Sorcerer's Tower

Entries tagged "security"

Found 8 entries tagged with "security", displaying most recent 5 entries.


Configuring Jetty for HTTPS with Let's Encrypt

The Jetty documentation for Configuring SSL/TLS is long and daunting, but makes no mention of how to work with the EFF's Let's Encrypt certificate authority, which provides free automated certificates with the aim of having the entire web available over HTTPS.

This article provides the steps for obtaining a Let's Encrypt certificate, importing it into Jetty, enabling HTTPS using the certificate, and handling renewals.

It assumes you have Jetty set up in a home/base configuration, serving over HTTP for one or more Internet-facing domain names.

As with all such guides, it is recommended to read all steps before making any changes, and ensure you have backups for any existing files you may modify.


Introduction to Password Security

Earlier this year I gave a talk on Password Security at Digital Croydon #5, and didn't want to simply put up the slides without any commentary, so I've written this article to accompany them. It is primarily for the benefit of those that attended - by which I mean it won't explain every slide or go into detail on everything the talk covered, but will explain the key points, provide links, etc.

Similarly, as mentioned in the talk, it didn't cover everything there is to know, and this article won't do that either - it's an introduction, not a comprehensive guide.

(At some point I do hope to write up more detailed articles, both on the points covered and on related subjects - if/when that happens I will add the relevant links to this article.)


QueryParam Scanner 0.8 Release Candidate

The release candidate for the next version of QueryParam Scanner is available on GitHub.

So what's changed?

Well it now runs on FW/1 rather than Fusebox, and the UI has a new theme - the previous gold/beige is gone, and in its place is a theme based on a "new" logo which I've actually had sitting around for several years. There's CSS used that will require a modern browser - FF4 and IE9 both work, but no guarantees for anything older.

Functionality-wise there's a couple of fixes: an error is now thrown when a directory doesn't exist (previous behaviour was to return 0 matches in 0 files), and the IDs returned in data structures are now content-based hashes (previously they were ever-changing UUIDs). Oh, and the IDs are now displayed with the HTML results, in preparation for future functionality that'll potentially use them.

A new experimental (i.e. buggy) feature has been added to separate the query code into SELECT/FROM/WHERE/etc parts, when returning data structures. This may help with post-processing the data, but has known flaws so use with care. (The existing ORDER BY functionality has also been marked as experimental to similarly indicate that it's not perfect.)

There's a minor change in that relative paths are officially not supported - the UI always stated absolute paths or mappings were required, but there was ugly code in place to try and make relative paths work too - that code has been removed. If you used relative paths before, you need to resolve them before passing to qpscanner.

In summary:

Changed:  Switched to FW/1 and removed unnecessary files.
Changed:  New logo and front-end UI.
Removed:  Dropped unofficial relative path support.
Added:    Experimental ability to separate query code into segments.
Fixed:    IDs now use content-based SHA hashes, not random UUIDs.
Fixed:    Throw error when path does not exist, instead of zero results.
Supports: ColdFusion 9/10 and Railo 3.3/4.0/4.1

That's it for now. There are several new features planned to make qpscanner faster, more flexible and more useful, but you'll have to wait for a future release for those.

As ever, if you have any feedback, feature requests, or find any bugs, then please go ahead and get in touch via the GitHub issue tracker.

QueryParam Scanner v0.7.5 Released

Earlier this week I promoted the release candidate for 0.7.5 of QueryParam Scanner to full release.

For anyone unaware, QueryParam Scanner is a simple tool for identifying unparameterised variables in CFML queries (which may indicate a potential SQL injection risk).

This version has a handful of bug fixes and code cleanups, resulting in faster, more accurate scanning than previous versions, plus the addition of a JSON output format, giving a more lightweight option if used in scripted processes.

For further details on these, see the previous RC article; other than a couple of trivial fixes and a new readme, nothing has changed since that.

To download the latest version, you can either clone the git repo, or grab it as a zip archive from the GitHub tags page.

For any feedback, problems, or questions, please use the issue tracker.

QueryParam Scanner 0.7.5 Release Candidate

I have just pushed an update of QueryParam Scanner to GitHub, containing various improvements.

This update is on the rc0.7.5 branch, and it'd be nice if people could take it for a spin and make sure there are no issues with it. (There is a zip download for anyone without git.)

The visible changes which you might notice are:

However, there are also significant under-the-hood changes. I removed my obsolete "Java Regex Utils" library (replacing it with the object part of cfRegex), and made a number of little code clean-ups.

A result of these changes is that qpscanner rc0.7.5 appears to be almost twice as fast as previous versions.

If you have any feedback, please feel free to contact me via GitHub, and similarly if you find any bugs then please raise them on the issue tracker.