client making the HTTP request to the CFC is the same client that requested a page containing CF Ajax calls earlier in the same session and not a random one-time request. verifyClient in no way makes sure the user making the request is authenticated to your site via whatever authentication method you are using. And, just like cookies, it can be defeated with a good man-in-the-middle attack unless you are using SSL.
~Brad
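The approach Brad describes, checking the session on every request and treating a remote CFC method like any other protected page, as an added example (my own code, not from any of the posters or from the ColdFusion docs). It assumes an Application.cfc with session management enabled, a session.loggedIn flag and session.userId set by a login page (both hypothetical names), and a hypothetical list of public pages; MyComp.cfc and mymethod are the names from the original question. onRequestStart is used rather than onRequest because onRequestStart fires for remote CFC invocations as well as for .cfm pages.

```cfml
<!--- Application.cfc: gate every request, including Ajax calls to MyComp.cfc?method=... --->
<cfcomponent output="false">
  <cfset this.name = "AjaxSecurityDemo">   <!--- hypothetical application name --->
  <cfset this.sessionManagement = true>

  <cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <!--- pages that may be hit without a session (hypothetical list) --->
    <cfset var publicPages = "/login.cfm,/logout.cfm">

    <cfif NOT structKeyExists(session, "loggedIn") OR NOT session.loggedIn>
      <cfif listFindNoCase(publicPages, arguments.targetPage)>
        <cfreturn true>
      </cfif>
      <!--- Not logged in: answer the Ajax caller with a 401 and a JSON body, then
            abort so the remote CFC method never runs and nothing else is rendered. --->
      <cfheader statuscode="401" statustext="Unauthorized">
      <cfcontent type="application/json" reset="true">
      <cfoutput>{"error":"not authenticated"}</cfoutput>
      <cfabort>
    </cfif>
    <cfreturn true>
  </cffunction>
</cfcomponent>
```

MyComp.cfc then combines verifyClient (which only proves the caller is the same client that received the original page, as Brad notes) with its own authentication check, so the method stays safe even if a misconfigured Application.cfc fails to run the guard above:

```cfml
<!--- MyComp.cfc: remote method called from the page via Ajax --->
<cfcomponent output="false">
  <cffunction name="mymethod" access="remote" returntype="struct" returnformat="json"
              output="false" verifyClient="yes">
    <!--- Defence in depth: re-check the session inside the method as well. --->
    <cfif NOT structKeyExists(session, "loggedIn") OR NOT session.loggedIn>
      <cfthrow type="Security" message="Not authenticated">
    </cfif>
    <!--- Only data belonging to the authenticated user is returned. --->
    <cfreturn {userId = session.userId, ok = true}>
  </cffunction>
</cfcomponent>
```

Because verifyClient="yes" expects the key that ColdFusion's own Ajax tags append to the URL, a hand-written jQuery $.get() call has to carry that key too or the method is rejected; if the page uses only jQuery, the session check alone is the part that does the real authentication work, and SSL is still needed to protect both the cookie and the key in transit.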
Re: Security on CF8 Ajax Request
I would suggest watching Simon Free's excellent presentation on Creating Public Facing APIs, which would apply to Ajax applications, Flex and Flash based applications, AIR applications, and more. He presented this to the Nashville CFUG a while back, and I seem to remember some very nice ideas around ensuring security of your data access. https://admin.adobe.acrobat.com/_a17673838/p90858137/

Steve Cutter Blades
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
Co-Author of Learning Ext JS http://www.packtpub.com/learning-ext-js/book
http://blog.cutterscrossing.com