PHP security

From Rixort Wiki

Revision as of 14:35, 23 March 2021 by Paul (Sọ̀rọ̀ | contribs) (→‎Passwords and credentials)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

SQL injection

Passwords and credentials

Hashing
Timing attacks
Algorithms
Refreshing
Brute force attempts
Check against common passwords
Do not enforce regular password resets - people will use PasswordJanuary, PasswordFebruary etc.
Exclude common passwords

Cookies

Secure flag
HTTP flag

Cross site scripting (XSS)

Cross site request forgery (CSRF)

Shared hosting

Access to /tmp - session data
Access to read/write files as www-data user

File uploads

Denial of service - upload bandwidth, CPU utilisation, disk space utilisation
File types - be careful as some file data can be disguised as other file types (e.g. zip disguised as PNG)

Unsafe functions

exec
shell
eval

Data from URLs

No control over these (unless you also run the service)
Service provider may be malicious
DNS poisoning may transfer you to the wrong site/IP

Document root

Only files which are shown to users
Everything else keep outside document root
Pay particular care with non-PHP extensions, e.g. .inc

Retrieved from ‘https://wiki.rixort.com/index.php?title=PHP_security&oldid=1069’