Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Cakephp Security

Tags:

security

xss

csrf

cakephp

xsl-fo

I am new to Security of Web apps. I am developing an application in Cakephp and one of my friends told me about the Cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks etc. not sure how many more are there.

I need some help in understanding how to make Cakephp defend my web app against these. we are low budget and we cant hire a security consulant as of now. We are still developing the app and plan to release in by the end of the month. so wanna take care of the initial stuff that can help me stand un hacked ;)

like image 690
Harsha M V Avatar asked Oct 06 '10 07:10

Harsha M V

2 Answers

There is not (and cannot be) one tool you can deploy and then never have to think about security again. Deploying ‘anti-XSS’ hacks like CakePHP's Sanitize::clean will get in users' way by blocking valid input, whilst still not necessarily making the app secure. Input filtering hacks are at best an obfuscation measure, not a fix for security holes.

To have a secure web application, you must write a secure web application, from the ground up. That means, primarily, attention to detail when you are putting strings from one context into another. In particular:

  • any time you write a string to HTML text content or attribute value, HTML-escape it (htmlspecialchars()) to avoid HTML-injection leading to XSS. This isn't just a matter of user input that might contain attacks, it's the correct way to put plain text into HTML.

    Where you are using HTML helper methods, they should take care of HTML-escaping of those elements by default (unless you turn off escape); it is very unfortunate that the CakePHP tutorial includes the bad practice of echoing unescaped strings into HTML for text outside of HTML helpers.

  • any time you create SQL queries with string values, SQL-escape it (with an appropriate function for your database such as mysql_real_escape_string).

    If you are using CakePHP's ORM and not writing your own SQL you don't have to worry about this.

  • avoid using user input (eg file upload names) to name files on the filesystem (generate clean unique IDs instead) or as any part of a system() command.

  • include the Security component to add a form submission token scheme that will prevent XSRF on forms generated by CakePHP.

like image 152
bobince Avatar answered Oct 22 '22 06:10

bobince

Cake can be secured relatively easy (compared to self written php scripts): http://www.dereuromark.de/2010/10/05/cakephp-security/

like image 22
mark Avatar answered Oct 22 '22 07:10

mark
Sign in to Comment

Related questions

How to interpret hasPermission in spring security?
Difference between SonarQube and Fortify? [closed]
.NET Secure Memory Structures
Is it safe to store user object in a cookie?
Application shown as threat by AVG
Securely send a Plain Text password?
How to securely store a connection string in a WinForms application?
How to make my API private but usable by mobile application?
Severe security constraints while tomcat 8 startup with liferay
Simple way to hash password client side right before submitting form
What are best practices to implement security when using NHibernate?
Creating a webpage with user accounts, what do I need to keep in mind?
network communication encryption in java
How (if at all) does a predictable random number generator get more secure after SHA-1ing its output?
Encrypt the string In Typescript And Decrypt In C# using Advanced Encryption Standard Algorithm(AES)
Is hashing really a irreversible process?
How I do to force the browser to not store the HTML form field data?
SecurityException when using Registry.LocalMachine.OpenSubKey
Can JSF standard validation prevent code injection?
Is it possible to spoof your IP... is testing ip addresses secure?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!