ebook img

Security Nuts & Bolts PDF

65 Pages·2016·2.26 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Security Nuts & Bolts

SECURITY NUTS TO BOLTS ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/19197 ME, MYSELF & I • PHP Core Developer • Author of Guide to PHP Security • Security Aficionado • CTO @ Gubagoo Inc.
 (we are hiring!) THE CONUNDRUM USABILITY SECURITY YOU C AN HAVE ONE ;-) OPEN WEB APPLIC ATION SECURITY PROJECT A set of best practices and recommendations • around making web applications more secure General database of common vulnerability vectors • A good place to keep yourself up-to-date on • security Not a Bible™ INJECTION xkcd.com WHAT NOT TO DO // $_POST['login'] = "login";
 $pdo->query("SELECT * from users WHERE login={$_POST['login']}
 AND password={$_POST['pwd']}"); 
 // $_POST['login'] = "' OR 1=1; --"; $pdo->query("SELECT * from users WHERE login='{$_POST['login']}' AND password='{$_POST['pwd']}'"); 
 
 
 
 // $_POST['login'] = chr(0xbf) . chr(0x27) . " OR 1=1; --“; // 0xbf27 + addslashes() == 0xbf5c27 == ë½œ + "'" $pdo->query("SELECT * from users WHERE login='" . addslashes($_POST['login']) . "' AND password='".addslashes($_POST['pwd'])."'"); $pdo->query("SELECT * from users WHERE  login='" . $pdo->quote($_POST['login']) . "'  AND password='".$pdo->quote($_POST['pwd'])."'"); http://hakipedia.com/index.php/SQL_Injection PREVENT INJECTION For databases use prepared statements • White list inputs whenever possible • Sanitize inputs (use filter extension) • • Don’t trust and always verify! BROKEN AUTHENTIC ATION & SESSION MANAGEMENT MITIGATION • Enforce strong password policy • Require periodic reset of password Use 2 factor authentication • • Use SSL and secure flag on cookies • Don’t forget about auto-logout Don’t neglect failed-login detection & tracking • SESSION SECURITY Don’t trust new session ids • session_regenerate_id(true)
 session.use_strict_mode (5.5.2+) Use unique session names (not PHPSESSID) • Only use httpOnly cookies • Ensure true randomness for session ids •

Description:
ME, MYSELF & I. • PHP Core Developer. • Author of Guide to PHP. Security. • Security Aficionado. • CTO @ Gubagoo Inc. (we are hiring!)
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.