From the authors of the bestselling HACK PROOFING™ YOUR NETWORK
The Only Way to Stop a Hacker Is to Think Like One
• Complete Coverage of ColdFusion 5.0 and Special Bonus Coverage of ColdFusion MX
• Hundreds of Damage & Defense, Tools & Traps, and Notes from the Underground Sidebars, Security Alerts, and FAQs
• Complete Coverage of the Top ColdFusion Hacks
1 YEAR UPGRADE BUYER PROTECTION PLAN
Greg Meyer
David An
Rob Rusher
Sarge
Daryl Banttari
Steven Casco, Technical Editor
solutions@syngress.com
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.
Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:
■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 UGH4TR45T6
002 PKTRT2MPEA
003 ZMERG3N54M
004 KGD34F39U5
005 Y7U8M46NVX
006 QFG4RQTEMQ
007 3WBJHTR469
008 ZPB9R575MD
009 S3N5H4BR6S
010 7T6YHW2ZF3
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Hack Proofing ColdFusion
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-77-6
Technical Editor: Steven Casco
Technical Reviewer: Sarge
Acquisitions Editor: Matt Pedersen
Developmental Editor: Kate Glennon
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier
Copy Editor: Beth A. Roberts
Indexer: Kingsley Indexing Services
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.
Jacquie Shanahan, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope.
Annabel Dent and Paul Barry of Elsevier Science/Harcourt Australia for all their help.
David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress program.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.
Contributors
Daryl Banttari (CNE-3, CNE-4, Certified Advanced CF Developer) is a Senior Consultant with Macromedia. He currently provides on-site services for clients using ColdFusion for their projects, including load testing, architecture and code review, and incident resolution. With 20 years of computing experience, his background includes programming, networking, mainframe systems management, database administration, and security planning and implementation. Daryl is also the author of Daryl’s TCP/IP Primer (www.ipprimer.com/) and Daryl’s ColdFusion Primer (www.cfprimer.com/).
Greg Meyer (Macromedia Certified Advanced ColdFusion 5.0 Developer) is a Senior Systems Engineer with Netegrity. He currently plans and executes QA and programming efforts for a technical sales support team, and provides senior-level consulting on IT integration projects within Netegrity. Greg provides lead programming duties for the support intranet/extranet. Greg’s specialties include Macromedia ColdFusion, Web application design and development, content management systems, IT consulting, and general problem solving. His background includes positions at Allaire, where he worked on the Web team and led an Allaire Spectra QA team, and eRoom, where he worked in Professional Services.
Rob Rusher (Certified ColdFusion Instructor + Developer) is a Principal Consultant with AYC Ltd. He currently provides senior-level strategic and technical consulting services, classroom instruction, and technology presentations. His specialties include application design and development, project management, and performance tuning. Rob’s background includes positions as a Senior Consultant at Macromedia (Allaire), and as a Senior Software Engineer at Lockheed Martin.
David Scarbrough is the Senior ColdFusion Developer for ICGLink, Inc. in Brentwood, Tennessee (www.icglink.com). ICGLink, Inc. provides world-class Web hosting and has been producing sites for a wide range of clients since 1995. David also owns Nashville Web Works (www.nashvillewebworks.com), a Nashville, Tennessee-based consulting firm that specializes in ColdFusion Internet and intranet application development, network design and back office system integration and security. David has worked in the IT industry, in both the defense and civilian sector, for almost 15 years and has a wide range of technical experience. He has a bachelor of science degree in Computer Science from Troy State University in Montgomery, Alabama and has a Master Certification in ColdFusion 4.5. David resides in Springfield, Tennessee with his wife, Suzanne and their two daughters, Kelsey and Grace.
David Vaccaro is Senior Web Application Developer and President of X-treme Net Development, Inc., also known as XNDinc.com, an Internet application development firm in Massachusetts. David has been developing with ColdFusion since version 0.0. During the development stages of ColdFusion, David was in constant contact with J.J. Allaire, watching this amazing new software develop while helping with bugs and new ideas. ColdFusion has allowed David to build application driven Web sites for companies such as AOL, Netscape, Nike, Motorola, MIT, and OnVia. He also is founder of a ColdFusion developer source Web site, allColdFusion.com. David has been involved with Internet technology since 1976 and says that with ColdFusion as his development tool of choice, he no longer believes that the Web has limits.
Samantha Thomas has been programming ColdFusion applications for over two years. She works at Medseek, where she developed ColdFusion modules for their SiteMaker product, a Web site content management package for health care systems. She also trains clients nationwide on SiteMaker. For 10 years prior, she was a graphic/Web designer, finding Web backend functionality much more intriguing and challenging than interface design. After viewing a then-current commercial for the Volkswagen Jetta, in which a programmer, who codes 15 hours a day, happily jumps in his new car and spins off, she decided that was the job, and car, for her. Samantha is currently focusing on programming in the .NET arena with C#, as well as on COM+ integration. She also contributed to the ColdFusion 5.0 Developer’s Study Guide. She would like to thank Mom and Mikey for their support.
John Wilker (Macromedia Certified ColdFusion Developer) has been writing HTML since 1994, and has been developing ColdFusion Applications since early 1997. He has been published in the ColdFusion Developers Journal, and is the President of the Inland Empire ColdFusion Users Group (CFUG). During his career in IT, he has worked as a hardware technician, purchasing agent, inside sales, Web developer, team lead, and consultant. He’s written books on ColdFusion and the Internet development industry. John contributed several chapters to the ColdFusion 5.0 Certified Developer Study Guide.
David An is the Director of Development at Mindseye. Mindseye, based in Boston, Massachusetts, is a leading designer, developer and integrator of award winning Web applications. David is responsible for leading the company’s technology direction, from research to implementation, from browser to database. He is also the lead ColdFusion developer, and has been developing using Macromedia products—ColdFusion, Macromedia Spectra, JRun, and Flash—for about four years. With Mindseye, David has worked for such high-profile clients as Macromedia, Allaire, FAO Schwarz, Reebok, Hewlett-Packard, DuPont, and Hasbro. His background includes previous positions as a database administrator; Cisco, Web, mail, and security administrator at an ISP; and as a freelance Web architect. David would like to thank Mindseye for lending resources and time to the research in this book, especially Beta Geek, Maia Hansen for technical and proofreading support.
Carlos Mendes, Jr. is an independent consultant who has developed applications for companies such as WorldCom, Booz | Allen | Hamilton, and Vexscore Technologies. He has been developing Web-based applications in ColdFusion since its birth, and also specializes in ASP and LAN/WAN. Carlos also conducts seminars on Web technologies at the local small business administration office, and has published several articles on the subject. He volunteers his time consulting with small business owners on technology needs for business growth. Carlos is a graduate of the University of Maryland at College Park, holding bachelor’s degrees in Management Information Systems and Finance.
[...] (RDS)

Chapter 1 Thinking Like a Hacker
Introduction
Understanding the Terms
A Brief History of Hacking
Telephone System Hacking
Computer Hacking
Why Should I Think Like a Hacker?
What Motivates a Hacker?
Ethical Hacking versus Malicious Hacking
Mitigating Attack Risk in Your ColdFusion Applications
Validating Page Input
Functionality with Custom Tags and CFMODULE
The Top ColdFusion Application Hacks
Form [...]

[...] nonprogrammers—are attractive attributes to hackers. The purpose of this chapter is to introduce you to the hackers who will try to break into your ColdFusion Web application, and to suggest tactics that you can use in your application building to mitigate the risks of hacking. Hackers will attempt to target the weakest links in your application: you should know in advance what those areas are and how you can [...]

[...] if he has ever hacked. Ask yourself if you have ever been a hacker. The answers will probably be yes. We have all hacked, at one time or another, for one reason or another. Administrators hack to find shortcuts around configuration obstacles. Security professionals attempt to wiggle their way into an application/database through unintentional (or even intentional) backdoors; they may even attempt to bring [...]

[...] ARPANET were The University of California at Los Angeles, Stanford, the University of California at Santa Barbara, and the University of Utah. These four connected nodes unintentionally gave hackers the ability to collaborate in a much more organized manner. Prior to the ARPANET, hackers were able to communicate directly with one another only if they were actually working in the same building. This was [...] work together as one large group, rather than working in small isolated communities spread throughout the United States. The ARPANET gave hackers their first opportunity to discuss common goals and common myths and even publish the work of hacker culture and communication standards (The Jargon File, mentioned earlier, was developed as a collaboration across the Net).

Telephone System Hacking

A name that is [...]

[...] box was the only device a non-phone-company employee could use to emulate the signals a phone was using. The line was actually an internal line for Ma Bell, and only a few people knew of its existence. What the phreaker had to do was DTMF dial into the line via a blue box. Being able to access the special line was the basic equivalent to having root access into Ma Bell. The irony of this elaborate phone [...]

[...] even realize the depth of what they are attempting to do. However, as time goes on, and their skills increase, they begin to realize the potential of what they are doing. There is a misconception that hacking is done mostly for personal gain, but that is probably one of the least of the reasons. More often than not, hackers are breaking in to something so that they can say they did it. The knowledge a hacker amasses is a form of power and prestige, so notoriety and fame—among the hacker community—are important to most hackers. (Mainstream fame generally happens after they’re in court!) Another reason is that hacking is an intellectual challenge. Discovering vulnerabilities, researching a mark, finding a hole nobody else could find—these are exercises for a technical mind. The draw that hacking has for [...]

[...] in various ways. Security professionals hack into networks and applications because they are asked to; they are asked to find any weakness that they can and then disclose them to their employers. They are performing ethical hacking in which they have agreed to disclose all findings back to the employer, and they may have signed nondisclosure agreements to verify that they will not disclose this information [...]

[...] of disclosing weaknesses that have been discovered and are exploitable. Malicious hackers are more likely to exploit a weakness than they are to report the weakness to the necessary people, thus avoiding having a patch/fix created for the weakness. Their intrusions could lead to theft, a distributed denial-of-service (DDoS) attack, defacing of a Web site, or any of the other attack forms that are listed [...]
Posted: 25/03/2014, 11:18