A recent pentest generated some 500 errors like this:

javax.servlet.ServletException: ROOT CAUSE: 
java.lang.IllegalArgumentException: err.io.short_read
    at coldfusion.filter.FormScope.parsePostData(FormScope.java:326)
    at coldfusion.filter.FormScope.fillForm(FormScope.java:296)
    at coldfusion.filter.FusionContext.SymTab_initForRequest(FusionContext.java:408)
etc...

Does anyone know anything about avoiding that? Clearly this isn't normal traffic, the pentesters are actively trying to blow things up and poke holes, but ideally they don't succeed.

it's a malformed request?

Probably, that's one thing pentesters do.

Well, it appears the servlet blocked the request 🙂

is this app protected by fuseguard? ours are and when the pentesters test with it active ain't nuffin blowing up on our end, fwiw

The point of a pentest is to send as much bad crap as possible at your application to break it, bend it, crash it or "own it". Your logs should be full of bad requests, oversized requests, so on and so forth. You can clear up some of those items by running a stateful proxy waf in front of your coldfusion instance.

It's hard for me to tell if the "intruder" achieved anything, we'll get the full report in a few days. I just like to be able to tell our people that we've got control of the nasties, more or less, and 500 errors doesn't quite seem like it. No FuseGuard. We're a non-profit, solvent, but pretty financially conservative, have to be.

Just because a pentest manages to get your server to throw an error, doesn't mean they "penetrated" anything. Often times that's just your server rightly rejecting the requests. Of course, that doesn't prevent of a lot of pentest software from trying to report an exception as a "finding".

@bdw429s yes exactly, my people look at me sidewise when they see 500s, even if I tell them they're harmless. I'm supposed to fix "errors"! But it's also hard to validate that nothing bad or revealing of anything happened, unless I have the actual tool the pentesters used.

You do not need to be a fortune 1000 company to run a WAF (Web application firewall). While Fuseguard is maybe one, if not the best WAF for Coldfusion @foundeo , you can use open source products such as Mod_evasive, mod_security, nginx, Squid, mod_rewrite, and or follow the Adobe Coldfusion server lockdown guides as well as the NSA's guide and TSA's guide on hardening your windows server. (personally, I say move to linux and only run what you need from windows in a container instance.