Carnage04
04-08-2010, 06:49 AM
I recently inherited administration of a ColdFusion driven Web Site. The Site has around 750 different pages/support files associated with it. It was written by a "Professional" development company two years ago. I do know some other languages but I am pretty new to ColdFusion. I have written/reworked a few of the pages, but by no means am I completely familiar with large portions of the site.
Just this week, our site was attacked by hackers. Large amounts of data were deleted, links were replaced by links to malware. I knew what that meant: SQL injection. I found the page they were hitting and it was pretty obvious when I looked at it. An integer variable was being passed via URL with no Parameter/Val() to keep it from being abused. So much for the Professional development house. I knew of a few other places where variables were being passed via URL and checked them out. Same thing. I restored the site from backup and fixed the vulnerabilities.
However, now I am responsible for a web site whose creators obviously had a dubious grasp of web security practices. Needless to say, I am very nervous about the security of the rest of the pages. Does anyone have any suggestions about the best way to test for exploitable pages on a ColdFusion site? Software I might run, companies I may contact, things I might read, best practices, anything? Any input I could get would be greatly appreciated.
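The post describes the exact pattern behind the breach: a request variable such as `#url.id#` interpolated straight into a `<cfquery>` instead of being bound with `<cfqueryparam>`. The following added example (not code from the original post or from the site it describes) is a small static checker that finds that pattern across a tree of `.cfm`/`.cfc` files, which is one practical way to triage 750 pages before reading each one by hand. It assumes tag-based `<cfquery>` blocks; queries built in `cfscript` or assembled into a string variable first are not covered, so it is a first pass, not a proof of safety. The three sample pages at the bottom are constructed for illustration: the vulnerable form, the hardened `cfqueryparam` form, and a `Val()`-cast form that is flagged for review rather than as high.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed: CFML source lives in .cfm/.cfc files and only tag-style <cfquery> blocks are inspected.
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# A #...# interpolation: a (possibly dotted) variable, or a function call such as #Val(url.id)#
INTERP_RE = re.compile(r"#([A-Za-z_][\w.]*)(\([^#]*\))?#")

# Scopes that carry attacker-controlled input straight from the HTTP request
TAINTED_SCOPES = {"url", "form", "cookie", "cgi"}


@dataclass
class Finding:
    line: int          # 1-based line number within the scanned text
    expression: str    # the raw #...# expression found inside the SQL
    severity: str      # "high" = request-scope variable interpolated; "review" = anything else


def find_unparameterized_queries(cfml: str) -> List[Finding]:
    """Return every #...# interpolation inside a <cfquery> body that is not wrapped in
    a <cfqueryparam> tag. Interpolations inside cfqueryparam's value attribute are bound
    as parameters by ColdFusion, so those tags are blanked out before searching."""
    findings: List[Finding] = []
    for query in CFQUERY_RE.finditer(cfml):
        body = query.group(1)
        # Blank out each cfqueryparam tag but keep its newlines so line numbers stay accurate
        stripped = CFQUERYPARAM_RE.sub(lambda t: "\n" * t.group(0).count("\n"), body)
        body_first_line = cfml.count("\n", 0, query.start(1)) + 1
        for interp in INTERP_RE.finditer(stripped):
            name, call = interp.group(1), interp.group(2)
            line = body_first_line + stripped.count("\n", 0, interp.start())
            if call is None:
                scope = name.split(".")[0].lower()
                severity = "high" if scope in TAINTED_SCOPES else "review"
            else:
                # e.g. #Val(url.id)#: a numeric cast, not a bind; safe for integers but worth a look
                severity = "review"
            findings.append(Finding(line, interp.group(0), severity))
    return findings


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Scan every .cfm/.cfc file under root; return path -> findings for files with any."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith((".cfm", ".cfc")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_unparameterized_queries(fh.read())
                if found:
                    report[path] = found
    return report


# Constructed sample pages (not from any real site).
VULNERABLE_PAGE = """\
<cfquery name="getArticle" datasource="site">
    SELECT title, body FROM articles
    WHERE id = #url.id#
</cfquery>
"""

HARDENED_PAGE = """\
<cfquery name="getArticle" datasource="site">
    SELECT title, body FROM articles
    WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
</cfquery>
"""

CAST_ONLY_PAGE = """\
<cfquery name="getArticle" datasource="site">
    SELECT title, body FROM articles
    WHERE id = #Val(url.id)#
      AND status = #local.status#
</cfquery>
"""

if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_PAGE), ("hardened", HARDENED_PAGE), ("cast-only", CAST_ONLY_PAGE)]
    for label, page in samples:
        for f in find_unparameterized_queries(page):
            print(f"{label}: line {f.line}: {f.expression} [{f.severity}]")
```

Run `scan_tree("/path/to/webroot")` against a copy of the site and work through the `high` findings first; each one should end up as a `<cfqueryparam>` with the correct `cfsqltype`, which is the fix for both integer and string inputs and makes the `Val()` workaround unnecessary.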