OWASP - User contributions [en]

Tainted String Library

2013-08-31T10:55:47Z

Rahul Chaudhary:

<h4>Introduction:</h4>
In any programming language, handling strings is definitely one of the most daunting and challenging work as they pose some very serious threats in any program. Even in PHP, there are many forms of strings that have the capacity to fully crack the application. What we need in these scenarios is to check each string for contaminated values and we also need a way to flag strings to indicate that these strings are "Tainted".
<BR><BR>

<h4>Need for this library:</h4>
The only mode of the prevalent injection attacks are strings and thus they are very dangerous. Attackers craft many dangerous strings that can destroy the whole system. Thus, the program and applications need to work with safe strings. For this, we have developed this library that can flag a warning to the users when a dangerous string is used. With this library in use, all the strings that the developers thinks can cause problems - such as input fields, they can mark these strings as "tainted" and future use of these strings will generate an error if these strings are used anywhere in program without first decontaminating them.
<BR><BR>

<h4>PHPSEC Tainted String Implementation:</h4>
To "taint" a string, we created a "Tainted" class which is an abstract class that defines functions to contaminate and decontaminate a string. In other words they create or remove flags from strings to show them that they are "tainted" or not. Another class that derives the "Tainted" class is called "TaintedString" class and is responsible to actually taint/un-taint a string.
<BR><BR>
<b>Tainted class</b> contains the following functions:
<ol>
<li><b>Is: </b>This function tells if the string is marked as "tainted" or not. If the string is indeed marked as "tainted" then that means that other classes that uses this value will have to be careful before using it.</li>
<li><b>contaminate: </b>This function marks the string as "tainted". I.e. if the user passes a string to this function, then this function will mark this string as "tainted" and future use of this string will generate warnings and developers will have to be careful in using this function.</li>
<li><b>decontaminate: </b>This function does the exact opposite of the "contaminte()" function. It removes the field that marks this particular string as "tainted". It means that once the string becomes un-tainted then it can be used without worries and is safe for all purpose.</li>
</ol>
<b>TaintedString class</b> contains the following functions:
<ol>
<li><b>__construct: </b>Being the constructor of this class, the job of this function is to store the string upon which this whole class is called upon. It takes the user given string and simply stores it for future use.</li>
<li><b>__toString: </b>This function overrides the "toString()" method in PHP. With the use of this function, the use of a tainted string will trigger an error that would warn the use of this string.</li>
</ol>
<BR>

<h4>Other Helpful Links:</h4>

Tainted String Library

2013-08-31T09:43:35Z

Rahul Chaudhary: Created page with "<h4>Introduction:</h4> In any programming language, handling strings is definately the most daunting and challenging work as they pose some very serios threats to any program...."

<h4>Introduction:</h4>
In any programming language, handling strings is definately the most daunting and challenging work as they pose some very serios threats to any program. Even in PHP, there are many forms of strings that have the capacity to fully crack the application. What we need in these scenarios is to check each string for contaminated values and we also need a way to flag strings to indicate that these strings are "Tainted".

Projects/OWASP PHP Security Project/Roadmap

2013-08-31T08:38:53Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> [[Phpsec/Secure Database Library|Secure Database Library]]</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> [[Error Handler Library]]</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> [[Phpsec/HTTP Request Handling Library|HTTP Request Handling Library]]</li>
<li> [[HTTP Response Handling Library]]</li>
</ul>
<BR>
'''Log Related Libraries:'''
<ul>
<li> [[Logs Library]]</li>
</ul>
<BR>
'''Scanner Related Libraries:'''
<ul>
<li> [[Static Scanner Library]]</li>
</ul>
<BR>
'''Sensitive Data Protection Related Libraries:'''
<ul>
<li> [[Secure Application Configuration and State Library]]</li>
<li> [[Tainted String Library]]</li>
<li> [[Secure Output Library]]</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> [[Time and Randomness Management Library]]</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> [[Advanced Password Management Library]]</li>
</ul>
<BR>

Projects/OWASP PHP Security Project/Roadmap

2013-08-31T08:38:16Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> [[Phpsec/Secure Database Library|Secure Database Library]]</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> [[Error Handler Library]]</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> [[Phpsec/HTTP Request Handling Library|HTTP Request Handling Library]]</li>
<li> [[HTTP Response Handling Library]]</li>
</ul>
<BR>
'''Log Related Libraries:'''
<ul>
<li> [[Logs Library]]</li>
</ul>
<BR>
'''Scanner Related Libraries:'''
<ul>
<li> [[Static Scanner Library]]</li>
<li> [[Tainted String Library]]</li>
<li> [[Secure Output Library]]</li>
</ul>
<BR>
'''Sensitive Data Protection Related Libraries:'''
<ul>
<li> [[Secure Application Configuration and State Library]]</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> [[Time and Randomness Management Library]]</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> [[Advanced Password Management Library]]</li>
</ul>
<BR>

Error Handler Library

2013-08-31T08:25:58Z

Rahul Chaudhary:

<h4>Introduction:</h4>

Unlike other languages like Java, in PHP "Exceptions" are handled in a different way than "Errors". In PHP, any anomaly in the logic such as "Divide by zero" are considered as errors and things such as "Trying to access a private property" is considered as "Exceptions". "Exceptions" are thrown in PHP like any other language, but "Errors" are not thrown and they need to be converted to "Exceptions" and thrown accordingly by the programmer. This introduces many confusion among developers as they are accustomed to treat everything as an "Exception" and expect them to be thrown automatically.
<BR><BR>

<h4>Need for this Library:</h4>
PHP has a mechanism that allows the developers to set functions that they can register in case any error is generated. This function, once registered, is called whenever an error is generated and then it will be converted to an "Exception" and then will be thrown. In this library we take this task to register the function and to convert them to an "Exception" from the developers and do it ourselves so that they do not have to worry about this. This library first registers the function that converts "Errors" to "Exceptions" so that PHP can call this function and handle it properly in case any "Error" is generated. This function also has the job to convert the PHP "Error" to "Exception". The name of the exception that is produced after the conversion is <b>"ErrorException"</b>.
<BR><BR>

<h4>PHPSEC Error Handling Implementation:</h4>
As per PHP requirements, we first need to define functions to register the function and then to shutdown the function. Then we need to define other methods such as method to convert the error to exceptions. Below is the list of all the function and their uses:
<ul>
<li><b>enable: </b>This method sets the phpsec error handler as error handler. What we mean is that once the developers calls this function, the PHP's own error handler passes the authority to handle PHP errors to this function. This function checks if the function is already registered or not and if not registered, this method registers our error handler using PHP's "set_error_handler" function. Similarly it also checks if the shutdown function is registered or not and if not registered, it registers our own shutdown function using "register_shutdown_function". In addition to all the above mentioned task, it also saves the PHP's current error reporting state for in case the user wants to turn off our error reporting mechanism, they can go back to their own PHP's error reporting mechanism.</li>
<li><b>disable: </b>This function does the exact opposite of the "Enable" function. It first checks if the methods have been register or not and if registered, then it un-register them and reverts back to PHP's old error mechanism using "error_reporting()" and "restore_error_handler()" method.</li>
<li><b>isActive: </b>This function checks the if our error mechanism is currently active or not.</li>
<li><b>_shutdown: </b>This is registered as a shutdown function to catch fatal errors. It means that if PHP encounters some fatal errors that is causing the whole application to fail, then it calls this shutdown function before failing, thus giving the application a last chance to correct the fatal error and to save the application or to handle the error gracefully. Our implementation of this function only considers <b>"E_ERROR", "E_CORE_ERROR", "E_PARSE", "E_COMPILE_ERROR" and "E_USER_ERROR"</b> as fatal and simply warns the user of this error before failing the application.</li>
<li><b>_errorToException: </b>This function converts the PHP's error to "Exceptions". The exception that is generated is called <b>"ErrorException"</b>.</li>
<li><b>dump: </b>It dumps an exception in readable format</li>
</ul>
<BR>

<h4>Other Helpful Links:</h4>

Error Handler Library

2013-08-31T08:01:07Z

Rahul Chaudhary: Created page with "<h4>Introduction:</h4> Unlike other languages like Java, in PHP "Exceptions" are handled in a different way than "Errors". In PHP, any anomaly in the logic such as "Divide by..."

Projects/OWASP PHP Security Project/Roadmap

2013-08-31T07:44:12Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> [[Phpsec/Secure Database Library|Secure Database Library]]</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> [[Error Handler Library]]</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> [[Phpsec/HTTP Request Handling Library|HTTP Request Handling Library]]</li>
<li> [[HTTP Response Handling Library]]</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> [[Secure Application Configuration and State Library]]</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> [[Time and Randomness Management Library]]</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> [[Advanced Password Management Library]]</li>
</ul>
<BR>

HTTP Response Handling Library

2013-07-26T07:30:38Z

Rahul Chaudhary:

<h4>Introduction</h4>
Secure PHP Static HTTP Response Handling Library is to control the downloadable contents in the library. With control we mean the download speed with which the files are served to the users. Developers can use this library to set a speed limit on the files. This library also contains functions to resume download which is supported in most of the browsers and assists download managers.
<BR>
<h4>Functions in this library</h4>
Lists of functions in this library and their uses are as follows:
<ul>
<li>
<b>MIME: </b>This function is used to find out the extension of files and to determine their types from their extensions.
</li>
<li>
<b>isModifiedSince: </b>This function is used to calculate if the file has changed since the user last visited that page. If the file has been changed since the last visit, then true is returned indicating the browser to re-download the file.
</li>
<li>
<b>calculateHTTPRange: </b>This function is used to calculate which parts of file have been downloaded and which parts have NOT been downloaded. With this knowledge, the browsers and the download managers can be instructed to download only the remaining parts.
</li>
<li>
<b>download: </b>This function is used to download a file. This function is the central function that uses all of the above functions and many others to impose limits on the file download speed and to serve only those parts of file which needs to be downloaded. This function also rewrites the HTTP headers for indicating the browsers about the details of the content it is serving.
</li>
<li>
<b>serveData: </b>This function is used to serve some data to the client. This is different from serving a file. There is no limit nor restrictions on the download of this chunk of data. This chunk of data is served as a whole and not in parts.
</li>
</ul>
<BR>
<h4>Other Helpful Links</h4>

HTTP Response Handling Library

2013-07-26T06:55:36Z

Rahul Chaudhary: Created page with "<h4>Introduction</h4> Secure PHP Static HTTP Response Handling Library is to control the downloadable contents in the library. With control we mean the download speed with whi..."

Projects/OWASP PHP Security Project/Roadmap

2013-07-26T06:44:28Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> Secure Database Library.</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> HTTP Request Handling Library.</li>
<li> [[HTTP Response Handling Library]]</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> [[Secure Application Configuration and State Library]]</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> [[Time and Randomness Management Library]]</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> [[Advanced Password Management Library]]</li>
</ul>
<BR>

Secure Application Configuration and State Library

2013-07-26T04:25:11Z

Rahul Chaudhary:

<h4>Introduction</h4>
<b>new \PDO ("mysql:dbname='pdo_mysql';host='localhost';", "root", "myPassword");</b>
<BR>
In any application there are several lines, as the one given above, that contains some data that are extremely sensitive and not to be seen. Nevertheless, they have to be in files and codes for the application to work properly (In the above case, to create a successful connection to the DB). These confidential data if compromised, has the potential to end the life-time of the application. The attackers can use the password for anything ranging from passive monitoring to actively deleting all the data. That's enough to bring a company down. For this reason, these sensitive data needs to be protected. The function of this library is to protect these data from being stolen.
<BR>
<h4>What is sensitive ?</h4>
A sensitive piece of data is any data that if known publicly, can aid in unauthorized access or kind of malfunction in the system. The range of this data can be from "passwords" to "configuration files". Data such as version no, file locations etc can be harmful. Thus, they can also be treated as sensitive. Overall, the term is very vague and its meaning cannot be made clearer until a context is provided. Thus, the developers can assume any data to be sensitive which they feel no one else must know.
<BR>
<h4>Requirements</h4>
For this library to work, there is one and only one requirement - that '''the files must be writable'''. We also understand that in main server this is not true for most of the time. In those cases, the developers must encrypt the values by hand and the decryption will be performed by the function. If however, the files are writable, this function will work and will encrypt the sensitive values in replace them in the file.
<BR>
<h4>PHPSEC Secure Application Configuration and State Library Implementation</h4>
This work-flow of this library is pretty simple, but yet powerful. When the file is run for the first time in the server, it will contain sensitive data. However all those places which are sensitive, will be using this function "confidentialString()". So, in the first run, this function, wherever found, will replace that sensitive value with its corresponding encrypted value. Since second run, wherever this value is needed, the encrypted value will again pass through this function, get decrypted and used. Please note that the value in the file is not getting replaced again with the decrypted value, but is used as a variable which gets destroyed once the program execution stops.
<BR>
For encryption we are using PHP's "mcrypt()" function. Default cipher used is "MCRYPT_RIJNDAEL_256" in "cbc" mode. However, these parts are configurable. The developers are free to choose their own schemes. As described earlier, this function needs the files to be writable. If not, this function throws a "FileNotWritable" exception. If that is the case, then the developers will need to place the encrypted value of the confidential strings manually everywhere.
<BR><BR>
<h4>Other Helpful Links</h4>

Secure Application Configuration and State Library

2013-07-25T14:12:35Z

Rahul Chaudhary: Created page with "<h4>Introduction</h4> new \PDO ("mysql:dbname='pdo_mysql';host='localhost';", "root", "myPassword"); <BR> In any application there are several lines, as the one given above, t..."

<h4>Introduction</h4>
new \PDO ("mysql:dbname='pdo_mysql';host='localhost';", "root", "myPassword");
<BR>
In any application there are several lines, as the one given above, that contains some data that are extremely sensitive and not to be seen. Nevertheless, they have to be in files and codes for the application to work properly (In the above case, to create a successful connection to the DB). These confidential data if compromised, has the potential to end the life-time of the application. The attackers can use the password for anything ranging from passive monitoring to actively deleting all the data. That's enough to bring a company down. For this reason, these sensitive data needs to be protected. The function of this library is to protect these data from being stolen.
<BR>
<h4>What is sensitive ?</h4>
A sensitive piece of data is any data that if known publicly, can aid in unauthorized access or kind of malfunction in the system. The range of this data can be from "passwords" to "configuration files". Data such as version no, file locations etc can be harmful. Thus, they can also be treated as sensitive. Overall, the term is very vague and its meaning cannot be made clearer until a context is provided. Thus, the developers can assume any data to be sensitive which they feel no one else must know.
<BR>
<h4>

Projects/OWASP PHP Security Project/Roadmap

2013-07-25T13:56:08Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> Secure Database Library.</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> HTTP Request Handling Library.</li>
<li> HTTP Response Handling Library.</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> [[Secure Application Configuration and State Library]]</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> [[Time and Randomness Management Library]]</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> [[Advanced Password Management Library]]</li>
</ul>
<BR>

Time and Randomness Management Library

2013-07-25T13:49:59Z

Rahul Chaudhary:

<h4>Introduction</h4>
<ul>
<li>
<b>Time: </b>This library is a wrapper library for PHPs own "time()" function. With the use of this library, our aim was to isolate our system with the "system clock" which is used by the PHP's "time()" function. A separate wrapper for time lets us move time forward (future) or backwards (past) without changing the actual system time. This central library can be reset-ed to a different time and that time would be reflected in all of the application, without having to change any other component in the system or application.
</li>
<li>
<b>Random: </b>This library is the central library to generate random numbers and strings for the whole application. Using this library we can generate cryptographically random strings of any length. This function also produces random integers.
</li>
</ul>
<BR>
<h4>Need for Time and Randomness Library</h4>
<p>
<b>Time: </b>With time, developers often feel the need to change the system time - maybe for testing purpose or for different time-zones. Whatever is the case, developers find a hard time using normal PHP's "time()" function. To change time to some other time, they have to change system time, which is not only insecure, but will also affect many functions inside the host operating systems which heavily depend on time, such as Cron jobs and time-triggered events. This also is not recommended on main servers as this can corrupt other authentication servers such as "Kerberos". Also it may give an attacker a window to launch some attacks to time-dependent functions. Thus, for all the reasons stated above, we strongly felt the need to generate a wrapper for time, so that change of time within an application can be isolated and controlled. With this we mean that change in time in one application must not affect any other application or system outside the scope of the application. To keep consistency between our application and PHP, we created our "time()" function with the same name as PHP's "time()" function. Thus within our library, calling "time()" function automatically calls PHPSEC's time() function rather than PHP's time() function.
</p>
<p>
<b>Random: </b>Similarly the need of randomness is crucial in an application. With random strings being so important in a secure application and because not having a separate function in PHP's library for generating a cryptographically secure random string of desired length, we decided to create a separate central library that can provide random strings of desired length. With this library the developers can create secure strings of desired length and can also generate a random integer within a desired range. To keep consistency between our application and PHP, we created our "rand()" function with the same name as PHP's "rand()" function. Thus within our library, calling "rand()" function automatically calls PHPSEC's rand() function rather than PHP's rand() function.
</p>
<BR>
<h4>PHPSEC Time and Randomness Library Implementation</h4>
Time and Randomness libraries are core libraries. Unlike other libraries, core libraries are used by mostly all of the other libraries for various functions. With time and randomness being core, we can use their time() and rand() function wherever they are needed in the application. These libraries do not depend on any other component of the application and are truly stand-alone libraries. Their implementation details are as follows:
<BR><BR>
<b>Time: </b>Time library contains one function inside "phpsec" namespace - "time()". This library takes two arguments - the first argument is "mode" and the next argument is "desired time". By default "mode" is "CURR" and "desired time" is "0". Types of mode that are possible in our time() function are:
<ul>
<li><b>CURR: </b>Used to request current time as specified. i.e. if the developer has set time to March 7, Sun, 1971, then this mode will return the current time that has passed since that time was kept.</li>
<li><b>SET: </b>Used to set time to a desired time. The second argument here takes the desired time in unix timestamp format.</li>
<li><b>RESET: </b>Used to reset time to the original system time.</li>
<li><b>MOV: </b>Used to move time backward. The second argument here takes the time difference that is to be moved. e.g. 3600 will move the clock backward 3600 seconds.</li>
<li><b>SYS: </b>Used to request system time. This mode will return the correct system time irrespective of the fact that the clock is moved forward or backward. Note the this does not changes the user-defined time. This just returns the correct system time.</li>
</ul>
<BR>
<b>Random: </b>Random library contains two functions inside "phpsec" namespace - "rand()" and "randstr()". The former method is used to get random integer between a specified range and the latter function is used to get a random string of specified length. The "rand()" function takes two parameters - "min (Defaults to 0)" and "max (Defaults to null)". The other function "randstr()" takes only one parameter - the length of the string desired (defaults to 32). To generate a random string, we use the openssl function (openssl_random_pseudo_bytes). If that function is somehow not present, we use (posix_getpid()) and (memory_get_usage()) to generate the random string.
<BR><BR>
<h4>Other Helpful Links</h4>

Time and Randomness Management Library

2013-07-25T12:55:33Z

Rahul Chaudhary: Created page with "<h4>Introduction</h4> <ul> <li> <b>Time: </b>This library is a wrapper library for PHPs own "time()" function. With the use of this library, our aim was to isolate our system ..."

Projects/OWASP PHP Security Project/Roadmap

2013-07-25T10:21:08Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> Secure Database Library.</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> HTTP Request Handling Library.</li>
<li> HTTP Response Handling Library.</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> Secure Application Configuration and State Library.</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> [[Time and Randomness Management Library]]</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> [[Advanced Password Management Library]]</li>
</ul>
<BR>

Advanced Password Management Library

2013-07-18T23:35:43Z

Rahul Chaudhary: Created page with "<h4>Introduction</h4> Advanced Password Management Library works on top of "Basic Password Management Library". It provides additional functionality to help developers mit..."

<h4>Introduction</h4>
Advanced Password Management Library works on top of "[[Basic Password Management Library]]". It provides additional functionality to help developers mitigate the risks of password theft and misuse. Though advised to use this library in conjunction with "[[Basic Password Management Library]]", this library is a stand-alone library. It can also be imported directly in existing projects and its functions can be used directly. This library provides few, but advanced functions to catch misuse of passwords and to assist advanced authentication mechanisms. These terms are described below in detail.
<BR>
<h4>PHPSEC Advanced Password Management Implementation</h4>
This following type of functions are provided in this library:
<BR>
<b>Brute Force Detection: </b>This function has the capability to detect if a brute-search is in progress. It monitors the time difference between two login attempts and calculates if the login attempt was made by a human or a bot.
<BR>
<b>Temporary Password: </b>Function to generate a temporary password. Developers can use this function in various cases. For e.g. in case if a user forgets his/her password, developer can device functions to generate a temporary password using this function to be sent to the user's email to reset their password. Additionally, this function can be used for two-factor authentications where for sensitive transactions, a separate temporary password is needed to be sent to user in their email/other device/mobile phones, etc. Possibilities are endless.
<BR><BR>
<h4>Other Helpful Links</h4>
<ul>
<li> [[Password Storage Cheat Sheet]]</li>
<li> [[Forgot Password Cheat Sheet]]</li>
</ul>

Projects/OWASP PHP Security Project/Roadmap

2013-07-18T23:12:21Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> Secure Database Library.</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> HTTP Request Handling Library.</li>
<li> HTTP Response Handling Library.</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> Secure Application Configuration and State Library.</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> Time and Randomness Management Library.</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> [[Advanced Password Management Library]]</li>
</ul>
<BR>

Basic Password Management Library

2013-07-18T23:12:00Z

Rahul Chaudhary:

<h4>Introduction</h4>
If web-application is a dungeon, then passwords are the dragons guarding entrance to the application. They are the single entities that keeps a user safe. There are so many things that could go wrong with passwords. There are also many challenges that needs to be addressed to make passwords safe from prying eyes. Right from generation of password to storing of passwords, everything has to be perfect, otherwise attackers would be able to crack it. No wonder hackers target password cracking as a high target - the payoff is too rich. With passwords cracked there are no or very few mechanisms in place to stop you from accessing the account. This library of ours provides developers some functions that helps them create a strong password, verify them, and store them in a correct manner. In this library, you can also find a rich variety of functions that helps identify patterns in your password that are exploited most by the attackers.
<BR>
<h4>Where things go wrong ?</h4>
To demonstrate how passwords are exploited and to differentiate between a strong and a weak password, here are few points :
<ul>
<li> Many users follow a common pattern in their passwords such as their birth-dates, their phone number, their nick-names etc. This common behavior is not so random as it seems to the user and attackers use this behavior to crack their passwords by trying combination of their personal data.</li>
<li> With advanced computing power and massive parallel processing, passwords of shorter length can easily be guessed using brute search. Weak passwords can be cracked now only in few hours.</li>
<li> Passwords must be stored in system using "Hashing". Storing plain passwords in your database is unethical, wrong and extremely dangerous. Therefore, passwords must be hashed before storing them. Also the hashing algorithm used must be cryptographically secure and must produce a long random string, otherwise they can be cracked.</li>
<li> Recent events have proved that plain hashing of passwords is not enough. That can be easily cracked. Techniques such as "rainbow tables" and "Pre-compiled Passwords" makes cracking of plain hashed passwords very easy. Therefore it is necessary to first "salt" the plain password and then use hashing algorithms on them. Salting a password means to mix a random value to all the passwords so that their hashes can be changed. Salts are not sensitive data. They are just simple random values used to change the hash of a password so that pre-compiled tables cannot be used for cracking. To be more secure, it is advised to use dynamic salts in conjunction to a static salts i.e. the passwords must be mixed with a static string that all other passwords are salted with and also a dynamic string unique to that password only. This way the attackers won't be able to crack passwords even if they know the static salt beforehand.</li>
<li> To secure a password, it is necessary for them to at-least contain some degree of randomness. A password secure if it is random. A non-random password will get cracked irrespective of their length.</li>
</ul>
<BR>
<h4>PHPSEC Basic Password Management Implementation</h4>
This library contains many functions to detect specific patterns in a string, calculates randomness in a string, password hashing and salting etc. These functions helps developer to calculate strength in a string or they can use our provided functions. Here is a list of common types of functions that you could find in this library:
<BR>
<b>Password Hashing: </b>Function to properly mix static and dynamic salt to a password and then to calculate its hash.
<BR>
<b>Password Verification: </b>Function to calculate the hash of the new string and to compare it with the hash of the old password to check if the new string and the user's password are same.
<BR>
<b>Password Entropy: </b>Function to calculate "randomness" in a string. Using this function, developers can quantify "randomness" in a string.
<BR>
<b>Pattern Recognition in Strings: </b>Set of functions that are capable to recognizing specific patterns in a string. Patterns such as as "phone no", "dates", "alphabetic characters such as abcde", "keyboard characters such as qwerty" etc.
<BR>
<b>Password Strength: </b>Function to check the strength of a string on scale 0 to 1. This function uses above methods to calculate score of a password.
<BR>
<b>Password Generation: </b>Function to generate a password of specified strength. Strength can be between 0 and 1.
<BR>
<b>Misc Functions: </b>Other functions that provides common functions necessary for this library to work.
<BR><BR>
<h4>Other Helpful Links</h4>
<ul>
<li> [[Password Storage Cheat Sheet]]</li>
<li> [[Forgot Password Cheat Sheet]]</li>
</ul>

Session Management Library

2013-07-18T22:52:08Z

Rahul Chaudhary:

<h4>Introduction</h4>
<p>
A session management library is used to manage multiple sessions. Sessions are used in web-application to store some user data. Since HTTP connections are connection-less, the application needs a way to associate all transactions to its user to make the application dynamic in nature. For e.g. take the scenario of an online marketing website selling some goods. This application has many customs and they do a lot of transaction. Since the HTTP connection is connection-less, the application cannot differentiate between each connection and cannot know what the user did previously. Hence sessions are used on top of the HTTP protocol to remember data about clients. In sessions, during the client-server handshake process, the server allocates an unique ID to the client. Usually client stores this ID in its cookies. After the first connection, the client can produce this ID to the server so that the server can pull records from the application about this user. This way the servers associate transactions with users in an application.
</p>

<p>
        With many users (each user can have multiple sessions and they might be using multiple devices to access the application) the task of keeping track of sessions, storing and retrieving data, expiring sessions, etc. become a challenging task. This is where "Session Management Library" steps in. Its sole purpose is to look and manage sessions in an application so that security risks can be mitigated from the abusive and careless use of sessions.
</p>
<BR>
<h4>Problems with Sessions</h4>
<p>
There is no denying that sessions give applications huge amount of power. But with great power comes great responsibility. Hence its important to keep the sessions safe. Failing to do so creates security holes in the application so severe that security of the whole application can be compromised. There are many reasons to keep the sessions safe:
<ul>
<li> Sessions represents a user identity. If these gets leaked, then an attacker can pose as a legitimate client and can ask server for user data.</li>
<li> Several attacks such as "Session Hijacking" and "Session Fixation" persists.</li>
<li> Sessions often are stored in cookies, and cookies can be stolen via several methods. Hence all cookie related attacks automatically affects sessions.</li>
<li> Stolen sessions are very hard to detect by the system, because stolen sessions acts as normal sessions and there is no anomaly whatsoever. There are methods such as "User-behavior detection", but they are not very much effective until a strong anomaly is detected.</li>
</ul>
</p>
<BR>
<h4>PHPSEC Session Management Implementation</h4>
In this library we have tried to eradicate all of the possible vulnerabilities inside sessions. To ease the process of session management, we have provided several simple functions which makes the task easy and more efficient to handle. These functions internally use a number of methods to handle session vulnerabilities. Each of those methods are over-viewed here in each paragraph.
<BR><BR>
<p>
<b>Databases over cookies: </b>The first issue that I would like to address is the use of cookies and its harmful effects. The server stores all the session data inside path defined under "session.save_path". But the session IDs are stored in client's browser, inside cookies. Its the client's responsibility to send this cookie to the server each time. Now every time the client sends this sensitive piece of information, there is a chance that this might be hijacked using some means. e.g. passive attacks, because in HTTP connections, nothing is encrypted. Therefore we decided to control this situation using databases to store session IDs instead of cookies. Also the session data is stored in databases instead in files and folders. This way the user does not have to send their IDs each time. The application itself can access session data using the user's username. The application can also create several sessions for user in the database and link them with user's username.
</p>
<p>
<b>Session Timeouts: </b>We have provided functions to delete a session after a certain period of time. This introduces a time-frame to attackers because after that time-frame, the stolen session ID will be destroyed. There are two ways to delete a session. First is <b>Session Inactivity Timeout</b>, where the session gets deleted if a user was not active for a certain period of time. Second is <b>Session Expiry Timeout</b>, where the session gets deleted once its maximum lifetime has reached.
</p>
<p>
<b>Session Length and Randomness: </b>With modern day computing power and advancement in parallel processing, its trivial to break a short string via brute-search. However a long string cannot guarantee your safety if its not random. Hence, we need long and cryptographically secure random strings to be able to defend against these kinds of attacks. In our library, we generate strings of length >= 32 which are also cryptographically random, thus making our session IDs safe from those attacks.
</p>
<p>
<b>Session Refresh: </b>Sessions can be refreshed in a number of events - such as user activity before time expires. Therefore we have provided functions to refresh a session. This makes the sessions as good as new by updating its "creation date" and "User Last Activity" time.
</p>
<p>
<b>Session Rolling: </b>Sessions are distributed to users as soon as they visit the application. However there are events within the application which can change the privilege level of the user. E.g. An anonymous user logs in. This event definitely changes the privilege level of the user. Now the user has access to more sensitive data before they were logged in. Most of the time, the session IDs are used to access data within the application which is logical because a session ID represents a user. Thus if sessions are not replaced at the time of these sensitive events, then an unprivileged session would be able to access data that it was not supposed to. So, this function "session rolling" is to be called whenever events like this happens. This function deletes the old session and copies that session's data to a new session. This ensures that the session IDs change every time a privilege promotion/demotion happens.
</p>
<p>
<b>Session Management: </b>With all the useful functions that makes our session implementation safe, we also have created other important functions to manage all the sessions. Some of these functions are to "delete a session", "delete all sessions related to a user", "get all sessions for a user from the DB", "GET/STORE session data from the DB" etc. With all these functions, the task of session management reduces only to a few lines for the developers.
</p>
<BR>
<h4>Other Helpful Links</h4>
<ul>
<li> [[Session Management Cheat Sheet]]</li>
</ul>

Basic Password Management Library

2013-07-18T10:46:03Z

Rahul Chaudhary: Created page with "<h4>Introduction</h4> If web-application is a dungeon, then passwords are the dragons guarding entrance to the application. There are the single entities that keeps a user saf..."

<h4>Introduction</h4>
If web-application is a dungeon, then passwords are the dragons guarding entrance to the application. There are the single entities that keeps a user safe. There are so many things that could go wrong with passwords. There are also many challenges that needs to be addressed to make passwords safe from prying eyes.

Projects/OWASP PHP Security Project/Roadmap

2013-07-18T10:42:03Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> Secure Database Library.</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> HTTP Request Handling Library.</li>
<li> HTTP Response Handling Library.</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> Secure Application Configuration and State Library.</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> Time and Randomness Management Library.</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> [[Basic Password Management Library]]</li>
<li> Advanced Password Management Library.</li>
</ul>
<BR>

User Management Library

2013-07-18T10:41:00Z

Rahul Chaudhary: Created page with "<h4>Introduction</h4> As the name implies, User Management Library is a collection of functions aiming to manage users in a system. This library works on top of the "[[User Li..."

<h4>Introduction</h4>
As the name implies, User Management Library is a collection of functions aiming to manage users in a system. This library works on top of the "[[User Library]]" that we have defined in our framework. The basic difference between the two library is that the "[[User Library]]" is used to handle individual users. On the other hand, "User Management" is all about managing all those users. This library provides some basic functions such as "login" and "logout" that simplifies the functions in "[[User Library]]". On top of that, there are other functions that helps the developer to manage all the users in the database such "getting all users in the database" and "enumerating all the devices that the user is logged in from". So it can be said that this library is a wrapper library for "User Library" and in addition provides more functions to manage them.
<BR>
<h4>Extending User Management Library</h4>
We have not provided and do not intend to provide all the functions that can be used with this library. We understand that there might be functions specific to the application that might be needed by the developers. Hence this library can be extended using the PHP's "extends" keyword. The extended class can contain the specific functions needed by the developers.
<BR>
<h4>PHPSEC User Management Implementation</h4>
We have created this library in the most simplest sense we could, providing the developers functions that are secure and simple to use. Simple functions make this library more open and transparent. Some common functions in this library are:
<b> User Exists: </b>Function to check if a user exists or not in the system.
<BR>
<b> Create User: </b>Simplified function to create a user.
<BR>
<b> Delete User: </b>Simplified function to delete a user.
<BR>
<b> Log-In Status: </b>Function to check if a user is logged in or not.
<BR>
<b> Devices Logged In: </b>Function to count the number of devices that the user is logged in from.
<BR>
<b> Log In: </b>Function for user to log-in in the system.
<BR>
<b> Log Out: </b>Function for user to log-out from the system.
<BR>
<b> Force Log In: </b>Simplified function to force log-in a user.
<BR>
<b> Log Out from all devices: </b>Function to log-out from all the devices at once.
<BR>
<b> Misc Functions: </b>Other functions that provides common functions necessary for this library to work.
<BR><BR>
<h4>Other Helpful Links</h4>

User Library

2013-07-18T10:39:24Z

Rahul Chaudhary:

<h4>Introduction</h4>
A User Library is for individual users in a system. This library aims to provide functions that could ease the process of creation, maintenance and termination of users easily and safely. Users are the key component in any web application. Thus storing their identity in the system is of utmost important. The users make a base for all other components to work on them. A weakness in user system or improper use of its data may lead to data theft or permanent loss of data. In this library, we have created a basic user system that provides most necessary data about users to be stored such as userID, password, account creation time, etc. and secure functions to manipulate these data and to keep them safe such as "create user", "verification", "password reset" etc. With the help of this library, developers can create their own user database with a few lines without worrying about the underlying implementation.
<BR>
<h4>Extending User Library</h4>
As already said, the user library in itself is very plain and simple, with the minimum amount of functionality necessary to create a separate library of its own. The functions and data that is stored in the DB, is very limited. Thus, we have created the library keeping in mind that it needs to be extended. The developers wanting more functionality or more data storage needs such as storing names and age of a user, can extend this library and can create their desired functions on top of this.
To extend this library, one can just use the PHP's "extends" keyword, and then can use the DB to store and retrieve data. In their newly created child class, they can add more functions as they see fit. The whole purpose of this library is not to arm developers with all the functions they MIGHT need, but our aim is to provide them with the basic functionality so that they can move on from these tasks to more demanding business.
<BR>
<h4>PHPSEC User Library Implementation</h4>
We have created this user library in the most simplest sense we could, providing the developers functions that are secure and simple to use. Simple functions make this library more open and transparent. Some common functions in this library are:
<BR>
<b> Create a new User: </b>This function is used to create a new user.
<BR>
<b> Get Existing User: </b>This function is used to request object of an existing user from the system.
<BR>
<b> Force Login: </b>Function to validate a user without their credentials.
<BR>
<b> Verify Password: </b>Function to verify a user given string as his password.
<BR>
<b> Reset Password: </b>Function to reset a user's password to some new password.
<BR>
<b> Delete Password: </b>Function to delete a user from a system.
<BR>
<b> Remember Me: </b>Function to imitate the behavior of "remember me" function which allows the users to skip entering their credentials each time they visit the application.
<BR>
<b> Misc Functions: </b>Other functions that provides common functions to user such as "get Account Creation Time" etc and functions necessary for this library to work.
<BR><BR>
<h4>Other Helpful Links</h4>

Projects/OWASP PHP Security Project/Roadmap

2013-07-18T09:43:39Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> Secure Database Library.</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> HTTP Request Handling Library.</li>
<li> HTTP Response Handling Library.</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> Secure Application Configuration and State Library.</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> Time and Randomness Management Library.</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> [[User Management Library]]</li>
<li> Basic Password Management Library.</li>
<li> Advanced Password Management Library.</li>
</ul>
<BR>

User Library

2013-07-18T09:43:09Z

Rahul Chaudhary:

<h4>Introduction</h4>
A User Library is for individual users in a system. This library aims to provide functions that could ease the process of creation, maintenance and termination of users easily and safely. Users are the key component in any web application. Thus storing their identity in the system is of utmost important. The users make a base for all other components to work on them. A weakness in user system or improper use of its data may lead to data theft or permanent loss of data. In this library, we have created a basic user system that provides most necessary data about users to be stored such as userID, password, account creation time, etc. and secure functions to manipulate these data and to keep them safe such as "create user", "verification", "password reset" etc. With the help of this library, developers can create their own user database with a few lines without worrying about the underlying implementation.
<BR>
<h4>Extending User Library</h4>
As already said, the user library in itself is very plain and simple, with the minimum amount of functionality necessary to create a separate library of its own. The functions and data that is stored in the DB, is very limited. Thus, we have created the library keeping in mind that it needs to be extended. The developers wanting more functionality or more data storage needs such as storing names and age of a user, can extend this library and can create their desired functions on top of this.
To extend this library, one can just use the PHP's "extends" keyword, and then can use the DB to store and retrieve data. In their newly created child class, they can add more functions as they see fit. The whole purpose of this library is not to arm developers with all the functions they MIGHT need, but our aim is to provide them with the basic functionality so that they can move on from these tasks to more demanding business.
<BR>
<h4>PHPSEC User Library Implementation</h4>
We have created this user library in the most simplest sense we could, providing the developers functions that are secure and simple to use. Simple functions make this library more open and transparent. Some common functions in this library are:
<BR>
<b> Create a new User: </b>This function is used to create a new user.
<BR>
<b> Get Existing User: </b>This function is used to request object of an existing user from the system.
<BR>
<b> Force Login: </b>Function to validate a user without their credentials.
<BR>
<b> Verify Password: </b>Function to verify a user given string as his password.
<BR>
<b> Reset Password: </b>Function to reset a user's password to some new password.
<BR>
<b> Delete Password: </b>Function to delete a user from a system.
<BR>
<b> Remember Me: </b>Function to imitate the behavior of "remember me" function which allows the users to skip entering their credentials each time they visit the application.
<BR>
<b> Misc Functions: </b>Other functions that provided common functions to user such as "get Account Creation Time" etc and functions necessary for this library to work.
<BR><BR>
<h4>Other Helpful Links</h4>

Session Management Library

2013-07-18T09:42:54Z

Rahul Chaudhary:

User Library

2013-07-18T06:40:54Z

Rahul Chaudhary: Created page with "<h4>Introduction</h4> A User Library is for individual users in a system."

<h4>Introduction</h4>
A User Library is for individual users in a system.

Projects/OWASP PHP Security Project/Roadmap

2013-07-18T06:38:40Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> Secure Database Library.</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> HTTP Request Handling Library.</li>
<li> HTTP Response Handling Library.</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> Secure Application Configuration and State Library.</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> Time and Randomness Management Library.</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> [[User Library]]</li>
<li> User Management Library.</li>
<li> Basic Password Management Library.</li>
<li> Advanced Password Management Library.</li>
</ul>
<BR>

Session Management Library

2013-07-18T06:36:58Z

Rahul Chaudhary:

<h4>Introduction</h4>
<p>
A session management library is used to manage multiple sessions. Sessions are used in web-application to store some user data. Since HTTP connections are connection-less, the application needs a way to associate all transactions to its user to make the application dynamic in nature. For e.g. take the scenario of an online marketing website selling some goods. This application has many customs and they do a lot of transaction. Since the HTTP connection is connection-less, the application cannot differentiate between each connection and cannot know what the user did previously. Hence sessions are used on top of the HTTP protocol to remember data about clients. In sessions, during the client-server handshake process, the server allocates an unique ID to the client. Usually client stores this ID in its cookies. After the first connection, the client can produce this ID to the server so that the server can pull records from the application about this user. This way the servers associate transactions with users in an application.
</p>

<p>
        With many users (each user can have multiple sessions and they might be using multiple devices to access the application) the task of keeping track of sessions, storing and retrieving data, expiring sessions, etc. become a challenging task. This is where "Session Management Library" steps in. Its sole purpose is to look and manage sessions in an application so that security risks can be mitigated from the abusive and careless use of sessions.
</p>
<BR>
<h4>Problems with Sessions</h4>
<p>
There is no denying that sessions give applications huge amount of power. But with great power comes great responsibility. Hence its important to keep the sessions safe. Failing to do so creates security holes in the application so severe that security of the whole application can be compromised. There are many reasons to keep the sessions safe:
<ul>
<li> Sessions represents a user identity. If these gets leaked, then an attacker can pose as a legitimate client and can ask server for user data.</li>
<li> Several attacks such as "Session Hijacking" and "Session Fixation" persists.</li>
<li> Sessions often are stored in cookies, and cookies can be stolen via several methods. Hence all cookie related attacks automatically affects sessions.</li>
<li> Stolen sessions are very hard to detect by the system, because stolen sessions acts as normal sessions and there is no anomaly whatsoever. There are methods such as "User-behavior detection", but they are not very much effective until a strong anomaly is detected.</li>
</ul>
</p>
<BR>
<h4>PHPSEC Session Management Implementation</h4>
In this library we have tried to eradicate all of the possible vulnerabilities inside sessions. To ease the process of session management, we have provided several simple functions which makes the task easy and more efficient to handle. These functions internally use a number of methods to handle session vulnerabilities. Each of those methods are over-viewed here in each paragraph.
<BR><BR>
<p>
<b>Databases over cookies: </b>The first issue that I would like to address is the use of cookies and its harmful effects. The server stores all the session data inside path defined under "session.save_path". But the session IDs are stored in client's browser, inside cookies. Its the client's responsibility to send this cookie to the server each time. Now every time the client sends this sensitive piece of information, there is a chance that this might be hijacked using some means. e.g. passive attacks, because in HTTP connections, nothing is encrypted. Therefore we decided to control this situation using databases to store session IDs instead of cookies. Also the session data is stored in databases instead in files and folders. This way the user does not have to send their IDs each time. The application itself can access session data using the user's username. The application can also create several sessions for user in the database and link them with user's username.
</p>
<p>
<b>Session Timeouts: </b>We have provided functions to delete a session after a certain period of time. This introduces a time-frame to attackers because after that time-frame, the stolen session ID will be destroyed. There are two ways to delete a session. First is <b>Session Inactivity Timeout</b>, where the session gets deleted if a user was not active for a certain period of time. Second is <b>Session Expiry Timeout</b>, where the session gets deleted once its maximum lifetime has reached.
</p>
<p>
<b>Session Length and Randomness: </b>With modern day computing power and advancement in parallel processing, its trivial to break a short string via brute-search. However a long string cannot guarantee your safety if its not random. Hence, we need long and cryptographically secure random strings to be able to defend against these kinds of attacks. In our library, we generate strings of length >= 32 which are also cryptographically random, thus making our session IDs safe from those attacks.
</p>
<p>
<b>Session Refresh: </b>Sessions can be refreshed in a number of events - such as user activity before time expires. Therefore we have provided functions to refresh a session. This makes the sessions as good as new by updating its "creation date" and "User Last Activity" time.
</p>
<p>
<b>Session Rolling: </b>Sessions are distributed to users as soon as they visit the application. However there are events within the application which can change the privilege level of the user. E.g. An anonymous user logs in. This event definitely changes the privilege level of the user. Now the user has access to more sensitive data before they were logged in. Most of the time, the session IDs are used to access data within the application which is logical because a session ID represents a user. Thus if sessions are not replaced at the time of these sensitive events, then an unprivileged session would be able to access data that it was not supposed to. So, this function "session rolling" is to be called whenever events like this happens. This function deletes the old session and copies that session's data to a new session. This ensures that the session IDs change every time a privilege promotion/demotion happens.
</p>
<p>
<b>Session Management: </b>With all the useful functions that makes our session implementation safe, we also have created other important functions to manage all the sessions. Some of these functions are to "delete a session", "delete all sessions related to a user", "get all sessions for a user from the DB", "GET/STORE session data from the DB" etc. With all these functions, the task of session management reduces only to a few lines for the developers.
</p>
<BR>
<h4>Other Helpful Links:</h4>
<ul>
<li> https://www.owasp.org/index.php/Session_Management_Cheat_Sheet</li>
</ul>

Session Management Library

2013-07-18T06:34:39Z

Rahul Chaudhary:

== Session Management Library ==

<h4>Introduction</h4>
<p>
A session management library is used to manage multiple sessions. Sessions are used in web-application to store some user data. Since HTTP connections are connection-less, the application needs a way to associate all transactions to its user to make the application dynamic in nature. For e.g. take the scenario of an online marketing website selling some goods. This application has many customs and they do a lot of transaction. Since the HTTP connection is connection-less, the application cannot differentiate between each connection and cannot know what the user did previously. Hence sessions are used on top of the HTTP protocol to remember data about clients. In sessions, during the client-server handshake process, the server allocates an unique ID to the client. Usually client stores this ID in its cookies. After the first connection, the client can produce this ID to the server so that the server can pull records from the application about this user. This way the servers associate transactions with users in an application.
</p>

<p>
        With many users (each user can have multiple sessions and they might be using multiple devices to access the application) the task of keeping track of sessions, storing and retrieving data, expiring sessions, etc. become a challenging task. This is where "Session Management Library" steps in. Its sole purpose is to look and manage sessions in an application so that security risks can be mitigated from the abusive and careless use of sessions.
</p>
<BR>
<h4>Problems with Sessions</h4>
<p>
There is no denying that sessions give applications huge amount of power. But with great power comes great responsibility. Hence its important to keep the sessions safe. Failing to do so creates security holes in the application so severe that security of the whole application can be compromised. There are many reasons to keep the sessions safe:
<ul>
<li> Sessions represents a user identity. If these gets leaked, then an attacker can pose as a legitimate client and can ask server for user data.</li>
<li> Several attacks such as "Session Hijacking" and "Session Fixation" persists.</li>
<li> Sessions often are stored in cookies, and cookies can be stolen via several methods. Hence all cookie related attacks automatically affects sessions.</li>
<li> Stolen sessions are very hard to detect by the system, because stolen sessions acts as normal sessions and there is no anomaly whatsoever. There are methods such as "User-behavior detection", but they are not very much effective until a strong anomaly is detected.</li>
</ul>
</p>
<BR>
<h4>PHPSEC Session Management Implementation</h4>
In this library we have tried to eradicate all of the possible vulnerabilities inside sessions. To ease the process of session management, we have provided several simple functions which makes the task easy and more efficient to handle. These functions internally use a number of methods to handle session vulnerabilities. Each of those methods are over-viewed here in each paragraph.
<BR><BR>
<p>
<b>Databases over cookies: </b>The first issue that I would like to address is the use of cookies and its harmful effects. The server stores all the session data inside path defined under "session.save_path". But the session IDs are stored in client's browser, inside cookies. Its the client's responsibility to send this cookie to the server each time. Now every time the client sends this sensitive piece of information, there is a chance that this might be hijacked using some means. e.g. passive attacks, because in HTTP connections, nothing is encrypted. Therefore we decided to control this situation using databases to store session IDs instead of cookies. Also the session data is stored in databases instead in files and folders. This way the user does not have to send their IDs each time. The application itself can access session data using the user's username. The application can also create several sessions for user in the database and link them with user's username.
</p>
<p>
<b>Session Timeouts: </b>We have provided functions to delete a session after a certain period of time. This introduces a time-frame to attackers because after that time-frame, the stolen session ID will be destroyed. There are two ways to delete a session. First is <b>Session Inactivity Timeout</b>, where the session gets deleted if a user was not active for a certain period of time. Second is <b>Session Expiry Timeout</b>, where the session gets deleted once its maximum lifetime has reached.
</p>
<p>
<b>Session Length and Randomness: </b>With modern day computing power and advancement in parallel processing, its trivial to break a short string via brute-search. However a long string cannot guarantee your safety if its not random. Hence, we need long and cryptographically secure random strings to be able to defend against these kinds of attacks. In our library, we generate strings of length >= 32 which are also cryptographically random, thus making our session IDs safe from those attacks.
</p>
<p>
<b>Session Refresh: </b>Sessions can be refreshed in a number of events - such as user activity before time expires. Therefore we have provided functions to refresh a session. This makes the sessions as good as new by updating its "creation date" and "User Last Activity" time.
</p>
<p>
<b>Session Rolling: </b>Sessions are distributed to users as soon as they visit the application. However there are events within the application which can change the privilege level of the user. E.g. An anonymous user logs in. This event definitely changes the privilege level of the user. Now the user has access to more sensitive data before they were logged in. Most of the time, the session IDs are used to access data within the application which is logical because a session ID represents a user. Thus if sessions are not replaced at the time of these sensitive events, then an unprivileged session would be able to access data that it was not supposed to. So, this function "session rolling" is to be called whenever events like this happens. This function deletes the old session and copies that session's data to a new session. This ensures that the session IDs change every time a privilege promotion/demotion happens.
</p>
<p>
<b>Session Management: </b>With all the useful functions that makes our session implementation safe, we also have created other important functions to manage all the sessions. Some of these functions are to "delete a session", "delete all sessions related to a user", "get all sessions for a user from the DB", "GET/STORE session data from the DB" etc. With all these functions, the task of session management reduces only to a few lines for the developers.
</p>
<BR>
<h4>Other Helpful Links:</h4>
<ul>
<li> https://www.owasp.org/index.php/Session_Management_Cheat_Sheet</li>
</ul>

Session Management Library

2013-07-17T09:20:59Z

Rahul Chaudhary: Created page with " == Session Management Library == <h4>Introduction</h4> <p> A session management library is used to manage multiple sessions. Sessions are used in web-application to store s..."

Projects/OWASP PHP Security Project/Roadmap

2013-07-17T09:19:30Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> Secure Database Library.</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> HTTP Request Handling Library.</li>
<li> HTTP Response Handling Library.</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> Secure Application Configuration and State Library.</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> [[Session Management Library]]</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> Time and Randomness Management Library.</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> User Library.</li>
<li> User Management Library.</li>
<li> Basic Password Management Library.</li>
<li> Advanced Password Management Library.</li>
</ul>
<BR>

Your new address

2013-07-17T09:07:08Z

Rahul Chaudhary: Rahul Chaudhary moved page Your new address to Phpsec session management: This page belongs under docs in "phpsec" project.

#REDIRECT [[Phpsec session management]]

Template:!

2013-07-16T00:03:43Z

Rahul Chaudhary:

----

Template:!

2013-07-16T00:02:14Z

Rahul Chaudhary: Blanked the page

Template:!

2013-07-16T00:01:33Z

Rahul Chaudhary:

|
Hello...what is this page ?

Projects/OWASP PHP Security Project/Roadmap

2013-07-15T23:56:55Z

Rahul Chaudhary:

OWASP PHP Security project’s objective is to secure PHP libraries, and provide a full featured framework of standalone libraries for secure web applications in PHP, releasing them both as separate decoupled libraries and as a whole secure web application framework; where sample configuration and usage can be observed. Many aspects of this project are already handled, and are either added or being added to OWASP.
<BR><BR>

== At present following libraries are supported (In alphabetical order): ==

'''Access Control Related Libraries:'''
<ul>
<li> RBAC Library.</li>
</ul>
<BR>
'''Database Related Libraries:'''
<ul>
<li> Secure Database Library.</li>
</ul>
<BR>
'''Exception and Error Control Related Libraries:'''
<ul>
<li> Error Handler Library.</li>
</ul>
<BR>
'''HTTP Protocol Related Libraries:'''
<ul>
<li> HTTP Request Handling Library.</li>
<li> HTTP Response Handling Library.</li>
</ul>
<BR>
'''Sensitive Date Protection Related Libraries:'''
<ul>
<li> Secure Application Configuration and State Library.</li>
</ul>
<BR>
'''Session Related Libraries:'''
<ul>
<li> Session Management Library.</li>
</ul>
<BR>
'''Time and Randomness Related Libraries:'''
<ul>
<li> Time and Randomness Management Library.</li>
</ul>
<BR>
'''User Related Libraries:'''
<ul>
<li> User Library.</li>
<li> User Management Library.</li>
<li> Basic Password Management Library.</li>
<li> Advanced Password Management Library.</li>
</ul>
<BR>