PHP Security for Developers

From OWASP
Revision as of 15:43, 21 May 2009 by Deleted user (Talk | contribs)

Jump to: navigation, search

http://www.textzeldronsit.com

Contents

Frontispiece

Authentication

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Forms based authentication
  6. Strong Authentication
  7. Federated Authentication
  8. Positive Authentication
  9. Multiple Key Lookups
  10. Referer Checks
  11. Browser remembers passwords
  12. Default accounts
  13. Choice of usernames
  14. Change passwords
  15. Weak password controls
  16. Reversible password encryption
  17. Automated password resets
  18. Brute Force
  19. Remember Me
  20. Idle Timeouts
  21. Logout
  22. Account Expiry
  23. Self registration
  24. CAPTCHA
  25. Further Reading

Authorization

  1. Objectives
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Best Practices in Action
  6. Principle of least privilege
  7. Centralized authorization routines
  8. Authorization matrix
  9. Controlling access to protected resources
  10. Protecting access to static resources
  11. Reauthorization for high value activities or after idle out
  12. Time based authorization
  13. Be cautious of custom authorization controls
  14. Never implement client-side authorization tokens
  15. Further Reading

Session Management

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Exposed Session Variables
  7. Page and Form Tokens
  8. Weak Session Cryptographic Algorithms
  9. Session Token Entropy
  10. Session Time-out
  11. Regeneration of Session Tokens
  12. Session Forging/Brute-Forcing Detection and/or Lockout
  13. Session Token Capture and Session Hijacking
  14. Session Tokens on Logout
  15. Session Validation Attacks
  16. Further Reading

Data validation

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Definitions
  6. Where to include integrity checks
  7. Where to include validation
  8. Where to include business rule validation
  9. Data Validation Strategies
  10. Prevent parameter tampering
  11. Hidden fields
  12. ASP.NET Viewstate
  13. URL encoding
  14. HTML encoding
  15. Encoded strings
  16. Data Validation and Interpreter Injection
  17. Delimiter and special characters
  18. Further Reading

Interpreter Injection

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. User Agent Injection
  5. HTTP Response Splitting
  6. SQL Injection
  7. ORM Injection
  8. LDAP Injection
  9. XML Injection
  10. Code Injection
  11. Further Reading
  12. SQL-injection
  13. Code Injection
  14. Command injection

Canoncalization, locale and Unicode

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Unicode
  6. http://www.ietf.org/rfc/rfc#
  7. Input Formats
  8. Locale assertion
  9. Double (or n-) encoding
  10. HTTP Request Smuggling
  11. Further Reading

Error Handling, Auditing and Logging

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Error Handling
  7. Detailed error messages
  8. Logging
  9. Noise
  10. Cover Tracks
  11. False Alarms
  12. Destruction
  13. Audit Trails
  14. Further Reading
  15. Error Handling and Logging

File system

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best Practices
  6. Defacement
  7. Path traversal
  8. Insecure permissions
  9. Insecure Indexing
  10. Unmapped files
  11. Temporary files
  12. PHP
  13. Includes and Remote files
  14. File upload
  15. Old, unreferenced files
  16. Second Order Injection
  17. Further Reading
  18. File System

Distributed Computing

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Race conditions
  6. Distributed synchronization
  7. Further Reading

Administrative Interfaces

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best practices
  5. Administrators are not users
  6. Authentication for high value systems
  7. Further Reading

Cryptography

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Cryptographic Functions
  6. Cryptographic Algorithms
  7. Algorithm Selection
  8. Key Storage
  9. Insecure transmission of secrets
  10. Reversible Authentication Tokens
  11. Safe UUID generation
  12. Summary
  13. Further Reading
  14. Cryptography

Configuration

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Default passwords
  6. Secure connection strings
  7. Secure network transmission
  8. Encrypted data
  9. PHP Configuration
  10. Global variables
  11. register_globals
  12. Database security
  13. Further Reading
  14. No backup or old files
  15. Unnecessary features are off by default
  16. Setup log files are clean
  17. No default accounts
  18. Easter eggs
  19. Further Reading

GNU Free Documentation License

  1. PREAMBLE
  2. APPLICABILITY AND DEFINITIONS
  3. VERBATIM COPYING
  4. COPYING IN QUANTITY
  5. MODIFICATIONS
  6. COMBINING DOCUMENTS
  7. COLLECTIONS OF DOCUMENTS
  8. AGGREGATION WITH INDEPENDENT WORKS
  9. TRANSLATION
  10. TERMINATION
  11. FUTURE REVISIONS OF THIS LICENSE

Reference