4
coderme
6y

Since I started my routine of checking bug logs every morning, I've had 2 instances where a website vulnerability scanner was run against a production website and generated over 2,000 ColdFusion errors.

At the time, I was super nervous about the apparent hack attempt, and hyped that the attackers never actually got in. It's nice to know that despite the various errors indicating vulnerable / breakable code, they were ultimately unsuccessful. I know now that a determined attacker could probably have wrecked our production websites. Since then I've made a ton of security-related updates and I'm actually thankful for the script kiddie getting my attention with that scan.

PS. We're now building a website for a local security company that is going to work with us to pen test the site when it's finished! Gulp.

Comments
  • 1
    SQL injection? PDO? :)
  • 1
    @Christian1998 This is actually ColdFusion, and a lot of it is some pretty old code, so no prepared statements. I updated most of the DB queries to use prepared statements and the problem went away.
  • 1
    @coderme Good job. Just dumped a shop yesterday bc of a sqli :D
  • 1
    @Christian1998 yeah, vulnerable code is not something to mess around with!
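As an added illustration of the fix coderme describes in the comments (not code from the original post), here is a typical old-style ColdFusion query that drops a URL parameter straight into the SQL, beside the same query rewritten with cfqueryparam so the value is bound as a prepared-statement parameter; the datasource name, table and column names are assumed.

```cfml
<!--- Before: the request value is concatenated into the SQL string,
      so whatever arrives in ?id= becomes part of the statement text.
      Datasource "shopDSN" and the products table are assumed for illustration. --->
<cfquery name="getProduct" datasource="shopDSN">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- After: cfqueryparam passes the value as a typed bind parameter of a
      prepared statement, so the database never parses it as SQL. A value
      that is not an integer is rejected by ColdFusion before the query runs,
      instead of changing what the query does. --->
<cfquery name="getProduct" datasource="shopDSN">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String parameters work the same way; maxlength caps the bound value,
      and the LIKE wildcards stay in the parameter, not in the SQL text. --->
<cfquery name="findProducts" datasource="shopDSN">
    SELECT id, name, price
    FROM products
    WHERE name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```

A scanner run against the first form shows up in the logs as a flood of database errors, exactly the symptom described in the post; against the second form the same inputs produce either a normal empty result or a single ColdFusion type-validation error.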