Led by the MITRE Corporation and the SANS Institute, experts from more than 30 international cyber-security organizations compiled a list of the 25 most dangerous programming errors that lead to security breaches and exploits.
The list, published on January 12, 2009, is intended to raise programmers' awareness of these errors and to help them produce more robust code.
The Top 25 Errors
Category: Insecure Interaction Between Components
- CWE-20: Improper Input Validation
- CWE-116: Improper Encoding or Escaping of Output
- CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
- CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
- CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-362: Race Condition
- CWE-209: Error Message Information Leak
Category: Risky Resource Management
- CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
- CWE-642: External Control of Critical State Data
- CWE-73: External Control of File Name or Path
- CWE-426: Untrusted Search Path
- CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
- CWE-494: Download of Code Without Integrity Check
- CWE-404: Improper Resource Shutdown or Release
- CWE-665: Improper Initialization
- CWE-682: Incorrect Calculation
Category: Porous Defenses
- CWE-285: Improper Access Control (Authorization)
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-259: Hard-Coded Password
- CWE-732: Insecure Permission Assignment for Critical Resource
- CWE-330: Use of Insufficiently Random Values
- CWE-250: Execution with Unnecessary Privileges
- CWE-602: Client-Side Enforcement of Server-Side Security
Read the full report: CWE/SANS TOP 25 Most Dangerous Programming Errors.
January 15th, 2009 in Programming | Tags: security
HTTP is stateless: by itself, the web provides no means of remembering a user's data from one page request to the next. That is where an application server like ColdFusion helps, through session variables.
Session variables defined
Session variables are non-persistent variables kept in server memory. They can hold any type of data, including complex values such as structures and arrays. Because they live only in memory, their values are lost when the server restarts.
How to enable session variables
First, session variables must be enabled at server level in the ColdFusion Administrator (Memory Variables > Enable Session Variables).
Then they must be enabled at application level in your code, in Application.cfc.
<!--- Uniquely identify your application
on the ColdFusion server --->
<cfset this.name = "MyApplication">
<cfset this.sessionManagement = "yes">
How to use session variables
ColdFusion provides a SESSION scope for getting and setting session variables: prefix the variable name with session.
<cfset session.someVariable = 0>
This scope behaves like a structure, so all structure functions can be used on it, for example structDelete() to remove a session value.
<cfset structDelete(session,"someVariable")>
Session expiration
Default behaviour
Traditionally, ColdFusion uses two persistent cookies (CFID and CFTOKEN) to identify a web client (that is, the browser) and track a user session. Because these cookies are persistent, the browser keeps them on disk and the identifiers survive a browser restart.
By default, session expiration is time based and controlled at application level (in Application.cfc) with the sessionTimeout attribute.
<cfset this.sessionTimeout = createTimeSpan(0,1,0,0)>
If this value is not provided, it defaults to whatever is set in the Variables page of the ColdFusion Administrator.
So, whenever a client requests pages of your web application within that period, the requests are considered part of the same session. When the interval between two requests exceeds the timeout, the session expires and all session information is discarded from server memory.
With this behaviour, if you close your browser and reopen it before the timeout elapses, you are still part of the same session, because the persistent cookies still identify you.
Expiration at browser close
There is a way to make the session expire when the browser closes: use J2EE session variables, enabled on the Memory Variables page of the ColdFusion Administrator (Use J2EE Session Variables check box).
In this mode, ColdFusion tracks the session with a non-persistent cookie (JSESSIONID), which the browser discards when it closes.
When you reopen the browser and access the application again, a new session is created automatically.
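The steps above put together in one Application.cfc, as an added example that is not code from the original post. It assumes a ColdFusion 8-era server with session variables enabled in the Administrator, a hypothetical login.cfm page, and it uses a different technique from the J2EE option for browser-close expiry: it stops ColdFusion from writing the persistent CFID/CFTOKEN cookies (this.setClientCookies = false) and issues them itself without an expiry date, so the browser discards them on close while the standard session scope keeps working.

```cfml
<!--- Application.cfc: added example, not from the original post.
      Assumes session variables are enabled in the ColdFusion Administrator
      (Memory Variables > Enable Session Variables). --->
<cfcomponent output="false">

    <!--- Identify the application on the server and turn on session management --->
    <cfset this.name = "MyApplication">
    <cfset this.sessionManagement = true>
    <!--- Inactivity timeout (days, hours, minutes, seconds): 30 minutes --->
    <cfset this.sessionTimeout = createTimeSpan(0,0,30,0)>
    <!--- Do not let ColdFusion write the persistent CFID/CFTOKEN cookies;
          onSessionStart issues them without an expiry date instead --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- No "expires" attribute = browser-session cookie, gone on close.
              On an HTTPS-only site add secure="yes" so they never travel in clear. --->
        <cfcookie name="CFID" value="#session.CFID#">
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#">
        <!--- Initialise the values the application relies on --->
        <cfset session.loggedIn = false>
        <cfset session.userId = 0>
        <cfset session.cart = arrayNew(1)>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Logout: drop everything stored for this session, then leave the page.
              login.cfm is a hypothetical page name. --->
        <cfif structKeyExists(url, "logout")>
            <cfset structClear(session)>
            <cflocation url="login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionEnd" returntype="void" output="false">
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="appScope" type="struct" required="true">
        <!--- Runs when the timeout elapses; the session scope is only
              reachable through the argument here, not as "session" --->
        <cflog file="MyApplication" text="Session ended for user #arguments.sessionScope.userId#">
    </cffunction>

</cfcomponent>
```

Whichever expiry technique you pick, the server-side timeout still applies: a session whose cookie was discarded by the browser lingers in memory until sessionTimeout elapses, so keep the timeout as short as the application tolerates.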
Structure
Margin = space outside an element.
Padding = space inside an element, between the border and the content.
Background
Width
Visible width = element width + padding left + padding right + border left + border right.
Total width = visible width + margin left + margin right.
January 6th, 2009 in Web design | Tags: CSS
The purpose of this tip is to show how to transparently determine a user's locale so that the content delivered by your web application can be adjusted accordingly.
What is a locale?
A locale is the language and cultural elements (like date/number/currency formatting, spelling, writing direction…) that are specific to a geographic area (country or region within a country).
A user's locale is therefore determined from the language settings defined in the user's browser.
Where are languages defined in your browser?
Depending on your browser, use the menu commands below:
- Microsoft Internet Explorer 7: Tools > Internet Options > Languages (button).
- Mozilla Firefox 3.0.5: Tools > Options > Content (tab) > Languages.
- Google Chrome 1.0: Customize and control Google Chrome > Options > Minor Tweaks (tab) > Change font and language settings (button) > Languages (tab).
Additional resource: W3C I18n FAQ: Setting language preferences in a browser.
How to retrieve browser languages in your ColdFusion template?
Browser languages are available via the CGI.HTTP_ACCEPT_LANGUAGE variable as a comma-separated list of values (e.g. en-us,fr-BE;q=0.7,fr-FR;q=0.3).
When the template is requested by a web spider, or by any other client that sends no Accept-Language header, this variable is an empty string.
In order to use a value extracted from that list in a subsequent call to the ColdFusion function setLocale(), we have to make sure it is formatted appropriately: two lowercase letters, optionally followed by an underscore and two uppercase letters. Bear in mind that the header is supplied by the client and can contain anything, so the value must be checked against that format, not merely reshaped.
Sample code.
Here is a sample function that returns the first language defined in the user's browser, correctly formatted:
<cfscript>
function getUserLocale()
{
    // First entry of e.g. "en-us,fr-BE;q=0.7": strip any ";q=" weight and whitespace
    var language = trim(listFirst(listFirst(CGI.HTTP_ACCEPT_LANGUAGE, ","), ";"));
    // Normalise "en-us" or "EN-US" to "en_US"; a bare "en" stays "en"
    if (len(language) eq 5)
        language = lCase(left(language,2)) & "_" & uCase(right(language,2));
    else
        language = lCase(language);
    // The header is client-supplied: only hand a well-formed value to setLocale()
    if (reFind("^[a-z]{2}(_[A-Z]{2})?$", language) eq 0)
        language = "";
    return language;
}
</cfscript>
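Taking only the first entry ignores the q-values that express the user's order of preference, and it can return a locale the application has no content for. The function below, an added example rather than code from the original post, walks the whole Accept-Language list, honours the weights, and only ever returns a value from an allow-list of locales the application supports; the allow-list and default passed to it are hypothetical.

```cfml
<cfscript>
// Added example (not from the original post): pick the best supported locale
// from the whole Accept-Language header. "supported" is a hypothetical
// comma-separated allow-list of Java-style locale names (e.g. "en_US,fr_BE");
// defaultLocale is returned when nothing acceptable matches.
function getBestLocale(acceptLanguage, supported, defaultLocale)
{
    var entries = listToArray(acceptLanguage, ",");
    var best = defaultLocale;
    var bestQ = 0;
    var i = 0;
    var j = 0;
    var entry = "";
    var tag = "";
    var weight = "";
    var q = 1;
    var candidate = "";
    var fallback = "";

    for (i = 1; i lte arrayLen(entries); i = i + 1)
    {
        entry = trim(entries[i]);
        // Split "fr-BE;q=0.7" into the tag and its weight; a missing q means 1
        tag = trim(listFirst(entry, ";"));
        q = 1;
        if (listLen(entry, ";") gt 1)
        {
            weight = trim(listGetAt(entry, 2, ";"));
            // Accept only "q=" followed by 0..1 with up to three decimals;
            // anything else is treated as "not acceptable" (q = 0)
            if (reFindNoCase("^q=(0(\.[0-9]{1,3})?|1(\.0{1,3})?)$", weight))
                q = val(removeChars(weight, 1, 2));
            else
                q = 0;
        }

        // Normalise "en-us" / "EN-GB" to the en_US / en_GB form setLocale() expects
        candidate = lCase(listFirst(tag, "-"));
        if (listLen(tag, "-") gt 1)
            candidate = candidate & "_" & uCase(listGetAt(tag, 2, "-"));

        // The header is client-controlled: skip anything that does not match the
        // strict shape, and trust it only as far as membership in the allow-list
        if (q gt 0 and reFind("^[a-z]{2}(_[A-Z]{2})?$", candidate))
        {
            if (listFind(supported, candidate))
            {
                // Exact match; a higher q wins, earlier entries win ties
                if (q gt bestQ) { best = candidate; bestQ = q; }
            }
            else
            {
                // Otherwise fall back to the first supported locale with the
                // same language, e.g. "fr_CA" -> "fr_BE"
                for (j = 1; j lte listLen(supported); j = j + 1)
                {
                    fallback = listGetAt(supported, j);
                    if (left(fallback, 2) eq left(candidate, 2) and q gt bestQ)
                    {
                        best = fallback;
                        bestQ = q;
                        j = listLen(supported); // stop at the first match
                    }
                }
            }
        }
    }
    return best;
}

// Usage: the allow-list names the locales this application has content for
setLocale(getBestLocale(CGI.HTTP_ACCEPT_LANGUAGE, "en_US,fr_BE,fr_FR", "en_US"));
</cfscript>
```

Because the result is always taken from the allow-list rather than from the header, a malformed or hostile Accept-Language value can at worst select the default locale; it never reaches setLocale() unvalidated.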
On SQL Server 2005, storing Unicode data depends on the NVARCHAR data type, the Unicode (UTF-16) counterpart of VARCHAR that stores two bytes per character. You must also prefix Unicode string literals with a capital N; without it the literal is converted through the database's code page and any character outside that code page is lost. So a typical update statement looks like this:
update tablename set columnname = N'value'
What do you do in ColdFusion with the example above if you want to prevent SQL injection attacks? You use the cfqueryparam tag:
update tablename set columnname = <cfqueryparam value="value" cfSqlType="CF_SQL_VARCHAR">
Of course, with such a construct the N prefix cannot be used. Fortunately, there is an option in the ColdFusion Administrator that makes the driver handle Unicode strings for you automatically:
- Go to Data & Services > Data Sources;
- Edit your data source;
- Show Advanced settings;
- Check String Format (Enable High ASCII characters and Unicode for data sources configured for non-Latin character);
- Submit your changes.
That’s all. As simple as that.
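The vulnerable and the hardened form of that update side by side, as an added example that is not code from the original post. It assumes a data source named myDSN with the string-format option above checked and a hypothetical table Articles (id INT, title NVARCHAR(200)); the form field names are also hypothetical.

```cfml
<!--- Added example, not from the original post. Assumes data source "myDSN"
      with "Enable High ASCII characters and Unicode" checked, and a
      hypothetical table Articles (id INT, title NVARCHAR(200)). --->

<!--- VULNERABLE: the N'...' literal is assembled from user input, so a title of
         x'; DROP TABLE Articles; --
      becomes part of the statement, and a non-numeric id is injected as-is. --->
<cfquery name="badUpdate" datasource="myDSN">
    UPDATE Articles
       SET title = N'#form.title#'
     WHERE id = #form.id#
</cfquery>

<!--- HARDENED: both values are bound parameters, never SQL text. With the
      Administrator option enabled the driver sends the string as Unicode, so
      the N prefix is unnecessary; maxlength caps oversized input and
      cf_sql_integer rejects a non-numeric id before anything reaches SQL Server. --->
<cfquery name="goodUpdate" datasource="myDSN">
    UPDATE Articles
       SET title = <cfqueryparam value="#form.title#" cfsqltype="cf_sql_varchar" maxlength="200">
     WHERE id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Set the cfsqltype to the column's actual type on every parameter, not just the string ones: the integer binding above is what turns a tampered id into a ColdFusion error instead of a successful injection.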
Yes, sometimes your assumptions on a subject are wrong, and you never know when you will discover it. Fortunately, when you are a programmer, testing is there to avoid embarrassing situations.
Two days ago, I was working with a colleague on a SQL query when we came across a behaviour we were not expecting. We were using the UNION operator to combine two queries into a single result set, and then summing a few columns to get the data for a new intranet report. After some tests, it appeared that the results were not exactly what we were expecting: records were missing. Actually, only one of a set of ten identical records was returned. Short of ideas to explain this, I turned to the documentation and found that:
By default, the UNION operator removes duplicate rows from the result set.
Either we knew this behaviour but forgot about it, or we were using the operator in ignorance. Whatever the case, the solution was to use the UNION ALL operator to get the correct results. Which brings me to the conclusion that refreshing your knowledge on a subject again proves worthwhile, especially for technologies you use on an everyday basis.
January 23rd, 2008 in Uncategorized | Tags: SQL
Recently, while investigating a possible use of Ruby at work, I discovered Rake, a build tool similar to the well-known make but written in that same language. I have never been much exposed to make, except on rare occasions. All my software development efforts have always targeted Windows, where I never had to go that low to build an application; everything was handled by the IDE.
But when I looked at sample rakefiles, I was hooked. The same language I wanted to use for writing admin tools could also be used for automating build activities (and many other tasks). So I decided to delve deeper and see what I could do with it.
So far, my first use of Rake has been to automate the deployment process of the main Delphi application I maintain at work. Typical tasks are packaging as a ZIP file, creating a self-extracting executable, and uploading the generated files to our intranet.
It is only a start, but I think I will not miss any opportunity to use this flexible tool in the future.
Some interesting links to follow on the subject:
January 14th, 2008 in Uncategorized | Tags: Ruby
Over the years, while surfing for information related to business and technical writing, I found a lot of interesting material and collected a lot of links. Obviously, this list is far from complete and should rather be seen as a good starting point on the subject.
- Society for Technical Communication — STC is an individual membership organization dedicated to advancing the arts and sciences of technical communication.
- EServer Technical Communication Library — The EServer TC Library is a free, nonprofit index for professional, scientific and technical communicators (such as technical writers).
- Institute of Scientific and Technical Communicators — The ISTC is the largest UK-based society for professional communicators.
- TECHWR-L — The official TECHWR-L, the Internet forum for technical communicators.
- A Week in the Life of a Technical Communicator — An introduction to the career of technical communicator. Developed by Texas Tech alumni at National Instruments in Austin.
- Writing Revisable Manuals — A Guidebook for Business and Government.
- Online Technical Writing: Online Textbook
- Harry Miller’s Technical Writing Blog — Mostly podcasts about documentation, technical writing, and technical editing.
- Geoff-Hart.com — The web site of Geoff Hart: an editor, writer, and translator based in Pointe-Claire, Quebec (Canada).
- JimRoyal.com — The web site of Jim Royal: a web designer and technical writer based in Longueuil, Quebec (Canada).
- Strategies to Succeed in Technical Writing - School for Champions — Free online lessons to give you a start at improving your technical writing skills, to show how to apply writing in the business world, and to give tips on a writing career.
- Technical Writing for Everyday People
- Resources for Technical Writers at Tech Pubs — Resources provided by Michael Bradley, a technical writer based in Oakland, California (USA).
- Allyn & Bacon’s TechCommunity — A resource website for teachers, students, and practitioners of technical communication.
I have a new article on IBM developerWorks:
Build an Ajax-enabled search page using the Rico JavaScript library, ColdFusion MX 7, and Windows Indexing Service
A web site or intranet makes such a high volume of information available that you need special tools to index the content and give access to it in a fast and convenient way. Learn how to do just that and provide a state-of-the-art search facility with the help of an Ajax library coupled with mature technologies like ColdFusion and Microsoft Windows Indexing Service.
December 18th, 2007 in Articles | Tags: ajax, ColdFusion