Scribd Logo
Upload

Welcome to Scribd!

  • Phpsec Cheatsheet PDF

    Uploaded by

    AB Malek Idris
    29 views1 page

    Original Title

    phpsec_cheatsheet.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    29 views1 page

    Phpsec Cheatsheet PDF

    Uploaded by

    AB Malek Idris

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 1

    REV 2 / 2010-Apr-12

    PHP Application Security Checklist


    BASIC FILE UPLOADS PHP streams are filtered. CSS files.
    Access to files is not Existence or ordering of
    Strong passwords are used. Application verifies file type. restricted by hiding the files. frames.
    Passwords stored safely. User-provided mime type Remote files not included Existence of a JS variable.
    register_globals is disabled. value is ignored. with include(). Detected visit of a URL.
    Magic quotes is disabled. Application analyzes Inclusion of your website
    display_errors is disabled. the content of files to AUTHENTICATION in an inline frame with JS
    Server(s) are physically secure. determine their type. Bad password throttling. disabled does not reveal a
    It is understood that a CAPTCHA is used. threat.
    INPUT perfectly valid file can still SSL used to prevent MITM. Application uses frame

    Input from $_GET, $_POST,


    contain arbritrary data. Passwords are not stored in a bursting code and sends the
    Application checks the file cookie. X-Frame-Options header.
    $_COOKIE, and $_REQUEST size of uploaded files. Passwords are hashed.
    is considered tainted. MAX_FILE_SIZE is not Per-user salts are used. MISCELLANEOUS
    Understood that only some depended upon. crypt() is used with A cryptographically secure
    values in $_SERVER and File uploads cannot sufficient number of PRNG is used for secret
    $_ENV are untainted. overtake available space.
    $_SERVER[PHP_SELF] is Content is checked for
    rounds.
    MD5 is not used.
    randomly-generated IDs
    (activation links, secret IDs,

    escaped where used. malicious content. Users are warned about etc.).
    Input data is validated. Application uses a
    \0 (null) is discarded in input. malware scanner (if req.).
    obvious password recovery Suhosin is installed or you
    Length of input is bounded. Uploaded HTML files are
    questions. are not using rand() or
    Email addresses are validated. displayed securely.
    Account recovery forms do

    mt_rand() for this.
    Application is aware of small, Uploaded files are not moved
    not reveal email existence.
    Pages that send emails are
    Anything that consumes a
    lot of resources should be
    very large, zero, and negative to a web-accessible directory. throttled and limited.
    throttled.
    numbers. Sci. notation too. Extensive path checks are
    Application checks for used when serving files. SESSIONS
    Pages that use 3rd-party
    APIs are throttled.
    invisible, look-alike, and Uploaded files are not served
    Sessions only use cookies. You did not create your own
    combinining characters. with include().
    Unicode control characters Uploaded files are served (session.use_only_cookies)

    encryption algorithm.
    stripped out when required. as an attachment using the On logout, session data is Arguments to external
    Outputted data is sanitized. Content-Disposition header. destroyed.
    programs (i.e. exec()) are
    User-inputted HTML is Application sends the Session is recreated on
    validated.
    Generic internal and external
    santized with HTMLPurifier. authorization level change.
    Sites on the same server use
    X-Content-Type-Options:
    User-inputted CSS is nosniff header.
    redirect pages are secured.
    Precautions taken against
    sanitized using a white-list. Files are not served as different session storage dirs.
    Abusable properties application/octet-stream,
    the source code of your PHP
    pages being shown due to
    (position, margin, etc.) are application/unknown, or 3RD-PARTIES
    misconfiguration.
    handled. plain/text unless necessary. CSRF issues are prevented
    CSS escape sequences are with tokens/keys.
    Configuration and critical files
    are not in a web-accessible
    handled. DATABASE Referrers are not relied
    JavaScript in CSS is
    Data inserted into the upon.
    directory.
    discarded (expressions,
    database is properly escaped Pages that perform SHARED HOSTING
    behaviors, bindings). actions use POST.
    URLs are sanitized and
    or parameterized/prepared
    statements are used. Important pages (logout, Using a secure shared host
    unknown and unwanted
    addslashes() is not used. etc.) are protected. where users cannot access
    protocols are disallowed.
    Your pages are not written
    the files of other users.
    Embedded plugins are
    Application does not have
    more privileges to the in a way (i.e. JSON, JS-like) Aware that fellow shared
    restricted from executing JS. where they can be included hosting users:
    Embedded plugin files (Flash

    database than necessary.
    Remote connections to the and read on a remote website Can, if on the same IP
    movies) are embedded in successfully. address, issue requests
    database are disabled if they
    a manner so that only the
    are unnecessary. Aware that Flash can bypass against your site with
    XMLHttpRequest in IE6.
    intended plugin is loaded. referrer checks to load images
    The application uses a safe SERVING FILES and sound files. Can access your website

    User input is not directly used


    encoding. The following things will not from 127.0.0.1 or ::1.
    An encoding is specified reveal significant information Can host a server on the
    using a HTTP header. in a pathname. same IP address.
    Inputted data is verified to Directory traversal is
    if included remotely:
    Images. Are not remote as far as
    be valid for your selected prevented.
    Null (\0) in paths filtered. Pages that take a longer

    your DB is concerned.
    Session & file upload
    encoding if using an
    unsafe encoding. Application is aware of : time to load.
    directories are not shared.

    SK Find the annotated original at http://sk89q.com/phpsec/


    2010 sk89q. You are free to reproduce this without modification.

    You might also like