
list

Posted: Fri Jun 02, 2006 6:57 am
by sourcebay
Hi guys,
I would like to have, if it's possible, a list of the usual types of attacks on PHP applications. Can you help me find it?
Thanks a lot!

Posted: Fri Jun 02, 2006 7:05 am
by Syranide
Well, I can sum up some of my knowledge.

Upload attacks: uploading PHP files (extremely dangerous) and accessing them in the upload folder.
SQL injection: unquoted/unslashed queries where GET data is fed to the database, allowing them to do pretty nasty stuff.

These are the two basic, most dangerous and commonly overlooked ones. There are many more "subclasses" and specific targets, such as simply trying all files looking for possible leaking in URL arguments etc.

EDIT: Oh, one commonly overlooked thing (very stupid too) is the 0=="X" (also "0"=="00") statement, which evaluates to true, since the integer is not converted to a string but the string is converted to an integer, resulting in 0==0. This is commonly not a security issue, but it could be, and this is generally unknown (but still very stupid).
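As an added example (not code from the thread), the three problems Syranide lists above, each shown as the vulnerable pattern next to a hardened one. It assumes a PDO connection to a database with a "users" table and an upload directory outside the web root; all names and inputs are constructed for illustration.

```php
<?php
// Added example, not from the thread: PHP file uploads, SQL injection and
// loose comparison, vulnerable form beside a hardened form. Assumes a PDO
// connection with a "users" table and an upload directory the web server
// never serves; every name here is a placeholder.

// --- 1. Uploads -----------------------------------------------------------
// Naive: the client chooses the filename, so "shell.php" lands in a folder
// the web server executes scripts from, and a GET request runs it.
function save_upload_naive(array $file, string $dir): string
{
    $dest = $dir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened: sniff the real content type, accept a short allow-list, choose
// the filename and extension ourselves, and write outside the document root.
function save_upload_safe(array $file, string $dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null; // not an image we accept
    }
    // A valid image can still carry PHP code inside it, which is why the
    // extension is ours and the directory is never served as script.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// --- 2. SQL injection -----------------------------------------------------
// Naive: name = ' OR '1'='1 returns every row; a UNION reads other tables.
function find_user_naive(PDO $db, string $name): ?array
{
    $res = $db->query("SELECT id, name FROM users WHERE name = '$name'");
    $row = $res ? $res->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

// Hardened: the value travels separately from the statement text.
function find_user_safe(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- 3. Loose comparison --------------------------------------------------
// Even with two strings, == compares numerically when both look numeric:
// "0" == "00" and "0e123" == "0e456" are true in every PHP version
// (0 == "X" is true before PHP 8 only). A token or hash check written with
// == can therefore pass for a value the attacker never had.
function check_token_naive(string $supplied, string $expected): bool
{
    return $supplied == $expected;
}

// Hardened: strict and constant-time.
function check_token_safe(string $supplied, string $expected): bool
{
    return hash_equals($expected, $supplied);
}

// Constructed inputs for the comparison point (the other two need a request).
var_dump(check_token_naive('0e123', '0e456'));
var_dump(check_token_safe('0e123', '0e456'));
```

Run from the command line, the naive comparison of the two constructed "0e" strings reports true and the hash_equals version false; the "0e" shape matters because hex digests that happen to start with 0e and contain only digits afterwards are exactly the values that collide under ==.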

Re: list

Posted: Fri Jun 02, 2006 7:10 am
by aerodromoi
sourcebay wrote: Hi guys,
I would like to have, if it's possible, a list of the usual types of attacks on PHP applications. Can you help me find it?
Thanks a lot!
One more specific point of interest: header injection (contact forms).
In a nutshell: Never trust user input!

aerodromoi
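The contact-form header injection mentioned above, as an added example that is not part of the original post. It assumes PHP's mail() and a fixed owner address; the addresses and payload strings are constructed placeholders.

```php
<?php
// Added example, not from the thread: contact-form header injection through
// mail(). Assumes mail() is configured; addresses are placeholders and the
// attack string below is constructed.

// Naive: the user's address goes straight into a header line. A value such as
// "a@example.com\r\nBcc: list@example.net\r\n\r\nspam body" appends headers
// and a body of the attacker's choosing, turning the form into a mail relay.
function send_contact_naive(string $from, string $subject, string $body): bool
{
    return mail('owner@example.com', $subject, $body, "From: $from");
}

// A header value may not contain CR or LF. Reject rather than strip, so the
// caller learns the input is bad instead of sending a silently altered message.
function header_value_ok(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Hardened: validate the address, keep user-controlled strings out of the
// header section except as a validated Reply-To, and use a fixed From.
// The body is not a header, so newlines there are harmless.
function send_contact_safe(string $from, string $subject, string $body): bool
{
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!header_value_ok($subject)) {
        return false;
    }
    $headers = "From: contact-form@example.com\r\nReply-To: $from";
    return mail('owner@example.com', 'Contact form: ' . $subject, $body, $headers);
}

// Offline check of the validation only (nothing is sent).
$attackFrom = "a@example.com\r\nBcc: list@example.net";     // constructed
$attackSubject = "Hello\r\nBcc: list@example.net";          // constructed
var_dump(filter_var($attackFrom, FILTER_VALIDATE_EMAIL) === false);
var_dump(header_value_ok($attackSubject));
```

Newer PHP releases refuse some malformed header blocks inside mail() itself, but the form should not depend on that: validate every value that reaches a header, and never let the visitor's input become the From address.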

Posted: Fri Jun 02, 2006 7:15 am
by s.dot
xss
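An added example for the XSS point above (not code from the thread): reflected XSS in a PHP page and the output escaping that stops it, with the attribute, URL and inline-script contexts that plain htmlspecialchars() does not cover on its own. The payloads are constructed.

```php
<?php
// Added example, not from the thread: reflected XSS and context-aware output
// escaping. All inputs below are constructed payloads.

// Naive: a query-string value is echoed into the page as markup.
function greet_naive(string $name): string
{
    return "<p>Hello, $name</p>";
}

// HTML body and attribute contexts: escape on output, never on input.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function greet_safe(string $name): string
{
    return '<p>Hello, ' . e($name) . '</p>';
}

// href/src context: escaping does not stop "javascript:alert(1)", so the
// scheme has to be restricted as well.
function link_safe(string $url, string $text): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false
        || ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true))) {
        $url = '#';
    }
    return '<a href="' . e($url) . '">' . e($text) . '</a>';
}

// Inline-script context: json_encode with the HEX flags so the value can
// neither close the <script> element nor break out of the string literal.
function js_safe(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$payload = '<script>alert(1)</script>';                       // constructed
echo greet_naive($payload), "\n";   // the script element reaches the browser
echo greet_safe($payload), "\n";    // the same text, rendered as text
echo link_safe('javascript:alert(1)', 'click'), "\n";
echo '<script>var name = ', js_safe('</script><script>alert(1)</script>'), ';</script>', "\n";
```

The design point is that the escaping function depends on where the value lands: htmlspecialchars() is right for element content and quoted attributes, a scheme allow-list is needed for URLs, and json_encode() with the HEX flags for data embedded in script.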

Posted: Fri Jun 02, 2006 7:32 am
by Maugrim_The_Reaper
viewtopic.php?t=29269

Have a look at these sources...

Posted: Fri Jun 02, 2006 7:35 am
by sourcebay
Thanks a lot!
I'm improving at securing PHP code.
Security is a big problem for web applications in my opinion, but only a few developers spend time making the code better.
Thanks for the advice.

Re: list

Posted: Fri Jun 02, 2006 8:12 am
by Llaik
sourcebay wrote: Hi guys,
I would like to have, if it's possible, a list of the usual types of attacks on PHP applications. Can you help me find it?
Thanks a lot!
List of some + links to full descriptions: http://llaik.rivil.com/?p=82