Research

implementation

  • static assets only
    • this is the simplest form of security because it minimizes the attack surface. without any endpoints to protect, we only have to maintain the integrity of our static assets.
    • this can be done with basic authorization on a third-party managed delivery system.
    • obviously, a static version of the application is only a temporary solution.

Some core ideas:

  • attack surfaces
  • network of trust
  • defense in depth
  • least privilege
  • detection (is almost more important than defense)
  • CIA of data
    • Confidentiality
      • HTTPS keeps user information secret
    • Integrity
      • secure server access and principles of least privilege prevent important data from being manipulated maliciously
    • Availability
      • properly configured networks ensure data is always available, even in the event of malicious attacks such as DoS
  • risk management
  • consistent software updates
    • php
    • mysql
    • apache
      • ServerSignature Off

php config

  • register_globals = off (v<5.4 only)
  • error reporting
    • show no errors to visitors (obscurity, but error messages also leak file paths, versions and query fragments); log them instead
    • different values for development vs production (php.ini)
  • magic quotes
    • gone in v>5.3
  • safe mode
    • gone in v>5.3
    • confirms matching file owner IDs before accessing files
    • disables or restricts some PHP functions
  • other
  • file configurations
  • shared hosting
    • ini_set
    • single configuration file required at runtime
  • prefer whitelists to blacklists in general
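An added example (not from these notes) that checks the settings above at runtime instead of trusting php.ini by hand. The directive names are real PHP ini settings; the "expected" values and the reasons are the hardening choices argued for in the notes, not an official baseline.

```php
<?php
declare(strict_types=1);
// Added example: audit a handful of php.ini directives from PHP itself.
// Run with the web SAPI (or `php -c /path/to/web/php.ini`), because the CLI
// often loads a different php.ini than Apache/FPM does.

// directive => [expected value after normalisation, why it matters]
const CHECKS = [
    'display_errors'    => ['0', 'never show errors to visitors; log them instead'],
    'log_errors'        => ['1', 'errors must still be recorded somewhere'],
    'expose_php'        => ['0', 'do not advertise the PHP version in response headers'],
    'allow_url_include' => ['0', 'include/require must never fetch remote code'],
    'register_globals'  => ['0', 'PHP < 5.4 only: request variables must not become globals'],
    'magic_quotes_gpc'  => ['0', 'PHP < 5.4 only: escaping belongs at the output layer'],
    'safe_mode'         => ['0', 'PHP < 5.4 only: not a real isolation boundary'],
];

/** php.ini spells booleans as On/Off/1/0/yes/no; map them all to "1" or "0". */
function normalize(string $value): string
{
    $value = strtolower(trim($value));
    return in_array($value, ['1', 'on', 'yes', 'true'], true) ? '1' : '0';
}

/**
 * Return directive => human-readable verdict.
 * ini_get() returns false for a directive this PHP build does not know
 * (register_globals, magic_quotes_gpc and safe_mode were removed in 5.4),
 * which is reported as "n/a" rather than as a failure.
 */
function audit_ini(array $checks): array
{
    $report = [];
    foreach ($checks as $directive => [$expected, $why]) {
        $raw = ini_get($directive);
        if ($raw === false) {
            $report[$directive] = 'n/a   (directive removed in this PHP version)';
            continue;
        }
        $ok = normalize((string) $raw) === $expected;
        $report[$directive] = sprintf('%s (value: "%s") - %s', $ok ? 'ok  ' : 'WEAK', $raw, $why);
    }
    return $report;
}

foreach (audit_ini(CHECKS) as $directive => $verdict) {
    echo str_pad($directive, 20) . $verdict . PHP_EOL;
}
```

On shared hosting where php.ini cannot be edited, `ini_set('display_errors', '0')` at the top of the entry script works for directives that are changeable at runtime (display_errors is one), but not for `expose_php`, which is settable only in php.ini, or `allow_url_include`, which only the system configuration may set. The audit above tells you which of the two situations you are in.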

php validating input

  • validating input
    • determine data expectations
      • only allow expected data in submissions
      • set default values
      • filter the passed array down to only the expected parameters for a given operation
    • consider application and database requirements
    • which data, what format, which values
  • common validations
    • exists (length)
    • type
    • format
    • abc
    • within a set of values
    • uniqueness
  • regex
    • use \A and \Z rather than ^ and $, because $ also matches before a trailing newline (and both match at line boundaries in multiline mode)
  • type checking
    • is_numeric
    • isset
  • enumerations
    • in_array
    • !in_array
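The validation steps above combined into one whitelist check, as an added example that is not from the notes. The "update profile" operation, its field names, allowed roles, the list of already-taken usernames and the sample request are all constructed for the example; `\z` (lower-case) is used as the end anchor because it is stricter than `\Z`, which still matches before a final newline.

```php
<?php
declare(strict_types=1);
// Added example: whitelist-style validation for a hypothetical profile update.

const ALLOWED_ROLES = ['viewer', 'editor'];   // constructed enumeration

/**
 * Keep only the parameters this operation expects and fill in defaults.
 * Anything else in the request (e.g. an injected "is_admin" key) is dropped
 * instead of being handed to the database layer.
 */
function expected_params(array $request, array $defaults): array
{
    return array_merge($defaults, array_intersect_key($request, $defaults));
}

/**
 * Return a list of validation errors; an empty list means the input is acceptable.
 * Invalid data is rejected, never "corrected".
 * $taken stands in for a uniqueness query against the users table.
 */
function validate_profile(array $p, array $taken): array
{
    $errors = [];

    // exists + length
    if (!isset($p['username']) || !is_string($p['username'])) {
        $errors[] = 'username missing';
    } elseif (strlen($p['username']) < 3 || strlen($p['username']) > 32) {
        $errors[] = 'username length out of range';
    // format: \A and \z anchor the whole string. With ^ and $ the value
    // "alice\n" would pass, because $ matches before a trailing newline.
    } elseif (!preg_match('/\A[a-z0-9_]+\z/', $p['username'])) {
        $errors[] = 'username has unexpected characters';
    // uniqueness
    } elseif (in_array($p['username'], $taken, true)) {
        $errors[] = 'username already taken';
    }

    // type + range: is_numeric() alone is too loose (it accepts "1e3", "12.5" and
    // leading whitespace); FILTER_VALIDATE_INT returns false for anything but an integer
    $age = filter_var($p['age'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'age must be an integer between 13 and 120';
    }

    // enumeration: always pass strict = true. Before PHP 8, in_array(0, [...])
    // without it returned true because 0 == 'viewer' under type juggling.
    if (!in_array($p['role'], ALLOWED_ROLES, true)) {
        $errors[] = 'role not in allowed set';
    }

    return $errors;
}

// Constructed sample request: extra key, trailing newline, exponent, wrong type
$dirty_request = ['username' => "alice\n", 'age' => '1e3', 'role' => 0, 'is_admin' => '1'];
$defaults      = ['username' => null, 'age' => null, 'role' => 'viewer'];

$filtered = expected_params($dirty_request, $defaults);   // is_admin is gone
$errors   = validate_profile($filtered, ['bob', 'carol']);

if ($errors) {
    http_response_code(400);   // reject the whole request, do not repair it
    print_r($errors);          // three errors: username chars, age, role
}
```

Each check answers one of the "which data, what format, which values" questions; the order matters only in that cheap structural checks run before anything that would touch the database.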

php sanitization

  • use type casting, not type juggling
  • sanitize SQL, HTML, JavaScript, JSON, XML, etc.
  • encoding characters
    • replace harmful characters with harmless equivalents
  • escaping characters
    • add escape characters before harmful characters
  • do not write custom sanitization methods
  • do not remove or correct invalid data, just reject requests
  • https://i.imgur.com/pCN2PQP.png
  • filter_var($string, $filter_id)
  • use labels for variables to identify condition of data
    • dirty, raw, tainted, unsafe
    • clean, filtered, sanitized, safe
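The escaping, casting and labelling ideas above in one script, as an added example that is not from the notes. One dirty string is prepared for each sink it might reach, with no custom sanitizer. The sample values, table and column names are constructed, and the in-memory SQLite database (needs the pdo_sqlite extension) exists only so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example: context-specific output escaping plus casting and filter_var.

/** Return the same dirty string prepared for each output context. */
function escape_for_contexts(string $dirty): array
{
    return [
        // HTML body or attribute: encode < > & " ' so the browser renders text
        'html' => htmlspecialchars($dirty, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        // JavaScript inside <script>: JSON with the HEX flags so </script>
        // and quotes cannot break out of the literal
        'js'   => json_encode($dirty, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT),
        // URL query component
        'url'  => rawurlencode($dirty),
    ];
}

/** SQL is not escaped at all: bind parameters so data never joins the query text. */
function store_comment(PDO $pdo, int $clean_id, string $dirty_body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (id, body) VALUES (:id, :body)');
    $stmt->execute([':id' => $clean_id, ':body' => $dirty_body]);   // stored verbatim
}

// "dirty_" / "clean_" prefixes say which side of the trust boundary a value is on
$dirty_comment = '<img src=x onerror="alert(1)"> O\'Brien said "hi"';
$dirty_id      = '7 OR 1=1';

// type casting, not juggling: (int) yields exactly 7. Comparing '7 OR 1=1' == 7
// was true before PHP 8 because the leading digits were silently juggled.
$clean_id = (int) $dirty_id;

// filter_var validates and rejects; it does not repair. FILTER_VALIDATE_EMAIL
// returns false for this value, and the right response is to reject the request
// rather than strip the "<script>" and carry on.
$dirty_email = 'alice@example.com<script>';
$email_ok    = filter_var($dirty_email, FILTER_VALIDATE_EMAIL) !== false;   // false

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
store_comment($pdo, $clean_id, $dirty_comment);

// Escaping happens at output time, once per context, on the raw stored value
$stored = (string) $pdo->query('SELECT body FROM comments WHERE id = 7')->fetchColumn();
$out    = escape_for_contexts($stored);
echo "<p>{$out['html']}</p>\n";
echo "<script>var c = {$out['js']};</script>\n";
echo "<a href=\"/view?q={$out['url']}\">link</a>\n";
```

Storing the raw value and escaping on output is what keeps the data usable in every context; encoding it once for HTML before storage would break the JavaScript and URL cases later.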

keeping php code private

  • public directory
    • accessible by the web server
    • presentation code
    • calls to functions in private libraries
  • lib directory
    • not accessible by the web server
    • accessible by your code via the file system
  • keep an index.php file in every directory to prevent the server from displaying directory contents
  • web server config
    • apache: DocumentRoot
  • smart logging
    • errors
    • sensitive actions
    • possible attacks
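A public entry script that follows the layout and logging points above, as an added example that is not from the notes. The directory layout, constant names, log format and sample events are constructed; `Options -Indexes` is a real Apache directive mentioned here as the server-side counterpart of the index.php habit.

```php
<?php
declare(strict_types=1);
// Added example: public/index.php as the only PHP entry point under DocumentRoot.
//
// Assumed layout:
//   /srv/app/public/index.php   <- Apache: DocumentRoot /srv/app/public
//   /srv/app/lib/*.php          <- reachable by require, never by URL
//   /srv/app/logs/security.log  <- writable only by the web server user
// (Apache can also refuse listings with "Options -Indexes".)

define('APP_ROOT', dirname(__DIR__));   // one level above public/, never exposed
define('LIB_DIR',  APP_ROOT . '/lib');
define('LOG_FILE', APP_ROOT . '/logs/security.log');

/** True when the lib directory is NOT inside the web server's document root. */
function lib_outside_docroot(string $lib, string $docroot): bool
{
    $lib     = (realpath($lib) ?: $lib) . '/';
    $docroot = rtrim(realpath($docroot) ?: $docroot, '/') . '/';
    return strpos($lib, $docroot) !== 0;
}

/** One line per event so errors, sensitive actions and possible attacks can be grepped apart. */
function security_log(string $category, string $message, array $ctx = []): void
{
    static $inside = false;          // a failing write must not re-enter via the error handler
    if ($inside) {
        return;
    }
    $inside = true;
    $line = sprintf("%s %-9s %s %s %s\n",
        date('c'), $category, $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $message, json_encode($ctx, JSON_UNESCAPED_SLASHES));
    // type 3 appends to LOG_FILE; fall back to the SAPI logger if it is not writable
    if (!@error_log($line, 3, LOG_FILE)) {
        error_log(trim($line));
    }
    $inside = false;
}

// Errors: never displayed, always logged
ini_set('display_errors', '0');
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    security_log('error', $str, ['file' => basename($file), 'line' => $line]);
    return true;   // handled; PHP's default display is skipped
});

// Deployment self-check: a lib/ inside DocumentRoot means every library file is downloadable
$docroot = $_SERVER['DOCUMENT_ROOT'] ?? __DIR__;
if (!lib_outside_docroot(LIB_DIR, $docroot)) {
    security_log('error', 'lib directory is inside DocumentRoot', ['lib' => LIB_DIR]);
    http_response_code(500);
    exit;
}

// Library files start with this guard so they refuse to run on a direct hit
// even if one is ever copied under public/:
//   if (!defined('APP_ROOT')) { http_response_code(403); exit; }
foreach (glob(LIB_DIR . '/*.php') ?: [] as $file) {
    require_once $file;
}

// Sensitive actions and suspected attacks are logged explicitly by the code
$user = 'alice';                                        // constructed; would come from the session
security_log('sensitive', 'password change requested', ['user' => $user]);

$page = (string) ($_GET['page'] ?? '');
if (strpos($page, '..') !== false) {                    // constructed traversal probe
    security_log('attack', 'path traversal attempt', ['user' => $user, 'param' => 'page']);
}
```

Run from the CLI the self-check passes, the log falls back to stderr and the `lib/` loop is a no-op, so the script can be exercised without the assumed `/srv/app` tree in place.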

notes

  • captcha

resources