Web application security is a process, and adopting a sound approach to security
during development makes it possible to write more robust code.
A completely secure system is a virtual impossibility, so an approach often used
in the security profession is one of balancing risk and usability. The best security
is often unobtrusive enough to suit the requirements without the user being prevented
from accomplishing their work, or over-burdening the code author with excessive
complexity.[1]
How secure is PHP? It is as secure as any other major server-side language.
With current PHP frameworks and tools, it is now easier than ever to achieve
an excellent level of security.
Reverse tabnabbing is an attack where a page linked from the target page is
able to replace that page with, for example, a phishing site.
SQL Injection vulnerabilities
A SQL injection attack consists of insertion of a SQL query via the input data
from the client to the application. A successful SQL injection exploit can execute
malicious SQL in the database and in some cases issue commands to the operating system.
[1]
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute
unwanted actions on a web application in which they’re currently authenticated.
[2]
The framework introduces a CRSFToken class for CSRF token generation.
This class requires a running PHP session in order to work.
Placing the secret in a hidden input doesn't inherently make it secure. The key's
composition and encoding would do that. The value of the hidden input is that it
keeps the secret associated with the data and automatically includes it when the
form is sent to the server. You need to use well-designed secrets to actually
secure your website. [3]
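As an added illustration of the points above (a random, well-encoded secret kept in the session, carried by a hidden input, and compared in constant time), here is a minimal session-backed CSRF helper in PHP. It is example code written for this page, not the framework's CRSFToken class; the function names and the `csrf_token` field name are assumptions.

```php
<?php
// Added example: a minimal session-backed CSRF token helper.
// Illustrative code, not the framework's CRSFToken class.

declare(strict_types=1);

session_start();

// Create (or reuse) a per-session token. random_bytes() gives a
// cryptographically secure secret; bin2hex keeps it safe to embed in HTML.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Render the hidden input that ties the token to the form submission.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token against the session copy.
// hash_equals() compares in constant time, so a wrong token
// leaks no information about how many leading bytes matched.
function csrf_verify(?string $submitted): bool
{
    if (empty($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Usage in a request handler: reject the POST before doing any work.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the form ...
}

echo '<form method="post">' . csrf_field()
   . '<button type="submit">Save</button></form>';
```

The token should be regenerated (for example by clearing `$_SESSION['csrf_token']`) whenever the session is regenerated at login or logout, so a token issued to an anonymous session does not carry over into an authenticated one.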
Google reCAPTCHA v2 & v3
Google offers reCAPTCHA (v3 and v2) and reCAPTCHA Enterprise to help protect sites from fraudulent activities, spam, and abuse.
[1]
A CAPTCHA is a type of challenge–response test used in computing to determine
whether the user is human in order to deter bot attacks and spam.
[2]
reCAPTCHA v2 works through user-initiated validation.
reCAPTCHA v3 returns a score for each request without user friction. The
score is based on interactions with the site. It is non-intrusive and operates
behind the scenes, ensuring a distraction-free experience for users. [3]