Security on CF8 Ajax Request

2009-09-08 Thread Davide Campo

Hi All,

I'd like to know what kind of security tricks you use to develop CF 
applications with Ajax requests to CFCs (for example with a jQuery request 
$.get('MyComp.cfc?method=mymethod')).

My doubts are mainly about preventing cross-site scripting and preventing the cfc 
methods with access=remote from being intercepted when invoked with an Ajax request.

I read about verifyClient in CF8 but I did not understand if it provides all 
the security needed.

Some links:

http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=ajaxdata_11.html#1156357

http://www.coldfusionjedi.com/index.cfm/2007/8/7/More-on-VerifyClient--ColdFusion-8-Ajax-Security-Feature



~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326080
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: Security on CF8 Ajax Request

2009-09-08 Thread Tony Bentley

If the request is coming from a logged-in user, it would be validated in 
onRequest(). If the request is not from a logged-in user, then abort or output 
something else.

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326092


RE: Security on CF8 Ajax Request

2009-09-08 Thread brad

Since Ajax requests are just like any other HTTP request your browser
sends, they come with all the cookies your application has set.  With
that in mind, I secure them just like any other page on my site.  A
decent framework like ColdBox can be handy here since I use an event
interceptor to ensure the person is logged in, and that code runs for
all events-- even the ones proxied for Ajax calls.

Also, leaving a cfc in a web-accessible directory with methods marked
remote that don't enforce security is NOT an example of Cross-site
Scripting (XSS), it's just a bad idea.  You wouldn't do that for the
same reasons you don't leave any other sensitive page of your site
without a security check.  I don't know what you mean by cfc methods
being intercepted.  If you want the methods to be secure, secure them.
If you want the data they receive and return to be encrypted, use SSL.

verifyClient() is just a built-in way of allowing the browser to send
you a special key via URL that proves it is the same client that the
initial page was sent to.  You add verifyClient=yes to your cffunction
and any ColdFusion Ajax calls you do add the special key to the URL they
hit for the Ajax call.  What this ensures is that the client making the
HTTP request to the cfc is the same client that requested a page
containing CF Ajax calls earlier in the same session and not a random
one-time request.  verifyClient in no way makes sure the user making the
request is authenticated to your site via whatever authentication method
you are using.  And, just like cookies, it can be defeated with a good
man-in-the-middle attack unless you are using SSL.

~Brad

 Original Message 
 Subject: Security on CF8 Ajax Request
 From: Davide Campo boy_on_ea...@yahoo.it
 Date: Tue, September 08, 2009 7:25 am
 To: cf-talk cf-talk@houseoffusion.com
 
 
 Hi All,
 
 I'd like to know what kind of security tricks you use to develop CF
 applications with Ajax requests to CFCs (for example with a jQuery
 request $.get('MyComp.cfc?method=mymethod')).
 


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326091
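What Tony's and Brad's replies describe in practice, as an added CF8 example that is not code from either poster: Application.cfc refuses any direct hit on a .cfc unless the session is logged in, and the remote method both turns on verifyClient and re-checks the session itself, since verifyClient only ties the call to the same browser client, not to an authenticated user. The session keys isLoggedIn and username, the application name and the component name are assumptions for the example.

```cfml
<!--- Application.cfc (assumed application name; session.isLoggedIn is set by your own login code) --->
<cfcomponent output="false">
    <cfset this.name = "AjaxSecurityDemo">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- A remote CFC call is just another HTTP request carrying the session
              cookies, so it gets the same login gate as every .cfm page.
              Answer with 401 plus a small JSON body instead of a login page,
              because the caller is script ($.get), not a person. --->
        <cfif right(arguments.targetPage, 4) eq ".cfc"
              and not (structKeyExists(session, "isLoggedIn") and session.isLoggedIn)>
            <cfheader statuscode="401" statustext="Unauthorized">
            <cfcontent type="application/json" reset="true">
            <cfoutput>{"error":"not authenticated"}</cfoutput>
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- MyComp.cfc (name taken from the original question) --->
<cfcomponent output="false">
    <!--- verifyClient="true" makes CF reject calls that lack the per-client
          token the ColdFusion Ajax JavaScript appends to the URL. It proves the
          request came from a client that already loaded a CF Ajax page in this
          session; it says nothing about whether that user is logged in, so the
          method still enforces the session check on its own (defence in depth
          in case the Application.cfc gate is ever bypassed or misconfigured). --->
    <cffunction name="mymethod" access="remote" returnformat="json"
                verifyClient="true" output="false">
        <cfif not (structKeyExists(session, "isLoggedIn") and session.isLoggedIn)>
            <cfthrow type="Security" message="Login required">
        </cfif>
        <!--- Only data the caller is entitled to; never echo raw request input back --->
        <cfreturn {"user" = session.username}>
    </cffunction>
</cfcomponent>
```

One caveat for the original jQuery setup: a plain $.get() does not add the verifyClient token, so with verifyClient="true" the call must go through ColdFusion's own Ajax functions (or drop the attribute and rely on the session check alone).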


Re: Security on CF8 Ajax Request

2009-09-08 Thread Cutter (ColdFusion)

I would suggest watching Simon Free's excellent presentation on Creating
Public Facing APIs, which would apply to Ajax applications, Flex and
Flash based applications, AIR applications, and more. He presented this
to the Nashville CFUG a while back, and I seem to remember some very
nice ideas around ensuring security of your data access.

https://admin.adobe.acrobat.com/_a17673838/p90858137/

Steve Cutter Blades
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer

Co-Author of Learning Ext JS
http://www.packtpub.com/learning-ext-js/book
_
http://blog.cutterscrossing.com



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326100