Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Paragon Initiative:
Preventing Timing Attacks on String Comparison with a Double HMAC Strategy
Nov 09, 2015 @ 18:07:19

The Paragon Initiative has a post showing you how to prevent timing attacks when comparing strings using a double HMAC method. Essentially this method replaces timing safe comparison methods (non-native) using a constant key in the HMAC generation.

One of the common cryptographic side-channels that developers should be aware of is how long a specific operation, such as a string comparison, takes to complete. Thus, they are called timing attacks. [...] Timing attacks are possible because string comparison (usually implemented internally via memcmp()) is optimized. [...] These concerns have led many security to propose a Double HMAC strategy instead of writing a constant time comparison loop where one is not already provided (e.g. PHP before 5.6.0).

He points out that while the has_equals approach can be effective in preventing this kind of issue, if you're not running PHP 5.6 you're a bit out of luck. There are polyfill functions that mimic it but he suggests another option - the double HMAC. He includes an example of the code to perform this kind of evaluation, using the same constant key value in the HMAC generation for both input strings. He then refactors this and shows how to use a more randomized key making use of the native CSPRNG functions coming in PHP 7 (ployfill available for this too).

tagged: prevent timing attack double hmac comparison hashequals polyfill

Link: https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy

Paragon Initiative:
Everything [About] Preventing Cross-Site Scripting Vulnerabilities in PHP
Jun 17, 2015 @ 17:19:29

The Paragon Initiative has posted a new tutorial that wants to provide you with everything you need to know about preventing cross-site scripting in PHP applications.

Cross-Site Scripting (abbreviated as XSS) is a class of security vulnerability whereby an attacker manages to use a website to deliver a potentially malicious JavaScript payload to an end user. XSS vulnerabilities are very common in web applications. They're a special case of code injection attack; except where SQL injection, local/remote file inclusion, and OS command injection target the server, XSS exclusively targets the users of a website.

[...] Cross-Site Scripting represents an asymmetric in the security landscape. They're incredibly easy for attackers to exploit, but XSS mitigation can become a rabbit hole of complexity depending on your project's requirements.

He introduces the concept of cross-site scripting (XSS) for those new to the term and provides a brief "mitigation guide" for those wanting to jump to the end. He then gets into some examples of what a XSS vulnerability could look like, both stored and reflected and provides the "quick and dirty" method for preventing them. He also mentions some tips in implementing your solution including avoiding HTML in your data if at all possible. He goes on to talk about the use of HTMLPurifier to prevent attacks, context-sensitive escaping (HTML vs JS vs CSS) and some of the browser-level features that help prevent XSS for the user.

tagged: prevent xss crosssitescripting security prevent vulnerability context browser

Link: https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

Paragon Initiative:
Everything [About] Preventing Cross-Site Scripting Vulnerabilities in PHP
Jun 17, 2015 @ 17:19:29

The Paragon Initiative has posted a new tutorial that wants to provide you with everything you need to know about preventing cross-site scripting in PHP applications.

Cross-Site Scripting (abbreviated as XSS) is a class of security vulnerability whereby an attacker manages to use a website to deliver a potentially malicious JavaScript payload to an end user. XSS vulnerabilities are very common in web applications. They're a special case of code injection attack; except where SQL injection, local/remote file inclusion, and OS command injection target the server, XSS exclusively targets the users of a website.

[...] Cross-Site Scripting represents an asymmetric in the security landscape. They're incredibly easy for attackers to exploit, but XSS mitigation can become a rabbit hole of complexity depending on your project's requirements.

He introduces the concept of cross-site scripting (XSS) for those new to the term and provides a brief "mitigation guide" for those wanting to jump to the end. He then gets into some examples of what a XSS vulnerability could look like, both stored and reflected and provides the "quick and dirty" method for preventing them. He also mentions some tips in implementing your solution including avoiding HTML in your data if at all possible. He goes on to talk about the use of HTMLPurifier to prevent attacks, context-sensitive escaping (HTML vs JS vs CSS) and some of the browser-level features that help prevent XSS for the user.

tagged: prevent xss crosssitescripting security prevent vulnerability context browser

Link: https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

Marco Pivetta:
roave/security-advisories: Composer against Security Vulnerabilities
Dec 30, 2014 @ 18:12:40

As Marco Pivetta has mentioned in his latest post to his site, Roave has released a tool for use with Composer that helps prevent vulnerable versions of software from even being installed (based on the data from the security-advisories data from FriendsOfPHP).

Since it's almost christmas, it's also time to release a new project! The Roave Team is pleased to announce the release of roave/security-advisories, a package that keeps known security issues out of your project.

The tool makes use of a "conflict" metapackage, mentioned in the Composer spec, and fails when the software and version is listed in the FriendsOfPHP information. This integration with Composer means that there's no need to run a separate tool for the checks to be made. It's integrated into the workflow and will dynamically fail without the need for you to update anything.

tagged: roave securityadvisories prevent vulnerable software composer install

Link: http://ocramius.github.io/blog/roave-security-advisories-protect-against-composer-packages-with-security-issues/

Anthony Ferrara:
It's All About Time
Dec 01, 2014 @ 16:46:15

In his latest post Anthony Ferrara talks about a tricky subject in PHP - timing attacks. A timing attack has to do with vulnerabilities that can come up because of the differences in time it takes to perform cryptographic operations (like hashing or encrypting).

An interesting pull request has been opened against PHP to make bin2hex() constant time. This has lead to some interesting discussion on the mailing list (which even got me to reply :-X). There has been pretty good coverage over remote timing attacks in PHP, but they talk about string comparison. I'd like to talk about other types of timing attacks.

He starts with a definition of what a remote timing attack is and provides an example of a simple script showing the delay that's key to the attack. His script deals with string location but it gives you an idea of how the attack works and where the danger lies. He points out that even remotely attackers could determine the times to perform operations (down to the nanosecond) and use this to their advantage. He points out that both == and === are vulnerable to this type of attack because of how the comparison happens. He gives two options (one an internal function) to help protect your application and briefly covers a few other types of timing attacks: index lookup, cache-timing and branch-based timing attacks.

tagged: timing attack comparison time example tutorial introduction prevent

Link: http://blog.ircmaxell.com/2014/11/its-all-about-time.html

Mattias Noback:
Backwards compatible bundle releases
Sep 29, 2014 @ 17:31:09

In his latest post Matthias Noback talks about a problem common to Symfony bundles (and, well, software in general) - dealing with backwards compatibility and breaks that could be introduced with new changes.

With a new bundle release you may want to rename services or parameters, make a service private, change some constructor arguments, change the structure of the bundle configuration, etc. Some of these changes may acually be backwards incompatible changes for the users of that bundle. Luckily, the Symfony DependenyInjection component and Config component both provide you with some options to prevent such backwards compatibility (BC) breaks.

He breaks the post up into a few different kinds of backwards compatibility breaks that could happen and code examples of each:

  • Renaming things
  • Changing visibility
  • Changing values

Each topic also includes methods for preventing issues with older users who maybe aren't using the new features. This includes things like sane default values for new settings, renaming services and creating new extensions for working with new properties.

tagged: symfony bundle backwards compatibility changes prevent rename visibility values

Link: http://php-and-symfony.matthiasnoback.nl/2014/09/backwards-compatible-bundle-releases/

Developer Drive Blog:
How to Prevent a SQL Injection Attack
Oct 14, 2011 @ 14:25:12

From the Developer Drive blog there's a recent post with some suggestions on how you can help to prevent SQL injections in your PHP application and make it that much harder for would-be attackers to do what they shouldn't.

Why do SQL injections happen so often? The shortest answer is that SQL injections are so popular because of poor programming. Hackers know about the potential of a successful SQL injection attack and they search for vulnerabilities. Unfortunately, very often they don’t have to search hard – vulnerabilities pop right in their face. [...] The good news is that fortunately, SQL injections are also relatively easy to prevent.

They list nine easy things you can do to help prevent the attacks:

  • Patch your SQL server regularly
  • Limit the use of dynamic queries
  • Escape user input
  • Store database credentials in a separate file
  • Use the principle of least privilege
  • Turn magic quotes off
  • Disable shells
  • Disable any other DB functionality you don’t need
  • Test your code
tagged: sqlinjection security sql prevent tips attack

Link:

DreamInCode.com:
Preventing PHP Mail(...) Header Injections
Apr 22, 2011 @ 16:06:23

On the Dream In Code forums there's a recent post showing you how to prevent mail() header injections when taking user input, like from a form.

PHP's mail() function is a very useful and powerful function, even to the point that it is very easy to exploit. A way hackers exploit this function is a method called email header injection. [...] I'm sure most of you can already tell that's not going to be pretty since we didn't check the user input and so forth. PHP provides us with functions such as filter_var which will validate user input and either return false if the validation fails or return the filtered data.

He includes an example of using this filtering methods to check the user input for malicious information - validating that the "to" address is a valid email (FILTER_VALIDATE_EMAIL) and a sanitize() method that removes things like newlines, carriage returns and a few other characters.

tagged: prevent mail header injection tutorial filtervar sanitize

Link:

CatsWhoCode.com:
Top 10 ways to stop spam in WordPress
Sep 03, 2009 @ 14:11:57

In a recent post to the CatsWhoCode.com site Alex Denning takes a look at ten ways you can help stop those dreaded comment spammers on your WordPress blog.

Spam is a nuisance, and as bloggers, we have all experienced a flood of spam every now and then. Not only is it a pain, but it can slow down your blog and use up your resources. In this post we’ll look at ten ways to combat spam.

Here's his list of suggestions - some can be combined with others to give you additional protection:

  • Install Akismet
  • reCAPTCHA
  • Ask your readers to do 1+1
  • Stop spam trackbacks
  • Make users login to comment
  • Ban spammers by IP
  • Ban spammers by IP, on a massive scale
  • Deny comment posting to no referrer requests
  • Stop content theives
  • Stop spammers stealing your images
tagged: wordpress spam prevent

Link:

Marco Tabini's Blog:
To except is human; to handle is divine.
Apr 23, 2009 @ 16:17:27

Marco Tabini has taken a different tack on error handling in his latest post. He suggests that developers need to spend a little less time trying to prevent so many errors and a little more time handling the ones that do happen.

When an error occurs, the vast majority of the web-based application code that I see during my reviews performs the software equivalent of running around with its head cut off: the developer spends an inordinate amount of time and resources trying to make the software look like what was essentially a catastrophic failure was nothing more than a small temporary hiccup.

[...] In reality, by the time an error has occurred, there are only two possible outcomes: either you expected the error to occur, in which case you have already written code to handle the failure, or you didn’t, in which case your main focus should be to use the error as a learning opportunity.

Marco suggests alternatives to this usual worry and hysteria - spend more time ensuring that (if something does fail) there won't be any more damage, let the IT team know as soon as you find the issue and testing before you fix (reproduce the error before you dig in to try to fix it).

tagged: test reproduce report timely damage prevent handle error

Link:


Trending Topics: