Professional Documents
Culture Documents
Phpsecurity - Introduction - RST at Master Padraic - Phpsecurity GitHub
Phpsecurity - Introduction - RST at Master Padraic - Phpsecurity GitHub
Phpsecurity - Introduction - RST at Master Padraic - Phpsecurity GitHub
padraic Remove number prefix on chapters (let index.rst determine order & hel… 48c2b07 on 6 Aug 2012
1 contributor
Introduction
1 de 8 03/02/2020 14:22
phpsecurity/Introduction.rst at master · padraic/phpsecurity · GitHub https://github.com/padraic/phpsecurity/blob/master/book/lang/en/source/I...
I'll stick with those two because they capture a lot of what web application
security should prevent. As every target of a serious security breach will
quickly note in their press releases and websites: Security is very important
to them and take it very seriously. Taking this sentiment to heart before
you learn it the hard way is recommended.
Since the goal of web application security is to protect the users, ourselves
and whoever else might rely on the services that application provides, we
need to understand a few basics:
2 de 8 03/02/2020 14:22
phpsecurity/Introduction.rst at master · padraic/phpsecurity · GitHub https://github.com/padraic/phpsecurity/blob/master/book/lang/en/source/I...
The answer to the first question is very easy: everyone and everything. Yes,
the entire Universe is out to get you. That kid in the basement with a
souped up PC running BackTrack Linux? He probably already has. The
suspicious looking guy who enjoys breaking knees? He probably hired
someone to do it. That trusted REST API you suck data from every hour? It
was probably hacked months ago to serve up contaminated data. Even I
might be out to get you! So don't believe this guide, assume I'm lying, and
make sure you have a programmer around who can spot my nefarious
instructions. On second thought, maybe they are out to hack you too...
3 de 8 03/02/2020 14:22
phpsecurity/Introduction.rst at master · padraic/phpsecurity · GitHub https://github.com/padraic/phpsecurity/blob/master/book/lang/en/source/I...
The answer to the second question is a really long list. You can be attacked
from wherever each component or layer of a web application receives data.
Web applications are all about handling data and shuffling it all over the
place. User requests, databases, APIs, blog feeds, forms, cookies, version
control repositories, PHP's environmental variables, configuration files,
more configuration files, and even the PHP files you are executing could
potentially be contaminated with data designed to breach your security
defenses and do serious damage. Basically, if it wasn't defined explicitly in
the PHP code used in a request, it's probably stuffed with something
naughty. This assumes that a) you wrote the PHP source code, b) it was
properly peer reviewed, and c) you're not being paid by a criminal
organisation.
Using any source of data without checking to ensure that the data received
is completely safe and fit for use will leave you potentially open to attack.
What applies to data received has a matching partner in the data you send
out. If that data is not checked and made completely safe for output, you
will also have serious problems. This principle is popularly summed up in
PHP as "Validate Input; Escape Output".
These are the very obvious sources of data that we have some control
over. Other sources can include client side storage. For example, most
applications identify users by assigning them a unique Session ID which
can be stored in a cookie. If the attacker can grab that cookie value, they
can use it to impersonate the original user. Obviously, while we can
mitigate against some risks of having user data intercepted or tampered
with, we can never guarantee the physical security of the user's PC. We
can't even guarantee that they'll consider "123456" as the dumbest
password since "password". What makes life even more interesting is that
cookies are not the only client side storage medium these days.
4 de 8 03/02/2020 14:22
phpsecurity/Introduction.rst at master · padraic/phpsecurity · GitHub https://github.com/padraic/phpsecurity/blob/master/book/lang/en/source/I...
5 de 8 03/02/2020 14:22
phpsecurity/Introduction.rst at master · padraic/phpsecurity · GitHub https://github.com/padraic/phpsecurity/blob/master/book/lang/en/source/I...
3. Apply Defense-In-Depth
Defense in depth was borrowed from the military because bad ass people
realised that putting numerous walls, sandbags, vehicles, body armour, and
carefully placed flasks between their vital organs and enemy bullets/blades
was probably a really good idea. You never know which one of these could
individually fail, so having multiple layers of protection ensured that their
safety was not tied up in just one defensive fortification or battle line. Of
course, it's not just about single failures. Imagine being an attacker who
scaled one gigantic medieval wall with a ladder - only to see the defenders
bunched up on yet another damn wall raining down arrows. Hackers get
that feeling too.
6 de 8 03/02/2020 14:22
phpsecurity/Introduction.rst at master · padraic/phpsecurity · GitHub https://github.com/padraic/phpsecurity/blob/master/book/lang/en/source/I...
TBD
7 de 8 03/02/2020 14:22
phpsecurity/Introduction.rst at master · padraic/phpsecurity · GitHub https://github.com/padraic/phpsecurity/blob/master/book/lang/en/source/I...
Conclusion
TBD
8 de 8 03/02/2020 14:22