News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Pádraic Brady:
20 Point List For Preventing Cross-Site Scripting In PHP
April 23, 2013 @ 09:27:02

Pádraic Brady has posted a 20 point list that wants to help you prevent cross-site scripting (XSS) issues in your applications.

Summarising knowledge has as much value as writing a 200 page treatise on a topic, so here is a list of 20 brief points you should bear in mind when battling Cross-Site Scripting (XSS) in PHP. Minus my usual book length brain fart . Chances are good that ignoring or acting contrary to any one of these will lead to a potential XSS vulnerability. It's not necessarily a complete list - if you think something needs to be added, let everyone know in the comments.

His tips include things like:

  • Never pass data from untrusted origins into output without either escaping or sanitising it.
  • Remember that anything not explicitly defined in source code has an untrusted origin.
  • Always include ENT_QUOTES, ENT_SUBSTITUTE and a valid character encoding when calling htmlspecialchars().
  • Use rawurlencode() to escape strings being inserted into URLs and then HTML escape the entire URL.
  • Validate all complete URLs if constructed from untrusted data.
  • Remember that HTMLPurifier is the only HTML sanitiser worth using.
  • Ensure that cookies which must only be transmitted over HTTPS are marked Secure.

He points out that XSS is still one of the most "popular" (and easy to exploit) attack methods out there, so keep these tips in mind when writing up your code.

0 comments voice your opinion now!
list tips preventing xss crosssite scripting

Link: http://blog.astrumfutura.com/2013/04/20-point-list-for-preventing-cross-site-scripting-in-php

Gareth Heyes:
Bypassing XSS Auditor
February 20, 2013 @ 11:21:29

Gareth Heyes has posted about some bypasses that he's found for getting around the XSS Auditor functionality in some browsers:

I had a look at XSS Auditor for a bit of fun because Mario said it's getting harder to bypass. Hmmm I don't agree. I seem to remember the same flaws are present from the last time I checked it with a little variation. It is also a very limited XSS filter not supporting detection of script based attacks (very common).

He includes three of his own bypasses - using a "formaction" on the submit input in a form, using "target" to override the iframe external resource restriction and the injection of a specially placed anchor tag. Each of these comes with a proof-of-concept example and another is also included courtesy of Mario Heiderich.

0 comments voice your opinion now!
bypass xssauditor browser xss protection proofofconcept poc


PHPMaster.com:
8 Practices to Secure Your Web App
February 04, 2013 @ 12:56:40

PHPMaster.com has posted a new article with some high level security tips and reminders for PHP developers when wanting to help prevent issues with their applications. The article provides eight tips, each with a brief description.

When it comes to application security, in addition to securing your hardware and platform, you also need to write your code securely. This article will explain how to keep your application secure and less vulnerable to hacking.

The good practices they recommend include input data validation, protecting against XSS attacks, preventing SQL injections, protecting session data, proper error handling and protecting included files. There's some good reminders here, but it barely scratches the surface of effectively protecting your application. These tips are the "low hanging fruit" for securing your app, so be aware that there's more things to worry about than just these eight.

0 comments voice your opinion now!
secure application tips xss csrf sqlinjection file session error include


Anson Cheung:
Top 6 security attacks in PHP
August 09, 2012 @ 17:03:55

Anson Cheung has posted about some security attacks (six of them) that you need to watch out for when developing your apps.

Be aware of the most common security threats to PHP applications is the important step to secure your PHP scripts may not be immune. Here, the article is going to go over top 6 common security threads in PHP scripts. You may familiar with this, if not, this is a good time for you to read and keep in mind.

The top six on his list are:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Session fixation
  • Session capturing/hijacking
  • Cross-Site Request Forgeries (CSRF)
  • Code Injection

For each item, he includes a bit of explanation as to what the issue is and a common solution as to how to prevent it.

0 comments voice your opinion now!
security attack xss csrf session sqlinjection code


Pádraic Brady's Blog:
Automatic Output Escaping In PHP & The Real Future Of Preventing XSS
June 18, 2012 @ 11:58:22

Pádraic Brady has a new post to his blog about the state of output escaping in PHP and the steps that need to be taken to help prevent and protect applications from the real threat of cross-site scripting.

Automatic escaping has a certain appeal given its goal of removing the need to type escape() all over your templates. Funny thing, though, is that this is basically its one and only advantage. The second claimed goal is to remove a factor of human error (i.e. forgetting to type escape() somewhere), however, this hasn't posed an issue for me in the past where simple analysis of templates can quickly locate such omissions. And no, using automatic escaping does not remove the need to analyse templates for security issues - that's still needed regardless.

He goes on to define what "automatic escaping" is and isn't and how it relates to the context of the information (the same data may not always be filtered the same way in every place). He talks about scope-limited escaping, context-aware escaping and an idea that could help make life easier - a content security policy defining how the client should behave when interpreting HTML.

0 comments voice your opinion now!
escape automatic xss crosssitescripting security content policy


Reddit.com:
Protecting against attack?
May 18, 2012 @ 10:19:35

In this recent post to Reddit.com, the question of application security is asked - the poster wants recommendations on how he should keep his app safe from would-be attackers:

I can code fairly well in PHP these days, but my security isn't so hot. Is there a tutorial or plugin you guys can recommend as to how I should be protecting my php pages/inputs? I want to avoid common attacks like XSS, inputs with NULL or DROP TABLE etc?

Responses on the post include recommendations related to:

  • Using the Chorizo scanner to find common issues in your code
  • Using PDO for database connections (with bound parameters)
  • Not trusting "$_SERVER"
  • Data sanitization

There's also links to a few other resources with more details.

0 comments voice your opinion now!
security attack opinion xss pdo validate filter


PHPMaster.com:
PHP Security Cross-Site Scripting Attacks (XSS)
May 01, 2012 @ 11:59:28

PHPMaster.com has a new tutorial posted today (by George Fekete) about preventing cross-site scripting attacks in your PHP-based applications.

Unfortunately, cross-site scripting attacks occurs mostly, because developers are failing to deliver secure code. Every PHP programmer has the responsibility to understand how attacks can be carried out against their PHP scripts to exploit possible security vulnerabilities. Reading this article, you'll find out more about cross-site scripting attacks and how to prevent them in your code.

Included in the tutorial is an example with a simple form and definitions of different types of XSS attacks - reflected XSS, persistent XSS and three ways to prevent them: data filtering, output filtering and data validation. He also links to a few "cheatsheets" to help even more (including this guide and a Zend Framework set of XSS test data.

0 comments voice your opinion now!
tutorial security xss filter validate data output cheatsheet


Pádraic Brady's Blog:
XSS in PHP (Part 1) How Not to Use Htmlspecialchars
March 13, 2012 @ 12:44:27

Pádraic Brady has written up an exhaustive guide to using htmlspecialchars correctly and securely in your applications (though it's technically how "not to use it"). This is part one of a series looking at preventing cross-site scripting in PHP applications.

While it's no harm poking fun at ourselves, in PHP we do have a serious problem. Cross-Site Scripting (XSS) remains one of the most significant classes of security problems afflicting PHP applications. Despite years of education, community awareness and the development of frameworks which can offer a huge boost in consistent practices - things are not getting any better.

So, I finally figured out what the core problem is: PHP programmers are completely clueless about XSS. It's that simple. Instead of going out and studying the topic, we blindly follow some preferred herd of people offering advice with heartfelt conviction despite the fact that they are probably just as ignorant as the rest of us. Does that sound like the behaviour of something which allegedly evolved into an intelligent species? The result is a mix of ignorance and stagnant knowledge that leaves PHP in an unenviable position beset by wrongheaded zealots.

He introduces the htmlspecialchars function and how it has been generally assumed a good method for presenting XSS attacks. He talks about issues with quotes, problems that IE6 seems to have that no one else does and the all-important third parameter of the function (character set detection) and the optional fourth (decoding HTML entities automatically).

He's created this github repository with the examples from the post.

0 comments voice your opinion now!
xss tutorial htmlspecialchars crosssitescripting security


Brandon Savage's Blog:
An XSS Vulerability In The Making
March 07, 2012 @ 12:02:46

Brandon Savage has a new post to his blog about what he calls a XSS vulnerability in the making, something to watch out for when you're doing validation in PHP involving the possibility of numbers as strings.

Back in September, Socorro received a security bug relating to the method we were using for processing inputs for the duration of certain reports. The vulnerability included a proof of concept, with an alert box popping up on production when the link was followed. [...] I was quite surprised at the root cause of the vulnerability. We had opted to compare the incoming data against a known set of valid values - a common practice when whitelisting certain inputs. [...] As expected, when this [example] code is tested, a string of '3' and an integer of 3 work equally well, and a string of '5' and an integer of 5 fail equally.

This automatic casting that PHP does internally caused another issue as well - if the string passed in even started with a valid number from their whitelist set, it still passed.

At first we thought this surely had to be a bug in PHP. However, Laura Thomson told me "If comparing two values, type juggling is performed first, which means that the string is converted to a number. This is done by taking the first number found in the string. So this may be confusing/a quirk/a gotcha, but it isn't a bug." And she's right: this isn't a bug per se, but it's certainly an interesting "gotcha."
0 comments voice your opinion now!
crosssitescripting xss type juggling string conversion internal


DeveloperDrive.com:
What Web Developers Need to Know About Cross-Site Scripting
October 17, 2011 @ 13:39:23

On the DeveloperDrive.com site there's a recent post anyone wondering about cross-site scripting should give a read. They introduce you to the basic concept and two things you can do to help prevent them.

This little fable describes the most common vulnerability found in web sites, the Cross Site Scripting (XSS) attack. According to a report from WhiteHat Security 83 percent of websites they tested have had at least one serious vulnerability and 66 percent of all websites with vulnerabilities are susceptible to XSS attacks making it the most common vulnerability web developers face. To fix this, it takes 67 days on average. Tools like WebScarab and Paros Proxy can be used to scan sites for possible vulnerabilities.

They offer two simple pieces of advice that it's all too easy to forget when developing applications - validate all user input to ensure it's what it should be and escape any untrusted output (even sometimes your own!) before pushing it out to the page.

0 comments voice your opinion now!
crosssitescripting xss introduction validate filter input output advice



Community Events





Don't see your event here?
Let us know!


unittest developer symfony2 list laravel testing release threedevsandamaybe install code interview community opinion series podcast refactor language introduction framework configure

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework