list

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

sourcebay
Forum Newbie
Posts: 5
Joined: Wed May 31, 2006 4:21 am
Location: turin, italy

list

Post by sourcebay »

Hi guys,
I would like, if it's possible, a list of the usual types of attacks on PHP applications. Can you help me find one?
Thanks a lot!
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

Well, I can sum up some of my knowledge.

Upload attacks: uploading PHP files (extremely dangerous) and accessing them in the upload folder.
SQL injection: unquoted/unescaped queries where GET data is fed to the database, allowing them to do pretty nasty stuff.

These are the 2 basic, most dangerous and commonly overlooked ones. There are many more "subclasses" and specific targets, such as simply trying all files looking for possible leaking in URL arguments, etc.

EDIT: oh, one commonly overlooked thing (very stupid too) is the 0=="X" (also "0"=="00") statement... which evaluates to true, since the integer is not converted to a string, but the string is converted to an integer, resulting in 0==0. This is commonly not a security issue, but it could be, and this is generally unknown (but still very stupid).
Last edited by Syranide on Fri Jun 02, 2006 7:17 am, edited 1 time in total.
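The loose-comparison pitfall from the post above, as an added example that is not code from the thread: it prints how `==` juggles types for a few constructed inputs, then contrasts a vulnerable `==` token check with a strict `hash_equals` one. The behaviour notes assume PHP 7.x semantics; PHP 8 changed int-vs-non-numeric-string comparison so `0 == "X"` is false there, while `"0" == "00"` stays true on every version.

```php
<?php
// Added example (not from the original post). Shows why == is unsafe for
// security decisions in PHP and what the strict alternative looks like.

// Vulnerable pattern: == lets PHP juggle types before comparing.
function looseCheck(string $expected, $supplied): bool
{
    return $expected == $supplied;
}

// Hardened pattern: require a string and compare in constant time.
// hash_equals() is a real PHP built-in (PHP >= 5.6).
function strictCheck(string $expected, $supplied): bool
{
    return is_string($supplied) && hash_equals($expected, $supplied);
}

// Constructed inputs illustrating type juggling.
$cases = [
    [0,     "X"],    // int vs non-numeric string: true on PHP <= 7, false on PHP 8
    ["0",   "00"],   // two numeric strings are compared numerically: true everywhere
    ["1e3", "1000"], // "1e3" is numeric (float 1000): true everywhere
    ["abc", 0],      // same rule as the first case: true on PHP <= 7, false on PHP 8
];
foreach ($cases as [$a, $b]) {
    printf("%-6s == %-6s : %s\n",
        var_export($a, true), var_export($b, true), var_export($a == $b, true));
}

// A constructed, hypothetical stored token that happens to look like a
// number in scientific notation ("0e..." parses as 0.0). Because both sides
// are numeric strings, == compares them as numbers, so "0" matches it.
$storedToken = "0e11111111111111111111111111111111"; // constructed sample, not a real secret
$userToken   = "0";

var_dump(looseCheck($storedToken, $userToken));  // bool(true)  -- the bug
var_dump(strictCheck($storedToken, $userToken)); // bool(false) -- correct
```

The lesson is the one the post hints at: any check that gates access (tokens, password hashes, signatures) should use `===` or `hash_equals()`, never `==`.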
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Re: list

Post by aerodromoi »

sourcebay wrote:Hi guys,
I would like, if it's possible, a list of the usual types of attacks on PHP applications. Can you help me find one?
Thanks a lot!
One more specific point of interest: Header injections (contact forms)
In a nutshell: Never trust user input!

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

XSS
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

viewtopic.php?t=29269

Have a look at these sources...
sourcebay
Forum Newbie
Posts: 5
Joined: Wed May 31, 2006 4:21 am
Location: turin, italy

Post by sourcebay »

Thanks a lot!
I'm improving at securing PHP code.
Security is a big problem for web applications in my opinion, but only a few developers spend time making the code better.
Thanks for the advice.
Llaik
Forum Newbie
Posts: 3
Joined: Fri May 26, 2006 9:38 am

Re: list

Post by Llaik »

sourcebay wrote:Hi guys,
I would like, if it's possible, a list of the usual types of attacks on PHP applications. Can you help me find one?
Thanks a lot!
List of some + links to full descriptions: http://llaik.rivil.com/?p=82