Tag: PHP
-
OWASP A1 – Injection
Finally, we reach a more glamorous class of vulnerability. Injection attacks can take many forms; SQL injection, XPath/XML/SOAP injection, LDAP injection, and command injection are just a few types. This post will cover some PHP countermeasures to the more common forms of injection, starting with SQL injection: SQL Injection Mitigations: The first step in preventing…
-
OWASP A7 – Insecure Cryptographic Storage
This week we will provide some examples for encrypting data with PHP. Data encryption is necessary to protect sensitive information such as passwords, credit card numbers, medical information, etc. PHP provides some easy-to-use functions to encrypt data so that it can be stored securely. There are two common but different scenarios for storing…
-
OWASP A6 – Security Misconfiguration with PHP
This will be another non-development-related post. I am going to cover security configuration of the operating system, web server, and PHP environment for your web applications. It doesn’t matter how secure your application is if the OS, web server, or PHP configuration is insecure. I am not going to cover full hardening of your…
-
OWASP A4 – Insecure Direct Object References with PHP
Direct object references occur when an application enables a user to provide an actual database key, file name, URL, etc. as input and obtains access to data as a result. Our example on OWASP A10 is an example of providing a direct object reference. In our post, the final solution enables the user to supply…
-
OWASP A10 – Unvalidated Redirects and Forwards with PHP
This is going to be a pretty short post. There are no directly associated ASVS requirements for OWASP A10. The closest ASVS requirement is 4.2: “Verify that users can only access URLs for which they possess specific authorization,” which will be covered in this post. The risk here is that an unvalidated redirect that accepts…
-
OWASP A9 – Insufficient Transport Layer Protection with PHP
This post will step back from coding a bit to focus on what is usually a web server and scripting language configuration issue. Most, if not all, OWASP A9 issues can be resolved with appropriate configuration of Apache and PHP. Since this is mostly a development-related blog, and this topic is not completely development…
-
OWASP A5 – Cross-Site Request Forgery (CSRF) with PHP
We are going to cover Cross-Site Request Forgery (CSRF) countermeasures in this post. This is an often overlooked but potentially deadly vulnerability that can be easily remediated. CSRF is an attack that enables a malicious website to execute procedures on a web application for which the victim has already authenticated. For example, suppose a user…
-
OWASP A2 – Cross-Site Scripting (XSS) with PHP Part 4
This is going to be a short post that expands upon input validation controls. These routines are in addition to those found in the OWASP ASVS and should be utilized where possible to help mitigate the risk of any type of injection attack (XSS, SQLi, LDAPi, XMLi, Command injection, etc). There are two other major…
-
OWASP A2 – Cross-Site Scripting (XSS) with PHP Part 3
Last week we finished up input validation, which represents one half of the solution towards preventing XSS. This week we will cover the other half: output encoding. Output encoding protects the application in the event that malicious script data somehow makes its way into the database or a form parameter. It is a fail-safe…
-
OWASP A2 – Cross-Site Scripting (XSS) with PHP Part 2
Today we will finish up ASVS section 5. Next week we will begin ASVS 6.x (Output Encoding/Escaping Requirements). This should be a pretty short post. ASVS 5.6 Requirement: Verify that a single input validation control is used by the application for each type of data that is accepted. ASVS 5.6 Solution: Watch out for data…