I've focused my night on better grasping authentication security and believe I have made good progress. To date I have simply relied on SHA1 hashing and prepared statements - not much, right... So I knew it was time to pick up some new skills.

What I came across was very new, Blowfish, which I have never heard of, and salting, which I have heard of but not deeply looked into before. I was amazed at how simple they were to grasp! I'm now using a salt, using Blowfish and then encrypting the whole lot with PHP's crypt() function. Woo!

What I would like to know is - what else can be done, whether basic or very very advanced, to further secure a web application, other than transport layer such as SSL certificates.

I've considered the adoption of checking for peculiar characters within fields to increase the difficulty for attackers, but with the use of prepared statements I believe this is no longer a problem?

What does someone do next to increase security? Is there something that can be done to secure sessions? Do sessions need securing beyond the core security built into PHP? I've become really interested in security now and would love to hear your suggestions. In the meantime I will be googling PHP web app security :P

Michael
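As an added example (not code from the thread), here is the bcrypt/Blowfish approach the post describes, written two ways: the manual crypt() call with a salt built from a CSPRNG, and the password_hash()/password_verify() pair that wraps the same algorithm and handles the salt for you. The cost of 12 and the sample password are assumptions for illustration; random_bytes() needs PHP 7 and password_hash() needs PHP 5.5.

```php
<?php
// Added example: bcrypt password hashing in PHP. Not the thread author's code.

// Manual approach: build a "$2y$" Blowfish setting string and call crypt().
function bcryptHashManual(string $password, int $cost = 12): string {
    // bcrypt wants a 22-character salt from the alphabet ./A-Za-z0-9.
    // base64 of 16 random bytes gives 22 useful characters once '+' becomes '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $setting = sprintf('$2y$%02d$%s', $cost, $salt);
    $hash = crypt($password, $setting);
    // A bcrypt hash is always 60 characters; crypt() returns a short
    // failure string ("*0" / "*1") on error, so check before storing.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function bcryptVerifyManual(string $password, string $storedHash): bool {
    // crypt() re-hashes with the salt and cost embedded in the stored hash.
    // hash_equals() compares in constant time; a plain == leaks timing.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Recommended approach: same algorithm, salt and format handled by PHP.
function hashPassword(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// Call this after a successful login: if the stored hash was made with a
// lower cost (or an older algorithm), re-hash and update the database row.
function needsUpgrade(string $storedHash): bool {
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12]);
}

// --- Demo with a constructed password (not real credentials) ---
$password = 'correct horse battery staple';

$manual = bcryptHashManual($password);
var_dump(bcryptVerifyManual($password, $manual));      // right password
var_dump(bcryptVerifyManual('wrong password', $manual)); // wrong password

$auto = hashPassword($password);
var_dump(verifyPassword($password, $auto));
var_dump(needsUpgrade($auto));

// Note: bcrypt only uses the first 72 bytes of the password; longer input
// is silently truncated by both crypt() and password_hash().
```

Store the full 60-character string, which already contains the algorithm, cost and salt, so no separate salt column is needed; the cost parameter is what makes brute-forcing slow, so raise it over time as hardware improves and let needsUpgrade() migrate old rows on login.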


I have come across securing/filtering AJAX calls... and I am making AJAX calls in my application - thoughts? http://stackoverflow.com/questions/7953714/php-help-secure-filter-ajax-calls Could I have a seasoned programmer's opinion regarding the answer in that article?

In fact I've just read about sanitising, which should obviously be my next step. I gather that sanitising is simply the checking of variable values to ensure they are what's expected by using functions such as settype() and is_numeric()? If so, then I haven't sanitised a single database input :L
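As an added example (not code from the thread or the linked answer), this is what server-side validation of an AJAX request looks like in practice: each parameter is validated or sanitised to the type and shape you expect, and the query is then run through a prepared statement so the value is bound as data, never spliced into SQL. The products table, the sample requests and the SQLite in-memory database are constructed here for illustration; the same functions work unchanged against a MySQL PDO connection.

```php
<?php
// Added example: validating AJAX input and querying with prepared statements.
// Not the thread author's code; table and sample requests are constructed.

// Validate an incoming 'id': must be an integer >= 1, otherwise reject.
function validateProductId(array $input): ?int {
    if (!isset($input['id'])) {
        return null;
    }
    $id = filter_var($input['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Sanitise a free-text search term: string only, trimmed, control
// characters removed, length capped so it cannot be used to bloat queries.
function sanitiseSearchTerm(array $input, int $maxLen = 64): string {
    $term = (isset($input['q']) && is_string($input['q'])) ? $input['q'] : '';
    $term = preg_replace('/[\x00-\x1F\x7F]/', '', $term);
    return mb_substr(trim($term), 0, $maxLen);
}

// Look up products. Values are bound, so even a hostile string would be
// treated as a literal by the database rather than as SQL.
function findProducts(PDO $db, ?int $id, string $term): array {
    if ($id !== null) {
        $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    } else {
        // Escape LIKE wildcards with '!' so a user-supplied '%' or '_'
        // matches itself instead of acting as a wildcard.
        $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
        $stmt = $db->prepare(
            "SELECT id, name FROM products WHERE name LIKE :term ESCAPE '!'"
        );
        $stmt->bindValue(':term', '%' . $escaped . '%', PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo with an in-memory SQLite database (constructed sample data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (name) VALUES ('Widget'), ('Gadget'), ('100% Cotton Shirt')");

// A legitimate request and a hostile one, as $_POST would deliver them.
$good = ['id' => '2'];
$bad  = ['id' => '2 OR 1=1'];

// The hostile value fails integer validation and never reaches the query.
var_dump(validateProductId($good));
var_dump(validateProductId($bad));

print_r(findProducts($db, validateProductId($good), ''));

// The '%' in the search term is escaped, so only the literal match is found.
print_r(findProducts($db, null, sanitiseSearchTerm(['q' => '100%'])));
```

Validation (reject what is not the expected type) and sanitising (normalise what you accept) are complementary to prepared statements rather than a replacement for them: the prepared statement stops injection, the validation stops the application from acting on nonsense, and the LIKE escaping closes a gap that prepared statements alone do not cover.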

diafol:

I've always found ajax calls to be inherently open. Any javascript can be laid bare, regardless of coders' attempts to obfuscate and minify.
IMO, it's just like using a form - you see the destination/action file in the html view and from the form itself, you can see which parameters are passed, so you can usually create post requests quite easily without actually having to create a physical form.
So I don't try to worry too much about the client-side - just ensure that your server-side code is air-tight.

Cheers diafol, I gather that's done by sanitising?

diafol:

Sanitising, validating data types and checking the session for permissions. Place your include files above the docroot too. You can also prevent direct access to files with htaccess. E.g. if a file is to be included in another but shouldn't be accessed directly via the browser.

Also have a blank index.html file in your directories to help prevent directory listing. May be overkill.
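As an added example (not code from the thread), here is how the three server-side points above fit together in PHP: a guard constant so an include file refuses direct browser access, hardened session cookie settings with id regeneration at login, and a permission check driven by the session. The directory layout (includes under /var/www/private, above a docroot of /var/www/html), the role names and the Apache directive are assumptions for illustration; the array form of session_set_cookie_params() needs PHP 7.3.

```php
<?php
// Added example: include guard, session hardening and a permission gate.
// Not the thread author's code; paths and role names are assumed.

// Front controller (index.php in the docroot) defines the guard constant
// before including anything from the private directory.
define('IN_APP', true);

// Every included file starts with this check. Requested directly, IN_APP
// is undefined and the file exits before any of its code runs.
function requireIncludedContext(): void {
    if (!defined('IN_APP')) {
        http_response_code(403);
        exit('Direct access denied');
    }
}

// Belt and braces: if some includes must stay under the docroot, an
// .htaccess in that directory blocks the browser at the web server
// (Apache 2.4 syntax, assumed):
//     Require all denied

function startHardenedSession(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1'); // no session id in URLs
    ini_set('session.use_strict_mode', '1');  // reject ids PHP did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    session_start();
}

// Called once credentials have been verified. Regenerating the id here
// means an id an attacker planted before login is never promoted.
function loginUser(int $userId, string $role): void {
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['role']     = $role;
    $_SESSION['login_at'] = time();
}

// Permission check for a page or AJAX endpoint: both a logged-in user
// and the right role are required; anything else gets a 403.
function requireRole(string $role): void {
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function logoutUser(): void {
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server side.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// --- Usage as the front controller would run it ---
startHardenedSession();
requireIncludedContext();
loginUser(42, 'admin');          // after verifyPassword() succeeded
requireRole('admin');            // on an admin-only page
require '/var/www/private/admin_panel.php'; // assumed path, above the docroot
```

The session data itself lives on the server, so the things worth protecting are the id (hence the cookie flags, strict mode and regeneration) and the decisions you base on it (hence checking the role on every privileged request rather than only when rendering a menu).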

I have a series of index files in directories that contain a header redirection to the site index :P

And as for session permissions..?

It is all well and good to concentrate on "coding" type security preventions, but what are you doing in terms of server-side? I.e. "hackers" or people who want to generally cause havoc to your website might not generally go down the route of XSS or trying to find vulnerabilities inside your code.

What if, for example, they managed to get onto your server? Since all your files and MySQL databases are stored on your server, they don't even need to look for vulnerabilities within your code.

What if, they managed to DDoS/DoS your site? Corrupt your database files etc.. I wouldn't just look at coding techniques in terms of security - Make sure your server is 100% secure.

:)

This topic has already been marked as solved but I would like to add useful information that deserves to be added, and this is the OWASP top 10 list of vulnerabilities of web apps and guides on how to minimize them. It might be slightly more complex reading but it is worth it if you do serious web development.

Marking as solved was a misclick, sorry! As for server security, that's not my concern. I would like to ask anyone to attempt a DDoS, they'll fail miserably - I've got a dedi in the London Docklands Datacentre as I've worked there before and I'm close friends with most of the team :) I'm in the rack right next to Her Majesty's Revenue and Customs! haha As the topic is titled, my focus is application security, but thanks for the suggestion.

Broj1 - great post, quite an interesting list :)

diafol:

Yep, OWASP - essential reading.
