REV 2 / 2010-Apr-12

PHP Application Security Checklist

Applicationverifiesfiletype. Strongpasswordsareused. User-providedmimetype Passwordsstoredsafely. withinclude(). valueisignored. register_globalsisdisabled. Applicationanalyzes Magicquotesisdisabled. AUTHENTICATION thecontentoffilesto display_errorsisdisabled. determinetheirtype. Server(s)arephysicallysecure. Badpasswordthrottling. Itisunderstoodthata CAPTCHAisused. perfectlyvalidfilecanstill SSLusedtopreventMITM. INPUT containarbritrarydata. Passwordsarenotstoredina Inputfrom$_GET,$_POST, Applicationchecksthefile cookie. $_COOKIE,and$_REQUEST sizeofuploadedfiles. Passwordsarehashed. isconsideredtainted. MAX_FILE_SIZEisnot Per-usersaltsareused. Understoodthatonlysome dependedupon. crypt()isusedwith valuesin$_SERVERand Fileuploadscannot sufficientnumberof $_ENVareuntainted. overtakeavailablespace. rounds. $_SERVER[PHP_SELF]is Contentischeckedfor MD5isnotused. escapedwhereused. maliciouscontent. Usersarewarnedabout Inputdataisvalidated. Applicationusesa obviouspasswordrecovery \0(null)isdiscardedininput. malwarescanner(ifreq.). questions. Lengthofinputisbounded. UploadedHTMLfilesare Accountrecoveryformsdo Emailaddressesarevalidated. displayedsecurely. Applicationisawareofsmall, Uploadedfilesarenotmoved notrevealemailexistence. Pagesthatsendemailsare verylarge,zero,andnegative toaweb-accessibledirectory. throttled. numbers.Sci.notationtoo. Extensivepathchecksare Applicationchecksfor usedwhenservingfiles. SESSIONS invisible,look-alike,and Uploadedfilesarenotserved Sessionsonlyusecookies. combininingcharacters. withinclude(). (session.use_only_cookies) Unicodecontrolcharacters Uploadedfilesareserved Onlogout,sessiondatais strippedoutwhenrequired. asanattachmentusingthe destroyed. Outputteddataissanitized. Content-Dispositionheader. Sessionisrecreatedon User-inputtedHTMLis Applicationsendsthe authorizationlevelchange. santizedwithHTMLPurifier. X-Content-Type-Options: Sitesonthesameserveruse User-inputtedCSSis nosniffheader. differentsessionstoragedirs. sanitizedusingawhite-list. Filesarenotservedas Abusableproperties application/octet-stream,
(position,margin,etc.)are handled. CSSescapesequencesare handled. JavaScriptinCSSis discarded(expressions, behaviors,bindings). URLsaresanitizedand unknownandunwanted protocolsaredisallowed. Embeddedpluginsare restrictedfromexecutingJS. Embeddedpluginfiles(Flash movies)areembeddedin amannersothatonlythe intendedpluginisloaded. Theapplicationusesasafe encoding. Anencodingisspecified usingaHTTPheader. Inputteddataisverifiedto bevalidforyourselected encodingifusingan unsafeencoding.

BASIC

FILEUPLOADS

PHPstreamsarefiltered. Accesstofilesisnot restrictedbyhidingthefiles. Remotefilesnotincluded

Inclusionofyourwebsite

CSSfiles. Existenceororderingof frames. ExistenceofaJSvariable. DetectedvisitofaURL.

inaninlineframewithJS disableddoesnotreveala threat. Applicationusesframe burstingcodeandsendsthe X-Frame-Optionsheader.

Acryptographicallysecure

MISCELLANEOUS

application/unknown,or plain/textunlessnecessary.

Datainsertedintothe

DATABASE

databaseisproperlyescaped orparameterized/prepared statementsareused. addslashes()isnotused. Applicationdoesnothave moreprivilegestothe databasethannecessary. Remoteconnectionstothe databasearedisabledifthey areunnecessary.

CSRFissuesareprevented withtokens/keys. Referrersarenotrelied upon. Pagesthatperform actionsusePOST. Importantpages(logout, etc.)areprotected. Yourpagesarenotwritten

3RD-PARTIES

PRNGisusedforsecret randomly-generatedIDs (activationlinks,secretIDs, etc.). Suhosinisinstalledoryou arenotusingrand()or mt_rand()forthis. Anythingthatconsumesa lotofresourcesshouldbe throttledandlimited. Pagesthatuse3rd-party APIsarethrottled. Youdidnotcreateyourown encryptionalgorithm. Argumentstoexternal programs(i.e.exec())are validated. Genericinternalandexternal redirectpagesaresecured. Precautionstakenagainst thesourcecodeofyourPHP pagesbeingshowndueto misconfiguration. Configurationandcriticalfiles arenotinaweb-accessible directory.

SHAREDHOSTING

Usingasecuresharedhost

Userinputisnotdirectlyused inapathname. Directorytraversalis prevented. Null(\0)inpathsfiltered. Applicationisawareof:

SERVINGFILES

inaway(i.e.JSON,JS-like) wheretheycanbeincluded andreadonaremotewebsite successfully. AwarethatFlashcanbypass referrercheckstoloadimages andsoundfiles. Thefollowingthingswillnot revealsignificantinformation ifincludedremotely: Images. Pagesthattakealonger timetoload.

whereuserscannotaccess thefilesofotherusers. Awarethatfellowshared hostingusers: Can,ifonthesameIP address,issuerequests againstyoursitewith XMLHttpRequestinIE6. Canaccessyourwebsite from127.0.0.1or::1. Canhostaserveronthe sameIPaddress. Arenotremoteasfaras yourDBisconcerned. Session&fileupload directoriesarenotshared.

SK Findtheannotatedoriginalathttp://sk89q.com/phpsec/ 2010sk89q.Youarefreetoreproducethiswithoutmodification.