PHP security

From Rixort Wiki
Jump to navigation Jump to search

SQL injection

Passwords and credentials

  • Hashing
  • Timing attacks
  • Algorithms
  • Refreshing
  • Brute force attempts
  • Check against common passwords
  • Do not enforce regular password resets - people will use PasswordJanuary, PasswordFebruary etc.
  • Exclude common passwords

Cookies

  • Secure flag
  • HTTP flag

Cross site scripting (XSS)

Cross site request forgery (CSRF)

Shared hosting

  • Access to /tmp - session data
  • Access to read/write files as www-data user

File uploads

  • Denial of service - upload bandwidth, CPU utilisation, disk space utilisation
  • File types - be careful as some file data can be disguised as other file types (e.g. zip disguised as PNG)

Unsafe functions

  • exec
  • shell
  • eval

Data from URLs

  • No control over these (unless you also run the service)
  • Service provider may be malicious
  • DNS poisoning may transfer you to the wrong site/IP
  • Check that data returned is valid - exactly as you would from a form submission

Document root

  • Only files which are shown to users
  • Everything else keep outside document root
  • Pay particular care with non-PHP extensions, e.g. .inc