After reading most of the OWASP Guide and completing a review of the code of the abstract user interface, quite a few improvements can be made to phpPeanuts. To start with the most important problem: the automatic user interface is probably vulnerable to cross-site scripting. With respect to leaks from request variables this will be solved in phpPeanuts 2.1.rc1, which also adds:
- validation of all request variables, including cookies and server variables,
- some improvement of the CSRF protection,
- explicit specification of character sets,
- limitation of AJAX requests to the host the page originates from,
- extensibility by the application developer for use of the UTF-8 character set,
- ids are now included in string conversion (safer for numeric ids, and gives application developers control over string ids),
- string conversion no longer propagates erroneous values.
From a security viewpoint there is also quite a lot that is positive about phpPeanuts:
- MVC architecture,
- allows writing less code in applications, resulting in a smaller attack surface,
- small attack surface because of the relatively small code base of the framework itself,
- centralized authorization scheme: all request handlers delegate to generic functions on a single security object, which delegates to a single authentication object,
- the delivery procedure includes a partly automated check for the use of security-sensitive PHP commands,
- does not allow clients to call functions by name,
- CSRF protection follows the Synchronizer Token Pattern,
- AJAX calls go through the same include and authorization controls, only invoking primary request handling/output methods,
- parts in AJAX requests are addressed by separate external ids.
Version 2.1.0 adds:
- applications are now protected against cross-frame scripting by the X-Frame-Options header.
Version 2.2.0 includes the following improvements:
- improved CSRF protection, extended to all requests after login,
- all SQL queries parameterized,
- validation of pnt parameters, throwing PntValidationException for unexpected values,
- logging out the user on PntValidationException.
(edited on 30-10-2013)
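As an added illustration (not phpPeanuts' own code) of the 2.2.0 measures listed above, the following PHP sketch combines a synchronizer-token CSRF check, whitelist validation of a request parameter that throws a PntValidationException, a parameterized PDO query, and a logout when that exception is caught; the class, function and parameter names (including pntId) are assumptions.

```php
<?php
// Added illustration (not phpPeanuts code) of the 2.2.0 measures listed above;
// class and function names are hypothetical.
class PntValidationException extends RuntimeException {}

function csrfToken(): string {
    // Synchronizer Token Pattern: one random token per session, generated once.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requireValidCsrf(array $request): void {
    $sent = $request['csrf_token'] ?? '';
    // hash_equals compares in constant time, so the check leaks no timing information.
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        throw new PntValidationException('CSRF token missing or invalid');
    }
}

function requireId(array $request, string $key): int {
    // Whitelist validation: only a plain decimal id is accepted, anything else is rejected.
    $raw = $request[$key] ?? '';
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,17}$/', $raw)) {
        throw new PntValidationException("Unexpected value for $key");
    }
    return (int) $raw;
}

function loadItem(PDO $db, int $id): ?array {
    // Parameterized query: the id is bound as a value, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function handleRequest(PDO $db, array $request): ?array {
    try {
        requireValidCsrf($request);
        return loadItem($db, requireId($request, 'pntId'));
    } catch (PntValidationException $e) {
        // Unexpected input after login ends the session instead of being tolerated.
        $_SESSION = [];
        if (session_status() === PHP_SESSION_ACTIVE) { session_destroy(); }
        throw $e;
    }
}
```

The token returned by csrfToken() is meant to be embedded in every form and AJAX request issued after login, so that handleRequest() rejects any request that did not originate from a page the server rendered for this session.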
The following may be improved in a later version:
- layout using strict (X)HTML rendering,
- layout following the W3C WAI guidelines (accessibility for people with disabilities),
- avoiding pop-ups (pop-ups are a common technique used by scammers),
- support for use of the UTF-8 character set,
- external references for pntType, pntHandler etc. to isolate internal references and (depending on a config setting) to hide implementation details,
- input validation for search values,
- make every page first check the DOM and try to reject access attempts that contain any additional frames.
The following is not best practice according to OWASP but will probably not be changed:
- the AJAX framework uses HTML rendering methods (guideline 4 in www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet),
- database access is not performed through parameterized stored procedures (or similar) (www.owasp.org/index.php/Guide_to_Authorization).