Progamas
Páginas: 4 (851 palabras)
Publicado: 29 de julio de 2012
REV 2 / 2010-Apr-12
PHP Application Security Checklist
BASIC
FILE□UPLOADS
□□ PHP□streams□are□filtered.
□□ Access□to□files□is□not□
restricted□by□hiding□the□files.
□□Remote□files□not□included□
□□ Application□verifies□file□type.
□□ Strong□passwords□are□used.
□□ User-provided□mime□type□
□□ Passwords□stored□safely.
with□include().
value□is□ignored.
□□ register_globals□is□disabled.□□ Application□analyzes□
□□ Magic□quotes□is□disabled.
AUTHENTICATION
the□content□of□files□to□
□□ display_errors□is□disabled.
determine□their□type.
□□ Server(s)□are□physically□secure.
□□Bad□password□throttling.
□□ It□is□understood□that□a□
□□ CAPTCHA□is□used.
perfectly□valid□file□can□still□ □□ SSL□used□to□prevent□MITM.
INPUT
contain□arbritrary□data.
□□ Passwords□are□not□stored□in□a□
□□Input□from□$_GET,□$_POST,□ □□ Application□checks□the□file□
cookie.
$_COOKIE,□and□$_REQUEST□
size□of□uploaded□files.
□□ Passwords□are□hashed.
is□considered□tainted.
□□ MAX_FILE_SIZE□is□not□
□□Per-user□salts□are□used.
□□ Understood□that□only□some□
depended□upon.
□□ crypt()□is□used□with□
values□in□$_SERVER□and□
□□ File□uploads□cannot□
sufficient□number□of□
$_ENV□are□untainted.“overtake”□available□space.
rounds.
□□ $_SERVER[‘PHP_SELF’]□is□
□□ Content□is□checked□for□
□□ MD5□is□not□used.
escaped□where□used.
malicious□content.
□□ Users□are□warned□about□
□□Input□data□is□validated.
□□ Application□uses□a□
obvious□password□recovery□
□□ \0□(null)□is□discarded□in□input.
malware□scanner□(if□req.).
questions.
□□ Length□of□input□is□bounded.
□□ Uploaded□HTML□files□are□ □□Account□recovery□forms□do□
□□ Email□addresses□are□validated.
displayed□securely.
□□ Application□is□aware□of□small,□ □□ Uploaded□files□are□not□moved□ □□ not□reveal□email□existence.Pages□that□send□emails□are□
very□large,□zero,□and□negative□
to□a□web-accessible□directory.
throttled.
numbers.□Sci.□notation□too.
□□ Extensive□path□checks□are□
□□ Application□checks□for□...
PHP Application Security Checklist
BASIC
FILE□UPLOADS
□□ PHP□streams□are□filtered.
□□ Access□to□files□is□not□
restricted□by□hiding□the□files.
□□Remote□files□not□included□
□□ Application□verifies□file□type.
□□ Strong□passwords□are□used.
□□ User-provided□mime□type□
□□ Passwords□stored□safely.
with□include().
value□is□ignored.
□□ register_globals□is□disabled.□□ Application□analyzes□
□□ Magic□quotes□is□disabled.
AUTHENTICATION
the□content□of□files□to□
□□ display_errors□is□disabled.
determine□their□type.
□□ Server(s)□are□physically□secure.
□□Bad□password□throttling.
□□ It□is□understood□that□a□
□□ CAPTCHA□is□used.
perfectly□valid□file□can□still□ □□ SSL□used□to□prevent□MITM.
INPUT
contain□arbritrary□data.
□□ Passwords□are□not□stored□in□a□
□□Input□from□$_GET,□$_POST,□ □□ Application□checks□the□file□
cookie.
$_COOKIE,□and□$_REQUEST□
size□of□uploaded□files.
□□ Passwords□are□hashed.
is□considered□tainted.
□□ MAX_FILE_SIZE□is□not□
□□Per-user□salts□are□used.
□□ Understood□that□only□some□
depended□upon.
□□ crypt()□is□used□with□
values□in□$_SERVER□and□
□□ File□uploads□cannot□
sufficient□number□of□
$_ENV□are□untainted.“overtake”□available□space.
rounds.
□□ $_SERVER[‘PHP_SELF’]□is□
□□ Content□is□checked□for□
□□ MD5□is□not□used.
escaped□where□used.
malicious□content.
□□ Users□are□warned□about□
□□Input□data□is□validated.
□□ Application□uses□a□
obvious□password□recovery□
□□ \0□(null)□is□discarded□in□input.
malware□scanner□(if□req.).
questions.
□□ Length□of□input□is□bounded.
□□ Uploaded□HTML□files□are□ □□Account□recovery□forms□do□
□□ Email□addresses□are□validated.
displayed□securely.
□□ Application□is□aware□of□small,□ □□ Uploaded□files□are□not□moved□ □□ not□reveal□email□existence.Pages□that□send□emails□are□
very□large,□zero,□and□negative□
to□a□web-accessible□directory.
throttled.
numbers.□Sci.□notation□too.
□□ Extensive□path□checks□are□
□□ Application□checks□for□...
Leer documento completo
Regístrate para leer el documento completo.