After reading most of the OWASP Guide and a complete review of the code of the abstract user interface, quite some improvements can be made to phpPeanuts. To start with the most important problem: The automatic user interface is probably vulnerable to cross site scripting. With respect to leaks from request variables this will be solved in phpPeanuts 2.1.rc1, which also adds:
- validation of all request variables including cookies and server variables,
- some improvement of the CSRF protection,
- explicit specification of character sets,
- limitation of AJAX requests to the host the page originates from,
- can be extended by application developer for the use of UTF-8 character set,
- ids are now included in string conversion (safer for numeric ids and gives application developers control over string-ids),
- string-conversion no longer propagates erroneous values.
Henk
2012-10-24 18:27:22
From a security viewpoint there is also quite a lot of positive about phpPeanuts:
- MVC architecture,
- allows to write less code in applications resulting in a smaller attack surface,
- small attack surface because of relatively small code base of the framework itself,
- centralized authorization scheme: all request handlers delegating to generic functions on a single security object that delegates to a single authentication object,
- delivery procedure includes a partly automated check for the use of security-sensitive php commands,
- does not allow clients to call functions by name,
- CSRF protection follows Synchronizer Token Pattern,
- Ajax calls go through the same include and authorization controls, only invoking primary request handling/output methods,
- parts in AJAX requests are addressed by separate external ids.
Henk
2012-10-24 18:30:51
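The Synchronizer Token Pattern named in the post above, written out in plain PHP as an added illustration. This is not phpPeanuts' own implementation: the function names and the `pntCsrf` field name are assumptions made for the example, and the form is a constructed sample.

```php
<?php
// Added example: Synchronizer Token Pattern for CSRF protection in plain PHP.
// Illustrative code, not phpPeanuts' implementation; names are assumptions.
declare(strict_types=1);

session_start();

// Issue (or reuse) one token per session. It comes from a CSPRNG and lives
// server-side, so a forged cross-site request cannot know it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden form field carrying the token. Escaped on output even though the
// value is hex: escaping everything that goes into HTML is the XSS habit.
function csrfField(): string
{
    return '<input type="hidden" name="pntCsrf" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session token in constant time, so
// response timing leaks nothing about how many leading bytes matched.
function csrfValid(array $request): bool
{
    $submitted = $request['pntCsrf'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Every state-changing (POST) request is gated on a valid token.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... handle the form submission normally ...
}
?>
<form method="post" action="save.php">
  <?= csrfField() ?>
  <input type="text" name="name">
  <button type="submit">Save</button>
</form>
```

The token is bound to the session rather than to the page, which is what lets a framework extend the check to all requests after login, as the 2.2.0 notes describe, without a new token per form.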
Version 2.1.0 adds:
- Applications are now protected against cross frame scripting by Header XframeOptions.
Version 2.2.0 includes the following improvements:
- improving CSRF protection and extending it to all requests after login,
- parameterize all SQL queries,
- validate pnt parameters and throw PntValidationException for unexpected values.
- log out user on PntValidationException
(edited dd 30-10-2013)
Henk
2012-10-24 18:34:28
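Three of the measures listed for 2.1.0 and 2.2.0 (the X-Frame-Options header, parameterized SQL, and rejecting unexpected parameter values with a PntValidationException followed by a logout), shown together as an added plain-PHP example. This is not phpPeanuts code: the exception class body, the `validatedId`, `logOutUser` and `loadPerson` functions, the `person` table and the in-memory SQLite database are all constructed for the illustration.

```php
<?php
// Added example, not phpPeanuts code. Assumes PDO with the sqlite driver.
declare(strict_types=1);

// 2.1.0: refuse to be embedded in frames from other origins. Headers must be
// sent before any output, so this sits at the top of the page.
header('X-Frame-Options: SAMEORIGIN');
header('Content-Type: text/html; charset=UTF-8');

// 2.2.0: a dedicated exception type for unexpected request values.
class PntValidationException extends RuntimeException {}

// Strict validation of a numeric id parameter: decimal digits only, no sign,
// no whitespace, bounded length. Anything else is rejected, not coerced.
function validatedId(array $request, string $name): int
{
    $raw = $request[$name] ?? null;
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        throw new PntValidationException("Unexpected value for parameter $name");
    }
    return (int) $raw;
}

// 2.2.0: on a validation failure, end the session so that a tampered
// request cannot continue to ride an authenticated session.
function logOutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// 2.2.0: parameterized query; the id is bound, never spliced into the SQL.
function loadPerson(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM person WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();

// Constructed sample database so the page runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO person (id, name) VALUES (1, 'Alice')");

try {
    $id = validatedId($_GET, 'id');
    $person = loadPerson($db, $id);
    echo $person === null
        ? 'Not found'
        : htmlspecialchars($person['name'], ENT_QUOTES, 'UTF-8');
} catch (PntValidationException $e) {
    logOutUser();
    http_response_code(400);
    echo 'Invalid request; you have been logged out.';
}
```

Requesting the page with `?id=1` prints the escaped name; `?id=1%20OR%201=1` or `?id=abc` never reaches the database, because the regular expression rejects it and the session is dropped in the catch block.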
The following may be improved in a later version:
- layout using strict (X)HTML rendering,
- layout following W3C WAI guidelines (accessibility for handicapped),
- do not use pop-ups (pop-ups are a common technique used by scammers),
- support for usage of UTF-8 character set
- external references for pntType, pntHandler etc. to isolate internal references and (depending on config setting) to hide implementation details
- input validation for search values,
- Make every page first check the DOM model and try to reject access attempts that contain any additional frames.
Henk
2012-10-24 18:35:40
The following is not best practice according to OWASP but will probably not be changed:
- the AJAX framework uses html rendering methods (Guideline 4 in www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet),
- Database access is not performed through parameterized stored procedures (or similar) (www.owasp.org/index.php/Guide_to_Authorization).