Web Server Configuration
- Web Server and PHP Interpreter
- Handlers
- Superglobals
- Forced Browsing
- Forced Browsing: Storing Code Outside the Root
- Forced Browsing: Storing Everything in the Document Root
- Apache Caveat
- Directory Exceptions
- Run As Unprivileged User
PHP Configuration and Sandboxing
- Breaking Out of the PHP Sandbox
- OS Command Injection
- OS Command Injection: Example
- File System Access
- Path Traversal
- File System Manipulation
- disable_functions
- Handling Errors Safely
- Configuring Error Reporting
PHP Command Injection
- Dynamic Code Injection
- eval()
- Be Careful With Callbacks
- Remote and Local File Inclusion
- Injecting Code as Data
- Template Injection
- Serialization
- Using extract() in Views
- Malware Loves Dynamic Code
- The Darker Side of Magic
Using the Right Tool for the Job
- (CS)PRNG
- Native PRNGs in PHP
- Session Management
- Is Your Server-Side Check Really Server-Side?
- Don't Trust Your $_FILES
- Validate Your MIME Types Correctly
- Rename Your Uploads
- Store Your Uploads Securely
- Not Just $_FILES
- TimThumb Fiasco
SQL Injection
- SQL Injections
- Non-Malicious Input
- Malicious Input
- Parameterized Queries
- Prepared Statements
- Other Database Engines
- Validating Inputs
Mitigating Content Injection Attacks
- XSS
- Stored XSS
- Reflected XSS
- DOM-Based XSS
- Separation of Concerns
- Output Encoding
- URL Encoding
- How to Steal Credentials Using XSS
- XML Injection
- XML External Entity (XXE)
- XML Entity Expansion (XEE)
- PHP's XML Parsers
- Securing XML in PHP
- The Google Toolbar Attack
- LDAP
- LDAP Injection
- Escaping LDAP User Inputs
Password Storage
- Data Breaches
- Password Storage and Verification
- Simple Hash
- Simple Attacks
- Salted Hashes as Defense
- Adaptive One-Way Functions
- Selecting a One-Way Function
- Default Behavior and Calling Conventions
- Best Practice: Specifics of Argon2
Third-Party Components
- Problem Definition
- That Time Our Framework Didn't Protect Us
- Dependency Management 101
- To Fork or Not to Fork
- Coordinating Release
- Provenance and Distribution Integrity
- Cautionary Tale: left-pad
- Composer
- Composer Risks
- PHP's Native Extensions
- Risks of Native Extensions
- Bottom Line
- Open Source Is More Secure, Right?
Requests and Responses
- Requests and Responses
- What Triggers the Output?
- Responses and Structure
- Gotta Catch-All!
- Error Reporting Question
- Output Buffering
- Bear Traps Included!
- Redirection
- Authenticating Requests
- CSRF Tokens