
PUBLIC MARKS from mbertier with tags security & bestpractices

2007

PHPIDS » Web Application Security 2.0 » Index

by 1 other (via)
PHPIDS (PHP-Intrusion Detection System) is a simple-to-use, well-structured, fast and state-of-the-art security layer for your PHP-based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user's session.

The Usability of Passwords - Baekdal.com

by 5 others (via)
Passwords can be made both highly secure and user-friendly.

0x000000 ◊ The Hacker Webzine

I've talked about CSRF before, but this time I wanted to show some of the underlying basics of it and explain why it isn't a new trick or something special. It is part of browsers and the way HTTP works, and also removes any argument that POST should be safer than GET. I know this is Internet basics, but it can still be refreshing to read it over from time to time.

XSS (Cross Site Scripting) Cheat Sheet

by 17 others (via)
This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion.

HTML Purifier - Filter your HTML the standards-compliant way!

by 19 others
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

Dangers of CSRF and XSS / Articles / Community

by 1 other (via)
In this article, we will show you how CSRF and XSS work and how to defend against them. To dispel the myths about these attacks, I will assume the role of a hacker and show how the supposedly harmless injection of tiny bits of HTML can perform amazing things, from stealing the user's identity to a completely transparent rewrite of site content.

MySQL: Storing Passwords in MySQL

by 2 others (via)
Securing plain text passwords in MySQL is NEVER a good idea. As a DBA you should take great care in protecting the users' information. Fortunately MySQL provides you with several options to protect passwords.

2006

BindShell.Net: BeEF

BeEF is the browser exploitation framework. Its purpose in life is to provide an easily integratable framework to demonstrate the impact of browser and cross-site scripting (XSS) issues in real time.

PHP Security Consortium: PHPSecInfo

by 8 others (via)
The idea behind PHPSecInfo is to provide an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

Checklist for Securing PHP Configuration | Ayman Hourieh's Blog

by 3 others (via)
Inside is a checklist of settings that are intended to harden the default PHP installation.

Fail2ban against brute-force attacks - JujuSeb in search of Linux

by 1 other
The default configuration is sufficient to protect against brute-force attacks, and that is precisely Fail2ban's strength.

Wapiti - Web application security auditor

by 13 others
It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed webapp, looking for scripts and forms where it can inject data.

2005

Securely Edit Your Website Content in WebDAV

by 2 others (via)
Not all file permissions problems on Apache have such simple, and effective, solutions. But this one is very effective, and very simple to set up.
