Monday, February 24, 2014

Top 8 PHP And OWASP Security Vulnerabilities!

Despite a programmer's best efforts, vulnerabilities almost always exist in applications, and where none are known, attackers find new ones all the time. So it is only right for programmers to avoid vulnerabilities as much as possible. These are the flaws that the Open World Application Security Project considered to be among the top vulnerabilities in applications.

1. Unvalidated Parameters: When you’re using values from superglobal arrays, you should validate them against unexpected input. If you expect a certain kind of value, put the required checks in place to enforce it. So, for a Zip Code, you can add a check that the value entered is a 5-digit value, a 5-digit value with a hyphen and four more digits, or something that fits the format followed for Zip Codes in a particular country.


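// Accept only a string that matches the ZIP format exactly; the D modifier
// stops $ from matching before a trailing newline.
$zip_in = isset($_GET['zip']) ? $_GET['zip'] : '';
if (is_string($zip_in) && preg_match('/^\d{5}(-\d{4})?$/D', $zip_in)) {
    $zip = $zip_in;
} else {
    die('Invalid ZIP Code format.');
}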


For data that has been sent to a client before and will be received in a cookie, ensure that there has been no tampering. You can do this by sending a hash of the data that you expect along with a secret word. So, you rehash the data when you get it and ensure that the new hash and old hash match each other.

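// sending cookie
$secret_word = 'gargamel';
$id = 123745323;
// keyed hash (HMAC) of the data, instead of md5() over secret and data
$hash = hash_hmac('sha256', (string) $id, $secret_word);
setcookie('id', $id.'-'.$hash);

// receiving and verifying cookie
$raw = (isset($_COOKIE['id']) && is_string($_COOKIE['id'])) ? $_COOKIE['id'] : '';
list($cookie_id, $cookie_hash) = array_pad(explode('-', $raw, 2), 2, '');
// hash_equals() compares in constant time and avoids loose == comparison
if (hash_equals(hash_hmac('sha256', $cookie_id, $secret_word), $cookie_hash)) {
    $id = $cookie_id;
} else {
    die('Invalid cookie.');
}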


2. Access Control Broken: Many people try to come up with their own access control solution. It is better to use the PEAR modules. You can use Auth and Auth_HTTP, which perform cookie-based and browser-based authentication respectively.

3. Session Management and Broken Account: In order to ensure secure standardised session management, you should use the functions that are built-in to PHP already. In doing so, you have to ensure that the session contents aren’t stored in a vulnerable location on your server.

For example, if you store them in a world-readable format in /tmp, they will be accessible to anyone logging into the server. You need to ensure that the files are stored in a secure location that only trusted users can access. Moreover, to protect against network sniffers, you should send all your session IDs and session-specific traffic over SSL.
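The following added example (not from the original post) shows one way to apply the session advice above with PHP's built-in session functions: it refuses to start a session unless the save directory is private, and restricts the session cookie to SSL. The directory path and the function names are hypothetical.

```php
<?php
// Added example: session setup with a private save path and an SSL-only cookie.
// Hypothetical location; it should be owned by the web server user, mode 0700.
$session_dir = '/var/lib/php/app-sessions';

/** True when the directory exists and grants nothing to group or others. */
function session_dir_is_private($dir)
{
    if (!is_dir($dir)) {
        return false;
    }
    clearstatcache(true, $dir);
    // Any of the low six permission bits set means other users can get in.
    return (fileperms($dir) & 0077) === 0;
}

/** Configure and start the session; returns false if the store is unsafe. */
function start_secure_session($dir)
{
    if (!session_dir_is_private($dir)) {
        error_log("Refusing to start session: $dir is missing or open to other users");
        return false;
    }
    session_save_path($dir);                     // instead of a shared /tmp
    ini_set('session.use_only_cookies', '1');    // never accept IDs from the URL
    ini_set('session.use_strict_mode', '1');     // reject IDs the server did not issue
    ini_set('session.cookie_secure', '1');       // send the cookie over SSL only
    ini_set('session.cookie_httponly', '1');     // keep the ID away from page scripts
    return session_start();
}

if (!start_secure_session($session_dir)) {
    http_response_code(500);
    exit('Service temporarily unavailable.');
}
```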

4. Cross-Site Scripting (XSS) Flaws: Information that comes from outside your program should never be displayed unfiltered. Untrusted data should be filtered, and you can use any of PHP’s many tools for this. A few examples are htmlspecialchars(), strtr() and strip_tags().

In order to protect against attackers trying to hide in Unicode encoding, use utf8_decode(). This converts the ISO-8859-1 characters given in a string encoded with Unicode UTF-8 into the ASCII single-byte characters.
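The following added example (not from the original post) compares strip_tags() with htmlspecialchars() on constructed inputs, including a value meant for an HTML attribute and a malformed UTF-8 sequence. The helper name e() is hypothetical. For the encoding check it uses mb_check_encoding(), which assumes the mbstring extension, in place of utf8_decode(), which is deprecated as of PHP 8.2.

```php
<?php
// Added example: encoding untrusted data at the point of output.

/** Encode a value for HTML element content or a quoted attribute value. */
function e($value)
{
    $value = (string) $value;
    // Reject byte sequences that are not valid UTF-8 rather than converting
    // them, so malformed encodings never reach the page.
    if (!mb_check_encoding($value, 'UTF-8')) {
        return '';
    }
    // ENT_QUOTES encodes both " and ', which matters inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, as they might arrive in $_GET['name'].
$samples = array(
    'plain'     => 'Alice',
    'tag'       => '<script>alert(1)</script>',
    'attribute' => '" onmouseover="alert(1)',
    'bad_utf8'  => "abc\xC0\xBCscript",   // overlong (invalid) encoding of "<"
);

foreach ($samples as $label => $input) {
    // strip_tags() removes markup but leaves quotes untouched, so the
    // 'attribute' sample passes through it unchanged.
    $stripped = mb_check_encoding($input, 'UTF-8') ? strip_tags($input) : '(invalid UTF-8)';
    printf("%-10s strip_tags(): %s\n", $label, $stripped);
    printf("%-10s e():          %s\n", $label, e($input));
}
```

Only the e() output is safe to place inside a quoted attribute such as value="..."; strip_tags() alone is not enough there.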

5. Buffer Overflows: PHP does not let you allocate memory at runtime the way C does, so your own code won’t have buffer overflows for that reason. That said, you do have to worry about buffer overflows within PHP itself and within its extensions. You should subscribe to the php-announce mailing list in order to keep yourself up to date with all the newest releases and patches that will help you with this.

6. Error Handling: Raw error messages, if visible, can give advanced users an idea of how your system works and what software is being used. These include error messages from your database, PHP and external programs. They give an attacker a better chance of penetrating your security protocols. So, your error messages shouldn’t contain system information. For this you need to direct PHP to put your error messages into the server’s error log and not to display them to users.

log_errors = On
display_errors = Off


7. Insecure Use of Cryptography: Instead of trying to devise your own encryption scheme, use the mcrypt extension. This extension has a lot of popular encryption schemes, which you can use. Moreover, if you’re storing your encryption keys, then be careful about where you store them. Not storing the keys would be the best idea, but if you are, store them in as secure a location as you can.

8. Remote Administration Flaws: Remote administration tools should be run over SSL connections whenever possible. This keeps passwords and content from being sniffed. When you’re using such software, make sure that the default administrative username and password, and if possible even the URL, have been changed. You could also run the tool from a web server different from the public web server that it administers.
