I have most of my client sites (as well as my own) set to email me errors from the application's onError function. I started getting batches of error emails from multiple sites. It appears as though "someone" is trying to "hack" PHP. I use URL rewrites, so it is not blatantly obvious that I am using ColdFusion. In the emails I receive there are cfdumps of multiple scopes to help me track down the issue. This has been very helpful and has allowed me to fix many errors before clients are even aware of them or can contact me. This is what I noticed in the latest batches of error emails:
[cfdump of CGI.QUERY_STRING and the URL scope not reproduced here]
I have used BotFence in the past on my Windows server. It is very straightforward and helps block most RDP, FTP and SMTP brute-force attacks. It is not a WAF; however, a while ago they added a WordPress plugin to block too many failed login attempts. What interested me was that it blocked IPs at the Windows Firewall level, thus blocking attackers from ANY service using the Windows Firewall, not just RDP, FTP, etc. BotFence does offer a free 30-day trial, and I have to say it is a little comforting to see all the malicious brute-force attacks it mitigates for you automatically. My thought is that if someone is trying the kind of attack mentioned above on my CF sites, I would want to block them from the server completely, not just from web services or a specific site running on my server.
Just in case you were wondering... no, I don't work for BotFence or get anything from them; in fact, I don't even know for sure if they are actively updating the software. I do know that it works with Windows Server 2019, since that is what I am running it on at the moment. I found Server Solutions, which makes BotFence, a while ago, and they make some pretty useful apps. Check them out and try out BotFence, or if you want to just see the attacks it detects without blocking anything, they also offer a free utility, AttackTracker, that will only display the detected events. While BotFence is not free, I think the price point is pretty reasonable considering each license covers the server rather than any kind of per-site license.
I know there are ColdFusion WAFs out there, most notably FuseGuard. I have used FuseGuard and it is a great product. My thoughts on this situation were:
I wanted to block IPs from the entire server, not just CF pages.
I wanted something I could use without a lot of "integration" into all the sites running on my server.
I wanted an option that would not have to manage all the tracking of requests, IPs, etc. in each application.
I wanted an option that was "server wide" but didn't have to use cflock to lock the server scope when updating IP lists, etc.
While BotFence does not have integration with CF, I did think about the WordPress plugin that was included. With a little review of the PHP code, I discovered the WordPress plugin is simply making a SOAP call, and I thought, "Well, CF can do that too!" The way the WP plugin is designed, it just posts IP, TimeStamp, Target and Username every time there is a failed WP login attempt; BotFence handles managing everything else. After 10 failed login attempts within an hour the IP address is banned, and BotFence handles un-banning the IP after the configured time frame. So the question became how to implement a CF process and how to "hijack" this failed-login process to block IP addresses for other attacks, like SQL injection, the PHP attack above, possibly even web form spam, and of course failed login attempts if our website has logins!
With my wishlist above in mind, I decided to create a CFC, and I created what I now refer to as CFBotFence, or CFBF! I placed CFBF.CFC in a folder outside of any web site's root and created a CF mapping in the CF Administrator. This allows me to manage one CFC for the entire server and any sites running on it. I will note that it can be installed on a single site; however, in my experience, when one of the sites on my server starts getting hit, the others almost always do as well.
Now I can instantiate my CFC from any site running on my server. My preferred method is to place it in the application scope so it does not need to be instantiated with every request.
I figured there would be some requests or checks that would not need immediate banning (i.e. failed logins, which BotFence already accommodates); however, there are also some blatantly malicious attacks that can be detected (like the one above). The logic thus far is that I create a struct that is passed into "check" functions, and the function returns the result. This struct has two boolean keys, "ban" and "banNow". If ban and banNow are both true, then I loop 10 times and submit the IP 10 times in a row, thus immediately banning the IP; otherwise, if ban is true, I just submit the IP once and let BotFence manage it from there.
I also added optional CF logging so that every detected attack and IP is logged in the CF Administrator in a CFBotFence log.
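Here is how the ban/banNow struct, the 10-submission loop and the optional logging fit together in one cfscript component. This is an added example, not the code from the CFBotFence repository; the BotFence SOAP WSDL URL and operation name are placeholders (the post does not document BotFence's SOAP interface), and the .php-request check is an assumed heuristic for the probe described above.

```cfml
// Added example in the style of CFBotFence; not the repository's own code.
// Placeholders: the BotFence SOAP WSDL and operation name below are assumptions.
component {

    variables.soapWsdl  = "http://BOTFENCE-HOST/PLACEHOLDER-SERVICE?wsdl"; // placeholder
    variables.operation = "PLACEHOLDER_FailedLoginOperation";             // placeholder
    variables.logToCF   = true;   // optional logging to the CFBotFence log in CF Administrator

    // Failed logins are reported once; BotFence bans after 10 within an hour.
    public struct function checkFailedLogin(required string username) {
        return { ban = true, banNow = false, target = "login", username = arguments.username };
    }

    // Assumed heuristic: a request for a .php resource on a server that serves no PHP at all.
    public struct function checkPhpProbe(required string scriptName, required string queryString) {
        var result = { ban = false, banNow = false, target = "web", username = "" };
        if (reFindNoCase("\.php(\?|$)", arguments.scriptName) || findNoCase(".php", arguments.queryString)) {
            result.ban = true;
            result.banNow = true;   // no reason to wait for nine more probes
        }
        return result;
    }

    // Apply a check result: submit the IP 10 times for an immediate ban, once otherwise.
    public void function enforce(required struct check, required string ip) {
        if (!arguments.check.ban) return;
        var submissions = arguments.check.banNow ? 10 : 1;
        for (var i = 1; i <= submissions; i++) {
            submitToBotFence(arguments.ip, arguments.check.target, arguments.check.username);
        }
        if (variables.logToCF) {
            writeLog(file="CFBotFence", type="warning",
                     text="Reported #arguments.ip# (target=#arguments.check.target#, banNow=#arguments.check.banNow#)");
        }
    }

    // Same fields the WordPress plugin posts: IP, TimeStamp, Target, Username.
    private void function submitToBotFence(required string ip, required string target, required string username) {
        var ws = createObject("webservice", variables.soapWsdl);
        invoke(ws, variables.operation, {
            IP        = arguments.ip,
            TimeStamp = dateTimeFormat(now(), "yyyy-mm-dd HH:nn:ss"),
            Target    = arguments.target,
            Username  = arguments.username
        });
    }
}
```

Instantiate it once into the application scope in Application.cfc, then call enforce(checkPhpProbe(cgi.SCRIPT_NAME, cgi.QUERY_STRING), cgi.REMOTE_ADDR) from onRequestStart and enforce(checkFailedLogin(form.username), cgi.REMOTE_ADDR) from the login handler. If the server sits behind a proxy or load balancer, cgi.REMOTE_ADDR will be the proxy's address, so take the client IP from the proxy's forwarded header instead or you will ban the proxy itself.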
You can view the code at https://gitlab.com/oistech/CFBotFence. Keep in mind this is in its infancy and I will be trying to develop it further. If you wish to help develop it further please feel free to email me mike@ColdFusion.rocks or reach out via GitLab!
I have been building web applications with ColdFusion since 1999. ColdFusion has always been my server of choice, and I have used it to build and improve numerous business processes, tasks and systems for numerous clients. It has always proven to be the most reliable, stable, powerful and agile tool in my toolbox.