PHP security: Difference between revisions
Latest revision as of 15:41, 23 March 2021
SQL injection
- Use bound parameters - not mysqli_real_escape_string
Passwords and credentials
- Hashing
- Timing attacks
- Algorithms
- Refreshing
- Brute force attempts
- Check against common passwords
- Do not enforce regular password resets - people will use PasswordJanuary, PasswordFebruary etc.
- Exclude common passwords
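An added example (not from this wiki page) showing how the points above fit together in PHP: password_hash() with PASSWORD_DEFAULT for the algorithm, password_verify() for a constant-time check, password_needs_rehash() for refreshing old hashes, a common-password denylist, and a dummy verification for unknown usernames so the unknown-user path does not finish faster and reveal which accounts exist. The denylist and the usage values are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed denylist; a real deployment would load a large common-password file.
const COMMON_PASSWORDS = ['password', '123456', 'qwerty', 'letmein', 'passwordjanuary'];

function isCommonPassword(string $password): bool
{
    return in_array(strtolower($password), COMMON_PASSWORDS, true);
}

// Hash with the current default algorithm (bcrypt at the time of writing).
// Salt and cost are embedded in the returned string, so nothing else is stored.
function hashPassword(string $password): string
{
    if (isCommonPassword($password)) {
        throw new InvalidArgumentException('password is on the common-password list');
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Throwaway hash used when the username is unknown, so that path costs the
// same as a real verification and response time does not leak account existence.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

// Login check. Returns null on failure; on success returns the hash to keep,
// refreshed if the default algorithm or cost changed since it was created.
function verifyAndRefresh(?string $storedHash, string $password): ?string
{
    // password_verify() compares in constant time; never compare hashes with == yourself.
    $ok = password_verify($password, $storedHash ?? dummyHash());
    if ($storedHash === null || !$ok) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return password_hash($password, PASSWORD_DEFAULT); // store this new hash
    }
    return $storedHash;
}

// Usage with constructed values: a stored hash, then a correct, a wrong and an unknown-user attempt.
$stored = hashPassword('correct horse battery staple');
echo verifyAndRefresh($stored, 'correct horse battery staple') !== null ? "login ok\n" : "login failed\n";
echo verifyAndRefresh($stored, 'wrong') === null ? "rejected\n" : "accepted\n";
echo verifyAndRefresh(null, 'anything') === null ? "rejected\n" : "accepted\n";
```

Whatever verifyAndRefresh() returns on success should be written back to the user record, since that is how an old hash gets upgraded without asking the user to reset.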
Authentication
- Create a simple method that can be called on each page behind authentication, or use middleware
- Two factor authentication should be optional for all users, mandatory for those with elevated privileges
Authorisation
- Every page behind authentication potentially needs an authorisation check
Cookies
- Secure flag
- HttpOnly flag
Cross site scripting (XSS)
Cross site request forgery (CSRF)
- Access to /tmp - session data
- Access to read/write files as www-data user
File uploads
- Denial of service - upload bandwidth, CPU utilisation, disk space utilisation
- File types - be careful as some file data can be disguised as other file types (e.g. zip disguised as PNG)
- Set sensible maximum per-file sizes and per-request sizes - do not rely on MAX_FILE_SIZE
Unsafe functions
- exec
- shell
- eval
Data from URLs
- No control over these (unless you also run the service)
- Service provider may be malicious
- DNS poisoning may transfer you to the wrong site/IP
- Check that data returned is valid - exactly as you would from a form submission
Document root
- Only files which are shown to users
- Everything else keep outside document root
- Pay particular care with non-PHP extensions, e.g. .inc