This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:PHP"

From OWASP
(css)
(minor batch updates)
 
(8 intermediate revisions by the same user not shown)
Line 7: Line 7:
 
== About ==
 
== About ==
  
The OWASP PHP Technology Knowledge Base is the clearing house for all information related to building secure web applications and services based on PHP technologies. The focus of the project is on guidance for developers and application architects on using PHP and PHP frameworks. Moreover, we aim to provide security related guidance for system administrators managing PHP based applications and tools.
+
There are 1.8 billion websites on the internet today. Nearly 80% are powered by the PHP programming language. Freedom, privacy, security, and protection from totalitarianism are not possible if PHP is insecure. This project seeks to be the clearing house for the best ways of protecting PHP websites, apps, and the data they have. Thank you for reading.
 +
  
Community content is key to security information. The project depends on content from developers throughout the PHP ecosystem.
+
== What Does PHP Security Mean? ==
  
==Purpose==
+
* CONFIG: Is my configuration secure? E.g. am I using the latest version of PHP? How does my PHP.ini file look?
 +
* CODEBASE: Is my codebase secure? Am I protecting against SQL injection? Am I protecting against stored XSS attacks?
 +
* ARCHITECTURE: is the app designed with security in-mind? Do I have good documentation on securing the app? Do I have brute force protection or MFA as available options?
 +
* INFRASTRUCTURE: is my deployment environment secure? E.g. Have I hardened the web server the application runs on?
 +
* DEVELOPMENT: Is my development infrastructure secure? E.g. Do I have 2FA on my Github account along with all other developers?
  
* Provide deep, rich guidance for PHP developers in using the security features of PHP and of PHP frameworks.
+
== What Can You Learn Here? ==
* Address security in relation to PHP and derived technologies.
+
* What is the fastest way to secure my legacy PHP application?
* Guide system administrators in managing PHP related components and applications.
+
* What options do I need in my php.ini file for security?
* Create guidance for use of OWASP components that are designed for use with PHP.
+
* What is the proper way to sanitize data in 2019 with PHP?
* Focus on information about working with and on OWASP tools built using PHP or other PHP technologies.
+
* How can I check my dependencies for vulnerabilities?
* Provide a stream of security related information, like vulnerabilities and security patches, related to the PHP universe.
+
* How do you secure the web server running the PHP code?
* Build an ecosystem allowing to all actors interested to discuss, share and learn.
+
* How does one secure phpmyadmin, MySQL, and Postgres databases?
 +
* How can you harden your WordPress or Drupal site?
 +
  
== Licensing ==
 
 
OWASP PHP Technology Knowledge Base is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
  
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
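Review bot: the new About paragraph ("There are 1.8 billion websites ... Nearly 80% are powered by the PHP programming language") cites no source for either figure; name the survey and its basis, since the usual server-side-language surveys only count sites whose language can be detected, which is not the same as "nearly 80% of all websites". Two spelling fixes in the new bullets: "PHP.ini" should be "php.ini" (the file name is lower-case) and "Github" should be "GitHub". The unchanged Licensing line is also missing the opening "[" before the creativecommons.org URL, so the wikitext renders a stray "]" instead of a link; worth fixing while this section is being edited.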
Line 37: Line 41:
 
== Meta ==
 
== Meta ==
  
Last Update: 12/2018
+
Last Updated: 01/2019
  
 
<br/>
 
<br/>
Line 43: Line 47:
 
== Other Resources ==
 
== Other Resources ==
  
[http://lists.owasp.org/mailman/listinfo/php-project Mailing List]
+
[https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software Ultimate 2018 PHP Security Guide]
 +
<br/>
 +
[https://lists.owasp.org/mailman/listinfo/php-project Mailing List]
 +
<br/>
  
<br/>
 
  
 
== Related Projects ==
 
== Related Projects ==
Line 59: Line 65:
  
 
|}
 
|}
 +
  
 
=PHP Security Overview=
 
=PHP Security Overview=
  
It is not easy to produce a PHP application without security vulnerabilities. Most application security [[:Category:Vulnerability|vulnerabilities]] apply to PHP applications just like other environments.  
+
It is not easy to produce a PHP application without security vulnerabilities. Most application security [[:Category:Vulnerability|vulnerabilities]] apply to PHP applications just like other environments.
  
The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure PHP applications. We cover the following topics or pick a topic from the [[OWASP PHP Table of Contents]]
+
The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure PHP applications
 +
 
 +
; [[PHP Security for Developers]]
 +
: * This section covers dangerous calls and common vulnerabilities associated with them, such as system() exec(), eval() and so on. This section will also cover standard security mechanisms available in the standard language, such as cryptography, logging, encryption, and error handling. Securing elements of an application, such as controllers, business logic, and persistence layers will be covered. We'll discuss handling request parameters, encoding, injection, and more.
 +
: * CONFIG
 +
: * CODEBASE
  
; [[PHP Security for Architects]]
+
; [[PHP Security for DevSecOps]]
: Provides information about the design and architectural considerations for a PHP web application. Common architectures such as MVC, Ajax, Web Services and PEAR / Zend Frameworks are discussed.
+
: * How to secure a PHP application when running on the major cloud providers. How to secure a PHP application if all you've got is an unmanaged Linux server. Harden web server, harden database, and various network defenses such as WAFs, GeoIP, and DNSBL.
 +
: * How to secure the development environment. Do you have control over the Source code repository? Are commits signed? How do you know which Docker Images to trust? Do you scan containers for vulnerabilities?
 +
: * INFRASTRUCTURE
 +
: * DEVELOPMENT
  
; [[PHP Security for Developers]]
+
; [[PHP Security for Software Architects]]
: This section covers dangerous calls and common vulnerabilities associated with them, such as system() exec(), eval() and so on. This section will also cover standard security mechanisms available in the standard language, such as cryptography, logging, encryption, and error handling. Securing elements of an application, such as controllers, business logic, and persistence layers will be covered. We'll discuss handling request parameters, encoding, injection, and more.  
+
: * Provides information about the design and architectural considerations for a PHP web application. Which frameworks to use, which frameworks are dead, and using the various FIGs.
 +
: * ARCHITECTURE
  
; [[PHP Security for Deployers]]
 
: These articles cover topics specifically related to the PHP hosting environment. We discuss minimizing the attack surface, configuring error handlers, and performing hardening of PHP.
 
  
 
= Pages =
 
= Pages =
  
== Tool Chain ==
+
== Resources ==
 +
 
 +
[https://github.com/guardrailsio/awesome-php-security Awesome PHP Security]
 +
 
 +
[https://github.com/paragonie/awesome-appsec Awesome AppSec]
  
<TBD>
+
[https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software Best 3rd Party PHP Security Guide]
 +
 
 +
[https://github.com/danehrlich1/very-secure-php-ini Secure php.ini Configuration]
  
 
<br/>
 
<br/>
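Review bot: the new "Best 3rd Party PHP Security Guide" entry under Resources points at the same paragonie.com URL that this revision also adds under Other Resources as "Ultimate 2018 PHP Security Guide", and "Secure php.ini Configuration" is added here while the same link already sits under Documents further down; keep one entry per link. The rewritten intro sentence drops the [[OWASP PHP Table of Contents]] link and its terminating period. The "PHP Security for Developers" entry now ends in bare "* CONFIG" / "* CODEBASE" bullets (likewise INFRASTRUCTURE/DEVELOPMENT under DevSecOps and ARCHITECTURE under Software Architects) with nothing saying these are the categories from the About section; a lead such as "Covers: CONFIG, CODEBASE" would make that clear. Minor: "system() exec(), eval()" is missing a comma.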
Line 87: Line 107:
 
== Libraries ==
 
== Libraries ==
  
<TBD>
+
[https://github.com/google/recaptcha Google PHP recaptcha]
 +
<br/>
 +
 
 +
[https://github.com/paragonie/anti-csrf Paragonie Anti-CSRF Library]
 +
<br/>
 +
 
 +
[https://github.com/paragonie/password_lock Enhanced BCrypt Encryption]
 +
<br/>
 +
 
 +
[https://github.com/paragonie/gpg-mailer PHP GnuPG Emailer]
 +
<br/>
 +
 
 +
[https://github.com/paragonie/csp-builder PHP CSP Builder]
  
 
<br/>
 
<br/>
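Review bot: the label "Enhanced BCrypt Encryption" for paragonie/password_lock is misleading. bcrypt is a password hash, not an encryption scheme; the point of that library is that it wraps the bcrypt hash in authenticated encryption under a separate key, so a database dump alone does not hand an attacker offline-crackable hashes. A label such as "password_lock (bcrypt hash wrapped in authenticated encryption)" describes it accurately. The other four library labels are fine.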
Line 97: Line 129:
 
[[OWASP PHP Top 5]]
 
[[OWASP PHP Top 5]]
  
[https://github.com/danehrlich1/very-secure-php-ini Secure php.ini Configuration]
 
  
[[PHP_Configuration_Cheat_Sheet]]
+
<br/>
 +
 
 +
<br/>
 +
 
 +
== Legacy Pages ==
 +
 
 +
The pages below are from 2005-2014 when this project was maintained by a different team. These pages have been kept so that no links are broken, and because there might be certain situations, particularly with extremely legacy apps, where their use might be appropriate. THere is great advice below, but be careful, there is also outdated advice as well.
 +
 
 +
[https://www.owasp.org/index.php/PHP_Security_for_Architects PHP Security for Architects]
 +
<br/>
 +
 
 +
[https://www.owasp.org/index.php/PHP_Security_for_Developers PHP Security for Developers]
 +
<br/>
 +
 
 +
[https://www.owasp.org/index.php/PHP_Security_for_Deployers PHP Security for Deployers]
 +
<br/>
 +
<br/>
 +
 
 +
[https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet PHP Configuration Cheat Sheet]
 +
<br/>
 +
 
 +
[https://www.owasp.org/index.php/PHP_CSRF_Guard PHP CSRF Guard]
 +
<br/>
 +
 
 +
[https://www.owasp.org/index.php/Log_Injection Log Injection]
 +
<br/>
 +
<br/>
 +
 
 +
[https://www.owasp.org/index.php/Projects/OWASP_PHP_Security_Project OWASP PHP Security Project]
 +
<br/>
  
 +
[https://www.owasp.org/index.php/Projects/OWASP_PHP_Security_Project/Roadmap OWASP PHP Security Project Roadmap]
 +
<br/>
 
<br/>
 
<br/>
  
 +
[https://www.owasp.org/index.php/Projects/OWASP_RBAC_Project OWASP RBAC Project]
 
<br/>
 
<br/>
  
= Get involved =
+
[https://www.owasp.org/index.php/Projects/OWASP_VaultDB_Project OWASP VaultDB Project]
 +
<br/>
  
To get involved join the mailing list: [http://lists.owasp.org/mailman/listinfo/owasp-php OWASP PHP Mailing List]
+
[https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]
 +
<br/>
  
Please visit the [[Tutorial]] and remember to add the tag: <nowiki>[[Category:PHP]]</nowiki> at the end of articles so that they're properly categorised.
+
[https://www.owasp.org/index.php/WebGoatPHP OWASP WebGoatPHP]
 +
<br/>
 +
<br/>
  
<TBD>
 
  
 
= Related Resources =
 
= Related Resources =
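Review bot: "THere is great advice below" in the new Legacy Pages intro should read "There". The old "Get involved" block removed in this hunk contained the instruction to visit the [[Tutorial]] and add <nowiki>[[Category:PHP]]</nowiki> at the end of new articles; the replacement "Get involved" section (re-added in the next hunk with only the mailing-list link) drops it, and without that tag new articles will not land in this category, so keep that sentence. The unchanged "<TBD>" placeholder that closed the old Get involved block is still in the page and should go.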
Line 117: Line 183:
 
{| style="padding:0; margin:0; margin-top:10px; text-align:left; width:100%;" |-
 
{| style="padding:0; margin:0; margin-top:10px; text-align:left; width:100%;" |-
 
| valign="top" style="border-right: 1px dotted gray; padding-right:25px; width:30%; float:left;" |
 
| valign="top" style="border-right: 1px dotted gray; padding-right:25px; width:30%; float:left;" |
 +
 +
 +
= Get involved =
 +
 +
To get involved join the mailing list: [https://lists.owasp.org/mailman/listinfo/owasp-php OWASP PHP Mailing List]
 +
  
 
== Mailing List ==
 
== Mailing List ==
Line 141: Line 213:
 
== PHP Projects Mailing Lists ==
 
== PHP Projects Mailing Lists ==
  
http://lists.owasp.org/pipermail/owasp_php_security_project/
+
https://lists.owasp.org/pipermail/owasp_php_security_project/
  
http://lists.owasp.org/pipermail/owasp_phprbac/
+
https://lists.owasp.org/pipermail/owasp_phprbac/
  
 
<br>
 
<br>
Line 189: Line 261:
  
 
__NOTOC__
 
__NOTOC__
<headertabs />  
+
<headertabs />
  
 
<br/>
 
<br/>

Latest revision as of 03:27, 18 January 2019

About

There are roughly 1.8 billion websites on the internet today, and survey estimates put PHP behind nearly 80% of those whose server-side language can be identified. Freedom, privacy, security, and protection from totalitarianism are not possible if PHP is insecure. This project seeks to be the clearing house for the best ways of protecting PHP websites, apps, and the data they hold. Thank you for reading.

What Does PHP Security Mean?

  • CONFIG: Is my configuration secure? For example, am I running a supported, current PHP version, and what does my php.ini look like?
  • CODEBASE: Is my codebase secure? Am I protecting against SQL injection? Am I protecting against stored XSS?
  • ARCHITECTURE: Is the application designed with security in mind? Is there good documentation on securing it? Are brute-force protection and MFA available options?
  • INFRASTRUCTURE: Is my deployment environment secure? For example, have I hardened the web server the application runs on?
  • DEVELOPMENT: Is my development infrastructure secure? For example, do I and every other developer have 2FA enabled on our GitHub accounts?

What Can You Learn Here?

  • What is the fastest way to secure my legacy PHP application?
  • What options do I need in my php.ini file for security?
  • What is the proper way to validate input and encode output in 2019 with PHP?
  • How can I check my dependencies for known vulnerabilities?
  • How do I secure the web server running the PHP code?
  • How do I secure phpMyAdmin, MySQL, and PostgreSQL databases?
  • How can I harden a WordPress or Drupal site?


Team

Lead: Dan Ehrlich

Please email [email protected] if you would like to help out.


Meta

Last Updated: 01/2019


Other Resources

Ultimate 2018 PHP Security Guide
Mailing List


Related Projects


It is not easy to produce a PHP application without security vulnerabilities. Most application security vulnerabilities apply to PHP applications just like other environments.

The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure PHP applications

PHP Security for Developers
* Covers the CONFIG and CODEBASE questions above. This section covers dangerous calls and the vulnerabilities associated with them, such as system(), exec(), eval() and similar functions. It also covers the security mechanisms available in the standard language, such as cryptography, logging, and error handling, and securing the elements of an application: controllers, business logic, and persistence layers. Handling request parameters, output encoding, and injection are discussed.
PHP Security for DevSecOps
* Covers the INFRASTRUCTURE and DEVELOPMENT questions above. How to secure a PHP application running on the major cloud providers, and how to secure one when all you have is an unmanaged Linux server: hardening the web server and the database, and network defenses such as WAFs, GeoIP filtering, and DNS blocklists (DNSBL).
* How to secure the development environment: Do you control the source code repository? Are commits signed? How do you decide which Docker images to trust? Do you scan containers for vulnerabilities?
PHP Security for Software Architects
* Covers the ARCHITECTURE question above. Design and architectural considerations for a PHP web application: which frameworks to use, which are no longer maintained, and how to apply the PHP-FIG standards (PSRs).
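The Developers section above names the CODEBASE questions (SQL injection, stored XSS) and the dangerous calls (system(), exec() and their relatives) without showing what the fixes look like. The script below is an added example, not code from the OWASP page, that puts each vulnerable call beside its hardened replacement. It assumes PHP 7.4 or later with the pdo_sqlite extension; the in-memory database, the users in it and the attacker inputs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the OWASP page: SQL injection, stored XSS and
// command injection, each as the vulnerable call beside its hardened form.
// Assumes PHP >= 7.4 with pdo_sqlite; all data below is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$pdo->exec("INSERT INTO users (name, bio) VALUES ('alice', 'hello'), ('root', 'sysadmin')");

// ---- 1. SQL injection ------------------------------------------------------
// VULNERABLE: the value is spliced into the query text, so it can rewrite the SQL.
function findUserUnsafe(PDO $pdo, string $name): array
{
    return $pdo->query("SELECT name FROM users WHERE name = '$name'")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: a prepared statement sends the value separately from the SQL, so
// it can never become part of the query grammar.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$name = "alice' OR '1'='1";                 // constructed attacker input
print_r(findUserUnsafe($pdo, $name));       // alice AND root: the WHERE clause was widened
print_r(findUserSafe($pdo, $name));         // empty: no user has that literal name

// ---- 2. Stored XSS ---------------------------------------------------------
// The payload is stored with a prepared statement, which does nothing against
// XSS: the injection happens at output time, not at insert time.
$payload = '<img src=x onerror="alert(document.cookie)">';   // constructed
$pdo->prepare('UPDATE users SET bio = :bio WHERE name = :n')
    ->execute([':bio' => $payload, ':n' => 'alice']);
$bio = (string) $pdo->query("SELECT bio FROM users WHERE name = 'alice'")->fetchColumn();

// VULNERABLE: stored text echoed straight into HTML.
function renderBioUnsafe(string $bio): string
{
    return '<p class="bio">' . $bio . '</p>';
}

// HARDENED: encode for the HTML context at the point of output. ENT_QUOTES also
// escapes quotes (needed inside attributes), ENT_SUBSTITUTE stops invalid UTF-8
// from silently yielding an empty string, and the explicit charset prevents
// encoding-confusion bypasses.
function renderBioSafe(string $bio): string
{
    return '<p class="bio">' . htmlspecialchars($bio, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

echo renderBioUnsafe($bio), "\n";   // a browser would run the onerror handler
echo renderBioSafe($bio), "\n";     // &lt;img src=x onerror=&quot;...&quot;&gt; shown as text

// ---- 3. Command injection via the system()/exec() family --------------------
// VULNERABLE: user input becomes part of a shell command line, so "x; id" runs id.
// system(), exec(), passthru(), shell_exec() and backticks all go through /bin/sh.
function lineCountUnsafe(string $file): string
{
    return (string) shell_exec("wc -l $file");
}

// HARDENED (a): quote the argument so the shell treats it as a single word.
function lineCountQuoted(string $file): string
{
    return (string) shell_exec('wc -l ' . escapeshellarg($file));
}

// HARDENED (b): skip the shell. Passing an argv array to proc_open() (PHP >= 7.4)
// executes wc directly, so there is no shell grammar to inject into. The "--"
// keeps a filename starting with "-" from being parsed as an option.
function lineCountNoShell(string $file): string
{
    $proc = proc_open(['wc', '-l', '--', $file], [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

$file = 'report.txt; id';                   // constructed attacker input
// lineCountUnsafe($file) would run "wc -l report.txt; id"; deliberately not executed here.
var_dump(lineCountQuoted($file));           // wc reports no such file; "id" never runs
var_dump(lineCountNoShell($file));          // same: the whole string is one filename
```

Run it with php from the command line; nothing in it needs a network or a real database server. One caveat that follows from the list of dangerous calls above: eval() has no equivalent of escapeshellarg() or of a prepared statement, since there is no safe way to quote attacker-controlled text into PHP source, so the only fix for eval() on untrusted input is to remove the call.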


Resources

Awesome PHP Security

Awesome AppSec

Best 3rd Party PHP Security Guide

Secure php.ini Configuration



Libraries

Google PHP recaptcha

Paragonie Anti-CSRF Library

Paragonie password_lock (bcrypt hash wrapped in authenticated encryption)

PHP GnuPG Emailer

PHP CSP Builder



Documents

OWASP PHP Top 5




Legacy Pages

The pages below date from 2005-2014, when this project was maintained by a different team. They have been kept so that no links break, and because there are situations, particularly with very old applications, where their advice still applies. There is good advice below, but be careful: some of it is outdated.

PHP Security for Architects

PHP Security for Developers

PHP Security for Deployers

PHP Configuration Cheat Sheet

PHP CSRF Guard

Log Injection

OWASP PHP Security Project

OWASP PHP Security Project Roadmap

OWASP RBAC Project

OWASP VaultDB Project

OWASP PHPRBAC Project

OWASP WebGoatPHP


The previous version of this PHP Project home page is archived here: OWASP_PHP_Project_Archive_(03.2015)