[unisog] PHP Security

Bradley Ellis Bradley.Ellis at its.monash.edu.au
Wed Nov 23 23:38:30 GMT 2005

Hi Tim,

The OWASP Site is a good starting point for any web application.
http://www.owasp.org. As it covers the topics in a generic sense.

There are a number of specifc php security guides, but I'd work
with owasp for establishing a framework and then deal with the

As for php vulnerabilty scanners:

If you are trying to check the php code - you could try the 
php lint stuff, but I don't think it will go to the level you want.

Unlike C where you can search for gets, and a variety of other
known well problems. PHP problems don't tend to be caused by
the language so much as the logic in what the programmer is doing.

Key difficulties that we've had with programmers / web developers
is getting them to realise:

	An application is more than getting the code to work when you
	get your expecting input.

	That people will abuse your application - eg.
	A 30 character limit on your input field in a form, doesn't 
	mean that you'll get at most 30 characters in your http data stream.
	(Input Validation).

	What is safe to be entered into a web form isn't safe for SQL.
	(SQL Injection // Input/Output Validation).

	What is safe to be entered into a web form isn't safe for re-display
	(XSS bugs // Input/Output Validation).

	What is safe to be entered into a web form isn't safe for the
	command line (Input/Output validation again.)

	Time limiting some processes - eg Authentication - 1 or 2
	per second is reasonable from a single ip address/proxy pair. 1 or 2
	thousand authentications per second from a single ip address/proxy
	isn't reasonable. This can be extended to other key functions.


If you are trying to check the version of php one the webserver,
many of the web servers will display the version in the headers.

Eg. Server: Apache/1.3.xx (Unix) PHP/5.x.x
And something like Nessus would be able to scan for this.

Bradley Ellis
Senior IT Security Officer, Infrastructure Services
Information Technology Services, Monash University - Clayton
Phone:  9905 1383


> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Tim Lane
> Sent: Wednesday, 23 November 2005 4:18 PM
> To: unisog at lists.sans.org
> Subject: [unisog] PHP Security
> Hi,
> just wondering if anyone is aware of recommended guides for 
> PHP security, or good free PHP vulnerability scanners?
> Cheers,
> Tim Lane
> Tim Lane
> Information Security Program Manager
> Information Technology and Telecommunication Services 
> Southern Cross University PO Box 157 Lismore NSW 2480
> *02 6620 3290    7    02 6620 3033    * tlane at scu.edu.au
> * http://www.scu.edu.au <http://www.scu.edu.au>  

More information about the unisog mailing list