About the Authors
About the Technical Reviewer
Acknowledgments
Introduction

The Importance of Security
    Why Is Secure Programming a Concern?
        What Is Computer Security?
        Why Absolute Computer Security Is Impossible
        What Kinds of Attacks Are Web Applications Vulnerable To?
        Summary

Maintaining a Secure Environment
    Dealing with Shared Hosts
        What Are the Dangers of Shared Hosting?
        An Inventory of Effects
        Minimizing System-level Problems
        A Reasonable Standard of Protection for Multiuser Hosts
        Virtual Machines: A Safer Alternative to Traditional Virtual Hosting
        Shared Hosts from a System Administrator's Point of View
        Summary
    Maintaining Separate Development and Production Environments
        Why Separate Development and Production Servers?
        Effective Production Server Security
        Summary
    Keeping Software Up to Date
        Installing Programs
        Updating Software
        Summary
    Using Encryption I: Theory
        Encryption vs. Hashing
        Recommended Encryption Algorithms
        Recommended Hash Functions
        Related Algorithms
        Random Numbers
        Blocks, Modes, and Initialization Vectors
        US Government Restrictions on Exporting Encryption Algorithms
        Summary
    Using Encryption II: Practice
        Protecting Passwords
        Protecting Sensitive Data
        Verifying Important or At-risk Data
        Summary
    Securing Network Connections I: SSL
        Definitions
        The SSL Protocols
        Providing SSL on Your Servers
        Connecting to SSL Servers Using PHP
        Summary
    Securing Network Connections II: SSH
        Definitions
        Using OpenSSH for Secure Shell
        The Value of Secure Connections
        Summary
    Controlling Access I: Authentication
        Authentication
        HTTP Authentication
        Two-factor Authentication
        Single Sign-On Authentication
        Summary
    Controlling Access II: Permissions and Restrictions
        Unix Filesystem Permissions
        Protecting the System from Itself
        Protecting Databases
        PHP Safe Mode
        Summary

Practicing Secure PHP Programming
    Validating User Input
        What to Look For
        Strategies for Validating User Input in PHP
        Testing Input Validation
        Summary
    Preventing SQL Injection
        What SQL Injection Is
        How SQL Injection Works
        PHP and MySQL Injection
        Preventing SQL Injection
        Test Your Protection Against Injection
        Summary
    Preventing Cross-Site Scripting
        How XSS Works
        A Sampler of XSS Techniques
        Preventing XSS
        Test for Protection Against XSS Abuse
        Summary
    Preventing Remote Execution
        How Remote Execution Works
        The Dangers of Remote Execution
        Strategies for Preventing Remote Execution
        Testing for Remote Execution Vulnerabilities
        Summary
    Enforcing Security for Temporary Files
        The Functions of Temporary Files
        Characteristics of Temporary Files
        Preventing Temporary File Abuse
        Test Your Protection Against Hijacking
        Summary
    Preventing Session Hijacking
        How Persistent Sessions Work
        Abuse of Sessions
        Preventing Session Abuse
        Test for Protection Against Session Abuse
        Summary

Practicing Secure Operations
    Allowing Only Human Users
        Background
        Kinds of Captchas
        Creating an Effective Captcha Test Using PHP
        Attacks on Captcha Challenges
        Potential Problems in Using Captchas
        Summary
    Verifying Your Users' Identities
        Identity Verification
        Who Are the Abusers?
        Using a Working Email Address for Identity Verification
        When a Working Mailbox Isn't Enough
        Summary
    Using Roles to Authorize Actions
        Application Access Control Strategies
        Roles-based Access Control
        Authorization Based on Roles
        Making RBAC Work
        Summary
    Adding Accountability to Track Your Users
        A Review of System-level Accountability
        Basic Application Logging
        Specialized Application Logging
        Generating Usage Reports
        Summary
    Preventing Data Loss
        Preventing Accidental Corruption
        Avoiding Record Deletion
        Versioning
        Creating a Versioned Database Filestore
        Summary
    Safely Executing System Commands
        Dangerous Operations
        Making Dangerous Operations Safe
        Implementation Strategies
        Summary
    Handling Remote Procedure Calls Safely
        RPC and Web Services
        Keeping a Web Services Interface Secure
        Making Subrequests Safely
        Summary
    Taking Advantage of Peer Review
        The Bazaar Model for Software Development
        Security Benefits of Open Source Code
        Open Source Practicalities
        Effective Bug Reporting
        Applying Open Source Principles to This Book

Index