Discussion:
Do you know of a guide on how to idiot proof php for use on the public web?
r***@mynetblog.com
2017-03-01 18:17:54 UTC
Do you know of a guide on how to idiot proof php for use on the public web?

I have great concerns about people XSS'ing my site or other serious stuff. My problem is that I assume everything is going to get attacked and am afraid to put any php where people can access it.

A very long time ago I had this CGI page to allow people to enter a URL they wanted to see and when they submitted the form it would display the link on a result page. I know this is very bad to do this type of thing now because of XSS vulnerabilities. However, I don't know about all the other hacks people use to exploit php.

I just recently found out about the proxy variable where people set a "proxy" variable in their request header that when sent to a CGI script turns into http_proxy environment variable. So, I blocked that. (I think.)

Attackers are actively scanning my site for vulnerabilities so I am fearful of putting anything on my site that they can attack because I know they will exploit any hole they find.

I only know how to write simple and short php scripts and some very basic SQL queries.
J.O. Aho
2017-03-01 20:21:24 UTC
Post by r***@mynetblog.com
Do you know of a guide on how to idiot proof php for use on the public web?
I have great concerns about people XSS'ing my site or other serious stuff.
My problem is that I assume everything is going to get attacked and am afraid
to put any php where people can access it.
The best source is owasp.org; there is a page with more PHP-specific
stuff (not completed): https://www.owasp.org/index.php/Category:PHP

Here is another site looking at the owasp top 10 and giving you some php
related information: http://www.sklar.com/page/article/owasp-top-ten
Post by r***@mynetblog.com
I just recently found out about the proxy variable where people set a "proxy"
variable in their request header that when sent to a CGI script turns into http_proxy
environment variable. So, I blocked that. (I think.)
Always disable those things you don't use, both in the php.ini and in
the server configuration, if you are administrator of the server.
Post by r***@mynetblog.com
Attackers are actively scanning my site for vulnerabilities so I am fearful of putting
anything on my site that they can attack because I know they will exploit any hole they find.
Just remember to validate data before you use it. Say, for example, you
are expecting a numeric value to be posted; then use

if (isset($_POST['postedvariable']) && is_numeric($_POST['postedvariable'])) {
    // only now assign this value to a variable; isset() avoids an
    // "undefined index" notice when the field was not posted at all
    $variableiwilluselaterinmycode = $_POST['postedvariable'];
}

Look at the page at sklar.com for some good advice, and don't forget to
read the documentation at php.net; there are many good comments to
read on those pages too.
--
//Aho
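The two things discussed in this thread, the "show me the URL you entered" page from the first post and the numeric check from the reply, put together in one PHP script. This is an added example and not code from either poster; the function names are mine, and it assumes the URL arrives as a `url` query parameter.

```php
<?php
// Added example (not from the thread): the URL-echo page from the
// original post, rewritten so the echoed value is validated on input
// and escaped on output. Function names are hypothetical.
declare(strict_types=1);

// Validate: accept only an absolute http(s) URL, otherwise return null.
function validated_http_url(?string $raw): ?string
{
    if ($raw === null || strlen($raw) > 2048) {
        return null;
    }
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    // FILTER_VALIDATE_URL accepts any well-formed scheme (ftp, file, ...),
    // so restrict the scheme explicitly to what the page is meant to link to.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Encode: every untrusted value placed in HTML goes through htmlspecialchars
// with ENT_QUOTES, so quotes cannot break out of the href attribute and
// angle brackets cannot open new tags. This is the step the old CGI page lacked.
function link_html(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '" rel="noopener noreferrer">' . $safe . '</a>';
}

// Integer input: is_numeric() also accepts "1e3", " 42" and "0.5";
// FILTER_VALIDATE_INT with a range is stricter when an integer is expected.
function validated_int(?string $raw, int $min, int $max): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

$url = validated_http_url($_GET['url'] ?? null);
header('Content-Type: text/html; charset=UTF-8');
echo $url === null
    ? '<p>Please enter a valid http or https URL.</p>'
    : '<p>You asked for: ' . link_html($url) . '</p>';
```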
mynetblog.com
2017-03-07 08:37:22 UTC
Post by J.O. Aho
Post by r***@mynetblog.com
Do you know of a guide on how to idiot proof php for use on the public web?
I have great concerns about people XSS'ing my site or other serious stuff.
My problem is that I assume everything is going to get attacked and am afraid
to put any php where people can access it.
The best source is owasp.org; there is a page with more PHP-specific
stuff (not completed): https://www.owasp.org/index.php/Category:PHP
Here is another site looking at the owasp top 10 and giving you some php
related information: http://www.sklar.com/page/article/owasp-top-ten
Post by r***@mynetblog.com
I just recently found out about the proxy variable where people set a "proxy"
variable in their request header that when sent to a CGI script turns into http_proxy
environment variable. So, I blocked that. (I think.)
Always disable those things you don't use, both in the php.ini and in
the server configuration, if you are administrator of the server.
Post by r***@mynetblog.com
Attackers are actively scanning my site for vulnerabilities so I am fearful of putting
anything on my site that they can attack because I know they will exploit any hole they find.
Just remember to validate data before you use it. Say, for example, you
are expecting a numeric value to be posted; then use
if (isset($_POST['postedvariable']) && is_numeric($_POST['postedvariable'])) {
    // only now assign this value to a variable; isset() avoids an
    // "undefined index" notice when the field was not posted at all
    $variableiwilluselaterinmycode = $_POST['postedvariable'];
}
Look at the page at sklar.com for some good advice, and don't forget to
read the documentation at php.net; there are many good comments to
read on those pages too.
--
//Aho
Thanks for the reply.

Since I wrote that, I managed to find these resources. They are not specific to PHP, but they are still good to review.

Common Exploits and How to Prevent Them
https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=473603

2011 CWE/SANS Top 25 Most Dangerous Software Errors
https://cwe.mitre.org/top25/

Secure Coding section from CERT
https://www.cert.org/secure-coding/index.cfm