"Avoiding Server-Side Request Forgery (SSRF) Vulns in CFML", with Brian Reilly
Details
We're happy to announce the Online ColdFusion Meetup to be held Thursday Nov 11th at 12pm US Eastern Time, UTC-5.
Meeting URL: https://www.youtube.com/watch?v=-wu6cRZcRx0&list=PLG2EHzEbhy0-QirMKgSxhjkUyTSSTvHjL
TOPIC DESCRIPTION: (provided by the speaker)
Server-Side Request Forgery (SSRF) vulnerabilities allow an attacker to make arbitrary web requests (and in some cases, other protocols too) from the application environment. Exploiting these flaws can lead to leaking sensitive data, accessing internal resources, and under certain circumstances, remote command execution.
Several ColdFusion/CFML tags and functions can process URLs as file path arguments -- including some tags and functions that you might not expect. If these tags and functions process unvalidated user-controlled input, this can lead to SSRF vulnerabilities in your applications. In addition to providing a list of affected tags and functions, I'll cover some approaches for identifying and remediating vulnerable code. My goal for this talk is to raise awareness about what may be a security blind spot for some ColdFusion/CFML developers.
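As an added illustration of the pattern the abstract describes (this is not code from the talk or the speaker), here is a CFML function that passes user input straight into a file-path argument, beside a hardened version that only accepts a bare filename under a fixed directory. fileRead() is used purely as a stand-in for whichever tag or function is the sink, since the talk does not list them; the reports directory, the allowed name pattern and the file extensions are assumptions.

```cfml
<cfscript>
// Added example, not from the original talk. fileRead() stands in for any
// CFML tag/function whose file-path argument may also be treated as a URL.

// VULNERABLE: url.name flows unvalidated into the path argument. If the sink
// accepts URLs, a value like "http://internal-host/" turns a local file read
// into a request made from the server (SSRF); "../" values add path traversal.
function readReportUnsafe(required string name) {
    return fileRead(arguments.name);
}

// HARDENED: validate first, then build the path from a fixed base and verify
// that the canonical result is still inside that base directory.
function readReportSafe(required string name) {
    // 1. Only a bare filename is acceptable: no scheme ("://"), no separators,
    //    no "..", and only the extensions this endpoint is meant to serve.
    //    The pattern below is an assumption for this example.
    if ( !reFind("^[A-Za-z0-9_-]{1,64}\.(txt|csv)$", arguments.name) ) {
        throw(type="InvalidInput", message="Unexpected report name");
    }

    // 2. Defense in depth: anchor to a fixed directory (assumed: ./reports
    //    under the web root) and confirm the canonical path stays under it.
    var sep     = createObject("java", "java.io.File").separator;
    var baseDir = getCanonicalPath(expandPath("./reports"));
    var target  = getCanonicalPath(baseDir & sep & arguments.name);
    if ( left(target, len(baseDir & sep)) != baseDir & sep ) {
        throw(type="InvalidInput", message="Path escapes report directory");
    }

    if ( !fileExists(target) ) {
        throw(type="NotFound", message="Report not found");
    }
    return fileRead(target);
}

// Usage: a request such as ?name=http://internal-host/ or ?name=../db.cfm
// is rejected by readReportSafe() before any file or network access happens.
// writeOutput(readReportSafe(url.name));
</cfscript>
```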
ABOUT THE SPEAKER(s): (provided by the speaker)
Brian is a security engineer focused on application security, penetration testing, vulnerability research, and offensive services. His professional experience has included work with organizations in the financial services, technology, higher education, and state/local government sectors.
RECORDINGS:
All meetings are recorded. As a YouTube live meeting, the URL offered here is the link to the recording as well. But the URL will also be posted after the meeting at https://recordings.coldfusionmeetup.com, and via the YouTube playlist (https://www.youtube.com/playlist?list=PLG2EHzEbhy0-QirMKgSxhjkUyTSSTvHjL).
WANT TO PRESENT?
We welcome and indeed seek presentations from anyone wishing to speak about any projects regarding or tangentially related to CF. For more, see https://speak.coldfusionmeetup.com.