SANS Top-20 Internet Security Attack Targets: Web Applications Attacks (2/2)  
Author: Max : 2006/11/21
Web Applications Attacks 

C1.2 How to Determine If You Are at Risk

Web scanning tools can help find these vulnerabilities, particularly when they are known bugs. However, finding all potential vulnerabilities requires a source code review, and this should be done by the developers prior to release.

Inspect your web application framework's configuration and harden appropriately.

System administrators should consider scanning web servers periodically with vulnerability scanners, particularly if they run a large diverse range of user supplied scripts, such as a hosting farm. It is impractical for system administrators to perform detailed penetration tests.

C1.3 How to Protect against Web Application Vulnerabilities

From the PHP system administration and hosting perspective:

  • Upgrade to PHP 5.2, as it eliminates many latent PHP security issues and allows for safer APIs, such as PDO

  • Always test and deploy patches and new versions of PHP as they are released

  • Frequent web scanning is recommended in environments where a large number of PHP applications are in use

  • Consider using the following PHP configuration:

    • register_globals (should be off; will break insecure apps)

    • allow_url_fopen (should be off; will break apps that rely on this feature, but protects against a very active exploit vector)

    • magic_quotes_gpc (should be off; will break older insecure apps)

    • open_basedir (should be enabled and correctly configured)

    • Consider using least privilege execution features like PHPsuexec or suPHP

    • Consider using Suhosin to control the execution environment of PHP scripts

  • Use Intrusion Prevention/Detection Systems to block or alert on malicious HTTP requests. Consider using Apache's mod_security to block known PHP attacks

  • As a last resort, consider banning applications which have a track record of active exploitation and slow response times in fixing known security issues.


From the developer perspective:

  • If you use PHP, migrate your application to PHP 5.2 as a matter of urgency.

  • To avoid the coding issues above:

    • Develop with the latest PHP release and a hardened configuration (see above)

    • Validate all input appropriately

    • Encode all output using htmlentities() or a similar mechanism to avoid XSS attacks

    • Migrate your data layer to PDO; do not use the old-style mysql_*() functions, as they are known to be faulty

    • Do not use user-supplied input with file functions, to avoid remote file inclusion attacks

  • Join secure coding organizations, such as OWASP (see references), to boost skills and learn about secure coding

  • Test your apps using the OWASP Testing Guide with tools like WebScarab, Firefox's Web Developer Toolbar, Greasemonkey and the XSS Assistant
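The four developer recommendations above (validate input, encode output, use PDO, keep user input away from file functions) applied to one small "view an article" page. This is an added example written for a current PHP release, not code from the SANS document; the `articles` table, the `pages/` directory and the SQLite DSN are placeholders.

```php
<?php
// Added example, not from the SANS document. Assumes a table
// articles(id INT, title TEXT) and a pages/ directory; both are placeholders.

// --- Vulnerable "before" patterns the list above warns against -----------
// 1. SQL injection: user input concatenated into the query.
//    $res = mysql_query("SELECT title FROM articles WHERE id = " . $_GET['id']);
// 2. XSS: output echoed without encoding.
//    echo "<h1>" . $row['title'] . "</h1>";
// 3. Remote/local file inclusion: user input passed straight to include().
//    include($_GET['page'] . '.php');

// --- Hardened versions ----------------------------------------------------
// Validate input: the id must be a positive integer, nothing else.
function validateId($raw): ?int {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Data layer on PDO with a bound parameter instead of string concatenation.
function fetchTitle(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

// Encode all output for the HTML context before it reaches the browser.
function renderTitle(string $title): string {
    return '<h1>' . htmlentities($title, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Never feed user input into a file function: map it onto a fixed allowlist.
function resolvePage(string $requested): ?string {
    $allowed = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    return $allowed[$requested] ?? null;
}

// Request handling: reject bad input early, then use only the safe helpers.
$id = validateId($_GET['id'] ?? '');
if ($id === null) { http_response_code(400); exit('bad id'); }
$db = new PDO('sqlite::memory:');  // placeholder DSN; substitute your own
echo renderTitle(fetchTitle($db, $id) ?? 'Not found');
$page = resolvePage($_GET['page'] ?? 'home');
if ($page !== null) { include $page; }
```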



C1.4 References

OWASP - Open Web Application Security Project
http://www.owasp.org

OWASP Testing Guide
http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents

OWASP Guide - a compendium of secure coding
http://www.owasp.org/index.php/Category:OWASP_Guide_Project

OWASP Top 10 - top 10 web application security weaknesses
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Suhosin - a Hardened PHP project to control the execution environment of PHP applications
http://www.hardened-php.net/suhosin/

PHP Security Features
http://php.net/features.safe-mode
