Email the Author

About the Book

You are the developer, you hold the power in your hands to protect your users and their information. They trust you with it, shouldn't you do everything you can to keep that trust?

Let me guide you through a look at some of the most common issues with web applications and suggest ways to correct them along the way. Even if you're a novice to security or to PHP, this book can help you get started down a more secure path. The OWASP Top 10 is a great guide to the common vulnerabilities, but it doesn't provide the useful, concrete examples you need to be a more effective and secure developer. I'll provide this foundation on topics like:

• Cross-site scripting, what it is and how to prevent it
• Poor authentication and authorization practices
• Preventing several types of injection
• Auditing potentially vulnerable components
• Protecting your users' sensitive data

This book will help you sleep better at night knowing you've put in the time and work to protect your applications and the users that trust it.

The book is a work in progress with more content to come as time goes on. Right now, only the injection chapter is completed, but more is soon to come. When you purchase the book, future content updates will automatically be sent to you at no addiitonal charge.

Outline:

Injection

•     SQL injection
•     Path injection
•     Code injection
•     Command injection
•     XML injection
•     HTML5 injection

Broken Authentication & Session Management

•     Securing Sessions
•     Reinventing the wheel
•     Using SSL
•     Use (and enforce) strong passwords
•     Password Storage
•     Permissioning Levels
•     Forgot Username/Password
•     Defining lockouts

Cross-site Scripting (XSS)

•     What it is
•     Why it's dangerous
•     Prevention

Insecure Object References

Security Misconfiguration

•     Your PHP.ini
•     Third-party software updates
•     Don't forget the platform

Sensitive Data Exposure

•     Custom Error handling
•     Custom Exception handling

Missing Function Level Access Control

•     Discovery
•     URL enumeration
•     Data filtering
•     Verify on client, verify on server
•     Related

Using Components with Known Vulnerabilities

Unvalidated Redirects & Forwards

Appendix A: Input Validation & Filtering

•     Filtering & Validation Overview
•     Built-in Methods
•     Libraries

About the Author

Chris Cornutt

@enygma

Chris has been involved in the PHP community for over a decade. His contributions include curating the PHP news site PHPDeveloper.org, writing articles for his PHP-focused security site Websec.io and speaking at web technology conferences all around the world. He's also written for several major PHP publications and is a co-organizer for both the Dallas PHP user group and the Lone Star PHP Conference. He currently works as an application security developer for Pardot, a division of Salesforce.

You can find him online at http://blog.phpdeveloper.org