php - Website security - help me suck less



I'm a bit behind the times when it comes to website security. I know the basics - validate incoming data, escape info being saved to the DB, use salted passwords, etc. I sense there's a lot I'm missing that can bite me in the butt. This is true of my slow migration to .NET; I'm not sure how to replicate what I know in PHP in .NET. So, below are the things I've been thinking about that I'm sure I need help with.

Problem: securing sessions. PHP: use session_regenerate_id() whenever the user does something important. .NET: no idea how to replicate this here. General: what else am I missing?

Problem: XSS. PHP: use htmlentities() to convert potentially unsafe code so it can be rendered (mostly) harmlessly. .NET: I believe in MVC, using <%: %> tags in the view does the same thing. General: is there more I can do to block JavaScript? Denying HTML entirely? How does one secure a textarea?

Problem: remote execution. PHP: use a regex to find and remove eval() function calls. .NET: unsurprisingly, no idea. General: again, is there more I should look for?

Problem: directory traversal (probably related to the above). I'm not sure how worried I should be about this, nor am I sure how to block it.

Suggestions, links to articles (with code examples), etc. are welcome and appreciated.

session_regenerate_id

I don't think there is an equivalent. Sessions are short lived; if an attacker gets the session in time, that should happen after you alter the access level.

Something additional: sessions aren't meant to authenticate the user in ASP.NET. When using custom authentication, use Forms Authentication.

The above said, it is subject to a man-in-the-middle attack. As is the case for lots of sites, cookie hijacking is a problem all around.

When doing something special, require the user to enter the password once again / this should be done over HTTPS. If you need a series of special operations, you can do it once, and the requests/cookies that follow need to be sent over HTTPS. In that context, emit a modified Forms Authentication cookie that allows access to the special operations and has "require HTTPS" on.

I believe in MVC, using <%: %> tags in the view does the same thing.

Yes, that's kind of the equivalent of <%= Html.HtmlEncode(someString) %> / it prevents double encoding (you should use that).

Use a regex to find and remove eval() function calls.

In .NET you don't have such shorthand for broad access. If you are not explicitly doing something out of the ordinary, you are ok.

Directory traversal (probably related to the above)

Use MapPath and similar. It prevents going outside of the site folder. That said, avoid receiving paths altogether, as it can still give unintended access to special files within the ASP.NET folder. In fact, that's part of what happened with the Microsoft handler in the padding oracle vulnerability out there - more on my blog.

You can add CSRF to the list.

Use the anti-forgery token: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Padding oracle attack:

Apply the workarounds & the patch when it's out.

Learn about what I mention here: ASP.NET padding oracle: how it relates to getting the web.config, forging authentication cookies and reading other sensitive data. Understanding what's in there is important, especially if you use some of those features, i.e. you don't want someone putting sensitive info in view state :)
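An added example, written for this page and not code from the question, the answer or the linked blog. It is C# for classic ASP.NET MVC (System.Web.Mvc) with Forms Authentication and shows three of the mitigations the answer lists: a short-lived, HTTPS-only Forms Authentication cookie that marks a user who has just re-entered the password for "special operations"; a path-resolution check that keeps a user-supplied file name under one fixed folder (Server.MapPath alone still lets a request reach other files inside the site); and POST actions protected by ValidateAntiForgeryToken and RequireHttps. The controller and action names, the ".ELEVATED" cookie name, the "elevated" marker and the App_Data/Downloads folder are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not code from the original post or answer.
// Assumes classic ASP.NET MVC with Forms Authentication and Membership configured.
public static class ElevatedAuth
{
    // Hypothetical cookie name and UserData marker chosen for this example.
    public const string CookieName = ".ELEVATED";
    public const string Marker = "elevated";

    // Call only after the user has re-entered the password over HTTPS.
    // Short-lived, HttpOnly and Secure: the browser never sends it over plain HTTP.
    public static HttpCookie Issue(string userName)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(10),
            false, Marker, FormsAuthentication.FormsCookiePath);

        return new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = true,
            Path = FormsAuthentication.FormsCookiePath
        };
    }

    // Trust the cookie only if it decrypts, has not expired, carries the marker
    // and names the same user as the regular Forms Authentication identity.
    public static bool IsElevated(HttpCookie cookie, string expectedUser)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }   // tampered or undecryptable: treat as absent
        return ticket != null
            && !ticket.Expired
            && ticket.UserData == Marker
            && string.Equals(ticket.Name, expectedUser, StringComparison.Ordinal);
    }
}

public static class SafePaths
{
    // Resolve a user-supplied relative name under rootPhysical; return null if it escapes
    // that folder. Server.MapPath refuses ".." that climbs above the application root, but
    // "../Web.config" still lands inside the site, so the resolved prefix is checked as well.
    public static string ResolveUnderRoot(string rootPhysical, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName) || Path.IsPathRooted(requestedName))
            return null;
        try
        {
            string root = Path.GetFullPath(rootPhysical).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
            string candidate = Path.GetFullPath(Path.Combine(root, requestedName));
            return candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? candidate : null;
        }
        catch (ArgumentException) { return null; }   // invalid characters in the name
    }
}

[Authorize]
public class AccountController : Controller
{
    private const string DownloadRoot = "~/App_Data/Downloads";   // hypothetical folder

    // The ASPX form posting here must render <%= Html.AntiForgeryToken() %>,
    // otherwise ValidateAntiForgeryToken rejects the request.
    [HttpPost, ValidateAntiForgeryToken, RequireHttps]
    public ActionResult ChangeEmail(string newEmail)
    {
        if (!ElevatedAuth.IsElevated(Request.Cookies[ElevatedAuth.CookieName], User.Identity.Name))
            return RedirectToAction("ReAuthenticate");   // ask for the password again first
        // ... update the e-mail address here ...
        return RedirectToAction("Index");
    }

    [HttpGet, RequireHttps]
    public ActionResult ReAuthenticate() { return View(); }

    [HttpPost, ValidateAntiForgeryToken, RequireHttps]
    public ActionResult ReAuthenticate(string password)
    {
        if (!Membership.ValidateUser(User.Identity.Name, password))
            return View();                                // wrong password: show the form again
        Response.Cookies.Add(ElevatedAuth.Issue(User.Identity.Name));
        return RedirectToAction("Index");
    }

    [HttpGet]
    public ActionResult Download(string name)
    {
        string physical = SafePaths.ResolveUnderRoot(Server.MapPath(DownloadRoot), name);
        if (physical == null || !System.IO.File.Exists(physical))
            return HttpNotFound();    // same response whether the name was rejected or missing
        return File(physical, "application/octet-stream", Path.GetFileName(physical));
    }
}
```

The elevated cookie is deliberately separate from the normal Forms Authentication cookie so that a stolen everyday session cannot perform the special operations on its own; setting requireSSL="true" on the <forms> element in web.config additionally marks the regular authentication cookie Secure. The Download action returns 404 for both rejected and missing names so a caller learns nothing about the folder layout from the difference.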

php .net security
