Difference between revisions of "Deconstructing ColdFusion"

From OWASP
Jump to: navigation, search
(Created page with '== The presentation == rightColdFusion is a somewhat forgotten but still very prevalent web application development platform. This presentation …')
 
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]]
 +
 +
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]
 +
<br>
 
== The presentation  ==
 
== The presentation  ==
  
[[Image:Owasp_logo_normal.jpg|right]]ColdFusion is a somewhat forgotten but still very prevalent web application development platform. This presentation is a technical survey of ColdFusion security that will be of interest mostly to code auditors, penetration testers, and developers.   
+
[[Image:Chris_Eng.jpg|right]]
 
+
ColdFusion is a somewhat forgotten but still very prevalent web application development platform. This presentation is a technical survey of ColdFusion security that will be of interest mostly to code auditors, penetration testers, and developers.  In the talk, we’ll cover the history of the ColdFusion platform and its relevance to today’s security landscape.  We’ll describe basics of ColdFusion markup, control flow, functions, and components and demonstrate how to identify common web application vulnerabilities in the source code.  We’ll also delve into ColdFusion J2EE internals, showing what CFML pages and components look like when compiled down to Java, and describing some of the unusual behavior we’ve observed at that level.  We'll discuss open-source tools to aid reverse engineers in working with ColdFusion's proprietary classfile format.
In the talk, we’ll cover the history of the ColdFusion platform and its relevance to today’s security landscape.  We’ll describe basics of ColdFusion markup, control flow, functions, and components and demonstrate how to identify common web application vulnerabilities in the source code.   
+
 
+
We’ll also delve briefly into ColdFusion J2EE internals, showing what CFML pages and components look like when compiled down to Java, and describing some of the unusual behavior we’ve observed at that level.  Included in the talk is a detailed description of the WAR/EAR structure for compiled ColdFusion apps.  We&apos;ll release open-source tools to aid reverse engineers in working with ColdFusion&apos;s proprietary classfile format.
+
 
+
This talk is not about 0day vulnerabilities in the ColdFusion platform, nor is it about Adobe bashing.  It is intended to be pragmatic, arming attendees with information that they can take back and incorporate into their daily work.
+
  
== The speaker  ==
+
== Chris Eng ==
  
Speaker bio will be posted shortly.  
+
Chris Eng is Senior Director of Research at Veracode, where he helps define and implement the security analysis capabilities of Veracode’s service offerings.  He is a regular speaker at information security conferences including BlackHat, OWASP, and RSA, and has presented on a diverse set of application security topics ranging from attacking cryptography to building an SDLC.  Chris’ professional experience includes stints at Symantec, @stake, and the US Department of Defense, where he specialized in software security assessments, penetration testing, and vulnerability research. Along with experts from more than 30 US and international cyber security organizations, he recently helped develop the CWE/SANS Top 25 Most Dangerous Programming Errors.
  
 
[[Category:AppSec_DC_2010_Presentations]] [[Category:OWASP_Conference_Presentations]]
 
[[Category:AppSec_DC_2010_Presentations]] [[Category:OWASP_Conference_Presentations]]

Latest revision as of 16:57, 5 October 2010

468x60-banner-2010.gif

Registration | Hotel | Walter E. Washington Convention Center

The presentation

Chris Eng.jpg

ColdFusion is a somewhat forgotten but still very prevalent web application development platform. This presentation is a technical survey of ColdFusion security that will be of interest mostly to code auditors, penetration testers, and developers. In the talk, we’ll cover the history of the ColdFusion platform and its relevance to today’s security landscape. We’ll describe basics of ColdFusion markup, control flow, functions, and components and demonstrate how to identify common web application vulnerabilities in the source code. We’ll also delve into ColdFusion J2EE internals, showing what CFML pages and components look like when compiled down to Java, and describing some of the unusual behavior we’ve observed at that level. We'll discuss open-source tools to aid reverse engineers in working with ColdFusion's proprietary classfile format.

Chris Eng

Chris Eng is Senior Director of Research at Veracode, where he helps define and implement the security analysis capabilities of Veracode’s service offerings. He is a regular speaker at information security conferences including BlackHat, OWASP, and RSA, and has presented on a diverse set of application security topics ranging from attacking cryptography to building an SDLC. Chris’ professional experience includes stints at Symantec, @stake, and the US Department of Defense, where he specialized in software security assessments, penetration testing, and vulnerability research. Along with experts from more than 30 US and international cyber security organizations, he recently helped develop the CWE/SANS Top 25 Most Dangerous Programming Errors.