Difference between revisions of "PHP Security for Developers"

From OWASP
 
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
==Placeholder==
+
=[[PHP Project Frontispiece|Frontispiece]]=
{{Template:Stub}}
+
=[[PHP Project Authentication|Authentication]]=
[[Category:PHP]]
+
#Objective
 +
#Environments Affected
 +
#Relevant COBIT Topics
 +
#Best Practices
 +
#Forms based authentication
 +
#Strong Authentication
 +
#Federated Authentication
 +
#Positive Authentication
 +
#Multiple Key Lookups
 +
#Referer Checks
 +
#Browser remembers passwords
 +
#Default accounts
 +
#Choice of usernames
 +
#Change passwords
 +
#Weak password controls
 +
#Reversible password encryption
 +
#Automated password resets
 +
#Brute Force
 +
#Remember Me
 +
#Idle Timeouts
 +
#Logout
 +
#Account Expiry
 +
#Self registration
 +
#CAPTCHA
 +
#Further Reading
 +
=[[PHP Project Authorization|Authorization]]=
 +
#Objectives
 +
#Environments Affected
 +
#Relevant COBIT Topics
 +
#Best Practices
 +
#Best Practices in Action
 +
#Principle of least privilege
 +
#Centralized authorization routines
 +
#Authorization matrix
 +
#Controlling access to protected resources
 +
#Protecting access to static resources
 +
#Reauthorization for high value activities or after idle out
 +
#Time based authorization
 +
#Be cautious of custom authorization controls
 +
#Never implement client-side authorization tokens
 +
#Further Reading
 +
=[[PHP Project Session Management|Session Management]]=
 +
#Objective
 +
#Environments Affected
 +
#Relevant COBIT Topics
 +
#Description
 +
#Best practices
 +
#Exposed Session Variables
 +
#Page and Form Tokens
 +
#Weak Session Cryptographic Algorithms
 +
#Session Token Entropy
 +
#Session Time-out
 +
#Regeneration of Session Tokens
 +
#Session Forging/Brute-Forcing Detection and/or Lockout
 +
#Session Token Capture and Session Hijacking
 +
#Session Tokens on Logout
 +
#Session Validation Attacks
 +
#Further Reading
 +
=[[PHP Project Data Validation|Data validation]]=
 +
#Objective
 +
#Platforms Affected
 +
#Relevant COBIT Topics
 +
#Description
 +
#Definitions
 +
#Where to include integrity checks
 +
#Where to include validation
 +
#Where to include business rule validation
 +
#Data Validation Strategies
 +
#Prevent parameter tampering
 +
#Hidden fields
 +
#ASP.NET Viewstate
 +
#URL encoding
 +
#HTML encoding
 +
#Encoded strings
 +
#Data Validation and Interpreter Injection
 +
#Delimiter and special characters
 +
#Further Reading
 +
=[[PHP Project Interpreter Injection|Interpreter Injection]]=
 +
#Objective
 +
#Platforms Affected
 +
#Relevant COBIT Topics
 +
#User Agent Injection
 +
#HTTP Response Splitting
 +
#SQL Injection
 +
#ORM Injection
 +
#LDAP Injection
 +
#XML Injection
 +
#Code Injection
 +
#Further Reading
 +
#SQL-injection
 +
#Code Injection
 +
#Command injection
 +
=[[PHP Project Canoncalization, locale and Unicode|Canoncalization, locale and Unicode]]=
 +
#Objective
 +
#Platforms Affected
 +
#Relevant COBIT Topics
 +
#Description
 +
#Unicode
 +
#http://www.ietf.org/rfc/rfc#
 +
#Input Formats
 +
#Locale assertion
 +
#Double (or n-) encoding
 +
# HTTP Request Smuggling
 +
# Further Reading
 +
=[[PHP Project Error Handling, Auditing and Logging|Error Handling, Auditing and Logging]]=
 +
#Objective
 +
#Environments Affected
 +
#Relevant COBIT Topics
 +
#Description
 +
#Best practices
 +
#Error Handling
 +
#Detailed error messages
 +
#Logging
 +
#Noise
 +
#Cover Tracks
 +
#False Alarms
 +
#Destruction
 +
#Audit Trails
 +
#Further Reading
 +
#Error Handling and Logging
 +
=[[PHP Project File System|File system]]=
 +
#Objective
 +
#Environments Affected
 +
#Relevant COBIT Topics
 +
#Description
 +
#Best Practices
 +
#Defacement
 +
#Path traversal
 +
#Insecure permissions
 +
#Insecure Indexing
 +
#Unmapped files
 +
#Temporary files
 +
#PHP
 +
#Includes and Remote files
 +
#File upload
 +
#Old, unreferenced files
 +
#Second Order Injection
 +
#Further Reading
 +
#File System
 +
=[[PHP Project Distributed Computing|Distributed Computing]]=
 +
#Objective
 +
#Environments Affected
 +
#Relevant COBIT Topics
 +
#Best Practices
 +
#Race conditions
 +
#Distributed synchronization
 +
#Further Reading
 +
=[[PHP Project Administrative Interfaces|Administrative Interfaces]]=
 +
#Objective
 +
#Environments Affected
 +
#Relevant COBIT Topics
 +
#Best practices
 +
#Administrators are not users
 +
#Authentication for high value systems
 +
#Further Reading
 +
=[[PHP Project Cryptography|Cryptography]]=
 +
#Objective
 +
#Platforms Affected
 +
#Relevant COBIT Topics
 +
#Description
 +
#Cryptographic Functions
 +
#Cryptographic Algorithms
 +
#Algorithm Selection
 +
#Key Storage
 +
#Insecure transmission of secrets
 +
#Reversible Authentication Tokens
 +
#Safe UUID generation
 +
#Summary
 +
#Further Reading
 +
#Cryptography
 +
=[[PHP Project Configuration|Configuration]]=
 +
#Objective
 +
#Platforms Affected
 +
#Relevant COBIT Topics
 +
#Best Practices
 +
#Default passwords
 +
#Secure connection strings
 +
#Secure network transmission
 +
#Encrypted data
 +
#PHP Configuration
 +
#Global variables
 +
#register_globals
 +
#Database security
 +
#Further Reading
 +
#No backup or old files
 +
#Unnecessary features are off by default
 +
#Setup log files are clean
 +
#No default accounts
 +
#Easter eggs
 +
#Further Reading
 +
=[[GNU Free Documentation License]]=
 +
#PREAMBLE
 +
#APPLICABILITY AND DEFINITIONS
 +
#VERBATIM COPYING
 +
#COPYING IN QUANTITY
 +
#MODIFICATIONS
 +
#COMBINING DOCUMENTS
 +
#COLLECTIONS OF DOCUMENTS
 +
#AGGREGATION WITH INDEPENDENT WORKS
 +
#TRANSLATION
 +
#TERMINATION
 +
#FUTURE REVISIONS OF THIS LICENSE
 +
=Reference=
 +
[[Category:OWASP PHP Project]]
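Review bot: the new chapter heading `=[[PHP Project Canoncalization, locale and Unicode|Canoncalization, locale and Unicode]]=` misspells "Canonicalization" in both the link target and the display text; if the target page has not been created yet, rename both now, otherwise fix the display text and leave the link target until the page is moved. The item `#http://www.ietf.org/rfc/rfc#` under that chapter is an unfilled placeholder with no RFC number and should either get its number or be dropped before this outline is published. Several chapters (Interpreter Injection, Error Handling, File System, Cryptography, Configuration) list "Further Reading" and then continue with further subsections such as `#SQL-injection`, `#Code Injection`, `#Command injection`, which duplicate items already listed above them and look like a second outline appended rather than merged; consider folding them into the earlier list so "Further Reading" closes each chapter. Under Data validation, `#ASP.NET Viewstate` is a platform-specific topic that does not apply to a PHP guide and could be replaced with a PHP-relevant equivalent or removed.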

Latest revision as of 18:37, 21 May 2009

Contents

Frontispiece

Authentication

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Forms based authentication
  6. Strong Authentication
  7. Federated Authentication
  8. Positive Authentication
  9. Multiple Key Lookups
  10. Referer Checks
  11. Browser remembers passwords
  12. Default accounts
  13. Choice of usernames
  14. Change passwords
  15. Weak password controls
  16. Reversible password encryption
  17. Automated password resets
  18. Brute Force
  19. Remember Me
  20. Idle Timeouts
  21. Logout
  22. Account Expiry
  23. Self registration
  24. CAPTCHA
  25. Further Reading

Authorization

  1. Objectives
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Best Practices in Action
  6. Principle of least privilege
  7. Centralized authorization routines
  8. Authorization matrix
  9. Controlling access to protected resources
  10. Protecting access to static resources
  11. Reauthorization for high value activities or after idle out
  12. Time based authorization
  13. Be cautious of custom authorization controls
  14. Never implement client-side authorization tokens
  15. Further Reading

Session Management

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Exposed Session Variables
  7. Page and Form Tokens
  8. Weak Session Cryptographic Algorithms
  9. Session Token Entropy
  10. Session Time-out
  11. Regeneration of Session Tokens
  12. Session Forging/Brute-Forcing Detection and/or Lockout
  13. Session Token Capture and Session Hijacking
  14. Session Tokens on Logout
  15. Session Validation Attacks
  16. Further Reading

Data validation

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Definitions
  6. Where to include integrity checks
  7. Where to include validation
  8. Where to include business rule validation
  9. Data Validation Strategies
  10. Prevent parameter tampering
  11. Hidden fields
  12. ASP.NET Viewstate
  13. URL encoding
  14. HTML encoding
  15. Encoded strings
  16. Data Validation and Interpreter Injection
  17. Delimiter and special characters
  18. Further Reading

Interpreter Injection

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. User Agent Injection
  5. HTTP Response Splitting
  6. SQL Injection
  7. ORM Injection
  8. LDAP Injection
  9. XML Injection
  10. Code Injection
  11. Further Reading
  12. SQL-injection
  13. Code Injection
  14. Command injection

Canonicalization, locale and Unicode

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Unicode
  6. http://www.ietf.org/rfc/rfc#
  7. Input Formats
  8. Locale assertion
  9. Double (or n-) encoding
  10. HTTP Request Smuggling
  11. Further Reading

Error Handling, Auditing and Logging

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Error Handling
  7. Detailed error messages
  8. Logging
  9. Noise
  10. Cover Tracks
  11. False Alarms
  12. Destruction
  13. Audit Trails
  14. Further Reading
  15. Error Handling and Logging

File system

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best Practices
  6. Defacement
  7. Path traversal
  8. Insecure permissions
  9. Insecure Indexing
  10. Unmapped files
  11. Temporary files
  12. PHP
  13. Includes and Remote files
  14. File upload
  15. Old, unreferenced files
  16. Second Order Injection
  17. Further Reading
  18. File System

Distributed Computing

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Race conditions
  6. Distributed synchronization
  7. Further Reading

Administrative Interfaces

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best practices
  5. Administrators are not users
  6. Authentication for high value systems
  7. Further Reading

Cryptography

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Cryptographic Functions
  6. Cryptographic Algorithms
  7. Algorithm Selection
  8. Key Storage
  9. Insecure transmission of secrets
  10. Reversible Authentication Tokens
  11. Safe UUID generation
  12. Summary
  13. Further Reading
  14. Cryptography

Configuration

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Default passwords
  6. Secure connection strings
  7. Secure network transmission
  8. Encrypted data
  9. PHP Configuration
  10. Global variables
  11. register_globals
  12. Database security
  13. Further Reading
  14. No backup or old files
  15. Unnecessary features are off by default
  16. Setup log files are clean
  17. No default accounts
  18. Easter eggs
  19. Further Reading

GNU Free Documentation License

  1. PREAMBLE
  2. APPLICABILITY AND DEFINITIONS
  3. VERBATIM COPYING
  4. COPYING IN QUANTITY
  5. MODIFICATIONS
  6. COMBINING DOCUMENTS
  7. COLLECTIONS OF DOCUMENTS
  8. AGGREGATION WITH INDEPENDENT WORKS
  9. TRANSLATION
  10. TERMINATION
  11. FUTURE REVISIONS OF THIS LICENSE

Reference