wiki:WebSec

Web programming and security (PHP)

This document is a work in progress.

TODO

  • Application layout (docroot/lib separation, include mess fix, file attributes)
  • Charset: generalities about charsets (ISO8859-1, UTF8, CP1252, glyph/loc-aware functions)
  • Charset: usage (HTTP header, XML header, HTML meta, DB, others, PHP strings, mbstring module)
  • Sanity: valid XHTML or die
  • Input: URL (RFC, encoding/decoding, PHP and JS)
  • Input: HTTP headers
  • Input: form fields (encoding, quoting, register_globals, use of $_REQUEST)
  • Input: file upload (creation masks, +optim)
  • Output: quoting
  • Sessions: (+optim)
  • App logic: what goes in session, what goes in I/O
  • Auth: methods, users separation (consider mono-user, ?)
  • Database: privileges, quoting, charset
  • External programs
  • Policy: know/disclose your vulnerabilities (Apache, PHP, libs, your app)
  • Abuse: disk filling (upload, logs, etc), DB filling, CPU overloading, bandwidth hogging (+time limit, +memory limit)
  • Watch: logs, probes, traces
  • Know: attack creation and detection (XSS, SQL injection, stack smash, spamming, ?)
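As an added example (not code from this page) tying together the "Input: form fields", "Output: quoting" and "Database: quoting" items above, here is one form field followed from the request into the database and back into HTML: first written the way the items warn against, then quoted at each boundary. It assumes a PDO connection to a MySQL table `comments(id, author, body)` and a UTF-8 page; the DSN, credentials and table are illustrative.

```php
<?php
// Added example, not part of the original page.
// Assumptions: $pdo is a PDO connection to a MySQL database holding a table
// comments(id INT AUTO_INCREMENT, author VARCHAR(64), body TEXT), and the
// page is served as UTF-8 with a matching database charset.
declare(strict_types=1);

header('Content-Type: text/html; charset=UTF-8');

// --- Vulnerable version: $_REQUEST, string-built SQL, raw output ---
function vulnerable_insert(PDO $pdo): void
{
    // $_REQUEST merges GET, POST and COOKIE, so the attacker picks the channel.
    $author = $_REQUEST['author'];
    $body   = $_REQUEST['body'];
    // Untrusted data concatenated into the SQL text: SQL injection.
    $pdo->exec("INSERT INTO comments (author, body) VALUES ('$author', '$body')");
}

function vulnerable_render(array $row): string
{
    // Raw output: a <script> stored in body runs in every visitor's browser (XSS).
    return "<p><b>{$row['author']}</b>: {$row['body']}</p>";
}

// --- Hardened version: validate on input, parameterize for the DB, escape for HTML ---

/** Read one field from an explicit source array; null if absent or invalid. */
function read_field(array $source, string $name, int $maxLen): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = $source[$name];
    // Reject byte sequences that are not valid UTF-8 before DB or output see them.
    if (!mb_check_encoding($value, 'UTF-8') || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    return $value;
}

function safe_insert(PDO $pdo, array $post): bool
{
    // Read from $_POST explicitly (passed in as $post), never from $_REQUEST.
    $author = read_field($post, 'author', 64);
    $body   = read_field($post, 'body', 4000);
    if ($author === null || $body === null) {
        return false;
    }
    // Prepared statement: the data never becomes part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    return $stmt->execute([':author' => $author, ':body' => $body]);
}

/** Escape for HTML element content or a quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function safe_render(array $row): string
{
    return '<p><b>' . h($row['author']) . '</b>: ' . h($row['body']) . '</p>';
}

// Usage (assumed DSN and credentials). Emulated prepares are turned off so the
// server, not the client library, keeps data and SQL apart.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    safe_insert($pdo, $_POST);
}
foreach ($pdo->query('SELECT author, body FROM comments') as $row) {
    echo safe_render($row);
}
```

The same three boundaries (validate on the way in, parameterize toward the database, escape on the way out) apply whatever the storage backend; only the escaping function changes with the output context (HTML body, attribute, URL, JavaScript).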

Audit tool (self-audit PHP ?):

  • checks php.ini values
  • checks file layout and attributes
  • check versions against the latest known vulnerabilities
  • try to check obvious mis-quoting
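A minimal self-audit script along the lines of the list above, added here as an example (not a tool from this page). It covers the first three items: php.ini values, file layout and permissions, and the PHP version. The "safe" values, the paths and the minimum version are assumptions chosen for illustration; the mis-quoting check is not attempted.

```php
<?php
// Added example, not part of the original page. Paths, expected ini values
// and the minimum PHP version below are assumptions; adapt to the deployment.
declare(strict_types=1);

/** Read an ini directive as a boolean ("1", "On", "off", "" or false -> bool). */
function ini_bool(string $name): bool
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

/** php.ini checks. Returns a list of findings; an empty list means all passed. */
function audit_ini(): array
{
    $findings = [];
    // Must be Off in production. The first two no longer exist in PHP >= 5.4,
    // where ini_get() returns false and the check simply passes.
    foreach (['register_globals', 'magic_quotes_gpc', 'allow_url_include',
              'display_errors', 'expose_php'] as $name) {
        if (ini_bool($name)) {
            $findings[] = "php.ini: $name should be Off";
        }
    }
    // Must be On.
    foreach (['session.use_only_cookies', 'session.cookie_httponly', 'log_errors'] as $name) {
        if (!ini_bool($name)) {
            $findings[] = "php.ini: $name should be On";
        }
    }
    // Abuse limits (CPU) and confinement. max_execution_time is 0 by design under CLI.
    if (PHP_SAPI !== 'cli' && (int) ini_get('max_execution_time') === 0) {
        $findings[] = 'php.ini: max_execution_time is unlimited';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'php.ini: open_basedir is not set';
    }
    return $findings;
}

/** Layout checks: nothing world-writable under the docroot, no include or
 *  config files served from it, writable directories kept outside it. */
function audit_paths(string $docroot, array $writableDirs): array
{
    $findings = [];
    $docroot = realpath($docroot);
    if ($docroot === false) {
        return ['docroot does not exist'];
    }
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        if ($info->getPerms() & 0002) {          // other-write bit
            $findings[] = "world-writable: $path";
        }
        // Library code and configuration belong outside the docroot.
        if ($info->isFile() && preg_match('/\.(inc|ini|sql|bak|conf)$/i', $path)) {
            $findings[] = "source or config file served from docroot: $path";
        }
    }
    foreach ($writableDirs as $dir) {
        $real = realpath($dir);
        if ($real === false || !is_dir($real) || !is_writable($real)) {
            $findings[] = "writable dir missing or not writable: $dir";
        } elseif (strpos($real . DIRECTORY_SEPARATOR, $docroot . DIRECTORY_SEPARATOR) === 0) {
            $findings[] = "writable dir lies inside docroot: $real";
        }
    }
    return $findings;
}

/** Version check against a minimum the operator tracks from vendor advisories. */
function audit_version(string $minimum): array
{
    return version_compare(PHP_VERSION, $minimum, '<')
        ? ['PHP ' . PHP_VERSION . " is older than $minimum; review the advisories"]
        : [];
}

// Usage (assumed paths and minimum version); exit status 1 if anything was found.
$findings = array_merge(
    audit_ini(),
    audit_paths('/var/www/htdocs', ['/var/www/data/uploads', '/var/www/data/sessions']),
    audit_version('5.2.0')
);
foreach ($findings as $f) {
    echo $f, PHP_EOL;
}
exit($findings === [] ? 0 : 1);
```

Run it under the same SAPI as the application (for example through the web server, or with `php-cgi` pointed at the production php.ini), since the CLI reads a different configuration and would report the wrong values.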

Recommended reading (by order of specialization):

References:

  • ...
Last modified on Nov 8, 2006, 12:02:27 AM