Setting Cookie Secure Flag – PHP
Method #1: using the ini_set function
Add the following code to the page, before session_start(), since this setting applies to the PHP session cookie:
ini_set("session.cookie_secure", 1);
Method #2: using the session_set_cookie_params function
Add the following code to the page, before session_start() (the fourth argument is the Secure flag):
session_set_cookie_params(0, NULL, NULL, TRUE, NULL);
Method #3: using the setcookie function
Add the following code when creating the cookie (the sixth argument is the Secure flag; this sets it only for that cookie):
// expires = 0 (browser-session cookie), path = "", domain = "", secure = true, httponly = false
setcookie("name", "value", 0, "", "", true, false);
References
https://www.owasp.org/index.php/SecureFlag
http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php
Setting the HttpOnly Flag – PHP
PHP supports setting the HttpOnly flag since version 5.2.0 (November 2006).
For session cookies managed by PHP, the flag can be set permanently in php.ini through the parameter:
session.cookie_httponly = True
Method #1: using the ini_set function (sets the flag on the PHP session cookie; call it before session_start())
Add the following code to the page:
ini_set("session.cookie_httponly", 1);
// for a cookie created with setcookie(), the flag is the seventh argument
setcookie("name", "value", 0, "", "", false, true);
Method #2: using the session_set_cookie_params function (sets the flag on the PHP session cookie; call it before session_start())
Add the following code to the page:
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
setcookie("name", "value", 0, "", "", false, true);
Method #3: using the setcookie function
Add the following code while creating the cookie (not necessarily a session cookie); the seventh argument is the HttpOnly flag:
setcookie("name", "value", 0, "", "", false, true);
References
http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php
http://php.net/manual/en/session.configuration.php#ini.session.cookie-ht…
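The two posts above set the flags separately and only for one cookie at a time; the following is an added example, not code from the original posts, that hardens both the PHP session cookie and an ordinary application cookie in one place and then audits the queued Set-Cookie headers. It assumes PHP 7.3 or later (options-array form of session_set_cookie_params and setcookie) and an HTTPS origin; cookie names and values are placeholders.

```php
<?php
// Added example (not from the original post): hardens both the PHP
// session cookie and an application cookie in one place, then checks
// the queued Set-Cookie headers. Assumes PHP >= 7.3 (options-array
// form) and an HTTPS origin; cookie names and values are placeholders.

// 1. Session cookie: must be configured before session_start().
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // never sent over plain HTTP
    'httponly' => true,     // not readable from document.cookie
    'samesite' => 'Lax',    // limits cross-site sending as well
]);
session_start();

// 2. Application cookie: the flags are per cookie; the session
//    settings above do not apply to cookies created with setcookie().
setcookie('app_pref', 'dark', [
    'expires'  => time() + 86400,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 3. Self-check: return every queued Set-Cookie header lacking a flag.
function cookieHeadersMissingFlags(array $headers): array
{
    $missing = [];
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) {
            continue;
        }
        if (stripos($h, '; secure') === false
            || stripos($h, '; httponly') === false) {
            $missing[] = $h;
        }
    }
    return $missing;
}

$bad = cookieHeadersMissingFlags(headers_list());
if ($bad !== []) {
    error_log('Cookies sent without Secure/HttpOnly: ' . implode(' | ', $bad));
}
```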
Prevention of Web Page Caching – PHP
Method
Add the following code to the page, before any output is sent, to prevent the page from being cached:
header('Cache-Control: no-cache, no-store, must-revalidate');
header('Pragma: no-cache');   // for HTTP/1.0 caches
header('Expires: 0');
Reference
http://wiki.asp.net/page.aspx/1487/prevent-browser-caching-of-web-pages-…
https://www.owasp.org/index.php/Testing_for_Logout_and_Browser_Cache_Man…(OWASP-AT-007)
SQLi – PHP Secure Coding
Method #1
Escaping special characters in a string for use in an SQL statement. The mysql_* extension was removed in PHP 7.0, so the mysqli equivalent is shown; the escaping function needs the connection so it can use the connection's character set:
<?php
$link = mysqli_connect("127.0.0.1", "username", "password", "db");
$name = mysqli_real_escape_string($link, $_POST['name']);
$pwd  = mysqli_real_escape_string($link, $_POST['pwd']);
$str_sql = "SELECT * FROM `tbl_users` WHERE "
         . "usr_name='" . $name . "' AND "
         . "usr_pwd='" . $pwd . "'";
$result = mysqli_query($link, $str_sql) or die(mysqli_error($link));
?>
Method #2
Using prepared statements and parameterized queries:
Case #1: connecting to the database
<?php
$pdo = new PDO('mysql:dbname=db;host=127.0.0.1;charset=utf8', 'username', 'password');
// use real server-side prepared statements rather than client-side emulation
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>
Case #2: retrieving data
<?php
$stmt = $pdo->prepare('SELECT * FROM tables WHERE name = :name');
$stmt->execute(array(':name' => $name));
foreach ($stmt as $row) {
    echo $row[0];
}
?>
Case #3: inserting data
<?php
$preparedStatement = $pdo->prepare('INSERT INTO `table` (`column`) VALUES (:column)');
$preparedStatement->execute(array(':column' => $unsafeValue));
?>
The same technique applies to UPDATE and DELETE statements.
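As an added example that is not part of the original post, the parameterised lookup from Method #2 is exercised against a constructed injection-style input, and the one case binding cannot cover (a column name used for sorting) is handled with an allow-list. It runs on an in-memory SQLite database so it works offline; the table, rows and function names are this example's own.

```php
<?php
// Added example (not from the original post): the parameterised lookup
// from Method #2 exercised against an injection-style input, plus the
// identifier case that binding cannot cover. Runs on an in-memory SQLite
// database so it works offline; the table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_users (usr_name TEXT, usr_pwd_hash TEXT, created INTEGER)');
$ins = $pdo->prepare('INSERT INTO tbl_users VALUES (:n, :h, :c)');
$ins->execute([':n' => 'alice', ':h' => password_hash('s3cret', PASSWORD_DEFAULT), ':c' => 1]);
$ins->execute([':n' => 'bob', ':h' => password_hash('hunter2', PASSWORD_DEFAULT), ':c' => 2]);

// Login check: the name is bound, never concatenated, and the password is
// verified in PHP against a stored hash instead of being compared in SQL.
function loginOk(PDO $pdo, string $name, string $pwd): bool
{
    $stmt = $pdo->prepare('SELECT usr_pwd_hash FROM tbl_users WHERE usr_name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pwd, $hash);
}

// Identifiers such as a sort column cannot be bound as parameters; they
// must be matched against an allow-list before being placed in the SQL.
function listUsers(PDO $pdo, string $orderBy): array
{
    if (!in_array($orderBy, ['usr_name', 'created'], true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return $pdo->query("SELECT usr_name FROM tbl_users ORDER BY $orderBy")
               ->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(loginOk($pdo, 'alice', 's3cret'));       // genuine credentials
var_dump(loginOk($pdo, "' OR 1=1 --", 'x'));      // bound as a literal name, so it matches no row
var_dump(listUsers($pdo, 'created'));
try {
    listUsers($pdo, 'created; DROP TABLE tbl_users');   // rejected by the allow-list
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```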
References
http://php.net/manual/en/security.database.sql-injection.php
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/book.pdo.php
Anti CSRF Token – PHP
1. Add a unique token to a hidden field of the user form and store it in the session. Add the following code to achieve this.
<?php
session_start();
// random_bytes() is a CSPRNG (PHP 7+); uniqid()/rand() are time-based and predictable
$token = bin2hex(random_bytes(16));
$_SESSION["token_$token"] = time();   // remember when the token was issued
?>
<form action="login.php" method="post">
    <input type="hidden" name="token" value="<?php echo $token; ?>" />
    <p>
        Username: <input type="text" name="username" /><br />
        Password: <input type="password" name="password" /><br />
        <input type="submit" value="Login" />
    </p>
</form>
2. Before processing the request, validate the token on the server side.
<?php
session_start();
$key = 'token_' . ($_POST['token'] ?? '');
if (isset($_SESSION[$key])) {
    // prevent reuse of the token
    unset($_SESSION[$key]);
    /* Valid token */
} else {
    /* Invalid or missing token: reject the request */
}
?>
3. The validity period of the token can also be limited, using the issue time stored with it in step 1 (check this before the entry is removed in step 2).
<?php
$token_age = time() - $_SESSION['token_' . $_POST['token']];
if ($token_age <= 600) {
    /* Less than ten minutes have passed. */
}
?>
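The three steps above, combined into two functions as an added example that is not part of the original post: the functions work on any array (pass $_SESSION in production) so the issue, single-use and expiry behaviour can be exercised offline. Function and constant names are this example's own; it assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the original post): steps 1 to 3 combined into two
// functions that work on any array (pass $_SESSION in production), so they
// can be exercised offline. Function names are this example's own; PHP >= 7.3.
const CSRF_MAX_AGE = 600;   // seconds, the ten-minute limit from step 3

function csrfIssue(array &$session): string
{
    // prune expired tokens so a long-lived session does not grow unbounded
    foreach ($session as $k => $issued) {
        if (strpos($k, 'token_') === 0 && time() - $issued > CSRF_MAX_AGE) {
            unset($session[$k]);
        }
    }
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $session['token_' . $token] = time();
    return $token;
}

function csrfConsume(array &$session, ?string $submitted): bool
{
    if ($submitted === null || !ctype_xdigit($submitted)) {
        return false;   // missing or malformed
    }
    $matched = null;
    foreach ($session as $k => $issued) {
        // hash_equals avoids a timing side channel on the comparison
        if (strpos($k, 'token_') === 0 && hash_equals(substr($k, 6), $submitted)) {
            $matched = $k;
        }
    }
    if ($matched === null) {
        return false;   // never issued, or already used
    }
    $fresh = (time() - $session[$matched]) <= CSRF_MAX_AGE;
    unset($session[$matched]);   // single use, whether fresh or not
    return $fresh;
}

// Constructed walkthrough standing in for a real session
$session = ['user' => 'alice'];
$t = csrfIssue($session);
$accepted = csrfConsume($session, $t);
$replayed = csrfConsume($session, $t);                    // same token a second time
$forged   = csrfConsume($session, str_repeat('0', 32));   // never issued
$session['token_' . bin2hex(random_bytes(16))] = time() - CSRF_MAX_AGE - 1;
$stale    = csrfConsume($session, substr(array_key_last($session), 6));   // past the limit
var_dump($accepted, $replayed, $forged, $stale);
```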
XSS – PHP Secure Coding
Case #1
HTML-escape untrusted data before inserting it into HTML element content.
<?php
$str = $_POST["data"];
$str_safe = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
?>
<h1><?php echo $str_safe; ?></h1>
Case #2
JavaScript-escape untrusted data before inserting it into JavaScript data values.
<?php
$str = $_POST["data"];
// strip_tags() is not a JavaScript escape: a value containing a double quote
// has no tags, survives it unchanged and ends the string literal. Encode the
// value as a JSON literal instead, with the HTML-significant characters escaped.
$safe = json_encode($str, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
?>
<script>alert(<?php echo $safe; ?>);</script>
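The two cases above use different escapes because the output context differs; the following added example, not code from the original post, puts one encoder per context (HTML text and attribute, URL parameter, JavaScript literal) next to each other, runs them over a constructed input and checks that no context-changing character survives. Function names are this example's own.

```php
<?php
// Added example (not from the original post): one encoder per output context,
// run over a constructed input, because the escape that is right for HTML
// text is wrong for a JavaScript literal and for a URL parameter. Function
// names are this example's own.
function encHtml(string $s): string
{
    // element content and quoted attribute values
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function encJs(string $s): string
{
    // JavaScript data value: emits a complete quoted literal; the HEX flags
    // keep raw < > & ' " out of it, so it cannot close the <script> element
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function encUrlParam(string $s): string
{
    return rawurlencode($s);   // value inside a query string
}

function render(string $untrusted): string
{
    return '<h1>' . encHtml($untrusted) . "</h1>\n"
         . '<input value="' . encHtml($untrusted) . "\">\n"
         . '<a href="/search?q=' . encUrlParam($untrusted) . "\">search</a>\n"
         . '<script>var q = ' . encJs($untrusted) . ';</script>';
}

// Constructed input carrying a tag, both quote kinds and an ampersand
$input = '<b>Tom & "Jerry"</b> O\'Neil';
echo render($input), "\n";

// Checks on the encoders: nothing that could switch context survives
if (strpbrk(encHtml($input), "<>\"'") !== false) {
    throw new RuntimeException('HTML encoder left a context-changing character');
}
if (strpbrk(substr(encJs($input), 1, -1), "<>\"'&") !== false) {
    throw new RuntimeException('JS encoder left a context-changing character');
}
```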
References
http://php.net/manual/en/function.htmlspecialchars.php
http://php.net/manual/en/function.htmlentities.php
http://in3.php.net/strip_tags