Book Description

Security is an ongoing process, not something to add right before your app launches. In this book, you’ll learn how to write secure PHP applications from first principles. Why wait until your site is attacked or your data is breached? Prevent your exposure by being aware of the ways a malicious user might hijack your website or API. Discover how to secure your applications against many of the vulnerabilities exploited by attackers.

“Security Principles for PHP Applications” is a comprehensive guide. This book contains examples of vulnerable code side-by-side with solutions to harden it. Organized around the 2017 OWASP Top Ten list, topics covered include:

  1. Injection Attacks
  2. Authentication and Session Management
  3. Sensitive Data Exposure
  4. Access Control and Password Handling
  5. PHP Security Settings
  6. Cross-Site Scripting
  7. Logging and Monitoring
  8. API Protection
  9. Cross-Site Request Forgery
  10. …and more.

Table of Contents

  1. Dedication
  2. Application Security From First Principles
    1. The Common Mistake
    2. An Example of Broken Standards Implementation—JOSE
    3. A Security-First Mindset
    4. Accurate Threat Models
    5. Looking Ahead
  3. About This Book
    1. Who This Book Is For
    2. How to Use This Book
    3. Code Examples
  4. OWASP
    1. The OWASP Top Ten
      1. Controversies
    2. The Risk of Lists
  5. ASR1: Injection
    1. How Big of a Deal Is This?
    2. How Would This Look in Production?
      1. SQL Injection
      2. Unsanitized Shell Input
      3. Insecure Uploads
    3. How to Prevent These Vulnerabilities
      1. SQL Injection
      2. Unsanitized Input
      3. Insecure Uploads
    4. Conclusion
  6. ASR2: Broken Authentication and Session Management
    1. Issues Facing Authentication
      1. Session Management
      2. Client-Side Sessions
      3. Insecure Session Cookies
      4. Improper Usage of Primitives
      5. Password Management
      6. Password Hashing
      7. Constant Time Comparisons
      8. Insecure Database Lookups
      9. Logic Mistakes
    2. How Could Each of These Be Fixed?
      1. Client-Side Sessions
      2. Insecure Session Cookies
      3. Improper Usage of Primitives
      4. Password Management
      5. Password Hashing
      6. Constant Time Comparisons
      7. Insecure Database Lookups
      8. Logic Mistakes—WordPress’ Absolute Privacy Plugin
    3. Conclusion
  7. ASR3: Sensitive Data Exposure
    1. What Are Some of the Practical Risks to Sensitive Data?
      1. Insider Threat
      2. External Breach (i.e., Database Backups)
      3. Unnecessary Data Storage
      4. Using Insecure Cryptography
    2. How Can These Risks Be Effectively Mitigated?
      1. Staff Management
      2. Separation of Concerns
      3. Credential Audits
      4. Principle of Least Privilege
      5. Encryption at Rest
      6. Mission-Critical Data
      7. Cryptographic Best Practices
    3. Conclusion
  8. ASR4: XML External Entities (XXE)
    1. How an Application Can Be Exploited
      1. Recursive Entity Expansion
    2. How Do We Prevent Loading External Elements?
    3. How Do We Prevent Expanding Elements?
    4. Conclusion
  9. ASR5: Broken Access Control
    1. How Would This Look in Production?
    2. Has This Ever Happened?
    3. How Would This Code Look If Patched?
      1. Symfony Security Component
      2. Role-Based Access Control in WordPress
    4. Conclusion
    5. What Did United Airlines Do?
  10. ASR6: Security Misconfiguration
    1. How Would This Look in Production?
      1. Web servers (NGINX and Apache)
      2. PHP
      3. MySQL
    2. How Would This Code Look If Patched?
      1. Web servers (NGINX and Apache)
      2. PHP
      3. MySQL
    3. Conclusion
  11. ASR7: Cross-Site Scripting (XSS)
    1. How Would This Look in Production?
      1. Reflected XSS
      2. Stored XSS
      3. Stored XSS: Multi-component Interactions
    2. How Would This Code Look If Patched?
      1. Reflected XSS
      2. Stored XSS
      3. WordPress Trojan Emoji
    3. Conclusion
  12. ASR8: Insecure Deserialization
    1. Object Injection Vulnerabilities
      1. How Is This Exploited?
    2. DoS Vulnerabilities
      1. How Is This Exploited?
    3. Potential Production-Ready Solutions
      1. Serialization Whitelist
      2. JSON Serialization Protection
    4. Conclusion
  13. ASR9: Using Components With Known Vulnerabilities
    1. What Does This Look Like in Code?
    2. Are Libraries the Only Risk?
    3. PHP as a Root Dependency
    4. How Do You Protect Yourself?
      1. What About Private Code?
    5. Auditing the Entire Application Stack
    6. Conclusion
  14. ASR10: Insufficient Logging and Monitoring
    1. Why Logging Matters
    2. What Events Should We Log?
      1. Input Validation Errors
      2. Output Validation Errors
      3. Authentication Events
      4. Authorization (Access Control) Failures
      5. Application Errors
      6. Application Startup/Shutdown
      7. High-risk Operations
    3. What Data Should We Log?
    4. How Should We Log Data?
    5. How Much Logging Is Too Much?
    6. Conclusion
  15. Keeping Ahead of the Trends
    1. A Living Standard
  16. Insufficient Attack Prevention
    1. How Would This Look in Production?
      1. Request Frequency
    2. Request Size
    3. In the Wild: WordPress XML-RPC Vulnerability
    4. What Can I Do About It?
      1. Intrusion Detection System
      2. Web Application Firewall
      3. Other Third-Party Solutions
      4. In the Wild: WordPress XML-RPC Vulnerability
    5. Conclusion
  17. Underprotected APIs
    1. What Are Some of the Potential Vulnerabilities?
      1. Brute Force
      2. In the Wild: WordPress’ Limit Login Attempts
      3. Request Monitoring
      4. Proper Authentication Implementations
      5. Invalid Inputs
      6. Implicit Logout
      7. APIs Versus UIs
    2. How Can These Be Prevented?
      1. Request Throttling
      2. In the Wild: WordPress’ Limit Login Attempts
      3. Encrypted Connections for All Communication
      4. Secured API Access
      5. Input Sanitization
      6. Proper Session Management
      7. In General
  18. Cross-Site Request Forgery (CSRF)
    1. How Would This Look in Production?
    2. How Could This Be Prevented?
      1. GET Requests
      2. POST Requests
      3. Other HTTP Verbs
      4. General Advice
    3. How Do the Various PHP Frameworks Handle CSRF?
      1. Slim CSRF
      2. Symfony
      3. WordPress
      4. Drupal
    4. Conclusion
  19. Unvalidated Redirects and Forwards
    1. How Would This Look in Production?
      1. Dangerous Redirects
      2. Dangerous Forwards
    2. How Would This Code Look If Patched?
      1. Dangerous Redirects
      2. Dangerous Forwards
  20. Peer Code Review
    1. Code Review in Practice
    2. Red Teaming
  21. Further Reading and Resources
    1. Static Code Analysis
    2. PHP_CodeSniffer
    3. Paid Utilities
    4. Security Audits
    5. The PHP Community
    6. Mailing Lists and Feeds
    7. Blogs and Resources
    8. Conferences and Workshops
  22. Responsible Disclosure
    1. How to Disclose
    2. How to Handle Disclosure
  23. Credits
    1. Security Principles for PHP Applications
    2. Disclaimer