How to protect your PHP website against common attacks in common frameworks such as Codeigniter/CAKEPHP/SYMFONY/ZEND

Question

Hi I am looking for advice regarding protection and testing against attacks on your php website.

I have found some advice myself by searching around and I hope the more experienced developers have more suggestions and can fill in the blanks. please help out if you can so we can make safer and better websites.

First some common attacks against websites:

1. Server side: port scanning (1.1)

2. websites: Cross-site scripting, (2.1) Injection attacks, (2.2) Cross-site request forgery, (2.3) Broken authentication and session management, (2.4) Insecure cryptographic storage, (2.5) Insecure Communications, (2.6) information Leakage (2.7)

How to test:

• 1.1 port scanning software (firefox has addons but they cannot scan low number ports?)
• 2.1 xss mefor firefox
• 2.2 inject me for firefox
• 2.3 xss me?
• 2.4 access me access me
• 2.5 ?
• 2.6 ?
• 2.7 ?

how to fix in php (and preferably codeigniter,cakephp/symfony/zend):

• 1.1 close your ports? (except for 80 and 465?)

• 2.1

$config['global_xss_filtering'] = TRUE; (codeigniter)

• 2.2 use activerecord (escaping queries) (codeigniter)
• 2.3 ?
• 2.4 ?
• 2.5 ?
• 2.6 ?
• 2.7 ?

please help out if you can

thx

Answer 1

Unfortunately security is much more than a list of tests. Before I continue on technical details you should first understand that the largest security issue is between keyboard and chair. So:

• Large random passwords, keep them secret
• Keep systems up-to-date
• Code with comments, structure, reviews and tests

For the server (assuming you use a linux/unix/bsd environment):

• Have a firewall, and a Intrusion Detection System
• Do close all unnecessary ports to the public, and if you need a port for yourself (like for ssh) add a firewall exception rule for it.
• Keep your operating system up-to-date, don't run personal stuff on it, don't go running experiments on it, don't run unstable
• Don't go with a shared hosting party
• Is your server located at a safe and secure spot?

You can test your application with all kind of security tools (like Nikto, Paros/Burp proxy, nmap, ...) but in fact since you wrote the application you can do a much better security test yourself.

• Using a framework with functions to escape variables in the layout layer of your application does prevent most XSS vulnerabilites, but be aware that escaping does not solve everything.
• Use session header to prevent XSS httponly (does not work in all browsers yet)
• Prevent SQL injection by using an layer that does filtering jobs for you
• Use autoloaders to prevent LFI and RFI
• Do not install other webapplications in your web directory and do not have testfiles hanging around
• Use captcha's to prevent bruteforcing to log-ins

There are also a lot more attacking vectors; probably to much for a regular developer to be aware of. Your application is secure by writing it secure and not by doing all sorts of tests. Use tests as a confirmation, in short: code secure.