WebApp Sec mailing list archives
Re: Source code review tools for ColdFusion
From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Mon, 2 Apr 2007 15:30:07 -0400
IIRC, Fortify has a CF module that you can use. If you don't have access to Fortify, a couple of quick regexes will give you a lot of insight. The easy ones are looking for unsafe functions, such as preserveSingleQuotes(); the harder ones look for queries which don't use CFQUERYPARAM or unsanitized output.

Back in 2003/2004 I wrote a parser in Perl to help automate some of the more boring code review tasks in CF. Unfortunately, the source was left with my previous employer and never released as planned. Was it perfect? Heck no. Did it help catch a lot of bugs that would have otherwise been missed? Absolutely.
-dhs

Dean H. Saxe, CISSP, CEH
dean () fullfrontalnerdity com

"If liberty means anything at all, it means the right to tell people what they do not want to hear."
-- George Orwell, 1945

On Mar 26, 2007, at 2:55 PM, Darren Bounds wrote:
Is anyone aware of any 'reasonably good' tools to assist with source code review in ColdFusion? I've been having a difficult time finding anything at all.

--
Thank you,
Darren Bounds