Deconstructing ColdFusion
- Type
- Paper
- Tags
- ColdFusion
- Authors
- Brandon Creighton, Chris Eng
- Event
- Black Hat USA 2010
- Indexed on
- Mar 27, 2013
- URL
- https://media.blackhat.com/bh-us-10/whitepapers/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-wp.pdf
- File name
- BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-wp.pdf
- File size
- 207.2 KB
- MD5
- 47893047f3f5e9aedbbb463bccc2d0fc
- SHA1
- 0618ba068bc926d92f2f18218d0050235ccc517e
ColdFusion is a somewhat forgotten but still very prevalent web application development platform. This presentation is a technical survey of ColdFusion security that will be of interest mostly to code auditors, penetration testers, and developers. In the talk, we’ll cover the history of the ColdFusion platform and its relevance to today’s security landscape. We’ll describe basics of ColdFusion markup, control flow, functions, and components and demonstrate how to identify common web application vulnerabilities in the source code. We’ll also delve into ColdFusion J2EE internals, showing what CFML pages and components look like when compiled down to Java, and describing some of the unusual behavior we’ve observed at that level. Included in the talk is a detailed description of the WAR/EAR structure for compiled ColdFusion apps. We'll release open-source tools to aid reverse engineers in working with ColdFusion's proprietary classfile format.
About us
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Statistics
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.
Contribute
To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.
