https://github.com/foundeo/cfml-security-training

An INSECURE example website for use in CFML security training.
https://github.com/foundeo/cfml-security-training

cfml coldfusion

Last synced: 5 months ago
JSON representation

An INSECURE example website for use in CFML security training.

• Host: GitHub
• URL: https://github.com/foundeo/cfml-security-training
• Owner: foundeo
• License: apache-2.0
• Created: 2016-09-13T19:43:32.000Z (over 9 years ago)
• Default Branch: master
• Last Pushed: 2024-01-22T15:20:55.000Z (over 2 years ago)
• Last Synced: 2024-03-26T14:32:05.756Z (about 2 years ago)
• Topics: cfml, coldfusion
• Language: ColdFusion
• Homepage: https://foundeo.com/consulting/coldfusion/
• Size: 1.67 MB
• Stars: 28
• Watchers: 11
• Forks: 10
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# cfml-security-training

This is a CFML web application that intentionally contains many many security vulnerabilties for training purposes. It is used in [Foundeo's ColdFusion Security Training Course](https://foundeo.com/consulting/coldfusion/security-training/).

Here's a listing of some of the vulnerabilities you can find in this application:

* SQL Injection 

* Cross Site Scripting (XSS)

* Path Traversals

* Remote Code Execution

* File Upload Vulnerabilities

* Insecure Password Storage

* Cross Site Request Forgery

* Insufficient Authentication/Authorization

* Timing Attacks

## Setup / Installation

*Please run this in a virtual machine and keep restricted to localhost so you do not compromise your computer.*

Requires CF11+ or Lucee 4.5+.

### Clone / Download Repository

	cd /somewhere/

	git clone https://github.com/foundeo/cfml-security-training.git .

### Install CommandBox

We'll use commandbox or `box` for short to spin up a local CFML server. You can download it here: [https://www.ortussolutions.com/products/commandbox#download](https://www.ortussolutions.com/products/commandbox#download), please read the [commandbox installation docs](https://ortus.gitbooks.io/commandbox-documentation/content/setup/installation.html) for more info.

### Start CFML Server

Start up a CFML server, using commandbox you can just do:

	cd wwwroot

	box server start cfengine=adobe@2016

  

The above will start up a CF2016 server on a random port number and open your default web browser to the server.

### Optional: MySQL Setup

By default it is setup to use Apache Derby, which should work well for Adobe ColdFusion engines (since it is included by default). If you are using Lucee or want to use MySQL instead of Derby please follow these instructions:

1) Create a empty database called `bankofinsecurity`

2) Create a user account `bankofi` with password `bankofi` 

3) If running on Adobe ColdFusion you will need to add the MySQL database driver to your lib directory in `~/.CommandBox/server/{server-id}/adobe-{version}/WEB-INF/lib`

## History / About

Some of this work was inspired by the [_HackableType_](https://github.com/twelverobots/HackableType) application buily by Pete Freitag & Jason Dean way back 

in 2010. This is an attempt to modernize and simplify.

If you are in need of CFML security training at your organization, please contact [Foundeo Inc.](https://foundeo.com/contact/)