News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

SitePoint PHP Blog:
Asset Access Restriction Methods - Block Unwanted Visitors
September 05, 2014 @ 10:11:45

In a new tutorial from the SitePoint PHP blog today Jeroen Meeus looks at a way to protect parts of your application from being used and abused. He shows you how to protect various parts of you site, including images and actual pages, with the help of either your web server or bits of code.

When building an awesome web app or website, we sometimes want people to be able to embed parts of our web app/website into their own. That could be an iframe holding a 'like' button, a simple image that they want to reuse or even our entire app embedded in an iframe. But how do we control who has access, who is allowed to use up our bandwidth and query our service? We define the problem as controlling access to assets. By assets we mean: anything that can be queried from our site.

He talks about the problem of "lifting" content and how to fall back to a "deny all, allow some" mentality. He starts with examples of Apache configurations that use mod_rewrite to only allow requests that come from the current domain (trusted) and the "files" directive coupled with Deny/Allow. He also includes an nginx example, showing the same request handling. The code examples show how to use PHP and Javascript to prevent access the same way.

0 comments voice your opinion now!
asset protection method webserver configuration code tutorial

Link: http://www.sitepoint.com/asset-access-restriction-methods-block-unwanted-visitors/

DreamInCode.com:
Securing Login Forms From Brute-Force Attacks Using Queues
August 22, 2013 @ 10:22:48

On the Dreamincode.com forum there's an interesting approach mentioned for security login forms from brute-force attacks using a queueing system rather than the usual real-time requests.

Login forms in online systems are often easy targets for brute-force attacks; attacks designed to go through all possible values (or at least all probable values) for a password to "guess" a correct one. Securing your forms from such attacks is important, but it can be tricky to do in an effective manner without adversely affecting the user experience of your normal user. The method I am suggesting in this article is that of queuing login attempts in an effort to limit how many attempts an attacker can execute per second. [...] So, how do we implement this in PHP?

He suggests using a MySQL-based queueing system (but it could easily be replaced with one of the *MQ types) that tracks users versus login attempts. He's put together a library that handles the storage and login attempt management. He takes some time to explain the functionality of the class and how to put it to use.

0 comments voice your opinion now!
queue login protection tutorials bruteforce

Link: http://www.dreamincode.net/forums/topic/326807-securing-login-forms-from-brute-force-attacks-using-queues/

Elijah Horton:
Sandboxing Untrusted Code With PHPSandbox
April 29, 2013 @ 11:56:37

Elijah Horton has a recent post to his site sharing a tool he's developed to sandbox and validate PHP code of user-contributed code.

Few quotes related to the PHP language are as pithy and resoundingly accurate as the phrase: "Eval is evil." The reasons are myriad: the eval() function basically gives whatever code is passed to it unlimited control of the parser, and this freedom makes eval() both a temptation for developers, who may need to dynamically control PHP at runtime, and a panacea for hackers who are ever-searching for more servers to add to their botnets. So, how does one make use of the extreme power available through runtime evaulation of PHP, without exposing one's server to near-certain rooting? Through a sandbox.

His tool - PHPSandbox, uses the PHP-Parser library to deconstruct the PHP code its given and look for issues. He gives an example of a call to mail and how it would catch the issue. He shows how to install it via Composer, how to configure it with whitelisted methods/functions. It also includes a way to overwrite function calls with a bit safer alternative.

0 comments voice your opinion now!
sandbox protection contributed code validation function

Link: http://www.fieryprophet.com/blog/detail/sandboxing-untrusted-code-with-phpsandbox

Gareth Heyes:
Bypassing XSS Auditor
February 20, 2013 @ 11:21:29

Gareth Heyes has posted about some bypasses that he's found for getting around the XSS Auditor functionality in some browsers:

I had a look at XSS Auditor for a bit of fun because Mario said it's getting harder to bypass. Hmmm I don't agree. I seem to remember the same flaws are present from the last time I checked it with a little variation. It is also a very limited XSS filter not supporting detection of script based attacks (very common).

He includes three of his own bypasses - using a "formaction" on the submit input in a form, using "target" to override the iframe external resource restriction and the injection of a specially placed anchor tag. Each of these comes with a proof-of-concept example and another is also included courtesy of Mario Heiderich.

0 comments voice your opinion now!
bypass xssauditor browser xss protection proofofconcept poc


Script-Tutorials.com:
Protection and Methodologies of Security Vulnerabilities in Web Development
August 17, 2011 @ 11:16:07

On the Script Tutorials blog today there's a good summary post reminding you of some of the common security issues that your web application can face, mostly due to improper validation and filtering.

Our new article focuses on security in web. Many beginners (and not only) web programmers sometimes can make mistakes when developing its web applications. Our article is intended to eliminate potential gaps in knowledge web developers. It is quite possible that you already know something, but I'll be incredibly happy if you learn anything new. Today we learn about most popular exploits (with samples).

Security issues that made their list include:

  • SQL injections
  • Cross-site scripting/Cross-site Request Forgeries
  • Remote & local file inclusion
  • Displaying errors on production
  • Including .svn (or any version control meta) files in the production release
1 comment voice your opinion now!
security vulnerability protection example


Jason Stiles' Blog:
How To Protect Your Site From XSS With PHP
June 13, 2011 @ 09:40:42

In a recent post to his blog Jason Stiles takes a look at some of the things you can do with PHP to help protect your site from XSS (cross-site scripting attacks) with some basic filtering.

Cross-Site Scripting (XSS) is a type of attack where a hacker attempts to inject client-side scripting into a webpage that others are able to view. The attack could be as simple as an annoying alert window or as sophisticated as stealing a logged in user's credentials (commonly saved in browser cookies). [...] Since these types of user input can immediately be displayed to other user's, the attack could be spread pretty quickly and even without your knowledge.

He provides a basic function to get you started filtering the input from your users - a "xss_protect" method that takes in the data, whether to strip HTML tags or not and an optional set of allowed tags if you do. He also asks for opinions and better methods in his comments:

No solution is going to be perfect, but at least now you have a head start! If you have ways of improving this function, let myself and everyone else know in the comments.
0 comments voice your opinion now!
xss crosssitescripting protection striptags example


Web Development Blog:
E-mail links, protective solutions against SPAM
February 17, 2010 @ 08:28:55

In a recent post to the Web Development Blog they talks a look at some methods you can use on your site to help reduce the amount of spam sent to email addresses by protecting them from scripts that might harvest them right from the page.

There are lots of spam bots checking the Internet for email addresses on regular websites, forums, blog and mailing lists. Once caught by some spam bot your mailbox is in need of a strong spam filter or sometimes it might be better to use a new e-mail address. In this article we show you different ways, how you're able to show your e-mail address to human visitors and hide it for spam bots.

They give four solutions, some a bit more practical than others - using an image instead of the text-only version of the address, hiding the @ symbol, hiding it with PHP (converting it to ASCII) and using Javascript to handle it similarly.

0 comments voice your opinion now!
email spam suggestion protection tutorial


Juozas Kaziukenas' Blog:
HTML filtering and XSS protection
March 23, 2009 @ 10:21:49

Juozas Kaziukenas has an example of how to keep you and your application's data safe from prying eyes by filtering input with the HTML_Purifier package.

It's really hard to decide what data is acceptable, especially when user has permission to insert HTML content through form. [...] However, problem can be solved, and quite easily. Almost a year ago I was reading some random blog when I find out about HTML Purifier. Basically, it's library which can filter and fix any HTML.

He gives an example - running a web scraping tool against a site with malformed HTML. By running it through the HTML_Purifier package first, the errors were corrected and the "more correct" HTML source could be parsed easily. The package also helps to protect from XSS attacks via a whole set of filters included by default.

0 comments voice your opinion now!
html filtering xss protection htmlpurifier package


Stefan Esser's Blog:
Suhosin 0.9.21 - XSS Protection
November 30, 2007 @ 11:17:00

Stefan Esser has posted about the release of the latest version of the Suhosin security patch for PHP - version 0.9.21.

It has been a very long time since the last Suhosin extension has been released, but today this has changed with the release of Suhosin 0.9.21. Among the changes are two new features that will protect applications that put to much trust into the SERVER variables from several XSS (and SQL injection) attacks. These features are suhosin.server.strip and suhosin.server.encode.

He details these two features and gives examples of what they protect from. You can find out more about the Suhosin patch on its website.

0 comments voice your opinion now!
xss protection suhosin server strip encode xss protection suhosin server strip encode


PHP Security Blog:
Suhosin 0.9.15 comes with Transparent phpinfo() Protection
November 29, 2006 @ 10:43:00

According to this new post on the PHP Security Blog, there's a new META tag the Suhosin extension includes in the output of a phpinfo page to help resolve some of the issues with Google (and buddies) storing the contents of the page, giving a potential attacker information they could exploit.

[The] extra META TAG to the HTML output of phpinfo() that forbids indexing and archiving by robots. For fairness reasons following the embedded links is still allowed to robots, because a lot of projects [...] to get at least a few backlinks for their work, that might result in a better search engine positioning.

The patch can be downloaded from their site.

0 comments voice your opinion now!
suhosin extension transparent phpinfo protection suhosin extension transparent phpinfo protection



Community Events





Don't see your event here?
Let us know!


community voicesoftheelephpant release tool library composer language symfony introduction security framework conference version laravel podcast opinion interview artisanfiles list series

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework