PHP security: Difference between revisions

From Rixort Wiki
Jump to navigation Jump to search
Created page with "== SQL injection == == Password storage == * Hashing * Timing attacks * Algorithms * Refreshing == Cookies == * Secure flag * HTTP flag == Cross site scripting (XSS) ==..."
 
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
== SQL injection ==
== SQL injection ==


== Password storage ==
* Use bound parameters - not mysqli_real_escape_string
 
== Passwords and credentials ==


* Hashing
* Hashing
Line 7: Line 9:
* Algorithms
* Algorithms
* Refreshing
* Refreshing
* Brute force attempts
* Check against common passwords
* Do not enforce regular password resets - people will use PasswordJanuary, PasswordFebruary etc.
* Exclude common passwords
== Authentication ==
* Create a simple method that can be called on each page behind authentication, or use middleware
* Two factor authentication should be optional for all users, mandatory for those with elevated privileges
== Authorisation ==
* Every page behind authentication potentially needs an authorisation check


== Cookies ==
== Cookies ==
Line 26: Line 41:
* Denial of service - upload bandwidth, CPU utilisation, disk space utilisation
* Denial of service - upload bandwidth, CPU utilisation, disk space utilisation
* File types - be careful as some file data can be disguised as other file types (e.g. zip disguised as PNG)
* File types - be careful as some file data can be disguised as other file types (e.g. zip disguised as PNG)
* Set sensible maximum per-file sizes and per-request sizes - do not rely on MAX_FILE_SIZE


== Unsafe functions ==
== Unsafe functions ==
Line 38: Line 54:
* Service provider may be malicious
* Service provider may be malicious
* DNS poisoning may transfer you to the wrong site/IP
* DNS poisoning may transfer you to the wrong site/IP
* Check that data returned is valid - exactly as you would from a form submission


== Document root ==
== Document root ==

Latest revision as of 15:41, 23 March 2021

SQL injection

  • Use bound parameters - not mysqli_real_escape_string

Passwords and credentials

  • Hashing
  • Timing attacks
  • Algorithms
  • Refreshing
  • Brute force attempts
  • Check against common passwords
  • Do not enforce regular password resets - people will use PasswordJanuary, PasswordFebruary etc.
  • Exclude common passwords

Authentication

  • Create a simple method that can be called on each page behind authentication, or use middleware
  • Two factor authentication should be optional for all users, mandatory for those with elevated privileges

Authorisation

  • Every page behind authentication potentially needs an authorisation check

Cookies

  • Secure flag
  • HTTP flag

Cross site scripting (XSS)

Cross site request forgery (CSRF)

Shared hosting

  • Access to /tmp - session data
  • Access to read/write files as www-data user

File uploads

  • Denial of service - upload bandwidth, CPU utilisation, disk space utilisation
  • File types - be careful as some file data can be disguised as other file types (e.g. zip disguised as PNG)
  • Set sensible maximum per-file sizes and per-request sizes - do not rely on MAX_FILE_SIZE

Unsafe functions

  • exec
  • shell
  • eval

Data from URLs

  • No control over these (unless you also run the service)
  • Service provider may be malicious
  • DNS poisoning may transfer you to the wrong site/IP
  • Check that data returned is valid - exactly as you would from a form submission

Document root

  • Only files which are shown to users
  • Everything else keep outside document root
  • Pay particular care with non-PHP extensions, e.g. .inc