I want to prevent SQL injection attacks. We have a form that asks for the user's AD username and password. Then our processing code looks something like this:
<cfldap name="ldap_result" action="query" server="999.999.999.999"
attributes="userprincipalname,title,samaccountname,sn,name,mail,cn"
filter="(&(objectclass=user)(sAMAccountName=#form.username#))"
start="dc=us,dc=company,dc=lan"
scope="subtree"
username="US\#form.username#"
password="#form.password#">
I would never run a query with user input without cfqueryparam (to wrap the username and password inputs), but is something like that even available to cfldap? (We're on CF10 if that makes a difference.)
UPDATE:
To clarify, when I tried this, I got the following error:
Attribute validation error for tag CFLDAP.It does not allow the
attribute(s) CFSQLTYPE,VALUE.
No, you cannot use the cfqueryparam tag within your cfldap tag. The cfqueryparam is used specifically for SQL queries. You are thinking correctly though. NEVER TRUST USER INPUT
The cfldap tag does give you some protection in and of itself.
LDAP injection
ColdFusion uses the <cfldap> tag to communicate with LDAP servers. This tag has an ACTION attribute that dictates the query performed against the LDAP. The valid values for this attribute are: add, delete, query (default), modify, and modifyDN. All <cfldap> calls are turned into JNDI (Java Naming And Directory Interface) lookups. However, because <cfldap> wraps the calls, it will throw syntax errors if native JNDI code is passed to its attributes, making LDAP injection more difficult.
From page 14 of the ColdFusion 8 developer security guidelines which you should read if you have not done so already. It was written for ColdFusion 8 but much if not all of it is still relevant. There is an updated version of the document for ColdFusion 11 but it actually references the version 8 document as a reference as well.
I would suggest that you go with a whitelist approach here. Your active directory has specific requirements for the username and password fields; only lowercase and uppercase letters, numbers, etc. Create a regular expression that checks the user input for those valid characters only. If either field contains anything else then deny the submission and do not run the cfldap call.
Related
Currently I am using database accounts as my authentication schema and as a result anyone with a valid database account may login. I would like this to be more restrictive. All my users have a prefix in their user account names which specifies the group they belong to. An example would be dev_john, qa_cindy, etc. I would only like a specific group with a certain prefix in their username to be able to login. Database accounts seems to just allow all. I see there is a custom auth, but I am unsure how to get databse users from here.
I think the problem with this would be how to check the Oracle users' passwords from within your custom authentication function. Hopefully there is no way you can find out their passwords to check them, so how can you establish they typed the correct password? Maybe there is a way, I don't know.
However, perhaps more appropriate for this rule would be an authorization scheme. The user can log in, but if their username fails your authorization scheme test, they can't access the application. The test would be a PL/SQL expression like:
:APP_USER like 'QA%' or :APP_USER like 'TEST%'
When user DEV_JOHN logs in, the log in succeeds but all they get is a page saying e.g.
Only QA and TEST users are allowed to access this system.
I am creating a saas, software as a service site with django.
Due to the project requirements the users are inside schemas/tenants, for that im using the fantastic django-tenant-schemas app, one user can have accounts inside different schemas (they share username and password) ... i want to let the user move throught the different schemas they are in more or less freely ... for that i have created a view where the user can select on what schema he wants to be on.
When i use an application wide cookie session that is when i have the cookie setting as ".domain.ext" (django documentation) that works fine but its NOT the behaviour we really want for our application.
What we really need is to be able to have different versions of the app on different browser tabs.
So we have to set the cookie configuration to "domain.ext", then everything breaks because the original view is on one tenant and the next view (where the just logged user really belongs) is inside other tenant then the old cookie is deleted.
So the question is how can i programmatically set the cookie correctly on the new view so the user that really belongs to that tenat is still authenticated.
Or is there any alternative approach we could use for that? Any examples?
EDIT TO CLARIFY as demanded:
Person A belongs to 2 schemas SH1 and SH2 on both of them he has the same username and password.
On every password change the password hash is replicated on all the schemas they belong to so they dont have to remember specific passwords or usernames.
When the person is logged on SH1 the url will be sh1.domain.com when he is logged on SH2 the url will be sh2.domain.com
So lets say the person is now logged on schema SH1, he decides to switch to schema SH2, to be able to do that i need the user to still been authenticated so that view has to be on the SH1 schema, but then its redirected to the new schema force authenticating the user but since the cookie is set as domain specific (default django behaviour) when the user lands on the next url sh1.domain.com/whatever the previous cookie is deleted and thus he has to log in again to be able to access.
If I'm understanding correctly, you want the ability to have the behavior of a cross-domain cookie, but without actually using a cross-domain cookie.
The immediate answer that comes to mind is "well, use a cross-domain cookie". This is pretty much the vanilla example of a situation where you'd want to use use a cross-domain cookie. Engineering a complex solution so that you can avoid using the simple solution never ends well :-) Unless there's some other constraint in play that you haven't revealed, I'd start by questioning whether you shouldn't just be doing this the easy way.
However, assuming there is a good reason (and, frankly, I'd be interested to know what that is), the problem you're going to face is that browser security is essentially trying to stop you doing exactly what you're proposing. You want to know, from domain SH2, whether something has happened to a cookie set on domain SH1. That's exactly the situation that cookie security policies are designed to prevent.
The only way you're going to be able to work around this is to have a third party that can share knowledge. When user A logs into SH1, you do password authentication as normal - but you also post a flag somewhere that says "User A is now on SH1". When A logs into SH2, you post the corresponding flag. If A goes back to SH1, you check against the central source of truth, discover that they're currently on SH2, and force a login.
You probably could do this by manipulating cookies and session keys, but I suspect an easier way would be to use an Authentication backend. What you'll be writing is an authentication backend that is very similar to Django's own backend - except that it will be making checks of cross-domain login status against the central source of truth.
How you implement that "source of truth" is up to you - an in memory cache, database table, or any other source of data will do. The key idea is that you're not trying to rewrite cookies so that the same cookie works on every site - you're keeping each site's cookies independent, but using Django's authentication infrastructure to keep the cookies synchronised as a user moves between domains.
I am wondering where the best place to put XSS protection in our website. Our team is split up into a front end and back end teams and are using REST as an API between our two groups since we use different platforms. We have a field that could hold a subset of HTML that should be protected and I was wondering at what layer this should be done?
Should it not be allowed into the database by the webservice or should it be validated by the consumer on the way out, ensuring safety? For fields that cannot contain HTML, we are just saving as the raw input, and having the front end escape them before presentation.
My viewpoint is that the webservice should respond that the data is invalid (we have been using 422 to indicate invalid updates) if someone tries to use disallowed tags. I am just wondering what other people think.
It's probably not an either/or. The web service is potentially callable from many UIs, and Uis change over time, it should not assume that all its callers are careful/trusted. Indeed could someone invoke your service directly by hand-crafting a query?
However for the sake of usability we often choose to do friendly validation and error reporting in the UI. I've just finished filling in an online form at a web site that barfs in the service layer if any field contains a non alpha-numeric. It would have been so much nicer if the UI had validated a the point of entry rather than rejecting my request after 3 pages of input.
(Not to mention that if the web site asks you for an employer's name, and the name actually contains an apostrophe you seem a bit stymied!)
You should be using both. The typical pattern is to attempt to sanitize scary data on the way in (and you should really be rejecting the request if sanitization was necessary for a given value) and encoding on the way out.
The reason for the former is that encoding sometimes gets missed. The reason for the latter is that your database cannot be trusted as a source of data (people can access it without hitting your client, or your client might have missed something).
A site I am working on (using django) requires that users can access a subset of the functionality temporarily by following a URL sent by email, instead of having to login properly (i.e. with username and password).
I am, of course, aware of the potential security issues with this proposal. Therefore, the tokens included in the url are randomly generated and stored on the server (instead of hashing the username or something similar), and expire.
In addition, I would like to restrict the permissions of users accessing the site through such a token URL, so that they can only access some (very limited) information, while their credentials are required for any more substantial actions.
I had implemented this in a rather crude way: Briefly, instead of authenticating the user through the token, it is stored as a session variable, and the few views that recognize the token validate it. However, it would be great to have an extended solution: For example, a global user.has_token check would be brilliant. I can't imagine, however, how a more elegant solution might be achieved.
So my question is: How would you implement such a system? Is it, for example, possible to temporarily allocate or restrict permissions in django? Might a custom middleware be necessary here?
Any help would be much appreciated. Thanks a lot!
Edit: Following the discussion below, I would like to further specify the question: Would it be efficient to assign groups through a middleware on every page view? Would it be feasible to add properties to the user object at run-time (similar to the user.has_token example above)?
usings django groups you can restict access
below link gives you the example:
http://bradmontgomery.blogspot.com/2009/04/restricting-access-by-group-in-django.html
I'm about to launch a forms auth membership site that will include forms that both international and American users can use to update their profile info and submit requests for info on products (but no actual e-commerce). I'm using asp.net validation controls on the text inputs and I had it pretty tightly filtered for chars using regex detection. Getting some push-back from marketing to open that up some (a lot), so I was looking for some advice on what chars are highest priority to filter in an asp.net form page from a security stance?
Thanks for any tips on this!
When you say submit requests for info on products I'm envisioning a free-text field where a user can enter anything they want, right? In that case you shouldn't be filtering anything. If it's as tight as I think it is then I bet this very answer would be considered bad, which would frustrate your users. =)
We ran into something similar recently where the security folks wanted a whole bunch of special characters locked down. Turns out users can't use periods or apostrophes or hyphens or slashes in their comments - woops! Also turns out that it wasn't required because the ORM being used was already generating parameterized SQL statements that were safe to execute against the DB.
If you're using a modern-day ORM or manually executing parameterized queries against your database I wouldn't worry much at all about enforcing special character restrictions on profile fields.
The main thing is to make sure you aren't exposing yourself to SQL injection. Easiest(?) way to handle that in .net/MSSQL is to make sure you are using either stored procedures or parameterized queries.
Depending on how the content being entered on these forms will later be displayed, you'll also want to check for client-side vulnerabilities (like people trying to enter iframe markup or javascript)