
PHP and web dev security

Overview of security for web dev

11:28 pm on Sep 19, 2007 (gmt 0)


Risks, Weaknesses & Attacks

Our tech team recently had a bit of a security review, not much more than a lunchtime sit-in over a few days to try and identify the main security issues to be aware of in web development. We're looking to implement a security checklist for projects - mostly to keep the tech team on their toes during development and to keep security issues at the forefront when they tend to fall by the wayside sometimes.
I thought the list we brainstormed might be an interesting starting place for further discussion here and might help others become aware of certain things they might have overlooked or not been aware of.


  1. Implicit trust of tainted data
    • especially when used for commands/queries/includes/files/remote
    • Trusting the scope of data, not just the content
    • Be careful with eval()
    • [PHP] Be careful when using register_globals = ON

  2. Web folder permissions, .. traversal
  3. Caching of sensitive information
  4. Buffer overruns [bounds checking]
  5. Code injection – SQL, Javascript, File uploads
  6. Upload weaknesses – cookie poisoning
    • E.g. the MySpace session hijacking: cookie data and posting code into other people's pages

  7. Password Attacks – Dictionary, Brute force, Defaults
  8. Admin addresses – user management
  9. Protection of all sensitive pages, not just the gateway
  10. Remote code execution (e.g. php includes, JS ad-code)
  11. Common developer mistakes
  12. AJAX buggery (tween page exploits, API attacks)
  13. Cookie poisoning
  14. XSS
  15. Debug
  16. Error pages
  17. Email form hijacking, list theft
  18. Internal application warfare – i.e. users targeting each other.

Hardware / Hosting

  • Port Scans / firewall / VPNs
  • Web server and application lockdown/hardening (removal of demos)
  • Shared Hosting
  • Patching
  • Spam – relaying, list theft
  • Default config – server, hardware, devices

Awareness / Management / Policies
  • Security bootstrapping
  • Passwords – defaults/weak
  • Known bug exploits – 3rd party, known viruses/trojans etc. targeting our apps/devices
  • 3rd Party Libraries (exploits, bug, and known locations)
  • Phishing (domain theft/spoofing)

Feel free to add to the list or to ask for expansion of a particular topic or area: someone with far greater security credentials than myself will hopefully drop their thoughts in :)
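The "implicit trust of tainted data" items at the top of the list (SQL, includes/files, output) and the cookie items are the ones most easily shown in code. The following PHP is an added example written for this thread, not code from the original post or any project it mentions; the `users` table, the page allow-list and the in-memory SQLite database are constructed for the demo. Each function shows the hardened form of one checklist item, with the vulnerable form noted in a comment for contrast.

```php
<?php
// Added example (not from the original post). Demonstrates the hardened
// handling of tainted request data for items 1, 2, 5, 6, 13 and 14 of the
// checklist. Table names, the page allow-list and the sample rows are
// assumptions made for this demo.

declare(strict_types=1);

// --- Items 1 & 5: SQL injection. Never interpolate request data into SQL.
function findUserByName(PDO $db, string $tainted): ?array
{
    // Vulnerable form, shown only for contrast (do not use):
    //   $db->query("SELECT id, name FROM users WHERE name = '$tainted'");
    // Hardened form: a prepared statement keeps the value out of the query text.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $tainted]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Items 2 & 10: ".." traversal via a user-chosen include/file name.
// Map request values onto a fixed allow-list instead of validating a path.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];   // assumed list

function resolvePage(string $tainted, string $baseDir): ?string
{
    if (!array_key_exists($tainted, PAGES)) {
        return null;                         // unknown key: refuse, never include
    }
    $path = realpath($baseDir . '/' . PAGES[$tainted]);
    $base = realpath($baseDir);
    // Belt and braces: the resolved file must still sit inside $baseDir.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// --- Item 14: XSS. Encode on output, for the HTML context the data lands in.
function escapeHtml(string $tainted): string
{
    return htmlspecialchars($tainted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- Items 6 & 13: cookie poisoning / session hijacking. Call before
// session_start(): the session cookie is not readable by injected script
// (HttpOnly), only sent over HTTPS (Secure), and uninitialised ids supplied
// by the client are rejected (strict mode). Requires PHP 7.3+ for the array form.
function hardenSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');
}

// --- Self-contained demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// A quoted input that would break a string-built query is, with a prepared
// statement, just a literal that matches no user.
var_dump(findUserByName($db, "' OR '1'='1"));
var_dump(findUserByName($db, 'alice'));

// A traversal attempt is rejected because it is not an allow-listed key.
var_dump(resolvePage('../../etc/passwd', __DIR__));

// Script tags come out as inert text.
echo escapeHtml('<script>alert(1)</script>'), "\n";
```

Run it with `php example.php` (the sqlite PDO driver ships with most PHP builds). The design point worth noting is that none of the functions try to "clean" the input: the query, the include and the HTML output are each made safe in the place where the tainted value is used, which is the only place its meaning is known.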


2:35 pm on Sept 20, 2007 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

That's a good start for you there. Here are some links to get you a little further in implementing those mentioned above:
php: [us3.php.net...]
Apache: [httpd.apache.org...]
mysql: [dev.mysql.com...]