
12 skills to create secure web applications

This article contains no revelations. It is aimed first of all at beginners, who will find the information on typical vulnerabilities and how to fix them useful. Experienced developers already know all of this, or should if they consider themselves such.

Most of the code examples are not tied to any specific programming language, but for clarity, I will use PHP.

So let's go.


1. Protection against SQL injection


Suppose you have a website with a username form. To check whether the name exists in the database, you use the following code:
// vulnerable: the raw POST value is concatenated straight into the SQL string
$query = "SELECT * FROM `Users` WHERE UserName='" . $_POST["Username"] . "'";
mysql_query($query);

$_POST["Username"] is whatever the user typed into the form. Suppose the user enters the following into the Username field:
' or '1'='1

The query then becomes:
SELECT * FROM `Users` WHERE UserName = '' OR '1'='1'

Since '1'='1' is always true, this matches every row in the table.

Or even this:
a';DROP TABLE `Users`; SELECT * FROM `userinfo` WHERE 't' = 't

which produces:
SELECT * FROM `Users` WHERE `UserName` = 'a';DROP TABLE `Users`; SELECT * FROM `userinfo` WHERE 't' = 't'

Protection against SQL injection:

Use prepared statements with bound parameters, so user data is never spliced into the query text. In PHP with MySQLi:
$stmt = $db->prepare('update people set name = ? where id = ?');
$stmt->bind_param('si', $name, $id); // 's' = string, 'i' = integer
$stmt->execute();

Alternatively, escape the special characters in the input before building the query, in PHP with mysql_real_escape_string (the mysql_* extension was removed in PHP 7; use mysqli or PDO instead):
$query = sprintf("SELECT * FROM `Users` WHERE UserName='%s'",
    mysql_real_escape_string($_POST["Username"]));
mysql_query($query);


2. Cross Site Scripting (XSS)


XSS is a vulnerability where an attacker injects client-side code, usually JavaScript, into a page that is then shown to other users, whose browsers execute it.

Example form:
<form id="myForm" action="showResults.php" method="post">
<div><textarea name="myText" rows="4" cols="30"></textarea><br />
<input type="submit" value="Submit" name="submit" /></div>
</form>


showResults.php:
echo("You typed this:");
echo($_POST['myText']); // vulnerable: user input is echoed back unescaped

If the user submits script instead of plain text, it is executed in the browser of whoever views the result.

To prevent injected JavaScript from running, escape the output with htmlentities():
echo("You typed this:");
echo(htmlentities($_POST['myText']));


3. HTTPS


Anything sensitive, such as login credentials, must be transmitted over HTTPS, not plain HTTP.

4.



If you put mysecretdoc.pdf into public_html/files, anyone who knows the URL can download it from mysecurewebsite.com/files/mysecretdoc.pdf.



5.


— Store password hashes (MD5+salt), not the passwords themselves.

— RSA

— Let an external provider handle authentication: Facebook, Twitter or OpenID.

6.


Encoders for PHP: ionCube, ZendGuard, SourceGuardian

Obfuscator: Thicket Obfuscator for PHP

7.


Example for MySQL: encrypt the column with a trigger on INSERT and again on UPDATE.


delimiter |

CREATE TRIGGER insert_encrypt BEFORE INSERT ON cars
  FOR EACH ROW BEGIN
    SET NEW.Model = AES_ENCRYPT(NEW.Model,"my passphrase");
  END;
|

delimiter |

CREATE TRIGGER update_encrypt BEFORE UPDATE ON cars
  FOR EACH ROW BEGIN
    SET NEW.Model = AES_ENCRYPT(NEW.Model,"my passphrase");
  END;
|

When reading the data back, decrypt it in the SQL query:
SELECT
...
AES_DECRYPT(Model,"my passphrase"),
...
FROM cars




8. Sessions (PHP, shared server)



A PHP session file stores its data in plain text, for example:
userName|s:5:"admin";accountNumber|s:9:"123456789";

Solutions:
— Store sessions outside the shared default directory by registering your own storage with PHP's session_set_save_handler


9.




Never display errors to site visitors. In PHP:
error_reporting(0);
@ini_set('display_errors', 0);

Errors should still be recorded somewhere you can read them. In PHP, register your own handler with set_error_handler() to log errors instead of showing them.

10.


Secure the connection to the database as well, for example with an SSL connection between MySQL and PHP.

11. Form spoofing


Example: example.com/edit_user.php?id=12345. Nothing stops the user from changing 12345 to another id; the server has to check what was actually sent.

This applies equally to GET and POST: POST parameters are just as easy to forge as the query string.

Do not trust data even from inputs that offer a fixed set of choices. For example:
<input name="gender" type="radio" value="m" />Male
<input name="gender" type="radio" value="f" />Female

You would expect only m or f, but the user can send anything, for example:

<input name="gender" type="text" value="m';DROP TABLE `Users`; ... " />

mysql_real_escape_string() protects the query, but the value is still not one of those you expected.

One way to limit the value:
substr($_POST['gender'],0,1)


12. Cross-site request forgery (CSRF)


Unlike XSS, CSRF makes the victim's browser send a request the victim never intended. For example, Vasya puts this on his page:
<img src="http://mysecurebank.com/withdraw?account=petya&amount=1000000&for=vasya" />

When Petya, logged in to the bank, opens that page, his browser requests
http://mysecurebank.com/withdraw?account=petya&amount=1000000&for=vasya

and since Petya's session cookie is sent with the request, the bank treats it as Petya's own action.

Switching the operation from GET to POST does not help (a form can be submitted by script). Example:
<form id="f" action="http://mysecurebank.com/withdraw" method="post">
        <input name="account" value="petya" />
        <input name="amount" value="1000000" />
        <input name="for" value="vasya" />
    </form>

How can you protect yourself?

See:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html
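The usual defence is a synchronizer token: a random secret kept in the session and embedded in every state-changing form, which the forged form on Vasya's site cannot know. The following is an added example, not code from the original article; it assumes PHP 7+ and a session-backed application, and the /withdraw action path is made up.

```php
<?php
// Added example: synchronizer-token CSRF protection for the "withdraw" form above.
// Assumes PHP 7+ (random_bytes) and that the app already uses PHP sessions.
session_start();

// Create (once per session) and return the anti-CSRF token.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random value
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Accept the request only if the submitted token matches the one in the session.
// hash_equals() compares in constant time, so the token cannot be guessed byte by byte.
function csrf_verify(array $post): bool {
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// State-changing actions are POST-only, so a GET via <img src="..."> never gets here.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // The account comes from the logged-in session, never from the form.
    // ... perform the withdrawal for $_SESSION['user'] here ...
    exit('ok');
}

// Render the form (hypothetical /withdraw path); a copy on another site has no valid token.
echo '<form action="/withdraw" method="post">'
   . csrf_field()
   . '<input name="amount" value="" />'
   . '<input type="submit" value="Withdraw" />'
   . '</form>';
```

The token must be tied to the session and regenerated on login; checking the Referer header alone is weaker, because it can be missing or stripped.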


That is all. Most PHP frameworks (Yii, CakePHP, CodeIgniter, Zend, Symfony) and code generators (PHPRunner) handle many of these problems for you, but you still need to understand what they do and what they do not.

Source: https://habr.com/ru/post/114661/

