BASIC
□ Strong passwords are used.
□ Passwords stored safely.
□ register_globals is disabled.
□ Magic quotes is disabled.
□ display_errors is disabled.
□ Server(s) are physically secure.

INPUT
□ Input from $_GET, $_POST, $_COOKIE, and $_REQUEST is considered tainted.
□ Understood that only some values in $_SERVER and $_ENV are untainted.
□ $_SERVER['PHP_SELF'] is escaped where used.
□ Input data is validated.
□ \0 (null) is discarded in input.
□ Length of input is bounded.
□ Email addresses are validated.
□ Application is aware of small, very large, zero, and negative numbers. Scientific notation too.
□ Application checks for invisible, look-alike, and combining characters.
□ Unicode control characters stripped out when required.
□ Outputted data is sanitized.
□ User-inputted HTML is sanitized with HTMLPurifier.
□ User-inputted CSS is sanitized using a white-list.
  □ Abusable properties (position, margin, etc.) are handled.
  □ CSS escape sequences are handled.
  □ JavaScript in CSS is discarded (expressions, behaviors, bindings).
□ URLs are sanitized and unknown and unwanted protocols are disallowed.
□ Embedded plugins are restricted from executing JS.
□ Embedded plugin files (Flash movies) are embedded in a manner so that only the intended plugin is loaded.
□ Aware that Flash can bypass referrer checks to load images and sound files.
□ The application uses a safe encoding.
□ An encoding is specified using an HTTP header.
□ Inputted data is verified to be valid for your selected encoding if using an unsafe encoding.

FILE UPLOADS
□ Application verifies file type.
  □ User-provided MIME type value is ignored.
  □ Application analyzes the content of files to determine their type.
  □ It is understood that a perfectly valid file can still contain arbitrary data.
□ Application checks the file size of uploaded files.
  □ MAX_FILE_SIZE is not depended upon.
  □ File uploads cannot “overtake” available space.
□ Content is checked for malicious content.
  □ Application uses a malware scanner (if required).
□ Uploaded HTML files are displayed securely.
□ Uploaded files are not moved to a web-accessible directory.
□ Extensive path checks are used when serving files.
□ Uploaded files are not served with include().
□ Uploaded files are served as an attachment using the Content-Disposition header.
□ Application sends the X-Content-Type-Options: nosniff header.
□ Files are not served as “application/octet-stream”, “application/unknown”, or “text/plain” unless necessary (browsers content-sniff these).

SERVING FILES
□ User input is not directly used in a pathname.
□ Directory traversal is prevented.
□ Null (\0) in paths filtered.
□ Application is aware of “:”.
□ PHP streams are filtered.
□ Access to files is not restricted merely by hiding them (an obscure path is not access control).
□ Remote files not included with include().

AUTHENTICATION
□ Bad password attempts are throttled.
□ CAPTCHA is used.
□ SSL used to prevent MITM.
□ Passwords are not stored in a cookie.
□ Passwords are hashed.
  □ Per-user salts are used.
  □ crypt() is used with a sufficient number of rounds. MD5 is not used.
□ Users are warned about obvious password recovery questions.
□ Account recovery forms do not reveal email existence.
□ Pages that send emails are throttled and limited.
□ Pages that use 3rd-party APIs are throttled.

SESSIONS
□ Sessions only use cookies (session.use_only_cookies).
□ On logout, session data is destroyed.
□ Session is recreated on authorization level change (session_regenerate_id()).
□ Sites on the same server use different session storage directories.

DATABASE
□ Data inserted into the database is properly escaped, or parameterized/prepared statements are used.
□ addslashes() is not used.
□ Application does not have more privileges to the database than necessary.
□ Remote connections to the database are disabled if they are unnecessary.

SHARED HOSTING
□ Using a secure shared host where users cannot access the files of other users.
□ Aware that fellow shared hosting users:
  □ Can, if on the same IP address, issue requests against your site with XMLHttpRequest in IE6.
  □ Can access your website from 127.0.0.1 or ::1.
  □ Can host a server on the same IP address.
  □ Are not “remote” as far as your DB is concerned.
□ Session & file upload directories are not shared.

MISCELLANEOUS
□ A cryptographically secure PRNG is used for secret randomly-generated IDs (activation links, secret IDs, etc.).
  □ Suhosin is installed, or you are not using rand() or mt_rand() for this.
□ Anything that consumes a lot of resources is throttled.
□ You did not create your own encryption algorithm.
□ Arguments to external programs (e.g. exec()) are validated.
□ Generic internal and external redirect pages are secured.
□ Precautions taken against the source code of your PHP pages being shown due to misconfiguration.
□ Configuration and critical files are not in a web-accessible directory.

3RD-PARTIES
□ CSRF issues are prevented with tokens/keys.
  □ Referrers are not relied upon.
  □ Pages that perform actions use POST.
  □ Important pages (logout, etc.) are protected.
□ Your pages are not written in a way (e.g. JSON, JS-like) where they can be included and read on a remote website successfully.
□ The following things will not reveal significant information if included remotely:
  □ Images.
  □ CSS files.
  □ Existence or ordering of frames.
  □ Existence of a JS variable.
  □ Detected visit of a URL.
  □ Pages that take a longer time to load.
□ Inclusion of your website in an inline frame with JS disabled does not reveal a threat.
□ Application uses frame-bursting code and sends the X-Frame-Options header.
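The INPUT items above, worked through as code. This is an added example, not code from the sk89q checklist: the field rules, limits and function names are this example's own choices, and it assumes the mbstring extension and PHP 7 or later.

```php
<?php
// Added example for the INPUT checklist items (not from the original page).
// Each function rejects or normalises one class of problem the list names.

function clean_text(string $s, int $maxLen): string
{
    // \0 is discarded, never passed on to the filesystem, a C library or a DB driver.
    if (strpos($s, "\0") !== false) {
        throw new InvalidArgumentException('null byte in input');
    }
    // Input must be valid for the selected encoding (UTF-8 here); preg_replace()
    // with /u would otherwise silently return null on malformed bytes.
    if (!mb_check_encoding($s, 'UTF-8')) {
        throw new InvalidArgumentException('invalid UTF-8');
    }
    // Strip Unicode control (Cc) and format (Cf) characters: BiDi overrides,
    // zero-width joiners and friends. Cc also covers \t \r \n, so use a
    // different rule for multi-line fields.
    $s = preg_replace('/[\p{Cc}\p{Cf}]/u', '', $s);
    // Bound the length in characters, not bytes, so the limit means what users expect.
    if (mb_strlen($s, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException('input too long');
    }
    return $s;
}

function clean_email(string $s): string
{
    $s = clean_text($s, 254);                      // 254 is the practical address limit
    if (filter_var($s, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('bad email address');
    }
    return $s;
}

function clean_quantity(string $s): int
{
    // is_numeric() is the wrong tool: it accepts "1e3", leading whitespace,
    // "-0", and (before PHP 7) "0x1A". State the accepted shape explicitly:
    // a positive integer with no leading zero and at most nine digits, which
    // cannot overflow a 32-bit int.
    if (!preg_match('/\A[1-9][0-9]{0,8}\z/', $s)) {
        throw new InvalidArgumentException('not a positive integer');
    }
    return (int) $s;
}

function clean_filename_fragment(string $s): string
{
    // For anything that ends up in a path: a tight whitelist, no separators,
    // no ':' and no '..' possible.
    $s = clean_text($s, 64);
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $s)) {
        throw new InvalidArgumentException('bad name');
    }
    return $s;
}

// Usage on constructed request data (this is not a real request):
$_POST = ['email' => "alice@example.org\u{200B}", 'qty' => '1e3', 'name' => 'report-2024'];
$email = clean_email($_POST['email']);          // zero-width space removed, then validated
$name  = clean_filename_fragment($_POST['name']);
try {
    $qty = clean_quantity($_POST['qty']);       // rejected: scientific notation
} catch (InvalidArgumentException $e) {
    $qty = null;
}
```

Look-alike (homoglyph) checks are deliberately not attempted here; they need a confusables table (for example the one Unicode publishes) and a decision about which scripts the field may mix, which is application policy rather than a generic validator.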
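An upload handler that does what the FILE UPLOADS items ask. This is an added example, not code from the sk89q checklist: the form field name "upload", STORAGE_DIR, the size limits and the allowed-type table are this example's assumptions, and it needs the fileinfo and GD extensions.

```php
<?php
// Added example for the FILE UPLOADS items (not from the original page).

const STORAGE_DIR = '/var/app/uploads';  // outside the document root (assumed path)
const MAX_BYTES   = 2 * 1024 * 1024;     // enforced here; MAX_FILE_SIZE in the form is advisory only
const KEEP_FREE   = 100 * 1024 * 1024;   // uploads may never fill the disk

// Types are decided from content; the extension is chosen by us from the detected type.
const ALLOWED = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

function handle_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Size from the temporary file itself, not from the form or $file['size'].
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    if (disk_free_space(STORAGE_DIR) - $size < KEEP_FREE) {
        throw new RuntimeException('insufficient space');
    }
    // $file['type'] is whatever the client claimed; ask libmagic instead.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$type])) {
        throw new RuntimeException('type not allowed: ' . $type);
    }
    // Server-chosen name: the client's filename never touches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$type];
    $dest = STORAGE_DIR . '/' . $name;

    if ($type === 'image/png' || $type === 'image/jpeg') {
        // A perfectly valid image can still carry arbitrary data (metadata,
        // trailing bytes, polyglots). Re-encoding through GD keeps the pixels
        // and drops everything else.
        $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
        if ($img === false) {
            throw new RuntimeException('image failed to decode');
        }
        $ok = ($type === 'image/png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
        imagedestroy($img);
        unlink($file['tmp_name']);
    } else {
        // PDFs cannot be normalised this way; this is where a malware scanner would run.
        $ok = move_uploaded_file($file['tmp_name'], $dest);
    }
    if (!$ok) {
        throw new RuntimeException('could not store file');
    }
    return $name;  // record this id; serve through a download script, never by direct URL
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    echo htmlspecialchars(handle_upload($_FILES['upload']), ENT_QUOTES, 'UTF-8');
}
```

Because the stored name is random and the directory is not under the web root, an uploaded HTML file or PHP file is inert: nothing maps a URL onto it, and the only way out is the download script, which sends it as an attachment.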
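Serving a stored file with the path checks and headers the SERVING FILES and FILE UPLOADS items describe. This is an added example, not code from the sk89q checklist: STORAGE_DIR, the id-to-name lookup and the function names are this example's assumptions.

```php
<?php
// Added example for the SERVING FILES items (not from the original page).

const STORAGE_DIR = '/var/app/uploads';  // assumed; must not be under the web root

// The client sends an opaque id; the server alone knows the on-disk name.
// In a real application this is a database row; here a constructed table.
function lookup_stored_name(string $id): ?string
{
    $table = ['a1b2' => 'a1b2c3d4e5f60718293a4b5c6d7e8f90.png'];
    return $table[$id] ?? null;
}

function resolve_path(string $name): string
{
    // Whitelist the name: no "\0", no "/" or "\", no ".." and no ":" (which
    // would otherwise open the door to php:// style stream wrappers and, on
    // Windows, alternate data streams).
    if (!preg_match('/\A[A-Za-z0-9_-]+\.[a-z0-9]{1,5}\z/', $name)) {
        throw new RuntimeException('bad name');
    }
    $base = realpath(STORAGE_DIR);
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses ".." and symlinks; the result must still be inside the store.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('path escapes storage directory');
    }
    return $path;
}

function serve(string $id): void
{
    $name = lookup_stored_name($id);
    if ($name === null) {
        http_response_code(404);
        return;
    }
    $path = resolve_path($name);
    // A real type from content, not application/octet-stream; together with
    // nosniff the browser will not guess its way to text/html.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    // Attachment: the browser saves rather than renders, so user-supplied HTML
    // never executes in this site's origin. The name passed the regex above,
    // so it is safe to place in the header unquoted-escaping-free.
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);  // readfile(), never include() or require()
}

serve($_GET['id'] ?? '');
```

The regex check and the realpath() check are both kept on purpose: the regex stops a bad name early and cheaply, while realpath() is the authoritative test that survives a symlink planted inside the storage directory.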
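Password storage as the AUTHENTICATION items describe: crypt() with the bcrypt scheme, a per-user salt from a CSPRNG, and a cost factor high enough to slow brute force. This is an added example, not code from the sk89q checklist; the cost of 12 and the function names are this example's choices, and it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example for the AUTHENTICATION items (not from the original page).

const BCRYPT_COST = 12;  // 2^12 rounds; raise it as hardware gets faster

function make_salt(): string
{
    // bcrypt wants 22 characters from the alphabet ./A-Za-z0-9; derive them
    // from 16 random bytes. '+' is not in that alphabet, '/' is.
    $raw = base64_encode(random_bytes(16));
    return substr(strtr($raw, '+', '.'), 0, 22);
}

function hash_password(string $password): string
{
    // "$2y$" selects bcrypt. The salt is embedded in the output, so every user
    // ends up with a different hash even for the same password, and no
    // precomputed (rainbow) table applies.
    $setting = sprintf('$2y$%02d$%s', BCRYPT_COST, make_salt());
    $hash = crypt($password, $setting);
    // crypt() signals failure with a short string ("*0" / "*1") rather than an exception.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('password hashing failed');
    }
    return $hash;
}

function check_password(string $password, string $stored): bool
{
    // Feeding the stored hash back as the setting reuses its salt and cost;
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

function needs_rehash(string $stored): bool
{
    // Old records (lower cost, or a different scheme) get upgraded on next login.
    return strncmp($stored, sprintf('$2y$%02d$', BCRYPT_COST), 7) !== 0;
}

// Usage on constructed values:
$stored = hash_password('correct horse battery staple');
$good   = check_password('correct horse battery staple', $stored);
$bad    = check_password('Tr0ub4dor&3', $stored);
if (!$good || $bad) {
    throw new LogicException('self-test failed');
}
```

On PHP 5.5 and later the same thing is available as password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]), password_verify() and password_needs_rehash(); they wrap exactly this crypt() call and should be preferred where available. Throttling of bad attempts (the first AUTHENTICATION item) is separate from hashing: count failures per account and per source address in the database and refuse or delay logins past a threshold, and never reveal which of username or password was wrong.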
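The SESSIONS items as code: cookie-only sessions, a per-site storage directory, a fresh id whenever the authorization level changes, and real destruction on logout. This is an added example, not code from the sk89q checklist; the hook names and the save path are this example's assumptions.

```php
<?php
// Added example for the SESSIONS items (not from the original page).
// All ini_set() calls must run before session_start().

ini_set('session.use_only_cookies', '1');  // no id in URLs: cannot leak via Referer or be handed out in a link
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');   // script cannot read the cookie
ini_set('session.cookie_secure', '1');     // relies on the "SSL used" item above
ini_set('session.use_strict_mode', '1');   // refuse ids the server did not issue
ini_set('session.save_path', '/var/app/sessions');  // this site only, not the shared /tmp

session_start();

function on_login(int $userId, string $role): void
{
    // Privilege goes up: issue a new id and delete the old session file, so an
    // id fixed on the victim before login never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'role' => $role, 'auth_at' => time()];
}

function on_role_change(string $newRole): void
{
    // Any change of authorization level, not only login, gets a new id.
    session_regenerate_id(true);
    $_SESSION['role'] = $newRole;
}

function on_logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as removing the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

session_regenerate_id(true) is the important detail: without the true argument the old session file stays on disk and the previous id keeps working until it expires.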
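Database access as the DATABASE items describe: prepared statements with the value bound rather than interpolated, a connection over the loopback interface, and a limited account. This is an added example, not code from the sk89q checklist; the DSN, account name, environment variable and table layout are this example's assumptions.

```php
<?php
// Added example for the DATABASE items (not from the original page).

function db(): PDO
{
    // Loopback host: the server need not accept remote connections at all.
    // "app_user" is assumed to have been granted only what the app needs, e.g.
    //   GRANT SELECT, INSERT, UPDATE ON app.* TO 'app_user'@'localhost';
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app_user',
        getenv('APP_DB_PASSWORD'),
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares, not client-side quoting
        ]
    );
}

function find_user_by_email(PDO $pdo, string $email): ?array
{
    // The value travels as a bound parameter: no quoting, no escaping, no addslashes().
    $stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function list_users(PDO $pdo, string $sortBy, int $limit): array
{
    // Identifiers and keywords cannot be bound, so they come from a whitelist
    // the caller cannot extend; only the LIMIT value is bound.
    $allowed = ['id' => 'id', 'email' => 'email', 'created' => 'created_at'];
    $column  = $allowed[$sortBy] ?? 'id';
    $stmt = $pdo->prepare("SELECT id, email FROM users ORDER BY $column LIMIT :limit");
    $stmt->bindValue(':limit', max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: the classic injection string is just a value with no matching row.
$pdo  = db();
$user = find_user_by_email($pdo, "' OR '1'='1");
```

Turning emulated prepares off matters: with emulation on, PDO builds the final SQL string on the client and the protection rests on correct quoting for the connection's character set, which is exactly the class of bug prepared statements exist to remove.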
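One block for two items: the MISCELLANEOUS item on CSPRNG-generated secret ids and the 3RD-PARTIES items on CSRF tokens, POST-only actions and X-Frame-Options. This is an added example, not code from the sk89q checklist; the function names and the session key are this example's own.

```php
<?php
// Added example for the MISCELLANEOUS (secret ids) and 3RD-PARTIES (CSRF,
// framing) items (not from the original page).

session_start();

// Every secret id (activation link, CSRF token, reset code) comes from
// random_bytes(), a CSPRNG. rand()/mt_rand() are seeded predictably and are
// never used for anything an attacker must not guess.
function secret_token(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = secret_token();
    }
    return $_SESSION['csrf'];
}

// Emit inside every form that performs an action.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Send on every page: the header is the real control, frame-bursting JS is
// only a fallback for browsers that ignore it.
function send_framing_headers(): void
{
    header('X-Frame-Options: DENY');
}

// Call first on every page that changes state, logout included.
function require_action_request(): void
{
    send_framing_headers();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);  // a GET can be triggered by an <img>; a POST cannot carry our token
        exit;
    }
    $sent = $_POST['csrf'] ?? '';
    // Constant-time compare; the Referer header is never consulted, since it
    // can be absent, stripped by proxies, or (with Flash) forged.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit;
    }
}

// Activation link: the token itself is the secret, so only its hash is stored;
// a database leak then does not hand out live activation links.
function new_activation(string $baseUrl): array
{
    $token = secret_token();
    return ['url' => $baseUrl . '?t=' . $token, 'stored' => hash('sha256', $token)];
}

function activation_matches(string $presented, string $stored): bool
{
    return hash_equals($stored, hash('sha256', $presented));
}
```

The token is per session rather than per form so that a user with several tabs open does not get spurious failures; if an action is sensitive enough to warrant per-request tokens, generate one with secret_token(), store it in the session keyed by form, and remove it after one successful use.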
Find the annotated original at http://sk89q.com/phpsec/