The Web Application Firewall Engine Based On Coldfusion

With the rapid development of the Internet technology, the Web applications are playing a more and more important role in people’s work and daily life. Those based on ColdFusion are even becoming the first choices of the military, government and large-scale enterprises, etc.. However, there exist so many loopholes; it is a disaster for the enterprises, even for the country, when the Web applications based on ColdFusion being attacked.Based on the above background, in this thesis, using the ColdFusion application server as a platform, combining with knowledge of Web Application Firewall and breaking through the key technologies—the development of the Web Application Firewall and the ColdFusion programming—a Web Application Firewall based on ColdFusion is designed. It can effectively protect the ColdFusion-based Web applications.For the above-mentioned purpose, the features of the security threats to the Web applications are firstly comprehensively analyzed. On those bases, a ColdFusion-based Web Application Firewall engine is designed and accomplish with CFML programme language and MySQL database. Its main functions are:Basic protection function:the firewall is able to effectively defend against SQL injuction attacks, cross-site scripting attacks, malicious file upload attacks, brute force attacks and path traversal attacks, etc., meanwhile, to a certain extent against application-layer denial of service attacks and buffer overflow attacks.Log audit function:the firewall owns a powerful logging system which can record a detail information of the Web requests, such as the request URL, port number, the request IP address, time, date, and exception description to help users to analyze the risk that the Web applications face.Configuration management function:through the simple configuration on the configuration interface, the firewall can defend the different specific Web application.This thesis describes the overall design and detailed design of the ColdFusion-based Web Application Firewall engine. And at last, as to the defense capabilities of the firewall, a comprehensive testing is going along. The test results show that this firewall engine can effectively prevent a variety of Web attacks. Meanwhile, it has laid a good foundation for further study.