Sunday, September 18, 2011

NCDevCon: Presentation Slides and Code

The NCDevCon 2011 conference is on its way to be concluded. Many interesting and well rounded presentations. Meeting friends from all over again and chatting about the best and worst way of doing things.
I am continuing to be impressed what the team (Dan Wilson, Jim Priest, Shawn Dunning) is able to do with so little resources. Way to go team.

As promised I am posting the links to the slides to my presentations:
Practical Application Security:
Practical Application Security Slides
I posted the code for URLEncoder on RIAforge as open source project.

Client Side MVC with Sencha Touch:
Client Side MVC with Sencha Touch Slides
Download Sencha MVC code. Please review the Readme_first.txt file on how to get this going.

Please feel free to explore code and slides.
The conference also posts the video of the presentations.


CF: Using URLEncoder to secure URL Parameter against CSRF and XSS

In my presentation about ColdFusion Application Security I also showed a reference implementation of an URLEncoder that can assist with three scenarios:

Cross Site Scripting: If scripts are injected through URL parameters, this encoder will ensure that no user inputs besides the one set by CF are accepted.

Insecure Direct Object Reference: By encrypting the object references in passed URL the object reference are no longer exposed to users and cannot be changed by users.

Cross Site Request Forgery: By adding additional reference in the encrypted packages the URLEncoder will assist with Cross Site Request forgery attempts.

The URLEncoder allows a very flexible way of transporting data via URL parameters in a secure fashion. It is not restricted to primitive/simple data types. Complex data such as arrays and structures can easily passed  via the URL using this component as well.

Moreover, additional security option are available. During encoding, you can specify whether the generated URL has an expiration and or can only be used from the originating URL.

During the decoding phase the URLEncoder you can specify which scope the transported data from the URL parameters will be placed in. By default this will be placed into Request.URL, however, you can change this to be placed into the regular URL scope so that legacy application will only need minimal change to add this layer of security.

Here is the link to the download to the project from RIA Forge.