WebApp Sec mailing list archives

Re: Source code review tools for ColdFusion


From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Mon, 2 Apr 2007 15:30:07 -0400

IIRC, Fortify has a CF module that you can use.

If you don't have access to Fortify a couple of quick regexes will give you a lot of insight. The easy ones are looking for unsafe functions, such as preserveSingleQuotes(), the harder ones look for queries which don't use CFQUERYPARAM or unsanitized output. Back in 2003/2004 I wrote a parser in Perl to help automate some of the more boring code review tasks in CF. Unfortunately, the source was left with my previous employer and never released as planned. Was it perfect? Heck no. Did it help catch a lot of bugs that would have otherwise been missed? Absolutely.

-dhs

Dean H. Saxe, CISSP, CEH
dean () fullfrontalnerdity com
"If liberty means anything at all, it means the right to tell people what they do not want to hear."
    -- George Orwell, 1945


On Mar 26, 2007, at 2:55 PM, Darren Bounds wrote:

Is anyone aware of any 'reasonably good' tools to assist with source
code review in ColdFusion? I've been having a difficult time finding
anything at all.

--

Thank you,
Darren Bounds
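As an added illustration of the quick-regex approach Dean describes (this is not his Perl parser, which was never released), a small Python pass over a constructed CFML sample: it flags preserveSingleQuotes(), cfquery blocks that interpolate a #variable# without any cfqueryparam, and request data echoed inside cfoutput without an encoding wrapper. The rule names and the sample are mine.

```python
import re
from typing import List, Tuple

# Constructed CFML sample (not from the original post): mixes safe and risky patterns.
SAMPLE_CFML = """\
<cfquery name="q1" datasource="app">
  SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="q2" datasource="app">
  SELECT * FROM users WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfset sql = "WHERE name = '#form.name#'">
<cfquery name="q3" datasource="app">
  SELECT * FROM users #preserveSingleQuotes(sql)#
</cfquery>
<cfoutput>Hello #url.name# and #HTMLEditFormat(form.name)#</cfoutput>
"""

Finding = Tuple[int, str, str]  # (line number, rule id, snippet)

# Rule 1: function that deliberately turns off ColdFusion's single-quote escaping.
UNSAFE_FUNC_RE = re.compile(r"\bpreserveSingleQuotes\s*\(", re.IGNORECASE)
# Rule 2: tag-based query blocks; a dynamic #value# inside with no cfqueryparam at all.
CFQUERY_RE = re.compile(r"<cfquery\b.*?>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
INTERP_RE = re.compile(r"#[^#]+#")
# Rule 3: raw request-scoped data echoed in cfoutput (no HTMLEditFormat or similar wrapper).
CFOUTPUT_RE = re.compile(r"<cfoutput\b.*?>(.*?)</cfoutput>", re.IGNORECASE | re.DOTALL)
RAW_REQ_RE = re.compile(r"#\s*(url|form|cgi|cookie)\.\w+\s*#", re.IGNORECASE)

def _line_of(src: str, pos: int) -> int:
    return src.count("\n", 0, pos) + 1

def scan_cfml(src: str) -> List[Finding]:
    """Return findings sorted by line; a regex pass, so indirect flows (e.g. via cfset) are missed."""
    findings: List[Finding] = []
    for m in UNSAFE_FUNC_RE.finditer(src):
        findings.append((_line_of(src, m.start()), "unsafe-function", m.group(0)))
    for m in CFQUERY_RE.finditer(src):
        body = m.group(1)
        if INTERP_RE.search(body) and "cfqueryparam" not in body.lower():
            findings.append((_line_of(src, m.start()), "query-without-cfqueryparam", body.strip()))
    for m in CFOUTPUT_RE.finditer(src):
        for raw in RAW_REQ_RE.finditer(m.group(1)):
            findings.append((_line_of(src, m.start(1) + raw.start()), "unencoded-output", raw.group(0)))
    return sorted(findings)

if __name__ == "__main__":
    for line, rule, snippet in scan_cfml(SAMPLE_CFML):
        print(f"line {line}: {rule}: {snippet}")
```

Note that the `<cfset sql = ...>` line with `#form.name#` is not flagged on its own; only its use through preserveSingleQuotes() is, which is the kind of gap a regex-only review leaves.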





