Securing PHP: The Usual Suspects
This book is 40% complete
Last updated on 2014-07-08
About the Book
You are the developer, you hold the power in your hands to protect your users and their information. They trust you with it, shouldn't you do everything you can to keep that trust?
Let me guide you through a look at some of the most common issues with web applications and suggest ways to correct them along the way. Even if you're a novice to security or to PHP, this book can help you get started down a more secure path. The OWASP Top 10 is a great guide to the common vulnerabilities, but it doesn't provide the useful, concrete examples you need to be a more effective and secure developer. I'll provide this foundation on topics like:
- Cross-site scripting, what it is and how to prevent it
- Poor authentication and authorization practices
- Preventing several types of injection
- Auditing potentially vulnerable components
- Protecting your users' sensitive data
This book will help you sleep better at night knowing you've put in the time and work to protect your applications and the users that trust it.
The book is a work in progress with more content to come as time goes on. Right now, only the injection chapter is completed, but more is soon to come. When you purchase the book, future content updates will automatically be sent to you at no addiitonal charge.
Outline:
Injection
- SQL injection
- Path injection
- Code injection
- Command injection
- XML injection
- HTML5 injection
Broken Authentication & Session Management
- Securing Sessions
- Reinventing the wheel
- Using SSL
- Use (and enforce) strong passwords
- Password Storage
- Permissioning Levels
- Forgot Username/Password
- Defining lockouts
Cross-site Scripting (XSS)
- What it is
- Why it's dangerous
- Prevention
Insecure Object References
Security Misconfiguration
- Your PHP.ini
- Third-party software updates
- Don't forget the platform
Sensitive Data Exposure
- Custom Error handling
- Custom Exception handling
Missing Function Level Access Control
- Discovery
- URL enumeration
- Data filtering
- Verify on client, verify on server
- Related
Using Components with Known Vulnerabilities
Unvalidated Redirects & Forwards
Appendix A: Input Validation & Filtering
- Filtering & Validation Overview
- Built-in Methods
- Libraries
Table of Contents
- Thank you!
- Introduction
-
Injection
- SQL Injection
- Path injection
- Code injection
- Command injection
- XML injection
- HTML5 Injection
-
Broken Authentication & Session Managemnt
- Securing Sessions
- Reinventing the Wheel
- Using SSL
- Use (and Enforce) Strong Passwords
- Password Storage
- Permissioning Levels
- Define Lockouts
-
Cross-Site Scripting (XSS)
- Types of Cross-Site Scripting Vulnerabilities
- Why it’s Dangerous
- It’s all about context
- Other Prevention
-
Insecure Direct Object References
- Being Direct
- In APIs (and Pages)
- Accessing data not allowed by your current user level
- Horizontal Authorization
-
Security Misconfiguration
- PHP.ini - General Settings
- PHP.ini - Session Settings
- Third-Party Software Updates
- Don’t Forget the Environment
About the Author
Chris has been involved in the PHP community for over a decade. His contributions include curating the PHP news site PHPDeveloper.org, writing articles for his PHP-focused security site Websec.io and speaking at web technology conferences all around the world. He's also written for several major PHP publications and is a co-organizer for both the Dallas PHP user group and the Lone Star PHP Conference. He currently works as an application security developer for Pardot, a division of Salesforce.
You can find him online at http://blog.phpdeveloper.org
Other books by this author
The Leanpub 45-day 100% Happiness Guarantee
Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
See full terms...
