{"ID":78539,"post_author":"9203512","post_date":"2019-01-04 17:51:53","post_date_gmt":"0000-00-00 00:00:00","post_content":"","post_title":"Web Application Security: A Comprehensive Overview","post_excerpt":"","post_status":"draft","comment_status":"closed","ping_status":"closed","post_password":"","post_name":"","to_ping":"","pinged":"","post_modified":"2019-01-04 17:51:53","post_modified_gmt":"2019-01-04 22:51:53","post_content_filtered":"","post_parent":0,"guid":"https:\/\/www.limsforum.com\/?post_type=ebook&p=78539","menu_order":0,"post_type":"ebook","post_mime_type":"","comment_count":"0","filter":"","_ebook_metadata":{"enabled":"on","private":"0","guid":"A36D99A7-526E-4EC1-B236-230AE1004474","title":"Web Application Security: A Comprehensive Overview","subtitle":"","cover_theme":"nico_20","cover_image":"https:\/\/www.limsforum.com\/wp-content\/plugins\/rdp-ebook-builder\/pl\/cover.php?cover_style=nico_20&subtitle=&editor=Shawn+Douglas&title=Web+Application+Security%3A+A+Comprehensive+Overview&title_image=https%3A%2F%2Fwww.limsforum.com%2Fwp-content%2Fuploads%2FWebAppSec.png&publisher=LabLynx+Press","editor":"Shawn Douglas","publisher":"LabLynx Press","author_id":"26","image_url":"","items":{"d70283bb6c626678369e40b227bfe029_type":"article","d70283bb6c626678369e40b227bfe029_title":"Authors","d70283bb6c626678369e40b227bfe029_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors","d70283bb6c626678369e40b227bfe029_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Authors\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Notes \n\n\n\n\nThe initial version of the Web Application Security Guide was written in 2011 by Jan Schejbal.\nThe main contributors to the current version are:\n\n Jan Schejbal\nOther contributors who can be seen on the version tab of each page have helped 
to improve this guide.\n\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors<\/a>\n
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 21:48.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 220 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","d70283bb6c626678369e40b227bfe029_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Authors skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Authors<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<p>The initial version of the Web Application Security Guide was written in 2011 by Jan Schejbal.\n<\/p><p>The main contributors to the current version are:\n<\/p>\n<ul><li> <a href=\"https:\/\/en.wikibooks.org\/wiki\/User:Janschejbal\" class=\"extiw\" title=\"wikibooks:User:Janschejbal\" rel=\"external_link\" target=\"_blank\">Jan Schejbal<\/a><\/li><\/ul>\n<p>Other contributors who can be seen on the version tab of each 
page have helped to improve this guide.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Authors\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225202\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.009 seconds\nReal time usage: 0.013 seconds\nPreprocessor visited node count: 11\/1000000\nPreprocessor generated node count: 70\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.098 1 - Template:TOC_right\n100.00% 3.098 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9038-0!*!*!*!en!*!* and timestamp 20190104225202 and revision id 26894\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","d70283bb6c626678369e40b227bfe029_images":[],"d70283bb6c626678369e40b227bfe029_timestamp":1546642322,"c34366918b1a832cc21cb64bb832bdbf_type":"article","c34366918b1a832cc21cb64bb832bdbf_title":"Further 
reading","c34366918b1a832cc21cb64bb832bdbf_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading","c34366918b1a832cc21cb64bb832bdbf_plaintext":"\nLII:Web Application Security Guide\/Further reading\nFrom LIMSWiki\n\nA similar guide can be found at https:\/\/wiki.mozilla.org\/WebAppSec\/Secure_Coding_Guidelines.\nOWASP provides good information about many web application security issues, with a large list of vulnerabilities to learn about and avoid.\n\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading<\/a>\n
changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 21:46.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 273 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","c34366918b1a832cc21cb64bb832bdbf_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Further_reading skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Further reading<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; 
padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<p>A similar guide can be found at <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/wiki.mozilla.org\/WebAppSec\/Secure_Coding_Guidelines\" target=\"_blank\">https:\/\/wiki.mozilla.org\/WebAppSec\/Secure_Coding_Guidelines<\/a>.\n<\/p><p><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.owasp.org\/index.php\/Main_Page\" target=\"_blank\">OWASP<\/a> provides good information about many web application security issues, with a large list of <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.owasp.org\/index.php\/Category:Vulnerability\" target=\"_blank\">vulnerabilities<\/a> to learn about and avoid.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Further_reading\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225202\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.009 seconds\nReal time usage: 0.013 seconds\nPreprocessor visited node count: 11\/1000000\nPreprocessor generated node count: 70\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.389 1 - Template:TOC_right\n100.00% 3.389 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9037-0!*!*!*!en!*!* and timestamp 20190104225202 and revision id 26893\n -->\n<\/div><div 
class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","c34366918b1a832cc21cb64bb832bdbf_images":[],"c34366918b1a832cc21cb64bb832bdbf_timestamp":1546642322,"bd543e49b7f540654591e0ff292b60c8_type":"article","bd543e49b7f540654591e0ff292b60c8_title":"SSL, TLS and HTTPS basics","bd543e49b7f540654591e0ff292b60c8_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics","bd543e49b7f540654591e0ff292b60c8_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/SSL, TLS and HTTPS basics\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 SSL, TLS and HTTPS basics \n\n1.1 For maximum security \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nSSL, TLS and HTTPS basics \nSSL\/TLS provide encryption and authentication for HTTPS.\n\nFor maximum security \n Follow SSLLabs best practices including:\n Ensure SSLv2 is disabled.\n Generate private keys for certificates yourself, do not let your CA do it.\n Use an appropriate key length (usually 2048 bit in 2013).\n If possible, disable client-initiated renegotiation.\n Consider manually limiting\/setting cipher suites.\nRationale \nSSL is easy to do and hard to do right. SSLLabs provide good guidelines that are updated when new attacks are discovered.\nThe CA has no need-to-know for your private key. 
Depending on the cipher suite used, the private key can allow adversaries to decrypt passively eavesdropped communications. Thus, even if you trust the CA, it is better to avoid any risk. Generate a key and a CSR and provide only the CSR to the CA.\nIncreasing key length increases security, but also significantly increases the CPU load for connection establishment. 1024 bit keys will not be accepted by Mozilla Firefox anymore for certificates that expire after the year 2013. 2048 bit keys should be enough for all applications for quite a few years \u2013 using larger key sizes seems to be overkill. (All information based on 2013.) Note: The large CPU overhead of connection establishment can be used by (D)DoS attackers. Such DDoS attacks are harder to detect and defend against when client-initiated renegotiation is supported.\nSSL\/TLS supports a large set of \u201ccipher suites\u201d, each defining a set of cryptographic mechanisms used to secure the connection. Some of them do provide perfect forward secrecy, some do not. (Perfect forward secrecy means that if the private key becomes available to an attacker, he cannot decrypt data that was eavesdropped before he got the key). Usually, the client (browser) and server choose a cipher suite by first exchanging which suites are mutually supported, and the client\u2019s preferred suite is then chosen. Depending on setup, the server may choose the cipher suite, ignoring the client\u2019s preference. Most defaults are reasonably sane, but for either high-speed or high-security applications, you may want to consider restricting the supported\/preferred suites to fast or high-security suites. If you want to exclude clients that do not support sufficient security (e.g. ancient \u201cexport control\u201d limited clients), make sure to disable those cipher suites. When configuring cipher suites, carefully check the setup to make sure you do not allow \u201cADH\u201d suites that do not authenticate the server! 
If you are unsure, keep the default, and always verify the effects of your settings!\n\nFurther reading \n SSL and TLS security\n Transport Layer Security\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics<\/a>\n
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 23:01.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 304 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","bd543e49b7f540654591e0ff292b60c8_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_SSL_TLS_and_HTTPS_basics skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/SSL, TLS and HTTPS basics<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"SSL.2C_TLS_and_HTTPS_basics\">SSL, TLS and HTTPS basics<\/span><\/h2>\n<p>SSL\/TLS provide encryption and authentication for HTTPS.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"For_maximum_security\">For maximum security<\/span><\/h3>\n<ul><li> <b>Follow <a rel=\"external_link\" class=\"external text\" 
href=\"https:\/\/www.ssllabs.com\/projects\/best-practices\/\" target=\"_blank\">SSLLabs best practices<\/a><\/b> including:\n<ul><li> Ensure SSLv2 is disabled.<\/li>\n<li> Generate private keys for certificates yourself, do not let your CA do it.<\/li>\n<li> Use an appropriate key length (usually 2048 bit in 2013).<\/li>\n<li> If possible, disable client-initiated renegotiation.<\/li>\n<li> Consider manually limiting\/setting cipher suites.<\/li><\/ul><\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>SSL is easy to do and hard to do right. SSLLabs provide good guidelines that are updated when new attacks are discovered.\n<\/p><p>The CA has no need-to-know for your private key. Depending on the cipher suite used, the private key can allow adversaries to decrypt passively eavesdropped communications. Thus, even if you trust the CA, it is better to avoid any risk. Generate a key and a CSR and provide only the CSR to the CA.\n<\/p><p>Increasing key length increases security, but also significantly increases the CPU load for connection establishment. 1024 bit keys will not be accepted by Mozilla Firefox anymore for certificates that expire after the year 2013. 2048 bit keys should be enough for all applications for quite a few years \u2013 using larger key sizes seems to be overkill. (All information based on 2013.) Note: The large CPU overhead of connection establishment can be used by (D)DoS attackers. Such DDoS attacks are harder to detect and defend against when client-initiated renegotiation is supported.\n<\/p><p>SSL\/TLS supports a large set of \u201ccipher suites\u201d, each defining a set of cryptographic mechanisms used to secure the connection. Some of them do provide perfect forward secrecy, some do not. (Perfect forward secrecy means that if the private key becomes available to an attacker, he cannot decrypt data that was eavesdropped before he got the key). 
Usually, the client (browser) and server choose a cipher suite by first exchanging which suites are mutually supported, and the client\u2019s preferred suite is then chosen. Depending on setup, the server may choose the cipher suite, ignoring the client\u2019s preference. Most defaults are reasonably sane, but for either high-speed or high-security applications, you may want to consider restricting the supported\/preferred suites to fast or high-security suites. If you want to exclude clients that do not support sufficient security (e.g. ancient \u201cexport control\u201d limited clients), make sure to disable those cipher suites. When configuring cipher suites, carefully check the setup to make sure you do not allow \u201cADH\u201d suites that do not authenticate the server! If you are unsure, keep the default, and always verify the effects of your settings!\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security#Security\" class=\"extiw\" title=\"wikipedia:Transport Layer Security\" rel=\"external_link\" target=\"_blank\">SSL and TLS security<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\" class=\"extiw\" title=\"wikipedia:Transport Layer Security\" rel=\"external_link\" target=\"_blank\">Transport Layer Security<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225202\nCache expiry: 86400\nDynamic 
content: false\nCPU time usage: 0.011 seconds\nReal time usage: 0.014 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.272 1 - Template:TOC_right\n100.00% 3.272 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9036-0!*!*!!en!*!* and timestamp 20190104225202 and revision id 26919\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","bd543e49b7f540654591e0ff292b60c8_images":[],"bd543e49b7f540654591e0ff292b60c8_timestamp":1546642322,"403c661fad4d263579d34b8abfd41efd_type":"article","403c661fad4d263579d34b8abfd41efd_title":"Special files","403c661fad4d263579d34b8abfd41efd_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files","403c661fad4d263579d34b8abfd41efd_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Special files\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Special files \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nSpecial files \nSpecial files 
like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml have special meanings which have to be considered before deploying such files.\n\nTo prevent this type of attack \n Know the meaning of these files.\n Ensure robots.txt does not disclose \"secret\" paths.\n Ensure crossdomain.xml and clientaccesspolicy.xml do not exist unless needed.\n If used, ensure crossdomain.xml and clientaccesspolicy.xml allow access from trusted domains only.\n Prevent users from uploading\/changing special files (see file upload vulnerabilities section).\nRationale \nSpecial files like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml define security relevant settings and rules. Knowing their meaning is necessary to use them securely.\n.htaccess influences the behaviour and security relevant settings of the web server (e.g. access rights, executable file types, ...).\nrobots.txt can be ignored by malicious or badly written robots. As this file is publicly available, an attacker can gain valuable information about \"interesting\" paths (like administration interfaces) if they are mentioned in the robots.txt file. Attackers do check this file for such content.\ncrossdomain.xml and clientaccesspolicy.xml can disable the same-origin policy in some plug-ins. Incorrect configuration leaves the site open for cross-site scripting\/cross-site request forgery attacks using plugins. Note that crossdomain.xml files are also valid if they appear in subdirectories.\n\nFurther reading \n .htaccess\n Cross-site request forgery\n robots.txt\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files<\/a>\n
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:57.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 296 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","403c661fad4d263579d34b8abfd41efd_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Special_files skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Special files<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Special_files\">Special files<\/span><\/h2>\n<p>Special files like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml have special meanings which has to be considered before deploying such files.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Know the meaning of these 
files.<\/li>\n<li> Ensure robots.txt does not disclose \"secret\" paths.<\/li>\n<li> Ensure crossdomain.xml and clientaccesspolicy.xml do not exist unless needed.<\/li>\n<li> If used, ensure crossdomain.xml and clientaccesspolicy.xml allow access from trusted domains only.<\/li>\n<li> Prevent users from uploading\/changing special files (see <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_upload_vulnerabilities\" title=\"LII:Web Application Security Guide\/File upload vulnerabilities\" target=\"_blank\" class=\"wiki-link\" data-key=\"8b3708600c87ff3258de11ce293bf1a6\">file upload vulnerabilities section<\/a>).<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Special files like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml define security relevant settings and rules. Knowing their meaning is necessary to use them securely.\n<\/p><p>.htaccess influences the behaviour and security relevant settings of the web server (e.g. access rights, executable file types, ...).\n<\/p><p>robots.txt can be ignored by malicious or badly written robots. As this file is publicly available, an attacker can gain valuable information about \"interesting\" paths (like administration interfaces) if they are mentioned in the robots.txt file. Attackers <b>do<\/b> check this file for such content.\n<\/p><p>crossdomain.xml and clientaccesspolicy.xml can disable the same-origin policy in some plug-ins. Incorrect configuration leaves the site open for cross-site scripting\/cross-site request forgery attacks using plugins. 
Note that crossdomain.xml files are also valid if they appear in subdirectories.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/.htaccess\" class=\"extiw\" title=\"wikipedia:.htaccess\" rel=\"external_link\" target=\"_blank\">.htaccess<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" class=\"extiw\" title=\"wikipedia:Cross-site request forgery\" rel=\"external_link\" target=\"_blank\">Cross-site request forgery<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Robots.txt\" class=\"extiw\" title=\"wikipedia:Robots.txt\" rel=\"external_link\" target=\"_blank\">robots.txt<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Special_files\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files<\/a><\/div>\n<!-- end content -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<!-- end of the left (by default at least) column -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","403c661fad4d263579d34b8abfd41efd_images":[],"403c661fad4d263579d34b8abfd41efd_timestamp":1546642321,"b8012faef03edbe61efc3d62e8c99377_type":"article","b8012faef03edbe61efc3d62e8c99377_title":"Prefetching and spiders","b8012faef03edbe61efc3d62e8c99377_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders","b8012faef03edbe61efc3d62e8c99377_plaintext":"LII:Web Application Security Guide\/Prefetching and spiders\nFrom LIMSWiki\n\nContents\n\n1 Prefetching and spiders \n\n1.1 To prevent this \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nPrefetching and spiders \nGET requests are not supposed\/expected to trigger actions\/changes and are happily followed by various browser mechanisms like Prefetching or Session Restore and by crawlers. This can cause unwanted actions to be triggered completely without user interaction and without the need for an attack.\n\nTo prevent this \n Use POST requests instead of GETs for anything that triggers an action.\nRationale \nGET requests can be automatically and unintentionally triggered, for example by crawlers. For example in cases of \u201cdelete\u201d buttons, this can cause a single user with aggressive Prefetching to accidentally delete everything just by opening a listing page. 
POST requests are expected to trigger actions and are handled accordingly by browsers.\n\nFurther reading \n GET\n Instruction prefetch\n POST\n Web crawler\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders<\/a>\n\nThis page was last modified on 10 August 2016, at 22:54.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","b8012faef03edbe61efc3d62e8c99377_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Prefetching_and_spiders skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Prefetching and spiders<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<!-- start content -->\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\"Prefetching_and_spiders\">Prefetching and spiders<\/span><\/h2>\n<p>GET requests are not supposed\/expected to trigger actions\/changes and are happily followed by various browser mechanisms like Prefetching or Session Restore and by crawlers. 
This can cause unwanted actions to be triggered completely without user interaction and without the need for an attack.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this\">To prevent this<\/span><\/h3>\n<ul><li> Use POST requests instead of GETs for anything that triggers an action.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>GET requests can be automatically and unintentionally triggered, for example by crawlers. For example in cases of \u201cdelete\u201d buttons, this can cause a single user with aggressive Prefetching to accidentally delete everything just by opening a listing page. POST requests are expected to trigger actions and are handled accordingly by browsers.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/GET_(HTTP)\" class=\"extiw\" title=\"wikipedia:GET (HTTP)\" rel=\"external_link\" target=\"_blank\">GET<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Instruction_prefetch\" class=\"extiw\" title=\"wikipedia:Instruction prefetch\" rel=\"external_link\" target=\"_blank\">Instruction prefetch<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/POST_(HTTP)\" class=\"extiw\" title=\"wikipedia:POST (HTTP)\" rel=\"external_link\" target=\"_blank\">POST<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_crawler\" class=\"extiw\" title=\"wikipedia:Web crawler\" rel=\"external_link\" target=\"_blank\">Web crawler<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Prefetching_and_Spiders\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" 
href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders<\/a><\/div>\n<!-- end content -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<!-- end of the left (by default at least) column -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","b8012faef03edbe61efc3d62e8c99377_images":[],"b8012faef03edbe61efc3d62e8c99377_timestamp":1546642321,"818e02e81d1025e23a43f28126eb1791_type":"article","818e02e81d1025e23a43f28126eb1791_title":"PHP-specific issues","818e02e81d1025e23a43f28126eb1791_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues","818e02e81d1025e23a43f28126eb1791_plaintext":"LII:Web Application Security Guide\/PHP-specific issues\nFrom LIMSWiki\n\nContents\n\n1 PHP-specific issues \n\n1.1 When using PHP... \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nPHP-specific issues \nWhen using the PHP language, several issues need to be considered.\n\nWhen using PHP... \n Do not use the short form \u201c<?\u201d, always use the full form \u201c<?php\u201d. \n When using the nginx web server, make sure to correctly follow the official installation instructions and pay attention to the \"Pitfalls\" page. Beware of tutorials that often contain working but insecure configuration examples.\n preg_replace can act as eval() in certain cases. Avoid passing user input to it. If you must, correctly filter and escape it.\n Use the Suhosin (including the patch, if possible) and configure it with strict rules.\n Enable suhosin.executor.disable_emodifier.\n Enable suhosin.executor.disable_eval if possible.\n Set suhosin.mail.protect to 2 if possible.\n When updating PHP to PHP 5.4 from an older version, ensure legacy applications do not rely on magic quotes for security.\nRationale \nPHP can support shortened PHP code start tags. If the option is enabled, both \"<?php\" and \"<?\" alone can start a PHP code block. However, if the option is disabled, \"<?\" will not be detected and the code will be delivered to the browser instead. This can lead to code disclosure. Using the full form ensures that the code will work correctly and won\u2019t disclose the code if the server does not support short tags.\nWhen using the nginx server, it is very easy to make critical configuration mistakes that allow users to pass image files to the PHP interpreter. See the \"Pitfalls\" page for more information. 
It also provides valuable tips that will probably save you some time hunting down phantom issues, so you should read it if you use nginx.\npreg_replace evaluates the replacement text as PHP code if the non-standard \"e\" modifier is given in the search RegExp. If an attacker can influence the RegExp to add this modifier and provide a custom replacement text, preg_replace allows arbitrary code execution. Be extremely careful when using this function; use preg_quote with a correctly set delimiter parameter for escaping when possible. If you must accept RegExp code from the user, ensure it cannot contain the delimiter (also consider attacks using malformed UTF-8, null bytes etc.) - but if possible, avoid it completely.\nSuhosin can prevent certain attacks on web applications and disable insecure functions. The patch also protects internal memory structures against certain memory corruption attacks. (Also see the feature list for a complete list of features and the official explanation why Suhosin is useful.) Suhosin improves your security, but like Web Application Firewalls, it does not magically make all applications secure.\nDisabling the e modifier prevents the above-mentioned vulnerabilities in preg_replace from being used by an attacker even if an application is vulnerable. The e modifier should never be used; an application that does not work with the e modifier disabled is broken. Banning eval may break legitimate applications. Consider running Suhosin in simulation mode first to discover (badly coded) applications that use it. Setting suhosin.mail.protect can prevent attacks that use your mail forms to send spam. (Again, use simulation mode first to determine if your applications are compatible with it.)\nMagic quotes have been removed in PHP 5.4. An application that relies on them for security will become vulnerable if the update is installed. Note that this does not mean you should not update; instead, you should fix (i.e. rewrite or delete) the application. 
Magic quotes are not a suitable way to escape input and in most cases will not protect against all attack vectors. An application that relies on magic quotes is probably ancient and\/or written without security in mind. Simply adding code that will emulate magic quotes is a bad idea.\n\nFurther reading \n PHP\n PHP security\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues<\/a>\n\nThis page was last modified on 10 August 2016, at 22:48.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","818e02e81d1025e23a43f28126eb1791_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_PHP-specific_issues skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/PHP-specific issues<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<!-- start content -->\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\"PHP-specific_issues\">PHP-specific issues<\/span><\/h2>\n<p>When using the PHP language, several issues need to be considered.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"When_using_PHP...\">When using 
PHP...<\/span><\/h3>\n<ul><li> Do not use the short form \u201c<code><?<\/code>\u201d, always use the full form \u201c<code><?php<\/code>\u201d. <\/li>\n<li> When using the nginx web server, make sure to correctly follow the <b>official<\/b> installation instructions and pay attention to the <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/wiki.nginx.org\/Pitfalls#Passing_Uncontrolled_Requests_to_PHP\" target=\"_blank\">\"Pitfalls\" page<\/a>. Beware of tutorials that often contain working but insecure configuration examples.<\/li>\n<li> <code>preg_replace<\/code> can act as <code>eval()<\/code> in certain cases. Avoid passing user input to it. If you must, correctly filter and escape it.<\/li>\n<li> Use the <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.hardened-php.net\/suhosin\/\" target=\"_blank\">Suhosin<\/a> (including the patch, if possible) and configure it with strict rules.\n<ul><li> Enable <code>suhosin.executor.disable_emodifier<\/code>.<\/li>\n<li> Enable <code>suhosin.executor.disable_eval<\/code> if possible.<\/li>\n<li> Set <code>suhosin.mail.protect<\/code> to 2 if possible.<\/li><\/ul><\/li>\n<li> When updating PHP to PHP 5.4 from an older version, ensure legacy applications do not rely on magic quotes for security.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>PHP can support shortened PHP code start tags. If the option is enabled, both \"<code><?php<\/code>\" and \"<code><?<\/code>\" alone can start a PHP code block. However, if the option is disabled, \"<code><?<\/code>\" will not be detected and the code will be delivered to the browser instead. This can lead to code disclosure. 
Using the full form ensures that the code will work correctly and won\u2019t disclose the code if the server does not support short tags.\n<\/p><p>When using the nginx server, it is very easy to make critical configuration mistakes that allow users to pass image files to the PHP interpreter. See the <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/wiki.nginx.org\/Pitfalls#Passing_Uncontrolled_Requests_to_PHP\" target=\"_blank\">\"Pitfalls\" page<\/a> for more information. It also provides valuable tips that will probably save you some time hunting down phantom issues, so you should read it if you use nginx.\n<\/p><p><code>preg_replace<\/code> evaluates the replacement text as PHP code if the non-standard \"e\" modifier is given in the search RegExp. If an attacker can influence the RegExp to add this modifier and provide a custom replacement text, <code>preg_replace<\/code> allows arbitrary code execution. Be extremely careful when using this function; use <code>preg_quote<\/code> <i>with a correctly set delimiter parameter<\/i> for escaping when possible. If you must accept RegExp code from the user, ensure it cannot contain the delimiter (also consider attacks using malformed UTF-8, null bytes etc.) - but if possible, avoid it completely.\n<\/p><p><a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.hardened-php.net\/suhosin\/\" target=\"_blank\">Suhosin<\/a> can prevent certain attacks on web applications and disable insecure functions. The patch also protects internal memory structures against certain memory corruption attacks. (Also see the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/suhosin.org\/stories\/feature-list.html\" target=\"_blank\">feature list<\/a> for a complete list of features and the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/suhosin.org\/stories\/index.html\" target=\"_blank\">official explanation why Suhosin is useful<\/a>.) 
<b>Suhosin improves your security, but like Web Application Firewalls, it does not magically make all applications secure.<\/b>\n<\/p><p>Disabling the e modifier prevents the above-mentioned vulnerabilities in preg_replace from being used by an attacker even if an application is vulnerable. The e modifier should never be used; an application that does not work with the e modifier disabled is broken. Banning eval may break legitimate applications. Consider running Suhosin in <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/suhosin.org\/stories\/configuration.html#suhosin-simulation\" target=\"_blank\">simulation mode<\/a> first to discover (badly coded) applications that use it. Setting <code>suhosin.mail.protect<\/code> can prevent attacks that use your mail forms to send spam. (Again, use <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/suhosin.org\/stories\/configuration.html#suhosin-simulation\" target=\"_blank\">simulation mode<\/a> first to determine if your applications are compatible with it.)\n<\/p><p>Magic quotes have been removed in PHP 5.4. An application that relies on them for security will become vulnerable if the update is installed. Note that this does not mean you should not update; instead, you should fix (i.e. rewrite or delete) the application. Magic quotes are not a suitable way to escape input and in most cases will not protect against all attack vectors. An application that relies on magic quotes is probably ancient and\/or written without security in mind. 
Simply adding code that will emulate magic quotes is a bad idea.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/PHP\" class=\"extiw\" title=\"wikipedia:PHP\" rel=\"external_link\" target=\"_blank\">PHP<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/PHP#Security\" class=\"extiw\" title=\"wikipedia:PHP\" rel=\"external_link\" target=\"_blank\">PHP security<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/PHP-specific_issues\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues<\/a><\/div>\n<!-- end content -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<!-- end of the left (by default at least) column -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","818e02e81d1025e23a43f28126eb1791_images":[],"818e02e81d1025e23a43f28126eb1791_timestamp":1546642321,"b4dba0a711c78dba0dbb84de5df9ccb2_type":"article","b4dba0a711c78dba0dbb84de5df9ccb2_title":"Comparison issues","b4dba0a711c78dba0dbb84de5df9ccb2_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues","b4dba0a711c78dba0dbb84de5df9ccb2_plaintext":"LII:Web Application Security Guide\/Comparison issues\nFrom LIMSWiki\n\nContents\n\n1 Comparison issues \n\n1.1 To prevent comparison issues \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nComparison issues \nWhen comparing values, know the behavior of your programming language. For example in PHP, \"==\" is a loose comparison that ignores the type and may give you unexpected behaviour. \"===\" is used for exact comparison. Using the wrong type of comparison can lead to security issues.\n\nTo prevent comparison issues \n Know comparison types in your programming language and use the correct one.\n When in doubt (especially with PHP), use a strict comparison (PHP: \"===\").\n When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other.\nRationale \nUsing a too loose comparison can easily cause security issues. 
For example, in PHP, the following will evaluate to TRUE:\n\n \"a97e8342f0\" == 0\n\nThe hex string, which could be a token or hash, is automatically parsed as an integer, and as it starts with a letter and thus cannot be parsed, the result is 0.\nAccidentally checking for strings being contained instead of checking for strings being equal can allow attackers to bypass e.g. whitelist checks.\n\nFurther reading \n Comparison (computer programming)\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues<\/a>\n\nThis page was last modified on 10 August 2016, at 22:46.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","b4dba0a711c78dba0dbb84de5df9ccb2_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Comparison_issues skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Comparison issues<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<!-- start content -->\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\"Comparison_issues\">Comparison issues<\/span><\/h2>\n<p>When comparing values, know the behavior of your 
programming language. For example, in PHP \"<code>==<\/code>\" is a loose comparison that converts both operands to a common type before comparing them and may give unexpected results; \"<code>===<\/code>\" compares type and value without any conversion. Using the wrong type of comparison can lead to security issues.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_comparison_issues\">To prevent comparison issues<\/span><\/h3>\n<ul><li> Know the comparison types in your programming language and use the correct one.<\/li>\n<li> When in doubt (especially with PHP), use a strict comparison (PHP: \"<code>===<\/code>\").<\/li>\n<li> When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Using too loose a comparison can easily cause security issues. For example, in PHP 7 and earlier the following evaluates to <code>TRUE<\/code>:\n<\/p>\n<pre> <code>"a97e8342f0" == 0<\/code>\n<\/pre>\n<p>For the loose comparison the hex string, which could be a token or hash, is converted to an integer; because it starts with a letter it is not a numeric string, the conversion yields 0, and 0 == 0 holds. PHP 8.0 changed this rule so that a non-numeric string is compared with an integer as a string, which makes this particular expression <code>FALSE<\/code>. The underlying problem remains, however: two numeric-looking strings such as <code>\"0e123\"<\/code> and <code>\"0e456\"<\/code> are still compared as numbers (both are the float 0) and are therefore <code>==<\/code> in every PHP version, even though they are different strings.\n<\/p><p>Accidentally checking whether one string contains another instead of checking that the strings are equal can allow attackers to bypass e.g. 
whitelist checks.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Relational_operator\" class=\"extiw\" title=\"wikipedia:Relational operator\" rel=\"external_link\" target=\"_blank\">Comparison (computer programming)<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Comparison_issues\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225201\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.012 seconds\nReal time usage: 0.021 seconds\nPreprocessor visited node count: 63\/1000000\nPreprocessor generated node count: 166\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 4.064 1 - Template:TOC_right\n100.00% 4.064 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9032-0!*!*!!en!*!* and timestamp 20190104225201 and revision id 26915\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left 
(by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","b4dba0a711c78dba0dbb84de5df9ccb2_images":[],"b4dba0a711c78dba0dbb84de5df9ccb2_timestamp":1546642321,"c41630a44a94b431fbb84b36260b3bbe_type":"article","c41630a44a94b431fbb84b36260b3bbe_title":"Password security","c41630a44a94b431fbb84b36260b3bbe_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security","c41630a44a94b431fbb84b36260b3bbe_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Password security\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Password security \n\n1.1 To keep password-based login mechanisms secure \n1.2 Rationale \n\n\n2 Further reading \n3 References \n4 Notes \n\n\n\n\nPassword security \nMost web applications use username\/password combinations to manage access.\n\nTo keep password-based login mechanisms secure \n Do not store plain-text passwords; store only hashes.\n Use scrypt, bcrypt, or some other hashing algorithm specifically designed for secure password \"storage\".[1][2]\n Use a secure hashing algorithm (e.g. SHA-256 as of 2011).\n Use per-user salts.\n Use strengthening (i.e. multi-iteration hashing to slow down brute force attempts).\n Limit login attempts per IP (not per user account).\n Enforce reasonable, but not too strict, password policies.\n If a password reset process is implemented, make sure it has adequate security. Questions like \u201cmother\u2019s maiden name\u201d can often be guessed by attackers and are not sufficient.\nRationale \nUsers re-use passwords for multiple services. If an attacker gains access to one server and can gain a list of passwords, he may be able to use this password to attack other services. Therefore, only password hashes may be stored. 
Secure hashing algorithms are easy to use in most languages and ensure that the original password cannot be recovered from the stored value and that wrong passwords are not falsely accepted.\nAdding a per-user salt to each password hash prevents the use of rainbow tables and forces an attacker to attack every hash separately instead of testing each guess against all stolen hashes at once. Strengthening slows both off-line brute-force attacks against stolen hashes and on-line brute-force attacks in case the rate limiting fails. However, it increases CPU load on the server and would open a vector for DDoS attacks if not prevented with login attempt limiting. Good strengthening can slow down off-line brute-force attacks by a factor of 10000 or more. Note that a general-purpose hash such as SHA-256 is only acceptable as the building block of such a slow construction (e.g. PBKDF2); bcrypt, scrypt or Argon2 are designed for this purpose and are preferable.\nLimiting login attempts is necessary to prevent on-line brute-force attacks and DoS via the CPU usage of the password strengthening procedure. Without a limit, an attacker can try a very large number of passwords directly against the server. Assuming 100 attempts per second, which is reasonable for a normal web server, no significant strengthening and an attacker working with multiple threads, this adds up to 259,200,000 passwords tried in a single month (100 \u00d7 60 \u00d7 60 \u00d7 24 \u00d7 30).\nNot enforcing any password policy will lead to too many users choosing \u201c123456\u201d, \u201cqwerty\u201d or \u201cpassword\u201d as their password, opening the system up for attack. Enforcing too strict a password policy will force users to save passwords or write them down, generally annoy them and encourage re-use of the same password for all services. Furthermore, users who already use strong passwords that do not match the policy may be forced to switch to passwords that are harder to remember but not necessarily more secure. A password consisting of 5 concatenated, randomly (!) chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed case letters, numbers and punctuation. 
Take this into account if you are not given a password policy to implement but have to design your own.\nIf an attacker cannot obtain the password, he may try to reset it. Often, answers to password reset questions are easy to find or guess. Questions alone are not sufficient protection. Consider combining a question with e-mail verification, for example by sending a single-use temporary password or reset link to the registered address.\n\nFurther reading \n Password policy\n Password strength\nReferences \n\n\u2191 Nielsen, P.M. (6 June 2012). \"Storing Passwords Securely\". Patrick on. https:\/\/patrickmn.com\/security\/storing-passwords-securely\/. Retrieved 10 August 2016.\n\n\u2191 \"Cryptography\/Secure Passwords\". Cryptography. WikiBooks. 23 September 2015. https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords. Retrieved 10 August 2016.\n\n\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t 
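The password-storage and rate-limiting recommendations of this article, as an added example in PHP (the guide's own example language). This is editor-added code, not code from the guide or its Wikibooks source. It hashes with password_hash() using bcrypt, which generates the per-user salt and applies the strengthening (cost factor) internally, verifies with password_verify(), upgrades the cost over time with password_needs_rehash(), and runs a per-IP attempt limiter before the expensive hash is computed. BCRYPT_COST, MAX_ATTEMPTS, WINDOW_SECONDS, the sample password and the client IP are choices made for this example, and the in-memory $attempts array stands in for a store shared across web-server processes.

```php
<?php
// Added example, not part of the guide: password storage with PHP's
// password_* API (bcrypt: per-user random salt and an adjustable work
// factor are built in) plus a per-IP login attempt limiter. The limiter
// keeps its counters in a plain array ($attempts) purely for illustration;
// a real deployment needs a store shared by all web-server processes
// (database, cache) so the limit survives across requests.
declare(strict_types=1);

const BCRYPT_COST    = 12;    // each +1 doubles the time per hash
const MAX_ATTEMPTS   = 20;    // allowed per source IP per window
const WINDOW_SECONDS = 600;

// Store only the hash. password_hash() draws a random salt and embeds
// algorithm, cost and salt in the returned string (60 chars for bcrypt).
// Caveat: bcrypt only looks at the first 72 bytes of the password.
function storePasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// password_verify() re-derives the hash with the embedded parameters and
// compares in constant time: wrong passwords are rejected, and the
// comparison itself does not leak timing information.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Raise the work factor over time: after a successful login, re-hash if
// the stored hash was produced with weaker parameters than the policy.
function rehashIfNeeded(string $password, string $storedHash): ?string
{
    $policy = ['cost' => BCRYPT_COST];
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, $policy)
        ? storePasswordHash($password)
        : null;
}

// Per-IP limiting (not per account, so an attacker cannot lock users out).
// Must run BEFORE the expensive hash computation, otherwise the work factor
// itself becomes a CPU denial-of-service vector.
function allowLoginAttempt(array &$attempts, string $ip, int $now): bool
{
    $window = $attempts[$ip] ?? ['start' => $now, 'count' => 0];
    if ($now - $window['start'] >= WINDOW_SECONDS) {
        $window = ['start' => $now, 'count' => 0];     // window expired
    }
    $window['count']++;
    $attempts[$ip] = $window;
    return $window['count'] <= MAX_ATTEMPTS;
}

// --- demonstration: registration, then a rate-limited login --------------
$attempts   = [];
$storedHash = storePasswordHash('correct horse battery staple');  // constructed
$clientIp   = '203.0.113.7';                                       // constructed
$candidate  = 'correct horse battery staple';

if (!allowLoginAttempt($attempts, $clientIp, time())) {
    echo "too many attempts from {$clientIp}\n";
} elseif (checkPassword($candidate, $storedHash)) {
    echo "login ok\n";
    if (($upgraded = rehashIfNeeded($candidate, $storedHash)) !== null) {
        $storedHash = $upgraded;     // persist the upgraded hash
    }
} else {
    echo "login rejected\n";
}
```

The order of the checks is the point: the limiter is consulted first, so an attacker who floods the login endpoint is cut off before the server spends a bcrypt computation per request. Raising BCRYPT_COST by one doubles the cost of both the attacker's off-line guessing and your own login handling, so measure the hashing time on the production hardware before choosing it.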
\n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:44.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 258 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","c41630a44a94b431fbb84b36260b3bbe_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Password_security skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Password security<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div 
id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Password_security\">Password security<\/span><\/h2>\n<p>Most web applications use username\/password combinations to manage access.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_keep_password-based_login_mechanisms_secure\">To keep password-based login mechanisms secure<\/span><\/h3>\n<ul><li> Do not store plain-text passwords; store only hashes.<\/li>\n<li> Use scrypt, bcrypt, or some other hashing algorithm specifically designed for secure password \"storage\".<sup id=\"rdp-ebb-cite_ref-NielsenStoring12_1-0\" class=\"reference\"><a href=\"#cite_note-NielsenStoring12-1\" rel=\"external_link\">[1]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-CryptWB_2-0\" class=\"reference\"><a href=\"#cite_note-CryptWB-2\" rel=\"external_link\">[2]<\/a><\/sup><\/li>\n<li> Use a secure hashing algorithm (e.g. <a href=\"https:\/\/en.wikipedia.org\/wiki\/SHA-256\" class=\"extiw\" title=\"wikipedia:SHA-256\" rel=\"external_link\" target=\"_blank\">SHA-256<\/a> as of 2011).<\/li>\n<li> Use per-user salts.<\/li>\n<li> Use strengthening (i.e. multi-iteration hashing to slow down brute force attempts).<\/li>\n<li> Limit login attempts per IP (not per user account).<\/li>\n<li> Enforce reasonable, but not too strict, password policies.<\/li>\n<li> If a password reset process is implemented, make sure it has adequate security. Questions like \u201cmother\u2019s maiden name\u201d can often be guessed by attackers and are not sufficient.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Users re-use passwords for multiple services. 
If an attacker gains access to one server and obtains its list of passwords, he may be able to use them to attack other services. Therefore, only password hashes may be stored. Secure hashing algorithms are easy to use in most languages and ensure that the original password cannot be recovered from the stored value and that wrong passwords are not falsely accepted.\n<\/p><p>Adding a per-user salt to each password hash prevents the use of rainbow tables and forces an attacker to attack every hash separately instead of testing each guess against all stolen hashes at once. Strengthening slows both off-line brute-force attacks against stolen hashes and on-line brute-force attacks in case the rate limiting fails. However, it increases CPU load on the server and would open a vector for DDoS attacks if not prevented with login attempt limiting. Good strengthening can slow down off-line brute-force attacks by a factor of 10000 or more. Note that a general-purpose hash such as SHA-256 is only acceptable as the building block of such a slow construction (e.g. PBKDF2); bcrypt, scrypt or Argon2 are designed for this purpose and are preferable.\n<\/p><p>Limiting login attempts is necessary to prevent on-line brute-force attacks and DoS via the CPU usage of the password strengthening procedure. Without a limit, an attacker can try a very large number of passwords directly against the server. Assuming 100 attempts per second, which is reasonable for a normal web server, no significant strengthening and an attacker working with multiple threads, this adds up to 259,200,000 passwords tried in a single month (100 \u00d7 60 \u00d7 60 \u00d7 24 \u00d7 30).\n<\/p><p>Not enforcing any password policy will lead to too many users choosing \u201c123456\u201d, \u201cqwerty\u201d or \u201cpassword\u201d as their password, opening the system up for attack. Enforcing too strict a password policy will force users to save passwords or write them down, generally annoy them and encourage re-use of the same password for all services. Furthermore, users who already use strong passwords that do not match the policy may be forced to switch to passwords that are harder to remember but not necessarily more secure. A password consisting of 5 concatenated, randomly (!) 
chosen lowercase dictionary words is significantly more secure than an eight-character password consisting of mixed case letters, numbers and punctuation. Take this into account if you are not given a password policy to implement but have to design your own.\n<\/p><p>If an attacker cannot obtain the password, he may try to reset it. Often, answers to password reset questions are easy to find or guess. Questions alone are not sufficient protection. Consider combining a question with e-mail verification, for example by sending a single-use temporary password or reset link to the registered address.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Password_policy\" class=\"extiw\" title=\"wikipedia:Password policy\" rel=\"external_link\" target=\"_blank\">Password policy<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Password_strength\" class=\"extiw\" title=\"wikipedia:Password strength\" rel=\"external_link\" target=\"_blank\">Password strength<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<ol class=\"references\">\n<li id=\"cite_note-NielsenStoring12-1\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-NielsenStoring12_1-0\" rel=\"external_link\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">Nielsen, P.M. (6 June 2012). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/patrickmn.com\/security\/storing-passwords-securely\/\" target=\"_blank\">\"Storing Passwords Securely\"<\/a>. <i>Patrick on<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/patrickmn.com\/security\/storing-passwords-securely\/\" target=\"_blank\">https:\/\/patrickmn.com\/security\/storing-passwords-securely\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 10 August 2016<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Storing+Passwords+Securely&rft.atitle=Patrick+on&rft.aulast=Nielsen%2C+P.M.&rft.au=Nielsen%2C+P.M.&rft.date=06+June+2012&rft_id=https%3A%2F%2Fpatrickmn.com%2Fsecurity%2Fstoring-passwords-securely%2F&rfr_id=info:sid\/en.wikipedia.org:LII:Web_Application_Security_Guide\/Password_security\"><span style=\"display: none;\"> <\/span><\/span><\/span>\n<\/li>\n<li id=\"cite_note-CryptWB-2\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-CryptWB_2-0\" rel=\"external_link\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords\" target=\"_blank\">\"Cryptography\/Secure Passwords\"<\/a>. <i>Cryptography<\/i>. WikiBooks. 23 September 2015<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords\" target=\"_blank\">https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 10 August 2016<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Cryptography%2FSecure+Passwords&rft.atitle=Cryptography&rft.date=23+September+2015&rft.pub=WikiBooks&rft_id=https%3A%2F%2Fen.wikibooks.org%2Fwiki%2FCryptography%2FSecure_Passwords&rfr_id=info:sid\/en.wikipedia.org:LII:Web_Application_Security_Guide\/Password_security\"><span style=\"display: none;\"> <\/span><\/span><\/span>\n<\/li>\n<\/ol>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Password_security\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225200\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.068 seconds\nReal time usage: 0.079 seconds\nPreprocessor visited node count: 1251\/1000000\nPreprocessor generated node count: 11485\/1000000\nPost\u2010expand include size: 7273\/2097152 bytes\nTemplate argument size: 2571\/2097152 bytes\nHighest expansion depth: 11\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 67.144 1 - -total\n 79.43% 53.330 2 - Template:Cite_web\n 71.23% 47.825 2 - Template:Citation\/core\n 6.84% 4.590 4 - Template:Citation\/make_link\n 4.57% 3.071 1 - Template:TOC_right\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9031-0!*!*!!en!*!* and timestamp 20190104225200 and revision id 26914\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","c41630a44a94b431fbb84b36260b3bbe_images":[],"c41630a44a94b431fbb84b36260b3bbe_timestamp":1546642320,"e6b3471eef8a0699b4a146f6d9ddfeee_type":"article","e6b3471eef8a0699b4a146f6d9ddfeee_title":"Truncation attacks, trimming attacks","e6b3471eef8a0699b4a146f6d9ddfeee_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks","e6b3471eef8a0699b4a146f6d9ddfeee_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Truncation attacks, trimming attacks\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Truncation attacks, trimming attacks \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nTruncation attacks, trimming attacks \nTruncating input can be problematic if the truncation affects comparisons (e.g. checking a user name against a blacklist before truncation, and then truncating the name to perform the login). Values stored in SQL columns can be silently truncated to the column's declared length, and overlong query strings can be cut off; both can give a statement a significantly different meaning (e.g. cutting off part of a WHERE clause, or turning \"admin\" followed by padding into a second row that later compares equal to the real \"admin\").\nStrings can also be automatically trimmed (leading\/trailing whitespace removed), leading to the same vulnerabilities (e.g. checking the input \"eviluser\u2423\" against the blacklist, then logging in \"eviluser\"). 
Databases may do such trimming automatically: MySQL, for example, ignores trailing spaces when comparing CHAR and VARCHAR values under PAD SPACE collations (the only kind available before MySQL 8.0).\n\nTo prevent this type of attack \n Avoid truncating input. Treat overlong input as an error instead.\n If truncation is necessary, make sure to check the value after truncation and use only the truncated value.\n Make sure trimming does not occur, or that all checks are done on the trimmed value.\n Introduce length checks.\n Take encoding into account: the byte length and the character length of a string differ.\n Make sure the database treats truncated values as errors, e.g. by setting an appropriate sql_mode in MySQL (STRICT_ALL_TABLES or STRICT_TRANS_TABLES).\nRationale \nAvoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to having received the truncated value in the first place. The same rules apply to trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte length and the character length of a UTF-8 string may differ, and a limit enforced in characters can still exceed a limit the database enforces in bytes. Setting the sql_mode so that truncation causes an error ensures that truncation cannot be abused to modify data or queries. 
However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner.\n\nFurther reading \n Data truncation\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n 
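The check-then-truncate problem described in this article, as an added example in PHP (the guide's own example language). This is editor-added code, not code from the guide or its Wikibooks source. It simulates a VARCHAR(8) column and MySQL's trailing-space-insensitive comparison to show how a padded name slips past a blacklist, then the fixed flow that normalises first, rejects overlong input, and checks the value that will actually be stored; configureStrictSql() shows the sql_mode setting for a real MySQL connection through PDO. The column length, the blacklist and the sample names are constructed for the example, and the two db* functions are a stand-in for the database, not a real driver.

```php
<?php
// Added example, not part of the guide: the check-then-truncate bug and
// its fix. The database is simulated: dbStoreLenient() truncates to a
// constructed VARCHAR(8) column as MySQL does without a strict sql_mode,
// and dbEquals() ignores trailing spaces as MySQL PAD SPACE collations do.
// configureStrictSql() shows the real-database counterpart through PDO.
// $blacklist and COLUMN_LENGTH are values chosen for this example.
declare(strict_types=1);

const COLUMN_LENGTH = 8;                 // simulated VARCHAR(8)
$blacklist = ['admin', 'root'];           // constructed reserved names

// --- simulated database behaviour -----------------------------------------
function dbStoreLenient(string $value): string
{
    return mb_substr($value, 0, COLUMN_LENGTH, 'UTF-8');   // silent truncation
}

function dbEquals(string $a, string $b): bool
{
    return rtrim($a, ' ') === rtrim($b, ' ');     // trailing spaces ignored
}

// --- vulnerable flow ------------------------------------------------------
// The blacklist is checked on the raw input, then the value is stored
// truncated: "admin   x" is not "admin", is cut to "admin   ", and from
// then on compares equal to "admin" in the database.
function registerVulnerable(string $username, array $blacklist): string
{
    if (in_array($username, $blacklist, true)) {
        throw new InvalidArgumentException('reserved name');
    }
    return dbStoreLenient($username);
}

// --- fixed flow -----------------------------------------------------------
// 1. Normalise (trim) first, then run every check on the value that will
//    actually be stored and used.
// 2. Reject overlong input instead of truncating. Measure in characters
//    AND bytes: "ü" is 1 character but 2 bytes in UTF-8, and a column
//    limit may be enforced in either unit.
// 3. Compare the way the database will compare.
function registerFixed(string $username, array $blacklist): string
{
    $name = trim($username);
    if ($name === '' || mb_strlen($name, 'UTF-8') > COLUMN_LENGTH
        || strlen($name) > 4 * COLUMN_LENGTH) {
        throw new InvalidArgumentException('name must be 1-' . COLUMN_LENGTH . ' characters');
    }
    foreach ($blacklist as $reserved) {
        if (dbEquals($name, $reserved)) {
            throw new InvalidArgumentException('reserved name');
        }
    }
    return $name;
}

// --- real database: make truncation an error, not a warning --------------
// MySQL: STRICT_ALL_TABLES (or STRICT_TRANS_TABLES) turns "Data too long"
// into an error. Set it per connection so the application does not depend
// on the server's global configuration.
function configureStrictSql(PDO $pdo): void
{
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("SET SESSION sql_mode = 'STRICT_ALL_TABLES'");
}

// --- demonstration with the simulated column ------------------------------
$attack = 'admin   x';        // 9 chars: passes the raw check, truncates to "admin   "
$stored = registerVulnerable($attack, $blacklist);
printf("vulnerable: stored \"%s\", equals admin in DB: %s\n",
    $stored, var_export(dbEquals($stored, 'admin'), true));

foreach ([$attack, 'admin ', 'alice'] as $name) {
    try {
        printf("fixed: accepted \"%s\"\n", registerFixed($name, $blacklist));
    } catch (InvalidArgumentException $e) {
        printf("fixed: rejected \"%s\" (%s)\n", $name, $e->getMessage());
    }
}
```

With a strict sql_mode the INSERT of the padded name fails instead of silently storing a truncated duplicate; the application must then treat that failure as a rejected registration, not retry with a shortened value, or the attack is simply reintroduced one layer up.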
\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:42.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 401 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","e6b3471eef8a0699b4a146f6d9ddfeee_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Truncation_attacks_trimming_attacks skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Truncation attacks, trimming attacks<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Truncation_attacks.2C_trimming_attacks\">Truncation attacks, trimming attacks<\/span><\/h2>\n<p>Truncating input can be problematic if the truncation affects comparisons (e.g. checking users against a blacklist before truncation, and then truncating the name to perform the login). 
Values stored in SQL columns can be silently truncated to the column's declared length, and overlong query strings can be cut off; both can give a statement a significantly different meaning (e.g. cutting off part of a <code>WHERE<\/code> clause, or turning \"<tt>admin<\/tt>\" followed by padding into a second row that later compares equal to the real \"<tt>admin<\/tt>\").\nStrings can also be automatically trimmed (leading\/trailing whitespace removed), leading to the same vulnerabilities (e.g. checking the input \"<tt>eviluser\u2423<\/tt>\" against the blacklist, then logging in \"<tt>eviluser<\/tt>\"). Databases may do such trimming automatically: MySQL, for example, ignores trailing spaces when comparing <tt>CHAR<\/tt> and <tt>VARCHAR<\/tt> values under PAD SPACE collations (the only kind available before MySQL 8.0).\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Avoid truncating input. Treat overlong input as an error instead.<\/li>\n<li> If truncation is necessary, make sure to check the value after truncation and use only the truncated value.<\/li>\n<li> Make sure trimming does not occur, or that all checks are done on the trimmed value.<\/li>\n<li> Introduce length checks.\n<ul><li> Take encoding into account: the byte length and the character length of a string differ.<\/li><\/ul><\/li>\n<li> Make sure the database treats truncated values as errors, e.g. by setting an appropriate <tt>sql_mode<\/tt> in MySQL (<tt>STRICT_ALL_TABLES<\/tt> or <tt>STRICT_TRANS_TABLES<\/tt>).<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Avoiding truncation makes sure no issues can arise. If truncation is applied, performing all necessary checks after the truncation and using only the truncated value is equivalent to having received the truncated value in the first place. The same rules apply to trimming. Length checks prevent unexpected truncation due to length limits. Encoding needs to be taken into account because the byte length and the character length of a UTF-8 string may differ, and a limit enforced in characters can still exceed a limit the database enforces in bytes. Setting the <tt>sql_mode<\/tt> so that truncation causes an error ensures that truncation cannot be abused to modify data or queries. 
However, the resulting errors can still cause queries to fail unexpectedly, which should be handled in a secure manner.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Data_truncation\" class=\"extiw\" title=\"wikipedia:Data truncation\" rel=\"external_link\" target=\"_blank\">Data truncation<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225200\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.010 seconds\nReal time usage: 0.014 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.055 1 - Template:TOC_right\n100.00% 3.055 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9030-0!*!*!!en!*!* and timestamp 20190104225200 and revision id 26913\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content 
-->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","e6b3471eef8a0699b4a146f6d9ddfeee_images":[],"e6b3471eef8a0699b4a146f6d9ddfeee_timestamp":1546642320,"7c040f2ac67d7ff8ac0517c25531ccc2_type":"article","7c040f2ac67d7ff8ac0517c25531ccc2_title":"Session stealing","7c040f2ac67d7ff8ac0517c25531ccc2_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing","7c040f2ac67d7ff8ac0517c25531ccc2_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Session stealing\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Session stealing \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nSession stealing \nAn attacker who is able to obtain or guess the session ID can steal the session and abuse the privileges of the user.\n\nTo prevent this type of attack \n Set the \u201cHttpOnly\u201d attribute for session cookies.\n Generate random session IDs with secure randomness and sufficient length.\n Do not leak session IDs.\nRationale \nSetting the \u201cHttpOnly\u201d attribute on cookies prevents them from being read using JavaScript. This makes it harder to perform successful XSS attacks. Random, secure session IDs prevent the attacker from guessing a valid session ID. Ensuring that session IDs do not leak, for example in Referer information, copied links and HTML content from the site etc. 
makes sure that the attacker cannot obtain the session ID in this way.\n\nFurther reading \n Session hijacking\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n 
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:39.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 358 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","7c040f2ac67d7ff8ac0517c25531ccc2_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Session_stealing skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Session stealing<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Session_stealing\">Session stealing<\/span><\/h2>\n<p>An attacker who is able to obtain or guess the session ID can steal the session and abuse the privileges of the user.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Set the \u201cHttpOnly\u201d attribute for session 
cookies.<\/li>\n<li> Generate random session IDs with secure randomness and sufficient length.<\/li>\n<li> Do not leak session IDs.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Setting the \u201cHttpOnly\u201d attribute on cookies prevents them from being read using JavaScript. This makes it harder to perform successful XSS attacks. Random, secure session IDs prevent the attacker from guessing a valid session ID. Ensuring that session IDs do not leak, for example in Referer information, copied links and HTML content from the site etc. makes sure that the attacker cannot obtain the session ID in this way.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Session_hijacking\" class=\"extiw\" title=\"wikipedia:Session hijacking\" rel=\"external_link\" target=\"_blank\">Session hijacking<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Session_stealing\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225200\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.010 seconds\nReal time usage: 0.013 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 2.903 1 - Template:TOC_right\n100.00% 2.903 
1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9029-0!*!*!!en!*!* and timestamp 20190104225200 and revision id 26912\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","7c040f2ac67d7ff8ac0517c25531ccc2_images":[],"7c040f2ac67d7ff8ac0517c25531ccc2_timestamp":1546642320,"9fb164a42840c24a5ae22cf9d7f16827_type":"article","9fb164a42840c24a5ae22cf9d7f16827_title":"Session fixation","9fb164a42840c24a5ae22cf9d7f16827_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation","9fb164a42840c24a5ae22cf9d7f16827_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Session fixation\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Session fixation \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nSession fixation \nIn a session fixation attack, an attacker creates an unauthenticated session and then tricks a user to use and authenticate the session. 
As soon as the user has authenticated, the attacker can then use the session, as he knows the session id.\n\nTo prevent this type of attack \n Regenerate (change) the session ID as soon as the user logs in (destroying the old session).\n Prevent the attacker from making the user use his session by accepting session IDs only from cookies, not from GET or POST parameters (PHP: php.ini setting \u201csession.use_only_cookies\u201d).\nRationale \nRegenerating the ID makes the old session ID worthless to the attacker. Even if the attacker manages to fix a session, his session will never be authenticated. The second countermeasure is aimed at making it impossible to fix the session. However, XSS or similar issues with other applications on the same domain (not necessarily sub-domain!) may allow attackers to set false cookies.\n\nFurther reading \n Session fixation\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom 
page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:38.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 294 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","9fb164a42840c24a5ae22cf9d7f16827_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Session_fixation skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Session fixation<\/h1>\n\t\t\t\t\n\t\t\t\t<div 
id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Session_fixation\">Session fixation<\/span><\/h2>\n<p>In a session fixation attack, an attacker creates an unauthenticated session and then tricks a user to use and authenticate the session. As soon as the user has authenticated, the attacker can then use the session, as he knows the session id.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Regenerate (change) the session ID as soon as the user logs in (destroying the old session).<\/li>\n<li> Prevent the attacker from making the user use his session by accepting session IDs only from cookies, not from GET or POST parameters (PHP: php.ini setting \u201c<tt>session.use_only_cookies<\/tt>\u201d).<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Regenerating the ID makes the old session ID worthless to the attacker. Even if the attacker manages to fix a session, his session will never be authenticated. The second countermeasure is aimed at making it impossible to fix the session. However, XSS or similar issues with other applications on the same domain (not necessarily sub-domain!) 
may allow attackers to set false cookies.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Session_fixation\" class=\"extiw\" title=\"wikipedia:Session fixation\" rel=\"external_link\" target=\"_blank\">Session fixation<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Session_fixation\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225200\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.009 seconds\nReal time usage: 0.013 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.164 1 - Template:TOC_right\n100.00% 3.164 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9028-0!*!*!!en!*!* and timestamp 20190104225200 and revision id 26911\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by 
default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","9fb164a42840c24a5ae22cf9d7f16827_images":[],"9fb164a42840c24a5ae22cf9d7f16827_timestamp":1546642319,"08ea7349146b981be92d29df45ea3c22_type":"article","08ea7349146b981be92d29df45ea3c22_title":"Insecure data transfer","08ea7349146b981be92d29df45ea3c22_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer","08ea7349146b981be92d29df45ea3c22_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Insecure data transfer\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Insecure data transfer \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nInsecure data transfer \nData transferred unencrypted can be sniffed. This can not only give an attacker valuable information, but also the content of session cookies, allowing him to hijack a session. Additionally, non-secure communication can be modified by an attacker.\n\nTo prevent this type of attack \n Use SSL\/TLS (https) for any and all data transfer.\n Do not start communicating via http, only redirecting to https when \u201cneeded\u201d.\n Mark cookies with the \u201csecure\u201d attribute.\n Use the Strict-Transport-Security header where possible.\n Educate users to visit the https:\/\/ URL directly.\n If your web application performs HTTPS requests, make sure it verifies the certificate and host name.\n Consider limiting trusted CAs if connecting to internal servers.\nRationale \nUsing https ensures all data transfer is encrypted and the server is authenticated. Redirects sent on unencrypted pages can be removed or modified by the attacker. 
Thus, the transition from plain http to https can be sabotaged, making any plain http communication before switching to https dangerous. Marking the cookies secure-only ensures they are never transferred via unencrypted connections to prevent sniffing.\nThe STS header ensures that after the first visit, even if users visit the http:\/\/ URL, the request is performed via secure https. This prevents attacks like the SSLstrip attack on the unencrypted redirect. Educating the user to visit the https:\/\/ URL directly provides this protection for the first request and browsers that do not support STS and thus ignore the header. This education can be supported by serving nothing or only an information page without a clickable link on port 80 to force users to enter the correct URL and remove the incentive to be lazy and omit the \u201chttps:\/\/\u201d.\nIn some web applications, the web server performs HTTPS requests (for example when fetching or pushing data to APIs or running the OpenID or OAuth protocols). HTTPS is only secure if the software initiating the connection (i.e. your web application) correctly verifies the remote certificate:\n\n Checks if the certificate is still valid\n Checks if the certificate is signed by a trusted CA (a list of trusted CAs is needed)\n Checks if the hostname you are connecting to matches the name in the certificate (the wrapper performing the SSL handling needs access to the host name)\nSome libraries do not do this by default, making HTTPS connections insecure! Consider it suspicious if you are not required to provide a list of trusted CAs, or it looks like the SSL wrapper does not have access to the host name you are connecting to. To test for this issue, attempt to connect to a host that uses a non-expired self-signed certificate, then attempt to connect to a host that uses a valid certificate, but use a different hostname (e.g. address the host by its IP address) than the one specified in the certificate. 
If either of these connections succeed, your library\/configuration is insecure.\nIn PHP, both standard ways to perform HTTP(S) requests have issues: The cURL library doesn't check certificates by default if used with cURL below version 7.10. The Stream API always requires explicit configuration (affecting all functions using url_fopen, e.g. fopen(), file(), file_get_contents()). For cURL, set CURLOPT_SSL_VERIFYPEER and CURLOPT_CAINFO. For the Stream API, use a stream context with the verify_peer, CN_match and cafile SSL context options.\nIf you are connecting to internal servers, consider limiting the list of trusted CAs to the CA you are using. This reduces the risk from compromised\/malicious CAs. The default CA bundles often include CAs which you may not consider trustworthy, e.g. the Chinese internet authority CNNIC.\n\nFurther reading \n Encryption\n HTTPS\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom 
page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:36.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 296 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","08ea7349146b981be92d29df45ea3c22_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Insecure_data_transfer skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Insecure data transfer<\/h1>\n\t\t\t\t\n\t\t\t\t<div 
id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Insecure_data_transfer\">Insecure data transfer<\/span><\/h2>\n<p>Data transferred unencrypted can be sniffed. This can not only give an attacker valuable information, but also the content of session cookies, allowing him to hijack a session. Additionally, non-secure communication can be modified by an attacker.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Use SSL\/TLS (https) for any and all data transfer.<\/li>\n<li> Do <b>not<\/b> start communicating via http, only redirecting to https when \u201cneeded\u201d.<\/li>\n<li> Mark cookies with the \u201csecure\u201d attribute.<\/li>\n<li> Use the Strict-Transport-Security header where possible.<\/li>\n<li> Educate users to visit the <tt>https:\/\/<\/tt> URL directly.<\/li>\n<li> If your web application performs HTTPS requests, make sure it verifies the certificate and host name.\n<ul><li> Consider limiting trusted CAs if connecting to internal servers.<\/li><\/ul><\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Using https ensures all data transfer is encrypted and the server is authenticated. Redirects sent on unencrypted pages can be removed or modified by the attacker. Thus, the transition from plain http to https can be sabotaged, making any plain http communication before switching to https dangerous. 
Marking the cookies secure-only ensures they are never transferred via unencrypted connections to prevent sniffing.\n<\/p><p>The STS header ensures that after the first visit, even if users visit the <tt>http:\/\/<\/tt> URL, the request is performed via secure https. This prevents attacks like the SSLstrip attack on the unencrypted redirect. Educating the user to visit the <tt>https:\/\/<\/tt> URL directly provides this protection for the first request and browsers that do not support STS and thus ignore the header. This education can be supported by serving nothing or only an information page without a clickable link on port 80 to force users to enter the correct URL and remove the incentive to be lazy and omit the \u201c<tt>https:\/\/<\/tt>\u201d.\n<\/p><p>In some web applications, the web server performs HTTPS requests (for example when fetching or pushing data to APIs or running the OpenID or OAuth protocols). HTTPS is only secure if the software initiating the connection (i.e. your web application) correctly verifies the remote certificate:\n<\/p>\n<ul><li> Checks if the certificate is still valid<\/li>\n<li> Checks if the certificate is signed by a trusted CA (a list of trusted CAs is needed)<\/li>\n<li> Checks if the hostname you are connecting to matches the name in the certificate (the wrapper performing the SSL handling needs access to the host name)<\/li><\/ul>\n<p>Some libraries do not do this by default, making HTTPS connections insecure! Consider it suspicious if you are not required to provide a list of trusted CAs, or it looks like the SSL wrapper does not have access to the host name you are connecting to. To test for this issue, attempt to connect to a host that uses a non-expired self-signed certificate, then attempt to connect to a host that uses a valid certificate, but use a different hostname (e.g. address the host by its IP address) than the one specified in the certificate. 
If either of these connections succeeds, your library\/configuration is insecure.\n<\/p><p>In PHP, both standard ways to perform HTTP(S) requests have issues: The cURL library doesn't check certificates by default if used with cURL below version 7.10. The Stream API always requires explicit configuration (affecting all functions using <code>url_fopen<\/code>, e.g. <code>fopen()<\/code>, <code>file()<\/code>, <code>file_get_contents()<\/code>). For cURL, set <code>CURLOPT_SSL_VERIFYPEER<\/code> and <code>CURLOPT_CAINFO<\/code>. For the Stream API, use a stream context with the <code>verify_peer<\/code>, <code>CN_match<\/code> and <code>cafile<\/code> <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/de2.php.net\/manual\/en\/context.ssl.php\" target=\"_blank\">SSL context options<\/a>.\n<\/p><p>If you are connecting to internal servers, consider limiting the list of trusted CAs to the CA you are using. This reduces the risk from compromised\/malicious CAs. The default CA bundles often include CAs which you may not consider trustworthy, e.g. 
the Chinese internet authority <a href=\"https:\/\/en.wikipedia.org\/wiki\/CNNIC\" class=\"extiw\" title=\"wikipedia:CNNIC\" rel=\"external_link\" target=\"_blank\">CNNIC<\/a>.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Encryption\" class=\"extiw\" title=\"wikipedia:Encryption\" rel=\"external_link\" target=\"_blank\">Encryption<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTPS\" class=\"extiw\" title=\"wikipedia:HTTPS\" rel=\"external_link\" target=\"_blank\">HTTPS<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Insecure_data_transfer\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225159\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.011 seconds\nReal time usage: 0.015 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.188 1 - Template:TOC_right\n100.00% 3.188 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9027-0!*!*!!en!*!* and timestamp 20190104225159 and revision id 26910\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","08ea7349146b981be92d29df45ea3c22_images":[],"08ea7349146b981be92d29df45ea3c22_timestamp":1546642319,"f052b1a9962cd409a0d68e10cc6d01b5_type":"article","f052b1a9962cd409a0d68e10cc6d01b5_title":"Clickjacking","f052b1a9962cd409a0d68e10cc6d01b5_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking","f052b1a9962cd409a0d68e10cc6d01b5_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Clickjacking\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Clickjacking \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nClickjacking \nIn clickjacking attacks, the target site is embedded in an IFRAME on the attacking site and either kept in the background, but mostly covered by other elements or made transparent and kept in the foreground. The user is then incited to click a certain location (e.g. when using the transparency method by placing a button in the background). Instead of the visible button, the click hits the invisible window. The placement of the IFRAME and button is chosen so that the click triggers the action wanted by the attacker (e.g. change settings). As the user is logged into the target site, the click can trigger actions that would otherwise be unreachable for the attacker. 
Multiple Facebook spam waves were generated using this method.\n\nTo prevent this type of attack \n Prevent (i)framing of your application in current browsers by including the HTTP response header \u201cX-Frame-Options: deny\u201d.\n Prevent (i)framing in outdated browsers by including a JavaScript frame breaker which checks for (i)framing and refuses to show the page if it is detected.\n For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript.\nRationale \nThe X-Frame-Options header is required as JavaScript frame breakers could be ineffective in some newer browsers that allow undetectable framing. However, older, still common browsers ignore the header and thus require additional protection using classic JavaScript based frame breakers. Since (as opposed to the header method) those do not work if JavaScript is disabled, additional measures may be necessary.\n\nFurther reading \n Clickjacking\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent 
changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:35.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 219 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","f052b1a9962cd409a0d68e10cc6d01b5_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Clickjacking skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security 
Guide\/Clickjacking<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Clickjacking\">Clickjacking<\/span><\/h2>\n<p>In clickjacking attacks, the target site is embedded in an IFRAME on the attacking site and either kept in the background, but mostly covered by other elements or made transparent and kept in the foreground. The user is then incited to click a certain location (e.g. when using the transparency method by placing a button in the background). Instead of the visible button, the click hits the invisible window. The placement of the IFRAME and button is chosen so that the click triggers the action wanted by the attacker (e.g. change settings). As the user is logged into the target site, the click can trigger actions that would otherwise be unreachable for the attacker. 
Multiple Facebook spam waves were generated using this method.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Prevent (i)framing of your application in current browsers by including the HTTP response header \u201c<tt>X-Frame-Options: deny<\/tt>\u201d.<\/li>\n<li> Prevent (i)framing in outdated browsers by including a JavaScript frame breaker which checks for (i)framing and refuses to show the page if it is detected.<\/li>\n<li> For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>The X-Frame-Options header is required as JavaScript frame breakers could be ineffective in some newer browsers that allow undetectable framing. However, older, still common browsers ignore the header and thus require additional protection using classic JavaScript based frame breakers. 
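The two layers in the list above, header plus JavaScript frame breaker, as an added example that is not code from the original guide. It is written so the decision logic runs under Node with fake window and document objects; antiFramingHeaders, frameBreaker and renderProtectedPage are names chosen for this example, and the Content-Security-Policy frame-ancestors directive is included as a current-practice addition to the guide's X-Frame-Options advice.

```javascript
// Added example, not code from the original guide: the two anti-framing layers
// described in the list above, testable under Node with fake window objects.
// Function names are this example's own.

// Layer 1: response headers. X-Frame-Options is the header the guide names.
// Content-Security-Policy frame-ancestors is its standardised successor in
// current browsers and is added here beyond what the guide lists.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Layer 2: frame breaker for browsers that ignore the header. The page ships
// with its body hidden; script reveals it only when it is the top window and
// otherwise tries to navigate the top window to itself. If an attacker blocks
// that navigation the page simply stays blank, so a hijacked click hits nothing.
// `win` and `doc` are passed in so the function can be exercised with fakes.
function frameBreaker(win, doc) {
  if (win.self === win.top) {
    doc.body.style.display = 'block';
    return 'shown';
  }
  try {
    win.top.location = win.self.location;
    return 'busted';
  } catch (e) {
    return 'hidden'; // top refused the write; body remains hidden
  }
}

// The HTML the breaker pairs with: body hidden by default, script inlined so it
// runs before any content is painted.
function renderProtectedPage(content) {
  const script = 'if (self === top) { document.body.style.display = "block"; }'
    + ' else { try { top.location = self.location; } catch (e) {} }';
  return {
    headers: antiFramingHeaders(),
    html: '<!doctype html><html><body style="display:none">' + content
      + '<script>' + script + '</script></body></html>',
  };
}

// Constructed fakes standing in for window and document.
function fakeDocument() { return { body: { style: { display: 'none' } } }; }

// Case 1: page loaded directly, so self is top.
const topWindow = { location: 'https://app.example/settings' };
topWindow.self = topWindow;
topWindow.top = topWindow;
const directDoc = fakeDocument();
const directResult = frameBreaker(topWindow, directDoc);

// Case 2: page framed by an attacker page that allows top navigation.
const attackerTop = { location: 'https://evil.example/free-prize' };
const framedWindow = { location: 'https://app.example/settings', top: attackerTop };
framedWindow.self = framedWindow;
const framedDoc = fakeDocument();
const framedResult = frameBreaker(framedWindow, framedDoc);

// Case 3: attacker's top window rejects the navigation attempt.
const hostileTop = {};
Object.defineProperty(hostileTop, 'location', { set() { throw new Error('blocked'); } });
const trappedWindow = { location: 'https://app.example/settings', top: hostileTop };
trappedWindow.self = trappedWindow;
const trappedDoc = fakeDocument();
const trappedResult = frameBreaker(trappedWindow, trappedDoc);
```

The important property is case 3: when the redirect is blocked, the body is still never unhidden, which is what makes this form of frame breaker safer than the classic one-line `if (top != self) top.location = self.location`.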
Since (as opposed to the header method) those do not work if JavaScript is disabled, additional measures may be necessary.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Clickjacking\" class=\"extiw\" title=\"wikipedia:Clickjacking\" rel=\"external_link\" target=\"_blank\">Clickjacking<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Clickjacking\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225159\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.010 seconds\nReal time usage: 0.013 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 2.942 1 - Template:TOC_right\n100.00% 2.942 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9026-0!*!*!!en!*!* and timestamp 20190104225159 and revision id 26909\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div 
class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","f052b1a9962cd409a0d68e10cc6d01b5_images":[],"f052b1a9962cd409a0d68e10cc6d01b5_timestamp":1546642319,"57069b13cd4c6c205a34744f07e84805_type":"article","57069b13cd4c6c205a34744f07e84805_title":"Cross-site request forgery (CSRF)","57069b13cd4c6c205a34744f07e84805_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)","57069b13cd4c6c205a34744f07e84805_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Cross-site request forgery (CSRF)\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Cross-site request forgery (CSRF) \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nCross-site request forgery (CSRF) \nCross-site request forgery occurs if a third-party web site causes the browser of the logged-in user to make a request to your service. With GET forms, this can be done using IFRAMEs or IMG tags. With POST forms, this is possible using a FORM element with the action attribute pointed to your site, possibly submitted using JavaScript. Both methods require no user interaction. The browser automatically submits the session cookie of the user. 
This can allow an attacker to trigger unwanted actions with the permissions of the logged-in user.\n\nTo prevent this type of attack \n Include a hidden form field with a random token bound to the user\u2019s session (and preferably the action to be performed), and verify this token on the server when the request is received.\n Make sure the token is non-predictable and cannot be obtained by the attacker.\n Do not include it in files the attacker could load into his site using <script> tags.\n Referer checks are not secure, but can be used as an additional measure.\n Where browsers support it, set the SameSite attribute on the session cookie as an additional layer; it does not replace the token.\nRationale \nCSRF attacks allow attackers to abuse existing user sessions. The same-origin policy of web browsers prevents the attacking web site from reading the content (and thus the token) of the targeted site. As the token is bound to the session, the attacker cannot obtain a valid token by simply visiting the web site himself. The token needs to be non-predictable (secure randomness), as otherwise the attacker could simply guess it.\nReferer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally, the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript. 
\n\nFurther reading \n Cross-site request forgery\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n 
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:33.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 253 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","57069b13cd4c6c205a34744f07e84805_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Cross-site_request_forgery_CSRF skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Cross-site request forgery (CSRF)<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Cross-site_request_forgery_.28CSRF.29\">Cross-site request forgery (CSRF)<\/span><\/h2>\n<p>Cross-site request forgery occurs if a third-party web site causes the browser of the logged-in user to make a request to your service. With GET forms, this can be done using IFRAMEs or IMG tags. 
With POST forms, this is possible using a FORM element with the action attribute pointed to your site, possibly submitted using JavaScript. Both methods require no user interaction. The browser automatically submits the session cookie of the user. This can allow an attacker to trigger unwanted actions with the permissions of the logged-in user.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Include a hidden form field with a random token bound to the user\u2019s session (and preferably the action to be performed), and verify this token on the server when the request is received.<\/li>\n<li> Make sure the token is non-predictable and cannot be obtained by the attacker.\n<ul><li> Do not include it in files the attacker could load into his site using <code><script><\/code> tags.<\/li><\/ul><\/li>\n<li> Referer checks are not secure, but can be used as an additional measure.<\/li>\n<li> Where browsers support it, set the <code>SameSite<\/code> attribute on the session cookie as an additional layer; it does not replace the token.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>CSRF attacks allow attackers to abuse existing user sessions. The same-origin policy of web browsers prevents the attacking web site from reading the content (and thus the token) of the targeted site. As the token is bound to the session, the attacker cannot obtain a valid token by simply visiting the web site himself. The token needs to be non-predictable (secure randomness), as otherwise the attacker could simply guess it.\n<\/p><p>Referer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally, the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript. 
\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" class=\"extiw\" title=\"wikipedia:Cross-site request forgery\" rel=\"external_link\" target=\"_blank\">Cross-site request forgery<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225159\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.011 seconds\nReal time usage: 0.015 seconds\nPreprocessor visited node count: 36\/1000000\nPreprocessor generated node count: 106\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.015 1 - Template:TOC_right\n100.00% 3.015 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9025-0!*!*!!en!*!* and timestamp 20190104225159 and revision id 26908\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div 
class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","57069b13cd4c6c205a34744f07e84805_images":[],"57069b13cd4c6c205a34744f07e84805_timestamp":1546642319,"5c97b0de3eebc89e348368871c44b0ec_type":"article","5c97b0de3eebc89e348368871c44b0ec_title":"(Un)trusted input","5c97b0de3eebc89e348368871c44b0ec_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input","5c97b0de3eebc89e348368871c44b0ec_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/(Un)trusted input\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 (Un)trusted input \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\n(Un)trusted input \nAll user input is to be considered untrusted. Seemingly \u201ctrusted\/safe\u201d input, like some $_SERVER variables in PHP, can be easily manipulated by attackers.\n\nTo prevent this type of attack \n Thoroughly filter\/escape any untrusted content.\n If the allowed character set for certain input fields is limited, check that the input is valid before using it.\n If in doubt about a certain kind of data (e.g. server variable), treat it as untrusted.\n If you are sure, but there is no real need to treat it as trusted, treat it as untrusted.\n The request URL (e.g. 
in environment variables) is untrusted.\n Data coming from HTTP headers is untrusted.\n Referer\n X-Forwarded-For\n Cookies\n Server name (!)\n All POST and GET data is untrusted.\n Includes non-user-modifiable input fields like select\n All content validation is to be done server side.\nRationale \nEscaping or filtering \u201ctrusted\u201d input that should not contain any characters that require escaping will only give you a negligible performance penalty, but you will be on the safe side if the input turns out to be untrusted.\nValidating input data using a character whitelist can avoid attacks using unexpected characters (null bytes, UTF-8, control characters used as delimiters in internal representations etc.). Ensure your validation is not too strict, for example you will need to allow both UTF-8 and characters like ' in person name fields.\nAn attacker is not constrained by the constraints a browser puts on him. Just because an input field is specified with maxlength=20 does not mean that an attacker cannot craft a request with 200 KB of data. 
The same goes for any JavaScript based constraints.\n\nFurther reading \n Secure input and output handling\n Trust boundary\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n 
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:32.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 232 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","5c97b0de3eebc89e348368871c44b0ec_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Un_trusted_input skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/(Un)trusted input<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\".28Un.29trusted_input\">(Un)trusted input<\/span><\/h2>\n<p>All user input is to be considered untrusted. 
Seemingly \u201ctrusted\/safe\u201d input, like some $_SERVER variables in PHP, can be easily manipulated by attackers.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Thoroughly filter\/escape any untrusted content.<\/li>\n<li> If the allowed character set for certain input fields is limited, check that the input is valid before using it.<\/li>\n<li> If in doubt about a certain kind of data (e.g. server variable), treat it as untrusted.<\/li>\n<li> If you are sure, but there is no <b>real<\/b> need to treat it as trusted, treat it as untrusted.<\/li>\n<li> The request URL (e.g. in environment variables) is untrusted.<\/li>\n<li> Data coming from HTTP headers is untrusted.\n<ul><li> Referer<\/li>\n<li> X-Forwarded-For<\/li>\n<li> Cookies<\/li>\n<li> Server name (!)<\/li><\/ul><\/li>\n<li> All POST and GET data is untrusted.\n<ul><li> Includes non-user-modifiable input fields like select<\/li><\/ul><\/li>\n<li> All content validation is to be done server side.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Escaping or filtering \u201ctrusted\u201d input that should not contain any characters that require escaping will only give you a negligible performance penalty, but you will be on the safe side if the input turns out to be untrusted.\n<\/p><p>Validating input data using a character whitelist can avoid attacks using unexpected characters (null bytes, UTF-8, control characters used as delimiters in internal representations etc.). Ensure your validation is not too strict, for example you will need to allow both UTF-8 and characters like ' in person name fields.\n<\/p><p>An attacker is not constrained by the constraints a browser puts on him. Just because an input field is specified with <code>maxlength=20<\/code> does not mean that an attacker cannot craft a request with 200 KB of data. 
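Server-side validation that treats every value in the request as untrusted, including the ones the browser appears to guarantee (maxlength, fixed select options, JavaScript checks) and the headers named in the list above, as an added example that is not code from the original guide. The form fields, size limits, proxy addresses and host names are constructed for the example; validateProfileForm, clientIp and canonicalHost are names chosen here. The X-Forwarded-For handling assumes exactly one trusted reverse proxy in front of the application.

```javascript
// Added example, not the guide's code: server-side validation that ignores every
// client-side constraint. Fields, limits and addresses are constructed.

// What the HTML form declared: display_name maxlength="20", a <select name="plan">
// with three fixed options, and a JavaScript pattern check on username. None of
// that binds an attacker, so every rule is re-stated and enforced here.
const PLANS = new Set(['free', 'team', 'enterprise']);
const MAX_NAME_CHARS = 20;
const MAX_FORM_BYTES = 4096;

function validateProfileForm(fields) {
  // Size first, before any per-field work: a 200 KB "name" is rejected outright.
  if (Buffer.byteLength(JSON.stringify(fields), 'utf8') > MAX_FORM_BYTES) {
    return { ok: false, errors: ['request body too large'] };
  }
  const errors = [];

  // display_name: stay permissive for real names (Unicode, apostrophes) but
  // enforce the length and refuse control characters such as NUL.
  const name = fields.display_name;
  if (typeof name !== 'string' || name.length < 1 || name.length > MAX_NAME_CHARS) {
    errors.push('display_name: 1 to 20 characters');
  } else if (/[\u0000-\u001f\u007f]/.test(name)) {
    errors.push('display_name: control characters not allowed');
  }

  // plan: the <select> offered three values, but the request may carry anything.
  if (!PLANS.has(fields.plan)) errors.push('plan: not an allowed value');

  // username: the allowed character set is limited, so use an allow-list regex.
  if (typeof fields.username !== 'string' || !/^[a-z0-9_]{3,16}$/.test(fields.username)) {
    errors.push('username: 3 to 16 characters from [a-z0-9_]');
  }
  return { ok: errors.length === 0, errors };
}

// Headers are untrusted too. X-Forwarded-For is believed only when the TCP peer
// is our own reverse proxy, and only the last hop (the one that proxy appended)
// is used; anything earlier in the list was supplied by the client itself.
function clientIp(remoteAddr, xForwardedFor, trustedProxies) {
  if (!trustedProxies.has(remoteAddr) || typeof xForwardedFor !== 'string') {
    return remoteAddr;
  }
  const hops = xForwardedFor.split(',').map(s => s.trim()).filter(Boolean);
  return hops.length > 0 ? hops[hops.length - 1] : remoteAddr;
}

// The server name comes from the client's Host header. Never echo it into
// absolute links or password-reset mails; map it onto a fixed allow-list.
const ALLOWED_HOSTS = new Set(['app.example', 'www.app.example']);
function canonicalHost(hostHeader) {
  const host = String(hostHeader || '').toLowerCase().replace(/:\d+$/, '');
  return ALLOWED_HOSTS.has(host) ? host : 'app.example';
}
```

Note the asymmetry the Rationale asks for: the username check is a strict allow-list because its character set is genuinely limited, while the display name only excludes what is dangerous, so a name like O'Brien or one containing non-ASCII letters is still accepted.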
The same goes for any JavaScript based constraints.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Secure_input_and_output_handling\" class=\"extiw\" title=\"wikipedia:Secure input and output handling\" rel=\"external_link\" target=\"_blank\">Secure input and output handling<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Trust_boundary\" class=\"extiw\" title=\"wikipedia:Trust boundary\" rel=\"external_link\" target=\"_blank\">Trust boundary<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/(Un)trusted_input\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225159\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.010 seconds\nReal time usage: 0.014 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 2.910 1 - Template:TOC_right\n100.00% 2.910 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9024-0!*!*!!en!*!* and timestamp 20190104225159 and revision id 26907\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","5c97b0de3eebc89e348368871c44b0ec_images":[],"5c97b0de3eebc89e348368871c44b0ec_timestamp":1546642318,"7da5a3e8c4ad0a05309ea9741494fec2_type":"article","7da5a3e8c4ad0a05309ea9741494fec2_title":"XML, JSON and general API security","7da5a3e8c4ad0a05309ea9741494fec2_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security","7da5a3e8c4ad0a05309ea9741494fec2_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/XML, JSON and general API security\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 XML, JSON and general API security \n\n1.1 To prevent this type of attack \n1.2 Rationale \n1.3 Further reading \n\n\n2 Notes \n\n\n\n\nXML, JSON and general API security \nAPIs can provide additional security challenges. At the same time, basic security rules (like output escaping) must not be overlooked.\n\nTo prevent this type of attack \n Ensure proper access control to the API.\n Do not forget that you need to correctly escape all output to prevent XSS attacks, that data formats like XML require special consideration, and that protection against cross-site request forgery (CSRF) is needed in many cases.\n Use standard data formats like JSON with proven libraries, and use them correctly. 
This will probably take care of all your escaping needs.\n Make sure browsers do not misinterpret your document or allow cross-site loading.\n Ensure your document is well-formed.\n Send the correct content type.\n Use the X-Content-Type-Options: nosniff header.\n For XML, provide a charset and ensure attackers cannot insert arbitrary tags.\n For JSON, ensure the top-level data structure is an object and all characters with special meaning in HTML are escaped.\nRationale \nCertain actions are often restricted to users with appropriate privileges. However, some developers forget to properly restrict their API, thus allowing users without proper privileges to perform these actions. Ensure that the API properly enforces access controls. Remember that you still need CSRF protection! A separate client can easily fetch a token (but will need the user's credentials to do so), while a malicious JavaScript can't (due to the same-origin policy). \nEven if your application is not displaying the API output, the attacker may use it for XSS attacks by directly linking to it. For this reason, you must follow proper escaping rules and keep browsers from misinterpreting your output.\nIf you use standard data formats like JSON, you can use standard libraries which have been thoroughly checked by many professionals. This will make it easier for you to correctly escape content, and save you a lot of time (and potential security issues).\nCertain browsers love to interpret anything that looks like it may be HTML as HTML. This is especially true for XML documents (which may also represent other script-bearing formats like SVG). Sending a well-formed document and setting the correct content type makes it less probable that browsers will start guessing. 
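An API response helper applying the JSON items of the list above (top-level object, HTML-special characters escaped, correct content type with charset, nosniff), as an added example that is not code from the original guide. JavaScript's JSON.stringify does not escape `<`, `>` or `&`, so the behaviour of PHP's JSON_HEX_TAG flag is reproduced by hand; jsonResponse and encodeJsonForHtml are names chosen for this example, and the sample record is constructed.

```javascript
// Added example, not code from the original guide: hardening JSON API output
// along the lines of the list above. Names and sample data are this example's own.

// Characters an HTML parser (or an inline <script> block) would act on.
// U+2028/U+2029 are line terminators in JavaScript but not in JSON and are
// escaped for the same reason: do not let the consumer reinterpret the output.
const HTML_SPECIAL = /[<>&\u2028\u2029]/g;
const JSON_ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// Lossless: every replacement is a valid JSON \uXXXX escape, so JSON.parse
// returns exactly the original value; only the bytes on the wire change.
function encodeJsonForHtml(value) {
  return JSON.stringify(value).replace(HTML_SPECIAL, ch => JSON_ESCAPES[ch]);
}

function jsonResponse(data) {
  // A top-level array can be fetched cross-origin with a <script> tag and read
  // out through Array prototype tricks in outdated browsers; an object cannot.
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('API responses must be a JSON object at the top level');
  }
  return {
    status: 200,
    headers: {
      // Correct media type with an explicit charset, so nothing is guessed.
      'Content-Type': 'application/json; charset=utf-8',
      // Tells browsers (notably old Internet Explorer) not to sniff for HTML.
      'X-Content-Type-Options': 'nosniff',
    },
    body: encodeJsonForHtml(data),
  };
}

// Constructed sample: a stored comment that would be an XSS payload if a browser
// ever rendered this response as HTML after being linked to the API URL directly.
const sampleRecord = {
  user: 'mallory',
  comment: '<script>alert(document.cookie)</script> & more',
};
const sampleResponse = jsonResponse(sampleRecord);
```

The body that goes out contains no literal angle brackets or ampersands, yet any JSON client decodes it to the original comment unchanged; the escaping costs nothing in fidelity and removes the "looks like HTML" trigger the Rationale describes.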
The X-Content-Type-Options: nosniff header will stop browsers from attempting to guess the content type (most importantly, it will disable the aggressive guessing in Internet Explorer).\nProviding the correct charset in XML is important because different charsets can cause vastly different interpretations of the data. For example, what is harmless text in UTF-8 or other common charsets can turn into a script tag in UTF-7.\nJSON uses JavaScript syntax and could possibly be loaded across domain boundaries using <script> tags. Together with creative modification of the Array prototype, this can give access to the data (bypassing the same-origin policy) in outdated browsers. Passing an object instead of an array prevents this (as of 2013).\nEscaping special characters in JSON is recommended to avoid content sniffing. In PHP, it can be done by passing the JSON_HEX_TAG flag to json_encode.\n\nFurther reading \n API security\n JavaScript\/Handling JSON\n JSON\n XML\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom 
page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:20.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 260 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","7da5a3e8c4ad0a05309ea9741494fec2_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_XML_JSON_and_general_API_security skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/XML, JSON and general API 
security<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"XML.2C_JSON_and_general_API_security\">XML, JSON and general API security<\/span><\/h2>\n<p>APIs can provide additional security challenges. At the same time, basic security rules (like output escaping) must not be overlooked.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Ensure proper access control to the API.<\/li>\n<li> Do not forget that you need to <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)\" title=\"LII:Web Application Security Guide\/Cross-site scripting (XSS)\" target=\"_blank\" class=\"wiki-link\" data-key=\"931b3464b3f12dc9e1b1803bd3190cb9\">correctly escape all output to prevent XSS attacks<\/a>, that data formats like XML require <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping\" title=\"LII:Web Application Security Guide\/XML and internal data escaping\" target=\"_blank\" class=\"wiki-link\" data-key=\"9cae4e140675b1a1a21fe8753676d5ac\">special consideration<\/a>, and that protection against <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)\" title=\"LII:Web Application Security Guide\/Cross-site request forgery (CSRF)\" target=\"_blank\" class=\"wiki-link\" data-key=\"57069b13cd4c6c205a34744f07e84805\">cross-site request forgery (CSRF)<\/a> is needed in many 
cases.<\/li>\n<li> Use standard data formats like JSON with proven libraries, and use them correctly. This will probably take care of all your escaping needs.<\/li>\n<li> Make sure browsers do not misinterpret your document or allow cross-site loading.\n<ul><li> Ensure your document is well-formed.<\/li>\n<li> Send the correct content type.<\/li>\n<li> Use the <code>X-Content-Type-Options: nosniff<\/code> header.<\/li>\n<li> For XML, provide a charset and ensure attackers cannot insert arbitrary tags.<\/li>\n<li> For JSON, ensure the top-level data structure is an object and all characters with special meaning in HTML are escaped.<\/li><\/ul><\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Certain actions are often restricted to users with appropriate privileges. However, some developers forget to properly restrict their API, thus allowing users without proper privileges to perform these actions. Ensure that the API properly enforces access controls. Remember that you still need CSRF protection! A separate client can easily fetch a token (but will need the user's credentials to do so), while a malicious JavaScript can't (due to the same-origin policy). \n<\/p><p>Even if your application is not displaying the API output, the attacker may use it for XSS attacks by directly linking to it. For this reason, you must follow proper escaping rules <i>and<\/i> keep browsers from misinterpreting your output.\n<\/p><p>If you use standard data formats like JSON, you can use standard libraries which have been thoroughly checked by many professionals. This will make it easier for you to correctly escape content, and save you a lot of time (and potential security issues).\n<\/p><p>Certain browsers love to interpret anything that looks like it may be HTML as HTML. This is especially true for XML documents (which may also represent other script-bearing formats like SVG). 
Sending a well-formed document and setting the correct content type makes it less probable that browsers will start guessing. The <code>X-Content-Type-Options: nosniff<\/code> header will stop browsers from attempting to guess the content type (most importantly, it will disable the aggressive guessing in Internet Explorer).\n<\/p><p>Providing the correct charset in XML is important because different charsets can cause vastly different interpretations of the data. For example, what is harmless text in UTF-8 or other common charsets can turn into a script tag in UTF-7.\n<\/p><p>JSON uses JavaScript syntax and could possibly be loaded across domain boundaries using <code><script><\/code> tags. Together with creative modification of the Array prototype, this can give access to the data (bypassing the same-origin policy) in outdated browsers. Passing an object instead of an array prevents this (as of 2013).\n<\/p><p>Escaping special characters in JSON is recommended to avoid content sniffing. 
In PHP, it can be done by passing the <code>JSON_HEX_TAG<\/code> flag to <code>json_encode<\/code>.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h3>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/API_Security\" class=\"extiw\" title=\"wikipedia:API Security\" rel=\"external_link\" target=\"_blank\">API security<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikibooks.org\/wiki\/JavaScript\/Handling_JSON\" class=\"extiw\" title=\"wikibooks:JavaScript\/Handling JSON\" rel=\"external_link\" target=\"_blank\">JavaScript\/Handling JSON<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/JSON\" class=\"extiw\" title=\"wikipedia:JSON\" rel=\"external_link\" target=\"_blank\">JSON<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/XML\" class=\"extiw\" title=\"wikipedia:XML\" rel=\"external_link\" target=\"_blank\">XML<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/XML,_JSON_and_general_API_security\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225158\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.013 seconds\nReal time usage: 0.019 seconds\nPreprocessor visited node count: 72\/1000000\nPreprocessor generated node count: 186\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.187 1 - Template:TOC_right\n100.00% 3.187 1 - -total\n-->\n\n<!-- Saved 
in parser cache with key limswiki:pcache:idhash:9023-0!*!0!!en!*!* and timestamp 20190104225158 and revision id 26906\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","7da5a3e8c4ad0a05309ea9741494fec2_images":[],"7da5a3e8c4ad0a05309ea9741494fec2_timestamp":1546642318,"9cae4e140675b1a1a21fe8753676d5ac_type":"article","9cae4e140675b1a1a21fe8753676d5ac_title":"XML and internal data escaping","9cae4e140675b1a1a21fe8753676d5ac_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping","9cae4e140675b1a1a21fe8753676d5ac_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/XML and internal data escaping\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 XML and internal data escaping \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nXML and internal data escaping \nEscaping is required in internal data representations, too. 
For example, incorrectly escaped strings in XML could allow the attackers to close their including tag and inject arbitrary XML.\nXML is a very complex format which can bear many unpleasant surprises.\n\nTo prevent this type of attack \n Avoid XML if possible.\n For XML, use well-tested, high-quality libraries, and pay close attention to the documentation. Know your library \u2013 some libraries have functions that allow you to bypass escaping without knowing it.\n If you parse (read) XML, ensure your parser does not attempt to load external references (e.g. entities and DTDs).\n For other internal representations of data, make sure correct escaping or filtering is applied. Try to use well-tested, high-quality libraries if available, even if it seems to be more difficult.\n If escaping is done manually, ensure that it handles null bytes, unexpected charsets, invalid UTF-8 characters etc. in a secure manner.\nRationale \nXML is a highly complex format with many surprising features - did you know that XML can load other content via HTTP? If you just want to store\/pass a few structured values, the powerful features of XML are often unnecessary. JSON is a less complex alternative, but requires its own safety measures (like avoiding arrays at top level and hex-encoding special characters that may be interpreted by broken browsers).\nXML is too complex to \u201cjust quickly\u201d write code that handles all possibilities correctly and safely. Do not rely on the security of \u201chome-made\u201d minimal libraries. Even some \u201cofficial\u201d XML libraries are known to have escaping issues in some functions or to explicitly allow content to be passed into the XML without escaping. (Notably the addChild method in PHP\u2019s SimpleXML does partial escaping, see comments for PHP bug 36795) Libraries can contain critical issues, too. Read the documentation of your library carefully and consider searching the internet for known issues. 
If you are not sure, quickly test at least some basic cases.\nXML has features that allow loading of external data like entities and DTDs. Some parsers enable this by default. If you parse untrusted XML files (remember, everything that comes from a user is untrusted), this may be used to read local files, make requests to internal systems not accessible from outside the firewall, and in some cases, even execute code. See OWASP article for details.\nDoing escaping manually is very difficult to do correctly, as all problematic cases (e.g. partial UTF8 characters or different charsets) need to be considered. Writing a solution that works correctly with regular input may be fast and easy, but writing a solution that works correctly with any intentionally malformed input is difficult. \n\nFurther reading \n Escape character\n XML\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom 
page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 22:18.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 273 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","9cae4e140675b1a1a21fe8753676d5ac_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_XML_and_internal_data_escaping skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/XML and internal data 
escaping<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"XML_and_internal_data_escaping\">XML and internal data escaping<\/span><\/h2>\n<p>Escaping is required in internal data representations, too. For example, incorrectly escaped strings in XML could allow the attackers to close their including tag and inject arbitrary XML.\n<\/p><p>XML is a very complex format which can bear many unpleasant surprises.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Avoid XML if possible.<\/li>\n<li> For XML, use well-tested, high-quality libraries, and pay close attention to the documentation. Know your library \u2013 some libraries have functions that allow you to bypass escaping without knowing it.<\/li>\n<li> If you parse (read) XML, ensure your parser does not attempt to load external references (e.g. entities and DTDs).<\/li>\n<li> For other internal representations of data, make sure correct escaping or filtering is applied. Try to use well-tested, high-quality libraries if available, even if it seems to be more difficult.<\/li>\n<li> If escaping is done manually, ensure that it handles null bytes, unexpected charsets, invalid UTF-8 characters etc. in a secure manner.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>XML is a highly complex format with many surprising features - did you know that XML can load other content via HTTP? 
If you just want to store\/pass a few structured values, the powerful features of XML are often unnecessary. JSON is a less complex alternative, but requires its own safety measures (like avoiding arrays at top level and hex-encoding special characters that may be interpreted by broken browsers).\n<\/p><p>XML is too complex to \u201cjust quickly\u201d write code that handles all possibilities correctly and safely. Do not rely on the security of \u201chome-made\u201d minimal libraries. Even some \u201cofficial\u201d XML libraries are known to have escaping issues in some functions or to explicitly allow content to be passed into the XML without escaping. (Notably the addChild method in PHP\u2019s SimpleXML does partial escaping, see comments for <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/bugs.php.net\/bug.php?id=36795\" target=\"_blank\">PHP bug 36795<\/a>) Libraries can contain critical issues, too. Read the documentation of your library carefully and consider searching the internet for known issues. If you are not sure, quickly test at least some basic cases.\n<\/p><p>XML has features that allow loading of external data like entities and DTDs. Some parsers enable this by default. If you parse untrusted XML files (remember, everything that comes from a user is untrusted), this may be used to read local files, make requests to internal systems not accessible from outside the firewall, and in some cases, even <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/lists.wikimedia.org\/pipermail\/mediawiki-announce\/2013-April\/000127.html\" target=\"_blank\">execute code<\/a>. See <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.owasp.org\/index.php\/XML_External_Entity_%28XXE%29_Processing\" target=\"_blank\">OWASP article<\/a> for details.\n<\/p><p>Doing escaping manually is very difficult to do correctly, as all problematic cases (e.g. partial UTF8 characters or different charsets) need to be considered. 
Writing a solution that works correctly with regular input may be fast and easy, but writing a solution that works correctly with any intentionally malformed input is difficult. \n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Escape_character\" class=\"extiw\" title=\"wikipedia:Escape character\" rel=\"external_link\" target=\"_blank\">Escape character<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/XML\" class=\"extiw\" title=\"wikipedia:XML\" rel=\"external_link\" target=\"_blank\">XML<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/XML_and_internal_data_escaping\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225158\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.012 seconds\nReal time usage: 0.016 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.143 1 - Template:TOC_right\n100.00% 3.143 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9022-0!*!0!!en!*!* and timestamp 20190104225158 and revision id 26904\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","9cae4e140675b1a1a21fe8753676d5ac_images":[],"9cae4e140675b1a1a21fe8753676d5ac_timestamp":1546642318,"931b3464b3f12dc9e1b1803bd3190cb9_type":"article","931b3464b3f12dc9e1b1803bd3190cb9_title":"Cross-site scripting (XSS)","931b3464b3f12dc9e1b1803bd3190cb9_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)","931b3464b3f12dc9e1b1803bd3190cb9_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Cross-site scripting (XSS)\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Cross-site scripting (XSS) \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n1.2.1 Complex XSS example with JS inside HTML \n\n\n\n\n2 Further reading \n3 Notes \n\n\n\n\nCross-site scripting (XSS) \nXSS vulnerabilities occur if user input included in the output of a web application is not escaped correctly. This type of vulnerability allows attackers to inject content into the web application output. This can be used to inject a false login form (reporting the input to an attacker) or malicious JavaScript code which can steal cookies and information or execute actions using the user\u2019s permissions. 
XSS vulnerabilities are separated into two main categories, reflected (non-persistent) and persistent vulnerabilities.\nReflected XSS vulnerabilities include the user input only in the output directly following the request. Thus, the attacker needs the user to follow a malicious link or make a malicious POST request. The former can be done by including the link as an IFRAME; the latter can be done using JavaScript. Both vulnerabilities do require that the user visits a malicious\/compromised site, but they do not necessarily require user interaction.\nPersistent XSS vulnerabilities store the user input and include it in later outputs (e.g. a posting in a forum). This means that the users do not need to visit a malicious\/compromised site.\n\nTo prevent this type of attack \n Escape anything that is not a constant before including it in a response as close to the output as possible (i.e. right in the line containing the \u201cecho\u201d or \u201cprint\u201d call).\n If not possible (e.g. when building a larger HTML block), escape when building and indicate the fact that the variable content is pre-escaped and the expected context in the name.\n Consider the context when escaping: Escaping text inside HTML is different from escaping HTML attribute values, and very different from escaping values inside CSS or JavaScript, or inside HTTP headers.\n This may mean that you need to escape for multiple contexts and\/or multiple times. For example, when passing an HTML fragment as a JS constant for later inclusion in the document, you need to escape for JS string inside HTML when writing the constant to the JavaScript source, then escape again for HTML when your script writes the fragment to the document. (See rationale for examples.)\n The attacker must not be able to put anything where it is not supposed to be, even if you think it is not exploitable (e.g. 
because attempts to exploit it result in broken JavaScript).\n Explicitly set the correct character set at the beginning of the document (i.e. as early as possible) and\/or in the header.\n Ensure that URLs provided by the user start with an allowed scheme (whitelisting) to avoid dangerous schemes (e.g. javascript:-URLs).\n Don\u2019t forget URLs in redirector scripts.\n A content security policy may be used as an additional security measure, but is not sufficient by itself to prevent attacks.\nRationale \nEscaping data directly at the output location makes it easier to check that all outputs are escaped \u2013 each and every variable used as a parameter for an output method must either be marked as pre-escaped or be wrapped in a corresponding escape command.\nDifferent contexts require completely different escaping rules. A \u201c)\u201d character with no dangerous meaning in HTML and HTML attributes can signify the end of an URL path in CSS. See the example at the bottom for a complex but common case where HTML and JavaScript are used together and create countless opportunities for XSS. Note that many simple XSS attempts are \"accidentally\" blocked even by the wrong escaping (e.g. HTML escaping mangles quotes required for a JavaScript string injection, or newlines creating invalid JavaScript in case of injection attempts). Do NOT rely on this. The attacker may know a trick you are not thinking about. If it is possible to place anything in a place of the document structure where it is not supposed to go (e.g. outside a JavaScript string literal), it is a security issue that must be fixed. It might not be exploitable - or you may simply not be seeing the way to exploit it. Don't take that risk!\nNot setting the character set may lead to guessing by the browser. Such guessing can be exploited to pass a string that seems harmless in your intended encoding, but is interpreted as a script tag in the encoding assumed by the browser. 
For HTML5, use <meta charset=\"utf-8\" \/> as the first element in the head section.\nURLs can be dangerous, too. User-provided links should be checked against a scheme whitelist, as the javascript scheme is not the only dangerous one. Other schemes can trigger possibly unwanted action. If only web links are to be allowed, require the URLs to start with \u201chttp:\/\/\u201d or \u201chttps:\/\/\u201d.\nA Content Security Policy can prevent certain kinds of injection. Only some browsers support it; others simply ignore it. It is a powerful secondary defense to limit the impact of security issues, but cannot be used as the primary way to prevent XSS - the primary way to prevent XSS is correct escaping, which will not only prevent XSS, but also ensure that your page displays correctly even in the presence of uncommon input. Implementing a CSP may require significant changes to your code. Notably, you cannot include any inline JavaScript (unless you explicitly allow inline JS in your CSP - which removes most of the protection CSPs provide).\n\nComplex XSS example with JS inside HTML \nOften overlooked issues include the complex interaction between HTML and JavaScript. An often-used construct is something like this:\n\n<script>\n var CURRENT_VALUE = 'test';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE; \/\/ INSECURE CODE - DO NOT USE.\n<\/script>\nThe content of CURRENT_VALUE (in this example, the word test) is inserted into the page source dynamically by the server according to e.g. user input or a value from a database. The second line, which actually writes the data to the document, is often part of a script included from a file. There are many different ways to perform XSS attacks against such a construct, unless proper escaping is used in every step. 
In our examples, the attacker wants to execute the code alert(1);.\nFirst, if proper escaping for JavaScript is missing, the attacker can simply provide the appropriate quote symbol to terminate the string, a semicolon, his code, and then comment out the rest of the line. For example, the attacker could provide the value ';alert(1);\/\/, resulting in the following HTML code, executing his code:\n\n<script>\n var CURRENT_VALUE = '';alert(1);\/\/';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script>\nNote that this will work even if the value is escaped using a HTML-escaping function like htmlspecialchars() if that function doesn't touch the single-quote used in this example.\nAssuming the attacker cannot use the appropriate quote, because it is filtered, he can use the value <\/script><script>alert(1);<\/script>. Inside a regular JavaScript file, the resulting line would not immediately cause a problem (though assigning it to innerHTML would), since the following is a perfectly safe variable assignment:\n\nvar CURRENT_VALUE = '<\/script><script>alert(1);<\/script>';\nSince, however, this appears in an inline script block, the HTML parser will interpret the \"script-end\" tag, resulting in a broken piece of JavaScript, followed by a second script block containing the attacker's code, some text, and a spurious script-end tag:\n\n<script>\n var CURRENT_VALUE = '<\/script><script>alert(1);<\/script>';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script>\nOr, reindented for clarity:\n\n<script>\n var CURRENT_VALUE = '\n<\/script>\n<script>alert(1);<\/script>\n'; document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script>\nThe attacker can also simply break the JavaScript by inserting a backslash at the end of the string, thus escaping the quote at the end:\n\nvar CURRENT_VALUE = 'text\\';\nA simple newline anywhere in the string will also cause a syntax error (unterminated string literal). 
While these attacks do not allow direct XSS in this example, they may break critical security features, render the site unusable (Denial of Service), or allow XSS if another value can be manipulated - here the attacker supplies text\\ and ;alert(1);' to a variant of this construct that passes two values:\n\nvar CURRENT_VALUE1 = 'text\\'; var CURRENT_VALUE2 = ';alert(1);'';\nSince the string-ending quote was escaped, the quote that is supposed to start the second string instead closes the first, turning the remaining content into JavaScript. This brings us to the statement above: If it is possible to place anything in a place of the document structure where it is not supposed to go (e.g. outside a JavaScript string literal), it is a security issue that must be fixed. It might not be exploitable - or you may simply not be seeing the way to exploit it. Don't take that risk!\nThese are only issues with the first line in our example. The second line directly inserts the value into the document as HTML, thus allowing XSS. To exploit this, the attacker must avoid the script end tag due to the issue mentioned above, so he uses a non-existing image with an error handler. His input <img src=1 onerror=alert(1)> results in:\n\n<script>\n var CURRENT_VALUE = '<img src=1 onerror=alert(1)>';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script>\nThe innerHTML assignment puts the image tag into the document, and since the relative URL 1 does not resolve to an image, the error handler is executed. Note that this is not perfectly valid HTML, since the quotes around the attributes are missing. It is still valid enough to work, and avoids the quotes being mangled due to escaping.\nSimply HTML-escaping the output value using functions like htmlspecialchars() on the server side (when writing it to the variable assignment line) will prevent some of these attacks and might make others unexploitable or harder to exploit. 
However, it is incorrect and dangerous, and leaves other means of attack open!\nMost notably, the attacker might decide to do what you should have done, and properly escape his attack sequence for you. This leaves the backslash \\ as the only special character, giving an input like \\u003Cimg src=1 onerror=alert(1)\\u003E (the remaining characters, i.e. the spaces, parentheses, equals signs and letters, could be escaped the same way). This passes through your HTML escape function unharmed, resulting in the following code:\n\n<script>\n var CURRENT_VALUE = '\\u003Cimg src=1 onerror=alert(1)\\u003E';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script>\nThe JavaScript parser will interpret the escape sequences and insert the XSS code into your document.\n\nThere are two correct ways to escape in this situation:\n\n Method 1 - JS escaping server side, HTML escaping client side (recommended)\n On the server, properly (see below) escape the value for a JavaScript string literal inside HTML.\n In the client-side JavaScript, ensure your code escapes the text before inserting it into the document, using e.g. the .text() setter of jQuery or the element's textContent property, never innerHTML.\n Method 2 - HTML escaping, then JS escaping, both server side; the client inserts the result as HTML (not recommended)\n On the server, first escape the value for HTML.\n On the server, then properly (see below) escape the HTML-escaped value for a JavaScript string literal inside HTML before writing it into the script.\nMethod 2 allows you to deliver server-generated custom HTML to the client. You need to escape the HTML like any other HTML output (e.g. using htmlspecialchars in PHP). The escaped content then gets passed to the client side, which directly dumps it into the document. This means the client side cannot use the text for any non-HTML context, and attempting to do so may lead to a security issue. 
As you can see, the escaping is done in reverse order: The format that gets interpreted last (HTML, in this case) gets escaped first, then the entire string is \"wrapped\" by escaping in the outer format.\nThe recommended approach is to keep text unescaped until it is ready for output, then escape right before it is output (i.e. when the context is known). Consistently following this approach will also avoid double-encoding (i.e. showing your users HTML entities like &amp; in the text).\nHow to properly escape for JavaScript inside HTML: Ensure that characters like < which have no special meaning in JavaScript but do have a special meaning in HTML also get escaped. Do not write your own escaping routines, you will most likely miss something. Use existing libraries. For current versions of PHP, you may want to consider using json_encode() with the additional flags set:\n\n...\n<script>\n var CURRENT_VALUE = <?php echo json_encode($text,\n JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS); ?>;\n $(\"#valueBox\").text(CURRENT_VALUE);\n<\/script>\n...\nThe text will now be correctly rendered, even if it includes weird special characters. JSON_HEX_TAG turns the angle brackets into \\u003C and \\u003E, so the data can never contain a literal <\/script> that would terminate the script block; json_encode() also escapes the slash by default. Two caveats: json_encode() returns false for strings that are not valid UTF-8, which echo prints as nothing and leaves a syntax error in the script, so validate or substitute invalid input first; and the client side must still insert the value as text (.text() here), not via innerHTML.\n\nFurther reading \n Cross-site scripting\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)<\/a>\n
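The attacks and the two fixes above, as an added example that is not part of the original guide: a Node.js script renders the guide's inline-script construct three ways (unescaped, HTML-escaped only, and JSON-encoded with the same hex escapes the PHP flags produce), then pushes each rendering through a minimal browser model that cuts script blocks exactly where the HTML parser does, at the first </script, and runs the JavaScript with a fake document and alert. The payloads are the ones discussed in the text; the browser model, the element id valueBox and the helper names are assumptions for the demo, not code from the guide.

```javascript
// Added example, not from the guide: the inline-script construct rendered three
// ways and checked against the payloads discussed in the text.
// Assumptions: Node.js; a page with one element #valueBox; a browser model that
// only knows <script> blocks plus the alert/document APIs the payloads use.

// PHP's htmlspecialchars() with ENT_QUOTES
function htmlspecialchars(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// JSON-encode for a JavaScript string literal that sits inside an HTML <script>
// block. JSON.stringify already escapes backslash, double quote and control
// characters (newlines included); the replace adds what PHP's JSON_HEX_TAG,
// JSON_HEX_AMP and JSON_HEX_APOS do (< > & ') plus U+2028/U+2029, which older
// JavaScript engines reject inside string literals.
function jsStringForInlineScript(value) {
  return JSON.stringify(String(value)).replace(/[<>&'\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// 1. The construct from the guide: no escaping at all (INSECURE)
function renderNaive(value) {
  return '<script>\n var CURRENT_VALUE = \'' + value + '\';\n' +
         ' document.getElementById("valueBox").innerHTML = CURRENT_VALUE;\n</script>';
}

// 2. HTML escaping only: the "incorrect and dangerous" half-fix (INSECURE)
function renderHtmlEscapedOnly(value) {
  return renderNaive(htmlspecialchars(value));
}

// 3. Method 1: JS escaping on the server, text (not HTML) insertion on the client
function renderCorrect(value) {
  return '<script>\n var CURRENT_VALUE = ' + jsStringForInlineScript(value) + ';\n' +
         ' document.getElementById("valueBox").textContent = CURRENT_VALUE;\n</script>';
}

// Minimal browser model. The HTML parser ends a script block at the first
// "</script" regardless of JavaScript string boundaries, so each block is cut
// out with a non-greedy match and executed on its own with fake document/alert.
function simulateBrowser(html) {
  const result = { alerts: 0, syntaxErrors: 0, innerHTML: null, textContent: null };
  const box = {
    set innerHTML(v) { result.innerHTML = v; },
    set textContent(v) { result.textContent = v; },
  };
  const fakeDocument = { getElementById: () => box };
  const fakeAlert = () => { result.alerts += 1; };
  const scriptRe = /<script>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    try {
      new Function('document', 'alert', m[1])(fakeDocument, fakeAlert);
    } catch (e) {
      if (!(e instanceof SyntaxError)) throw e;
      result.syntaxErrors += 1; // broken script: DoS, or half of the two-value attack
    }
  }
  return result;
}

// Attacker inputs taken from the text (plus a bare newline)
const PAYLOADS = {
  quoteBreakout: "';alert(1);//",
  scriptEndTag: '</script><script>alert(1);</script>',
  trailingBackslash: 'text\\',
  imgOnError: '<img src=1 onerror=alert(1)>',
  preEscaped: '\\u003Cimg src=1 onerror=alert(1)\\u003E',
  newline: 'line1\nline2',
};

// What happened for one renderer and one payload
function assess(render, payload) {
  const r = simulateBrowser(render(payload));
  return {
    alertFired: r.alerts > 0,
    scriptBroken: r.syntaxErrors > 0,
    htmlInjected: r.innerHTML !== null && /<[a-z]/i.test(r.innerHTML),
    roundTripped: r.textContent === payload,
  };
}

function demoTable() {
  const rows = [];
  for (const [rname, render] of Object.entries({ renderNaive, renderHtmlEscapedOnly, renderCorrect })) {
    for (const [pname, payload] of Object.entries(PAYLOADS)) {
      rows.push(rname.padEnd(22) + pname.padEnd(18) + JSON.stringify(assess(render, payload)));
    }
  }
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) console.log(demoTable().join('\n'));
```

Run it with node and read the table: the naive renderer fires alert for the quote and script-end-tag payloads and breaks on the backslash and newline; HTML escaping alone blocks those but still injects HTML for the pre-escaped payload, because the backslash is the one character htmlspecialchars() leaves alone; the correct renderer never fires, never breaks, and hands every payload back to the page byte for byte as text.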
This page was last modified on 10 August 2016, at 22:13.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","931b3464b3f12dc9e1b1803bd3190cb9_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Cross-site_scripting_XSS skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" 
class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Cross-site scripting (XSS)<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Cross-site_scripting_.28XSS.29\">Cross-site scripting (XSS)<\/span><\/h2>\n<p>XSS vulnerabilities occur if user input included in the output of a web application is not escaped correctly. This type of vulnerability allows attackers to inject content into the web application output. This can be used to inject a false login form (reporting the input to an attacker) or malicious JavaScript code which can steal cookies and information or execute actions using the user\u2019s permissions. XSS vulnerabilities are separated into two main categories, <i>reflected<\/i> (non-persistent) and <i>persistent<\/i> vulnerabilities.\n<\/p><p><b>Reflected XSS vulnerabilities<\/b> include the user input only in the output directly following the request. Thus, the attacker needs the user to follow a malicious link or make a malicious POST request. The former can be done by including the link as an IFRAME; the latter can be done using JavaScript. Both delivery methods require that the user visits a malicious\/compromised site, but they do not necessarily require user interaction.\n<\/p><p><b>Persistent XSS vulnerabilities<\/b> store the user input and include it in later outputs (e.g. a posting in a forum). 
This means that the users do not need to visit a malicious\/compromised site.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Escape anything that is not a constant before including it in a response as close to the output as possible (i.e. right in the line containing the \u201cecho\u201d or \u201cprint\u201d call).<\/li>\n<li> If not possible (e.g. when building a larger HTML block), escape when building and indicate the fact that the variable content is pre-escaped and the expected context in the name.<\/li>\n<li> Consider the context when escaping: Escaping text inside HTML is different from escaping HTML attribute values, and very different from escaping values inside CSS or JavaScript, or inside HTTP headers.\n<ul><li> This may mean that you need to escape for multiple contexts and\/or multiple times. For example, when passing an HTML fragment as a JS constant for later inclusion in the document, you need to escape for JS string inside HTML when writing the constant to the JavaScript source, then escape again for HTML when your script writes the fragment to the document. (See rationale for examples.)<\/li>\n<li> The attacker must not be able to put anything where it is not supposed to be, even if you think it is not exploitable (e.g. because attempts to exploit it result in broken JavaScript).<\/li><\/ul><\/li>\n<li> Explicitly set the correct character set at the beginning of the document (i.e. as early as possible) and\/or in the header.<\/li>\n<li> Ensure that URLs provided by the user start with an allowed scheme (whitelisting) to avoid dangerous schemes (e.g. 
javascript:-URLs).<\/li>\n<li> Don\u2019t forget URLs in redirector scripts.<\/li>\n<li> A <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.html5rocks.com\/en\/tutorials\/security\/content-security-policy\/\" target=\"_blank\">content security policy<\/a> may be used as an additional security measure, but is not sufficient by itself to prevent attacks.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Escaping data directly at the output location makes it easier to check that all outputs are escaped \u2013 each and every variable used as a parameter for an output method must either be marked as pre-escaped or be wrapped in a corresponding escape command.\n<\/p><p>Different contexts require completely different escaping rules. A \u201c<tt>)<\/tt>\u201d character with no dangerous meaning in HTML and HTML attributes can signify the end of an URL path in CSS. See the example at the bottom for a complex but common case where HTML and JavaScript are used together and create countless opportunities for XSS. Note that many simple XSS attempts are \"accidentally\" blocked even by the wrong escaping (e.g. HTML escaping mangles quotes required for a JavaScript string injection, or newlines creating invalid JavaScript in case of injection attempts). <b>Do NOT rely on this.<\/b> The attacker may know a trick you are not thinking about. If it is possible to place anything in a place of the document structure where it is not supposed to go (e.g. outside a JavaScript string literal), it is a security issue that <i>must<\/i> be fixed. It might not be exploitable - or you may simply not be seeing the way to exploit it. Don't take that risk!\n<\/p><p>Not setting the character set may lead to guessing by the browser. Such guessing can be exploited to pass a string that seems harmless in your intended encoding, but is interpreted as a script tag in the encoding assumed by the browser. 
For HTML5, use <code><meta charset="utf-8" \/><\/code> as the first element in the head section.\n<\/p><p>URLs can be dangerous, too. User-provided links should be checked against a scheme whitelist, as the javascript scheme is not the only dangerous one (data:, for example, can carry an entire HTML document). Other schemes can trigger possibly unwanted actions. If only web links are to be allowed, require the URLs to start with \u201c<tt>http:\/\/<\/tt>\u201d or \u201c<tt>https:\/\/<\/tt>\u201d, comparing case-insensitively and after stripping leading whitespace and control characters, since browsers strip those and match the scheme case-insensitively.\n<\/p><p>A <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.html5rocks.com\/en\/tutorials\/security\/content-security-policy\/\" target=\"_blank\">Content Security Policy<\/a> can prevent certain kinds of injection. <b>Browsers that do not support it simply ignore it.<\/b> It is a powerful secondary defense to limit the impact of security issues, but cannot be used as the primary way to prevent XSS - the primary way to prevent XSS is correct escaping, which will not only prevent XSS, but also ensure that your page displays correctly even in the presence of uncommon input. Implementing a CSP may require significant changes to your code. Notably, you cannot include any inline JavaScript unless you either allow inline JS wholesale with <code>'unsafe-inline'<\/code> (which removes most of the protection CSPs provide) or mark each inline script with a nonce or hash that the policy lists.\n<\/p>\n<h4><span class=\"mw-headline\" id=\"Complex_XSS_example_with_JS_inside_HTML\">Complex XSS example with JS inside HTML<\/span><\/h4>\n<p>Often overlooked issues include the complex interaction between HTML and JavaScript. An often-used construct is something like this:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre><script>\n var CURRENT_VALUE = 'test';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE; \/\/ INSECURE CODE - DO NOT USE.\n<\/script><\/pre><\/div>\n<p>The content of <code>CURRENT_VALUE<\/code> (in this example, the word <i>test<\/i>) is inserted into the page source dynamically by the server according to e.g. user input or a value from a database. 
The second line, which actually writes the data to the document, is often part of a script included from a file. There are many different ways to perform XSS attacks against such a construct, unless proper escaping is used in every step. In our examples, the attacker wants to execute the code <code>alert(1);<\/code>.\n<\/p><p>First, if proper escaping for JavaScript is missing, the attacker can simply provide the appropriate quote symbol to terminate the string, a semicolon, his code, and then comment out the rest of the line. For example, the attacker could provide the value <code>';alert(1);\/\/<\/code>, resulting in the following HTML code, executing his code:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre><script>\n var CURRENT_VALUE = '';alert(1);\/\/';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script><\/pre><\/div>\n<p>Note that this will work even if the value is escaped using a HTML-escaping function like <code>htmlspecialchars()<\/code> if that function doesn't touch the single-quote used in this example.\n<\/p><p>Assuming the attacker cannot use the appropriate quote, because it is filtered, he can use the value <code><\/script><script>alert(1);<\/script><\/code>. 
Inside a regular JavaScript file, the resulting line would not immediately cause a problem (though assigning it to innerHTML would), since the following is a perfectly safe variable assignment:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre>var CURRENT_VALUE = '<\/script><script>alert(1);<\/script>';<\/pre><\/div>\n<p>Since, however, this appears in an inline script block, the HTML parser will interpret the \"script-end\" tag, resulting in a broken piece of JavaScript, followed by a second script block containing the attacker's code, some text, and a spurious script-end tag:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre><script>\n var CURRENT_VALUE = '<\/script><script>alert(1);<\/script>';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script><\/pre><\/div>\n<p>Or, reindented for clarity:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre><script>\n var CURRENT_VALUE = '\n<\/script>\n<script>alert(1);<\/script>\n'; document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script><\/pre><\/div>\n<p>The attacker can also simply break the JavaScript by inserting a backslash at the end of the string, thus escaping the quote at the end:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre>var CURRENT_VALUE = 'text\\';<\/pre><\/div>\n<p>A simple newline anywhere in the string will also cause a syntax error (unterminated string literal). 
While these attacks do not allow direct XSS in this example, they may break critical security features, render the site unusable (Denial of Service), or allow XSS if another value can be manipulated - here the attacker supplies <code>text\\<\/code> and <code>;alert(1);'<\/code> to a variant of this construct that passes two values:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre>var CURRENT_VALUE1 = 'text\\'; var CURRENT_VALUE2 = ';alert(1);'';<\/pre><\/div>\n<p>Since the string-ending quote was escaped, the quote that is supposed to start the second string instead closes the first, turning the remaining content into JavaScript. This brings us to the statement above: <b>If it is possible to place anything in a place of the document structure where it is not supposed to go (e.g. outside a JavaScript string literal), it is a security issue that <i>must<\/i> be fixed. It might not be exploitable - or you may simply not be seeing the way to exploit it. Don't take that risk!<\/b>\n<\/p><p>These are only issues with the first line in our example. The second line directly inserts the value into the document as HTML, thus allowing XSS. To exploit this, the attacker must avoid the script end tag due to the issue mentioned above, so he uses a non-existing image with an error handler. His input <code><img src=1 onerror=alert(1)><\/code> results in:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre><script>\n var CURRENT_VALUE = '<img src=1 onerror=alert(1)>';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script><\/pre><\/div>\n<p>The innerHTML assignment puts the image tag into the document, and since the relative URL <code>1<\/code> does not resolve to an image, the error handler is executed. Note that this is not perfectly valid HTML, since the quotes around the attributes are missing. 
It is still valid enough to work, and avoids the quotes being mangled due to escaping.\n<\/p><p>Simply HTML-escaping the output value using functions like <code>htmlspecialchars()<\/code> on the server side (when writing it to the variable assignment line) will prevent <i>some<\/i> of these attacks and might make others unexploitable or harder to exploit. However, <b>it is incorrect and dangerous<\/b>, and leaves other means of attack open!\n<\/p><p>Most notably, the attacker might decide to do what you should have done, and properly escape his attack sequence for you. This leaves the backslash <code>\\<\/code> as the only special character, giving an input like <code>\\u003Cimg src=1 onerror=alert(1)\\u003E<\/code> (the remaining characters, i.e. the spaces, parentheses, equals signs and letters, could be escaped the same way). This passes through your HTML escape function unharmed, resulting in the following code:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre><script>\n var CURRENT_VALUE = '\\u003Cimg src=1 onerror=alert(1)\\u003E';\n document.getElementById(\"valueBox\").innerHTML = CURRENT_VALUE;\n<\/script><\/pre><\/div>\n<p>The JavaScript parser will interpret the escape sequences and insert the XSS code into your document.\n<\/p><p>There are two correct ways to escape in this situation:\n<\/p>\n<ul><li> Method 1 - JS escaping server side, HTML escaping client side (recommended)\n<ul><li> On the server, <i>properly<\/i> (see below) escape the value for a JavaScript string literal inside HTML.<\/li>\n<li> In the client-side JavaScript, ensure your code escapes the text before inserting it into the document, using e.g. 
the <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/api.jquery.com\/text\/#text2\" target=\"_blank\">.text() setter<\/a> of jQuery or the element's <code>textContent<\/code> property, never <code>innerHTML<\/code>.<\/li><\/ul><\/li><\/ul>\n<ul><li> Method 2 - HTML escaping, then JS escaping, both server side; the client inserts the result as HTML (not recommended)\n<ul><li> On the server, first escape the value for HTML.<\/li>\n<li> On the server, then <i>properly<\/i> (see below) escape the HTML-escaped value for a JavaScript string literal inside HTML before writing it into the script.<\/li><\/ul><\/li><\/ul>\n<p>Method 2 allows you to deliver server-generated custom HTML to the client. You need to escape the HTML like any other HTML output (e.g. using <code>htmlspecialchars<\/code> in PHP). The escaped content then gets passed to the client side, which directly dumps it into the document. This means the client side cannot use the text for any non-HTML context, and attempting to do so may lead to a security issue. As you can see, the escaping is done in reverse order: The format that gets interpreted last (HTML, in this case) gets escaped first, then the entire string is \"wrapped\" by escaping in the outer format.\n<\/p><p>The recommended approach is to keep text unescaped until it is ready for output, then escape right before it is output (i.e. when the context is known). Consistently following this approach will also avoid double-encoding (i.e. showing your users HTML entities like <code>&amp;amp;<\/code> in the text).\n<\/p><p><b>How to properly escape for JavaScript inside HTML<\/b>: Ensure that characters like <code><<\/code> which have no special meaning in JavaScript but do have a special meaning in HTML also get escaped. Do not write your own escaping routines, you will most likely miss something. Use existing libraries. 
For current versions of PHP, you may want to consider using <code>json_encode()<\/code> with the additional flags set:\n<\/p>\n<div class=\"mw-highlight mw-content-ltr\" dir=\"ltr\"><pre>...\n<script>\n var CURRENT_VALUE = <?php echo json_encode($text,\n JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS); ?>;\n $(\"#valueBox\").text(CURRENT_VALUE);\n<\/script>\n...<\/pre><\/div>\n<p>The text will now be correctly rendered, even if it includes weird special characters. <code>JSON_HEX_TAG<\/code> turns the angle brackets into <code>\\u003C<\/code> and <code>\\u003E<\/code>, so the data can never contain a literal script end tag that would terminate the script block; <code>json_encode()<\/code> also escapes the slash by default. Two caveats: <code>json_encode()<\/code> returns <code>false<\/code> for strings that are not valid UTF-8, which <code>echo<\/code> prints as nothing and leaves a syntax error in the script, so validate or substitute invalid input first; and the client side must still insert the value as text (<code>.text()<\/code> here), not via <code>innerHTML<\/code>.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting\" class=\"extiw\" title=\"wikipedia:Cross-site scripting\" rel=\"external_link\" target=\"_blank\">Cross-site scripting<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Cross-site_scripting_(XSS)\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9021-0!*!*!!en!*!* and timestamp 20190104225158 and revision id 26903\n 
 -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","931b3464b3f12dc9e1b1803bd3190cb9_images":[],"931b3464b3f12dc9e1b1803bd3190cb9_timestamp":1546642318,"45f2f2fe35ed4742dbed9513ef9d505a_type":"article","45f2f2fe35ed4742dbed9513ef9d505a_title":"SQL injection","45f2f2fe35ed4742dbed9513ef9d505a_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SQL_injection","45f2f2fe35ed4742dbed9513ef9d505a_plaintext":"\nLII:Web Application Security Guide\/SQL injection\nFrom LIMSWiki\n\nSQL injection \nAn SQL injection vulnerability occurs if user input included in database queries is not escaped correctly. 
This type of vulnerability allows attackers to change database queries, which can allow them to obtain or modify database contents.\n\nTo prevent this type of attack \n Use prepared statements to access the database \u2013 or \u2013\n Use stored procedures, accessed using appropriate language\/library methods or prepared statements.\n Always ensure the DB login used by the application has only the rights that are needed.\nRationale \nEscaping input manually is error-prone and can be forgotten. With prepared statements, the values are bound to placeholders and never spliced into the query text by your code, so the correct handling is applied automatically and cannot be forgotten. This also avoids issues with different input interpretation (charset, null byte handling etc.) which can lead to hard-to-find vulnerabilities. Note that only values can be bound as parameters: table and column names, or the direction of an ORDER BY, cannot, and if they depend on user input they must be checked against a fixed list of allowed names instead.\nUsing a database login with limited access rights limits the impact of successful attacks.\n\nExploitation \nSQL injection can compromise any information in the database and even lead to full system compromise. It can be used to add PHP, HTML, and JavaScript code to web pages and create files. Arbitrary content added to the website can be used for malicious attacks against users and to gain shell access to the server.\n\nExample \nIf the input for the title of the page on this website were vulnerable to SQL injection then the URL that would be used for the attack is https:\/\/en.wikibooks.org\/w\/index.php?title=. A simple test to reveal if the input is vulnerable would be to add https:\/\/en.wikibooks.org\/w\/index.php?title=' because the unbalanced quote breaks the SQL syntax of the query and shows an SQL error on the page (only if the application echoes database errors; a page that fails silently is no proof that the input is safe). The next query could be to select hashed passwords with something like https:\/\/en.wikibooks.org\/w\/index.php?title=1%20UNION%20ALL%20SELECT%20user_pass%20FROM%20wiki_user;--. The ;-- on the end ends the query and makes the remaining query a comment. Files containing password salts could be dumped to allow an attacker to begin cracking passwords and gain access to administrator accounts using the select load_file() query. 
A query like this one could be used to gain shell access to the server: https:\/\/en.wikibooks.org\/w\/index.php?title=UNION%20SELECT%20<? system($_REQUEST['cmd']); ?>,2,3%20INTO%20OUTFILE%20\"shell.php\";--\nOn MySQL, INTO OUTFILE only works if the database account holds the FILE privilege and can write to a directory the web server serves from, which is exactly what the least-privilege DB login recommended above denies.\n\nFurther reading \n SQL injection\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SQL_injection\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SQL_injection<\/a>\n
This page was last modified on 10 August 2016, at 22:12.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","45f2f2fe35ed4742dbed9513ef9d505a_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_SQL_injection skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/SQL injection<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"SQL_injection\">SQL injection<\/span><\/h2>\n<p>An SQL injection vulnerability occurs if user input included in database queries is not escaped correctly. 
This type of vulnerability allows attackers to change database queries, which can allow them to obtain or modify database contents.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"To_prevent_this_type_of_attack\">To prevent this type of attack<\/span><\/h3>\n<ul><li> Use prepared statements to access the database <i>\u2013 or \u2013<\/i>.<\/li>\n<li> Use stored procedures, accessed using appropriate language\/library methods or prepared statements.<\/li>\n<li> Always ensure the DB login used by the application has only the rights that are needed.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>Escaping input manually is error-prone and can be forgotten. With prepared statements, the correct escaping is automatically applied. This also avoids issues with different input interpretation (charset, null byte handling etc.) which can lead to hard-to-find vulnerabilities.\nUsing a database login with limited access rights limits the impact of successful attacks.\n<\/p>\n<h4><span class=\"mw-headline\" id=\"Exploitation\">Exploitation<\/span><\/h4>\n<p>SQL injection can compromise any information in the database and even lead to full system compromise. It can be used to add PHP, HTML, and JavaScript code to web pages and create files. Arbitrary content added to the website can be used for malicious attacks against users and to gain shell access to the server.\n<\/p>\n<h4><span class=\"mw-headline\" id=\"Example\">Example<\/span><\/h4>\n<p>If the input for the title of the page on this website were vulnerable to SQL injection then the URL that would be used for the attack is <b>https:\/\/en.wikibooks.org\/w\/index.php?title=<\/b>. A simple test to reveal if the input is vulnerable would be to add <i>https:\/\/en.wikibooks.org\/w\/index.php?title=<\/i><b>'<\/b> because this SQL syntax would break the query and show an SQL error on the page. 
The next query could be to select usernames and hashed passwords with something like <i>https:\/\/en.wikibooks.org\/w\/index.php?title=<\/i><b>1%20UNION%20ALL%20SELECT%20user_pass%20FROM%20wiki_user;--<\/b>. The ;-- on the end ends the query and makes the remaining query a comment. Files containing password salts could be dumped to allow an attacker to begin cracking passwords and gain access to administrator accounts using the <b>select load_file()<\/b> query. A query like this one could be used to gain shell access to the server: <i>https:\/\/en.wikibooks.org\/w\/index.php?title=<\/i><b>UNION%20SELECT%20<? system($_REQUEST['cmd']); ?>,2,3%20INTO%20OUTFILE%20\"shell.php\";--<\/b>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/SQL_injection\" class=\"extiw\" title=\"wikipedia:SQL injection\" rel=\"external_link\" target=\"_blank\">SQL injection<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/SQL_injection\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225158\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.012 seconds\nReal time usage: 0.017 seconds\nPreprocessor visited node count: 89\/1000000\nPreprocessor generated node count: 214\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.448 1 - 
Template:TOC_right\n100.00% 3.448 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9020-0!*!*!!en!*!* and timestamp 20190104225157 and revision id 26902\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SQL_injection\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SQL_injection<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","45f2f2fe35ed4742dbed9513ef9d505a_images":[],"45f2f2fe35ed4742dbed9513ef9d505a_timestamp":1546642317,"8b3708600c87ff3258de11ce293bf1a6_type":"article","8b3708600c87ff3258de11ce293bf1a6_title":"File upload vulnerabilities","8b3708600c87ff3258de11ce293bf1a6_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_upload_vulnerabilities","8b3708600c87ff3258de11ce293bf1a6_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/File upload vulnerabilities\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 File upload vulnerabilities \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nFile upload vulnerabilities \nWeb servers apply specific criteria (e.g. file extension) to decide how to process a file. If an application allows file uploads (e.g. for profile pictures, attached documents), ensure that the uploaded files cannot be interpreted as script files by the web server. 
Otherwise, the attacker may upload a script in your application\u2019s programming language and run the arbitrary code contained therein by requesting the uploaded file.\nAdditionally, an attacker could upload custom HTML or JavaScript files and direct a victim to them. Since they come from a directory inside your application, this can be used to subvert the same-origin policy protection by the victim\u2019s browser, for example to steal cookies. Some broken browsers (notably Internet Explorer) ignore the MIME type of files in some cases and detect the file type based on the file content.\n\nTo prevent this type of attack \n Avoid unnecessary file uploads.\n Ensure that files uploaded by the user cannot be interpreted as script files by the web server, e.g. by checking the file extension (or whatever means your web server uses to identify script files).\n Ensure that files cannot be uploaded to unintended directories (directory traversal).\n Try to disable script execution in the upload directory.\n Ensure that the file extension matches the actual type of the file content.\n If only images are to be uploaded, consider re-compressing them using a secure library to ensure they are valid.\n Ensure that uploaded files are specified with the correct Content-type when delivered to the user.\n Prevent users from uploading problematic file types like HTML, CSS, JavaScript, XML, SVG and executables using a whitelist of allowed file types.\n Prevent users from uploading special files (e.g. .htaccess, web.config, robots.txt, crossdomain.xml, clientaccesspolicy.xml).\n Prevent users from overwriting application files.\n Consider delivering uploaded files with the \u201cContent-disposition: attachment\u201d header.\nRationale \nFile upload facilities are hard to protect correctly. 
If they are provided to support \u201cgimmick\u201d functions, they may not be worth the risk.\nIt is crucial that the web server will not attempt to interpret the uploaded files as scripts, as this could result in arbitrary code execution. Make sure to use the same method as your web server for deciding whether a file will be interpreted as a script or not.\nDirectory traversal attacks could allow an attacker to overwrite application or server files. Preventing these is also necessary to ensure that disabling script execution for the upload directory is actually effective.\nDisabling script execution ensures that if attackers manage to upload a script file, it will still not be executed. However, this should not be relied upon: If the application gets transferred to a different server, the setting could get lost.\nMismatched file names\/extensions can be used to upload forbidden data types (e.g. HTML, XML, SVG - see below). Even if the server sets the Content-type according to the extensions, some browsers may ignore this, analyze the file contents (MIME sniffing) and parse the file as HTML.\nRe-compressing images ensures that any malicious content is destroyed. However, the image processing library needs to be secure, as it is exposed to user content and could be attacked using e.g. buffer overflow exploits.\nSpecifying the correct Content-type when delivering the files ensures that the file will be handled correctly by most browsers. This is required for correct functionality, but also relevant for security as incorrect handling of the file could lead to MIME sniffing, resulting in security issues.\nUser-uploaded HTML, CSS, JavaScript and similar files can contain scripts that run in the origin of the web site and thus are allowed to access cookies or web site content. XML and SVG files are often overlooked, but can also execute scripts. This can lead to various attacks like session stealing, CSRF etc. 
Executables can be dangerous to the user and should therefore be blocked. A whitelist should be used as creating a reliable and complete list of dangerous extensions is not possible. ZIP files can be dangerous for outdated browsers (notably Firefox 2.x). Note that various files are technically also ZIP files, notably documents from OpenOffice (e.g. odt, ods) and Microsoft Office 2007 and newer (e.g. docx, xlsx).\nSpecial files like .htaccess, web.config, robots.txt, crossdomain.xml and clientaccesspolicy.xml could allow attackers to change security settings (.htaccess, web.config), cause load (robots.txt) or allow cross-site scripting\/cross-site request forgery attacks using plugins (crossdomain.xml and clientaccesspolicy.xml). Note that crossdomain.xml files are also valid if they appear in subdirectories.\nAllowing the user to overwrite files belonging to the application can not only damage the application, but also allow other attacks, e.g. make code execution possible or enable the attacker to change critical settings.\nThe Content-disposition: attachment header forces browsers to save the file instead of immediately opening it, thus reducing the risk for some of the attacks. 
Note that this can significantly annoy the users and is not possible in all situations.\nThe following resources provide additional information on this topic:\n\n Guide about MIME sniffing: http:\/\/h-online.com\/-746229 \n MediaWiki resources about upload protection:\n Manual:$wgMimeTypeBlacklist\n Manual:$wgFileBlacklist\n Manual:Mime type detection\nFurther reading \n Media type\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_upload_vulnerabilities\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_upload_vulnerabilities<\/a>\n\nThis page was last modified on 10 August 2016, at 22:10.\n","8b3708600c87ff3258de11ce293bf1a6_html":"","8b3708600c87ff3258de11ce293bf1a6_images":[],"8b3708600c87ff3258de11ce293bf1a6_timestamp":1546642317,"cf92deedb27142566924da1ef27529f9_type":"article","cf92deedb27142566924da1ef27529f9_title":"File inclusion and disclosure","cf92deedb27142566924da1ef27529f9_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_inclusion_and_disclosure","cf92deedb27142566924da1ef27529f9_plaintext":"LII:Web Application Security Guide\/File inclusion and disclosure\nFrom LIMSWiki\n\nContents\n\n1 File inclusion and disclosure \n\n1.1 To prevent this type of attack \n1.2 Rationale \n\n\n2 Further reading \n3 Notes 
\n\n\n\n\nFile inclusion and disclosure \nIf the names of files that are to be included or sent in response to a request are coming from user input (e.g. in menu systems or download scripts), attackers may be able to request files that they are not supposed to. If user-supplied names are used for inclusions, this can even lead to code execution on the server.\n\nTo prevent this type of attack \n Do not take file names for inclusions from user input, only from trusted lists or constants.\n If user input is to be used, validate it against a whitelist. Checking if the file exists or if the input matches a certain format is not sufficient.\n Avoid having scripts read and pass through files if possible.\n If you read and deliver files using user-supplied file names, thoroughly validate the file names to avoid directory traversal and similar attacks and ensure the user is allowed to read the file.\n Ensure the application runs with no more privileges than required.\nRationale \nIf the attacker is able to upload a script file and get a part of the application to include it, he can execute arbitrary code. As this poses an extremely great risk, it has to be carefully avoided. Thus, only the strictest kind of verification (checking against a whitelist) is appropriate for this task.\nIf files are to be offered for download, simply putting them in a directory and letting the web server handle the rest is often the best choice: Not only is it faster than having a script read the file; it also avoids risky interpretation of user-supplied file names. In some cases, this is unavoidable, e.g. if a script is needed to enforce that only logged-in users can download files or to set special headers (see next section).\nIn that case, make sure you correctly perform the access checks that make the script-based approach necessary and that you thoroughly validate the file names to stop the attacker from downloading files he is not supposed to download. 
You especially need to make sure that the attacker cannot specify other files than intended, especially not outside of the intended directory, e.g. by using the \u201c..\u201d pseudo-directory name. (Note that a \u201c..\/\u201d can be encoded in many ways!)\nRunning the application with limited privileges (usually done by limiting the privileges of the web server or script interpreter) limits the impact of such (and other) issues.\n\nFurther reading \n File inclusion vulnerability\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_inclusion_and_disclosure\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_inclusion_and_disclosure<\/a>\n\nThis page was last modified on 10 August 2016, at 21:55.\n","cf92deedb27142566924da1ef27529f9_html":"","cf92deedb27142566924da1ef27529f9_images":[],"cf92deedb27142566924da1ef27529f9_timestamp":1546642317,"b234b155784fd3a4a7929a3781136a5b_type":"article","b234b155784fd3a4a7929a3781136a5b_title":"Miscellaneous points","b234b155784fd3a4a7929a3781136a5b_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Miscellaneous_points","b234b155784fd3a4a7929a3781136a5b_plaintext":"LII:Web Application Security Guide\/Miscellaneous points\nFrom LIMSWiki\n\nContents\n\n1 Miscellaneous points \n\n1.1 Always remember \n1.2 Rationale \n\n\n2 Further reading \n3 Notes \n\n\n\n\nMiscellaneous points \nThis section contains some general security hints for web applications.\n\nAlways remember \n Do not rely on web application firewalls (WAFs) for security (however, consider using them to improve security).\n If external 
libraries (e.g. for database access, XML parsing) are used, always use current versions.\n If you need random numbers, obtain them from a secure\/cryptographic random number generator.\n For every action or retrieval of data, always check access rights.\n Do not, under any circumstances, attempt to implement cryptographic algorithms yourself. Use high-level libraries for cryptography.\n Ensure debug output and error messages do not leak sensitive information.\n Mark problematic debug output in your code (e.g. \/\/TODO DEBUG REMOVE) even if you intend to remove it after just one test.\n Do not use \u201ceval()\u201d and similar functions.\n Avoid \u201csystem()\u201d and similar functions if possible.\n Ensure database servers are not directly reachable from the outside.\n Consider blocking old browsers from using your application.\nRationale \nWAFs can prevent existing security holes from being abused. They will make attacking your web application significantly harder and more annoying for the attacker, increasing the probability that a non-determined attacker will move on to a different target. However, they can usually be bypassed by a determined attacker. Your actual defense is to secure your applications. The WAF is there to provide some additional protection against mistakes in doing so. Having a Web Application Firewall does not allow you to skimp on securing your applications. A WAF that is not precisely tuned to an application will often block legitimate requests and pass attacks through\/allow bypassing. 
This is especially true of the often-used free Core Rule Set of mod_security.\nOutdated library versions may contain security issues.\nIf low-quality random numbers are used, for example for the generation of password reset tokens, attackers may be able to guess the value and circumvent security measures.\nNot checking access rights at every step leads to significant vulnerabilities, for example users being able to look at data for which they have no permission (e.g. membership database supposed to show a logged-in member his information \u2013 changing the ID in the URL gives information about other members due to missing check).\nCryptography is extremely complicated and mistakes are hard to avoid or discover even for cryptography experts. Secure ciphers are developed over months of work by multiple experts and reviewed by hundreds of them. Do not try to invent a secure cipher. Do not attempt to implement existing ciphers, either, mistakes can go unnoticed and make your result insecure. Use existing, reliable libraries.\nDebug output and error messages can give attackers valuable information. Notably, there have been multiple instances where debug output of the following form compromised security: \u201cProvided token 1234 was invalid, expected value 5678\u201d (the attacker gets the correct answer which he just needs to supply in his next attempt). For production versions, displaying of error messages should usually be suppressed. Consider replacing HTTP error pages to hide even basic information like paths.\nMarking any debug output that is supposed to be removed ensures that you cannot forget removing it \u2013 just search for \u201cTODO\u201d and \u201cREMOVE\u201d before release. Make it a habit to mark it always, even if you intend to remove it \u201cimmediately\u201d. You can always get distracted and forget.\nUsing dynamic code via \u201ceval()\u201d and similar functions is usually unnecessary and small mistakes tend to cause code injection issues. 
Therefore, these dangerous functions are to be avoided. The same is valid for \u201csystem()\u201d, however, this cannot be always avoided. If used, input to \u201csystem()\u201d has to be correctly escaped, of course \u2014 using existing shell-escape functions or a function that automatically escapes the parameters.\nKeeping database servers unreachable from the outside, e.g. by binding them to 127.0.0.1 if they run on the same machine as the web application or by using firewalls with IP white lists, prevents attackers from using stolen database passwords to actually access the database.\nBrowsers that are no longer supported by the vendor tend to have critical security issues. They are a sign of a badly maintained client that is very prone to malware attack and they often lack security features relevant to web applications. Blocking can be done using the User-Agent header or for IE using conditional comments. Blocking outdated browsers can force clients to use a secure browser; however, it can prevent people who can\u2019t update their browser from using the application. Unless you know that all clients should be having IE8 or newer, blocking anything newer than IE6 is not advised. Note that the Mozilla Firefox 3.6.x branch is still supported (as of September 2011), while the Firefox 4 branch is not. 
Obviously, intentional blocking of older browsers is mainly relevant to web applications that require very high security.\n\nFurther reading \n Encryption\n Web application firewall\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Miscellaneous_points\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Miscellaneous_points<\/a>\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tLII\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n 
\r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 21:59.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 233 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","b234b155784fd3a4a7929a3781136a5b_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Miscellaneous_points skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Miscellaneous points<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><table cellspacing=\"0\" cellpadding=\"0\" style=\"clear: right; margin-bottom: .5em; float: right; padding: .5em 0 .8em 1.4em; background: none; width: auto;\">\n<tr>\n<td> \n\n<\/td><\/tr><\/table>\n<h2><span class=\"mw-headline\" id=\"Miscellaneous_points\">Miscellaneous points<\/span><\/h2>\n<p>This section contains some general security hints for web applications.\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Always_remember\">Always remember<\/span><\/h3>\n<ul><li> Do <b>not<\/b> rely on web application firewalls (WAFs) for security (however, consider using them to improve 
security).<\/li>\n<li> If external libraries (e.g. for database access, XML parsing) are used, always use current versions.<\/li>\n<li> If you need random numbers, obtain them from a secure\/cryptographic random number generator.<\/li>\n<li> For every action or retrieval of data, always check access rights.<\/li>\n<li> Do <b>not<\/b>, under any circumstances, attempt to implement cryptographic algorithms yourself. Use high-level libraries for cryptography.<\/li>\n<li> Ensure debug output and error messages do not leak sensitive information.<\/li>\n<li> Mark problematic debug output in your code (e.g. <code>\/\/TODO DEBUG REMOVE<\/code>) even if you intend to remove it after just one test.<\/li>\n<li> Do not use \u201c<code>eval()<\/code>\u201d and similar functions.\n<ul><li> Avoid \u201c<code>system()<\/code>\u201d and similar functions if possible.<\/li><\/ul><\/li>\n<li> Ensure database servers are not directly reachable from the outside.<\/li>\n<li> Consider blocking old browsers from using your application.<\/li><\/ul>\n<h3><span class=\"mw-headline\" id=\"Rationale\">Rationale<\/span><\/h3>\n<p>WAFs can prevent existing security holes from being abused. They will make attacking your web application significantly harder and more annoying for the attacker, increasing the probability that a non-determined attacker will move on to a different target. However, they can usually be bypassed by a determined attacker. Your actual defense is to secure your applications. The WAF is there to provide some additional protection against mistakes in doing so. <b>Having a Web Application Firewall does <u>not<\/u> allow you to skimp on securing your applications.<\/b> A WAF that is not precisely tuned to an application will often block legitimate requests <i>and<\/i> pass attacks through\/allow bypassing. 
This is especially true of the often-used free Core Rule Set of mod_security.\n<\/p><p>Outdated library versions may contain security issues.\n<\/p><p>If low-quality random numbers are used, for example for the generation of password reset tokens, attackers may be able to guess the value and circumvent security measures.\n<\/p><p>Not checking access rights at every step leads to significant vulnerabilities, for example users being able to look at data for which they have no permission (e.g. membership database supposed to show a logged-in member his information \u2013 changing the ID in the URL gives information about other members due to missing check).\n<\/p><p>Cryptography is extremely complicated and mistakes are hard to avoid or discover even for cryptography experts. Secure ciphers are developed over months of work by multiple experts and reviewed by hundreds of them. Do not try to invent a secure cipher. Do not attempt to implement existing ciphers, either, mistakes can go unnoticed and make your result insecure. Use existing, reliable libraries.\n<\/p><p>Debug output and error messages can give attackers valuable information. Notably, there have been multiple instances where debug output of the following form compromised security: \u201cProvided token 1234 was invalid, expected value 5678\u201d (the attacker gets the correct answer which he just needs to supply in his next attempt). For production versions, displaying of error messages should usually be suppressed. Consider replacing HTTP error pages to hide even basic information like paths.\n<\/p><p>Marking any debug output that is supposed to be removed ensures that you cannot forget removing it \u2013 just search for \u201cTODO\u201d and \u201cREMOVE\u201d before release. Make it a habit to mark it always, even if you intend to remove it \u201cimmediately\u201d. 
You can always get distracted and forget.\n<\/p><p>Using dynamic code via \u201c<code>eval()<\/code>\u201d and similar functions is usually unnecessary and small mistakes tend to cause code injection issues. Therefore, these dangerous functions are to be avoided. The same is valid for \u201c<code>system()<\/code>\u201d, however, this cannot be always avoided. If used, input to \u201c<code>system()<\/code>\u201d has to be correctly escaped, of course \u2014 using existing shell-escape functions or a function that automatically escapes the parameters.\n<\/p><p>Keeping database servers unreachable from the outside, e.g. by binding them to 127.0.0.1 if they run on the same machine as the web application or by using firewalls with IP white lists, prevents attackers from using stolen database passwords to actually access the database.\n<\/p><p>Browsers that are no longer supported by the vendor tend to have critical security issues. They are a sign of a badly maintained client that is very prone to malware attack and they often lack security features relevant to web applications. Blocking can be done using the User-Agent header or for IE using conditional comments. Blocking outdated browsers can force clients to use a secure browser; however, it can prevent people who can\u2019t update their browser from using the application. Unless you know that all clients should be having IE8 or newer, blocking anything newer than IE6 is not advised. Note that the Mozilla Firefox 3.6.x branch is still supported (as of September 2011), while the Firefox 4 branch is not. 
Obviously, intentional blocking of older browsers is mainly relevant to web applications that require very high security.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Further_reading\">Further reading<\/span><\/h2>\n<ul><li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Encryption\" class=\"extiw\" title=\"wikipedia:Encryption\" rel=\"external_link\" target=\"_blank\">Encryption<\/a><\/li>\n<li> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_application_firewall\" class=\"extiw\" title=\"wikipedia:Web application firewall\" rel=\"external_link\" target=\"_blank\">Web application firewall<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Miscellaneous_points\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<!-- \nNewPP limit report\nCached time: 20190104225157\nCache expiry: 86400\nDynamic content: false\nCPU time usage: 0.011 seconds\nReal time usage: 0.015 seconds\nPreprocessor visited node count: 27\/1000000\nPreprocessor generated node count: 86\/1000000\nPost\u2010expand include size: 165\/2097152 bytes\nTemplate argument size: 0\/2097152 bytes\nHighest expansion depth: 3\/40\nExpensive parser function count: 0\/100\n-->\n\n<!-- \nTransclusion expansion time report (%,ms,calls,template)\n100.00% 3.203 1 - Template:TOC_right\n100.00% 3.203 1 - -total\n-->\n\n<!-- Saved in parser cache with key limswiki:pcache:idhash:9017-0!*!*!!en!*!* and timestamp 20190104225157 and revision id 26899\n -->\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" 
href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Miscellaneous_points\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Miscellaneous_points<\/a><\/div>\n\t\t\t\t\t\t\t\t\t\t<!-- end content -->\n\t\t\t\t\t\t\t\t\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t\t<!-- end of the left (by default at least) column -->\n\t\t<div class=\"visualClear\"><\/div>\n\t\t\t\t\t\n\t\t<\/div>\n\t\t\n\n<\/body>","b234b155784fd3a4a7929a3781136a5b_images":[],"b234b155784fd3a4a7929a3781136a5b_timestamp":1546642317,"6f2595601193133d52c8090c585f6c8c_type":"article","6f2595601193133d52c8090c585f6c8c_title":"Checklist","6f2595601193133d52c8090c585f6c8c_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Checklist","6f2595601193133d52c8090c585f6c8c_plaintext":"\n\n\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\n\t\t\t\tLII:Web Application Security Guide\/Checklist\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\tFrom LIMSWiki\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\tJump to: navigation, search\n\n\t\t\t\t\t\n\t\t\t\t\t\n\n Contents\n\n1 Miscellaneous points \n2 File inclusion and disclosure \n3 File upload vulnerabilities \n4 SQL injection \n5 Cross-site scripting (XSS) \n6 XML and internal data escaping \n7 XML, JSON and general API security \n8 (Un)trusted input \n9 Cross-site request forgery (CSRF) \n10 Clickjacking \n11 Insecure data transfer \n12 Session fixation \n13 Session stealing \n14 Truncation attacks, trimming attacks \n15 Password security \n16 Comparison issues \n17 PHP-specific issues \n18 Prefetching and spiders \n19 Special files \n20 SSL, TLS and HTTPS basics \n21 References \n22 Notes \n\n\n\n\nMiscellaneous points \n Do not rely on web application firewalls (WAFs) for security (however, consider using them to improve security).\n If external libraries (e.g. 
for database access, XML parsing) are used, always use current versions.\n If you need random numbers, obtain them from a secure\/cryptographic random number generator.\n For every action or retrieval of data, always check access rights.\n Do not, under any circumstances, attempt to implement cryptographic algorithms yourself. Use high-level libraries for cryptography.\n Ensure debug output and error messages do not leak sensitive information.\n Mark problematic debug output in your code (e.g. \/\/TODO DEBUG REMOVE) even if you intend to remove it after just one test.\n Do not use \u201ceval()\u201d and similar functions.\n Avoid \u201csystem()\u201d and similar functions if possible.\n Ensure database servers are not directly reachable from the outside.\n Consider blocking old browsers from using your application.\nFile inclusion and disclosure \n Do not take file names for inclusions from user input, only from trusted lists or constants.\n If user input is to be used, validate it against a whitelist. Checking if the file exists or if the input matches a certain format is not sufficient.\n Avoid having scripts read and pass through files if possible.\n If you read and deliver files using user-supplied file names, thoroughly validate the file names to avoid directory traversal and similar attacks and ensure the user is allowed to read the file.\n Ensure the application runs with no more privileges than required.\nFile upload vulnerabilities \n Avoid unnecessary file uploads.\n Ensure that files uploaded by the user cannot be interpreted as script files by the web server, e.g. 
by checking the file extension (or whatever means your web server uses to identify script files).\n Ensure that files cannot be uploaded to unintended directories (directory traversal).\n Try to disable script execution in the upload directory.\n Ensure that the file extension matches the actual type of the file content.\n If only images are to be uploaded, consider re-compressing them using a secure library to ensure they are valid.\n Ensure that uploaded files are specified with the correct Content-type when delivered to the user.\n Prevent users from uploading problematic file types like HTML, CSS, JavaScript, XML, SVG and executables using a whitelist of allowed file types.\n Prevent users from uploading special files (e.g. .htaccess, web.config, robots.txt, crossdomain.xml, clientaccesspolicy.xml).\n Prevent users from overwriting application files.\n Consider delivering uploaded files with the \u201cContent-disposition: attachment\u201d header.\nSQL injection \n Use prepared statements to access the database \u2013 or \u2013.\n Use stored procedures, accessed using appropriate language\/library methods or prepared statements.\n Always ensure the DB login used by the application has only the rights that are needed.\nCross-site scripting (XSS) \n Escape anything that is not a constant before including it in a response as close to the output as possible (i.e. right in the line containing the \u201cecho\u201d or \u201cprint\u201d call).\n If not possible (e.g. when building a larger HTML block), escape when building and indicate the fact that the variable content is pre-escaped and the expected context in the name.\n Consider the context when escaping: Escaping text inside HTML is different from escaping HTML attribute values, and very different from escaping values inside CSS or JavaScript, or inside HTTP headers.\n This may mean that you need to escape for multiple contexts and\/or multiple times. 
For example, when passing an HTML fragment as a JS constant for later inclusion in the document, you need to escape for JS string inside HTML when writing the constant to the JavaScript source, then escape again for HTML when your script writes the fragment to the document. (See rationale for examples.)\n The attacker must not be able to put anything where it is not supposed to be, even if you think it is not exploitable (e.g. because attempts to exploit it result in broken JavaScript).\n Explicitly set the correct character set at the beginning of the document (i.e. as early as possible) and\/or in the header.\n Ensure that URLs provided by the user start with an allowed scheme (whitelisting) to avoid dangerous schemes (e.g. javascript:-URLs).\n Don\u2019t forget URLs in redirector scripts.\n A content security policy may be used as an additional security measure, but is not sufficient by itself to prevent attacks.\nXML and internal data escaping \n Avoid XML if possible.\n For XML, use well-tested, high-quality libraries, and pay close attention to the documentation. Know your library \u2013 some libraries have functions that allow you to bypass escaping without knowing it.\n If you parse (read) XML, ensure your parser does not attempt to load external references (e.g. entities and DTDs).\n For other internal representations of data, make sure correct escaping or filtering is applied. Try to use well-tested, high-quality libraries if available, even if it seems to be more difficult.\n If escaping is done manually, ensure that it handles null bytes, unexpected charsets, invalid UTF-8 characters etc. 
in a secure manner.\nXML, JSON and general API security \n Ensure proper access control to the API.\n Do not forget that you need to correctly escape all output to prevent XSS attacks, that data formats like XML require special consideration, and that protection against cross-site request forgery (CSRF) is needed in many cases.\n Use standard data formats like JSON with proven libraries, and use them correctly. This will probably take care of all your escaping needs.\n Make sure browsers do not misinterpret your document or allow cross-site loading.\n Ensure your document is well-formed.\n Send the correct content type.\n Use the X-Content-Type-Options: nosniff header.\n For XML, provide a charset and ensure attackers cannot insert arbitrary tags.\n For JSON, ensure the top-level data structure is an object and all characters with special meaning in HTML are escaped.\n(Un)trusted input \n Thoroughly filter\/escape any untrusted content.\n If the allowed character set for certain input fields is limited, check that the input is valid before using it.\n If in doubt about a certain kind of data (e.g. server variable), treat it as untrusted.\n If you are sure, but there is no real need to treat it as trusted, treat it as untrusted.\n The request URL (e.g. 
in environment variables) is untrusted.\n Data coming from HTTP headers is untrusted.\n Referer\n X-Forwarded-For\n Cookies\n Server name (!)\n All POST and GET data is untrusted.\n Includes non-user-modifiable input fields like select\n All content validation is to be done server side.\nCross-site request forgery (CSRF) \n Include a hidden form field with a random token bound to the user\u2019s session (and preferably the action to be performed), and check this token in the response.\n Make sure the token is non-predictable and cannot be obtained by the attacker.\n Do not include it in files the attacker could load into his site using <script> tags.\n Referer checks are not secure, but can be used as an additional measure.\nClickjacking \n Prevent (i)framing of your application in current browsers by including the HTTP response header \u201cX-Frame-Options: deny\u201d.\n Prevent (i)framing in outdated browsers by including a JavaScript frame breaker which checks for (i)framing and refuses to show the page if it is detected.\n For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript.\nInsecure data transfer \n Use SSL\/TLS (https) for any and all data transfer.\n Do not start communicating via http, only redirecting to https when \u201cneeded\u201d.\n Mark cookies with the \u201csecure\u201d attribute.\n Use the Strict-Transport-Security header where possible.\n Educate users to visit the https:\/\/ URL directly.\n If your web application performs HTTPS requests, make sure it verifies the certificate and host name.\n Consider limiting trusted CAs if connecting to internal servers.\nSession fixation \n Regenerate (change) the session ID as soon as the user logs in (destroying the old session).\n Prevent the attacker from making the user use his session by accepting session IDs only from cookies, not from GET or POST parameters (PHP: 
php.ini setting \u201csession.use_only_cookies\u201d).\nSession stealing \n Set the \u201cHttpOnly\u201d attribute for session cookies.\n Generate random session IDs with secure randomness and sufficient length.\n Do not leak session IDs.\nTruncation attacks, trimming attacks \n Avoid truncating input. Treat overlong input as an error instead.\n If truncation is necessary, ensure to check the value after truncation and use only the truncated value.\n Make sure trimming does not occur or checks are done consistently.\n Introduce length checks.\n Care about different lengths due to encoding.\n Make sure SQL treats truncated queries as errors by setting an appropriate SQL MODE.\nPassword security \n Do not store plain-text passwords; store only hashes.\n Use scrypt, bcrypt, or some other hashing algorithm specifically designed for secure password \"storage\".[1][2]\n Use a secure hashing algorithm (e.g. SHA-256 as of 2011).\n Use per-user salts.\n Use strengthening (i.e. multi-iteration hashing to slow down brute force attempts).\n Limit login attempts per IP (not per user account).\n Enforce reasonable, but not too strict, password policies.\n If a password reset process is implemented, make sure it has adequate security. Questions like \u201cmother\u2019s maiden name\u201d can often be guessed by attackers and are not sufficient.\nComparison issues \n Know comparison types in your programming language and use the correct one.\n When in doubt (especially with PHP), use a strict comparison (PHP: \"===\").\n When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other.\nPHP-specific issues \n Do not use the short form \u201c<?\u201d, always use the full form \u201c<?php\u201d. \n When using the nginx web server, make sure to correctly follow the official installation instructions and pay attention to the \"Pitfalls\" page. 
Beware of tutorials that often contain working but insecure configuration examples.\n preg_replace can act as eval() in certain cases. Avoid passing user input to it. If you must, correctly filter and escape it.\n Use the Suhosin (including the patch, if possible) and configure it with strict rules.\n Enable suhosin.executor.disable_emodifier.\n Enable suhosin.executor.disable_eval if possible.\n Set suhosin.mail.protect to 2 if possible.\n When updating PHP to PHP 5.4 from an older version, ensure legacy applications do not rely on magic quotes for security.\nPrefetching and spiders \n Use POST requests instead of GETs for anything that triggers an action.\nSpecial files \n Know the meaning of these files.\n Ensure robots.txt does not disclose \"secret\" paths.\n Ensure crossdomain.xml and clientaccesspolicy.xml do not exist unless needed.\n If used, ensure crossdomain.xml and clientaccesspolicy.xml allow access from trusted domains only.\n Prevent users from uploading\/changing special files (see file upload vulnerabilities section).\nSSL, TLS and HTTPS basics \n Follow SSLLabs best practices including:\n Ensure SSLv2 is disabled.\n Generate private keys for certificates yourself, do not let your CA do it.\n Use an appropriate key length (usually 2048 bit in 2013).\n If possible, disable client-initiated renegotiation.\n Consider manually limiting\/setting cipher suites.\nReferences \n\n\u2191 Nielsen, P.M. (06 June 2012). \"Storing Passwords Securely\". Patrick on. https:\/\/patrickmn.com\/security\/storing-passwords-securely\/ . Retrieved 10 August 2016 .   \n\n\u2191 \"Cryptography\/Secure Passwords\". Cryptography. WikiBooks. 23 September 2015. https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords . Retrieved 10 August 2016 .   
\n\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Checklist\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Checklist<\/a>\n\nThis page was last modified on 10 August 2016, at 22:06.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","6f2595601193133d52c8090c585f6c8c_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Checklist skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Checklist<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<!-- start content -->\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<h2><span class=\"mw-headline\" id=\"Miscellaneous_points\">Miscellaneous points<\/span><\/h2>\n<ul><li> Do <b>not<\/b> rely on web application firewalls (WAFs) for security (however, consider using them to improve security).<\/li>\n<li> If external libraries (e.g. 
for database access, XML parsing) are used, always use current versions.<\/li>\n<li> If you need random numbers, obtain them from a secure\/cryptographic random number generator.<\/li>\n<li> For every action or retrieval of data, always check access rights.<\/li>\n<li> Do <b>not<\/b>, under any circumstances, attempt to implement cryptographic algorithms yourself. Use high-level libraries for cryptography.<\/li>\n<li> Ensure debug output and error messages do not leak sensitive information.<\/li>\n<li> Mark problematic debug output in your code (e.g. <code>\/\/TODO DEBUG REMOVE<\/code>) even if you intend to remove it after just one test.<\/li>\n<li> Do not use \u201c<code>eval()<\/code>\u201d and similar functions.\n<ul><li> Avoid \u201c<code>system()<\/code>\u201d and similar functions if possible.<\/li><\/ul><\/li>\n<li> Ensure database servers are not directly reachable from the outside.<\/li>\n<li> Consider blocking old browsers from using your application.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"File_inclusion_and_disclosure\">File inclusion and disclosure<\/span><\/h2>\n<ul><li> Do not take file names for inclusions from user input; take them only from trusted lists or constants.\n<ul><li> If user input is to be used, validate it against a whitelist. 
Checking if the file exists or if the input matches a certain format is not sufficient.<\/li><\/ul><\/li>\n<li> Avoid having scripts read and pass through files if possible.<\/li>\n<li> If you read and deliver files using user-supplied file names, thoroughly validate the file names to avoid directory traversal and similar attacks and ensure the user is allowed to read the file.<\/li>\n<li> Ensure the application runs with no more privileges than required.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"File_upload_vulnerabilities\">File upload vulnerabilities<\/span><\/h2>\n<ul><li> Avoid unnecessary file uploads.<\/li>\n<li> Ensure that files uploaded by the user cannot be interpreted as script files by the web server, e.g. by checking the file extension (or whatever means your web server uses to identify script files).<\/li>\n<li> Ensure that files cannot be uploaded to unintended directories (directory traversal).<\/li>\n<li> Try to disable script execution in the upload directory.<\/li>\n<li> Ensure that the file extension matches the actual type of the file content.<\/li>\n<li> If only images are to be uploaded, consider re-compressing them using a secure library to ensure they are valid.<\/li>\n<li> Ensure that uploaded files are specified with the correct Content-type when delivered to the user.<\/li>\n<li> Prevent users from uploading problematic file types like HTML, CSS, JavaScript, XML, SVG and executables using a whitelist of allowed file types.<\/li>\n<li> Prevent users from uploading special files (e.g. 
.htaccess, web.config, robots.txt, crossdomain.xml, clientaccesspolicy.xml).<\/li>\n<li> Prevent users from overwriting application files.<\/li>\n<li> Consider delivering uploaded files with the \u201cContent-disposition: attachment\u201d header.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"SQL_injection\">SQL injection<\/span><\/h2>\n<ul><li> Use prepared statements to access the database <i>\u2013 or \u2013<\/i>.<\/li>\n<li> Use stored procedures, accessed using appropriate language\/library methods or prepared statements.<\/li>\n<li> Always ensure the DB login used by the application has only the rights that are needed.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Cross-site_scripting_.28XSS.29\">Cross-site scripting (XSS)<\/span><\/h2>\n<ul><li> Escape anything that is not a constant before including it in a response, as close to the output as possible (i.e. right in the line containing the \u201cecho\u201d or \u201cprint\u201d call).<\/li>\n<li> If that is not possible (e.g. when building a larger HTML block), escape while building and indicate in the variable name that its content is pre-escaped and for which context.<\/li>\n<li> Consider the context when escaping: escaping text inside HTML is different from escaping HTML attribute values, and very different from escaping values inside CSS or JavaScript, or inside HTTP headers.\n<ul><li> This may mean that you need to escape for multiple contexts and\/or multiple times. For example, when passing an HTML fragment as a JS constant for later inclusion in the document, you need to escape for a JS string inside HTML when writing the constant to the JavaScript source, then escape again for HTML when your script writes the fragment to the document. (See rationale for examples.)<\/li>\n<li> The attacker must not be able to put anything where it is not supposed to be, even if you think it is not exploitable (e.g. 
because attempts to exploit it result in broken JavaScript).<\/li><\/ul><\/li>\n<li> Explicitly set the correct character set at the beginning of the document (i.e. as early as possible) and\/or in the header.<\/li>\n<li> Ensure that URLs provided by the user start with an allowed scheme (whitelisting) to avoid dangerous schemes (e.g. javascript:-URLs).<\/li>\n<li> Don\u2019t forget URLs in redirector scripts.<\/li>\n<li> A <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.html5rocks.com\/en\/tutorials\/security\/content-security-policy\/\" target=\"_blank\">content security policy<\/a> may be used as an additional security measure, but is not sufficient by itself to prevent attacks.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"XML_and_internal_data_escaping\">XML and internal data escaping<\/span><\/h2>\n<ul><li> Avoid XML if possible.<\/li>\n<li> For XML, use well-tested, high-quality libraries, and pay close attention to the documentation. Know your library \u2013 some libraries have functions that allow you to bypass escaping without knowing it.<\/li>\n<li> If you parse (read) XML, ensure your parser does not attempt to load external references (e.g. entities and DTDs).<\/li>\n<li> For other internal representations of data, make sure correct escaping or filtering is applied. Try to use well-tested, high-quality libraries if available, even if it seems to be more difficult.<\/li>\n<li> If escaping is done manually, ensure that it handles null bytes, unexpected charsets, invalid UTF-8 characters etc. 
in a secure manner.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"XML.2C_JSON_and_general_API_security\">XML, JSON and general API security<\/span><\/h2>\n<ul><li> Ensure proper access control to the API.<\/li>\n<li> Do not forget that you need to <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)\" title=\"LII:Web Application Security Guide\/Cross-site scripting (XSS)\" target=\"_blank\" class=\"wiki-link\" data-key=\"931b3464b3f12dc9e1b1803bd3190cb9\">correctly escape all output to prevent XSS attacks<\/a>, that data formats like XML require <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping\" title=\"LII:Web Application Security Guide\/XML and internal data escaping\" target=\"_blank\" class=\"wiki-link\" data-key=\"9cae4e140675b1a1a21fe8753676d5ac\">special consideration<\/a>, and that protection against <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)\" title=\"LII:Web Application Security Guide\/Cross-site request forgery (CSRF)\" target=\"_blank\" class=\"wiki-link\" data-key=\"57069b13cd4c6c205a34744f07e84805\">cross-site request forgery (CSRF)<\/a> is needed in many cases.<\/li>\n<li> Use standard data formats like JSON with proven libraries, and use them correctly. 
This will probably take care of all your escaping needs.<\/li>\n<li> Make sure browsers do not misinterpret your document or allow cross-site loading.\n<ul><li> Ensure your document is well-formed.<\/li>\n<li> Send the correct content type.<\/li>\n<li> Use the <code>X-Content-Type-Options: nosniff<\/code> header.<\/li>\n<li> For XML, provide a charset and ensure attackers cannot insert arbitrary tags.<\/li>\n<li> For JSON, ensure the top-level data structure is an object and all characters with special meaning in HTML are escaped.<\/li><\/ul><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\".28Un.29trusted_input\">(Un)trusted input<\/span><\/h2>\n<ul><li> Thoroughly filter\/escape any untrusted content.<\/li>\n<li> If the allowed character set for certain input fields is limited, check that the input is valid before using it.<\/li>\n<li> If in doubt about a certain kind of data (e.g. server variable), treat it as untrusted.<\/li>\n<li> If you are sure, but there is no <b>real<\/b> need to treat it as trusted, treat it as untrusted.<\/li>\n<li> The request URL (e.g. 
in environment variables) is untrusted.<\/li>\n<li> Data coming from HTTP headers is untrusted.\n<ul><li> Referer<\/li>\n<li> X-Forwarded-For<\/li>\n<li> Cookies<\/li>\n<li> Server name (!)<\/li><\/ul><\/li>\n<li> All POST and GET data is untrusted.\n<ul><li> Includes non-user-modifiable input fields like select<\/li><\/ul><\/li>\n<li> All content validation is to be done server side.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Cross-site_request_forgery_.28CSRF.29\">Cross-site request forgery (CSRF)<\/span><\/h2>\n<ul><li> Include a hidden form field with a random token bound to the user\u2019s session (and preferably the action to be performed), and check this token in the response.<\/li>\n<li> Make sure the token is non-predictable and cannot be obtained by the attacker.\n<ul><li> Do not include it in files the attacker could load into his site using <code><script><\/code> tags.<\/li><\/ul><\/li>\n<li> Referer checks are not secure, but can be used as an additional measure.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Clickjacking\">Clickjacking<\/span><\/h2>\n<ul><li> Prevent (i)framing of your application in current browsers by including the HTTP response header \u201c<tt>X-Frame-Options: deny<\/tt>\u201d.<\/li>\n<li> Prevent (i)framing in outdated browsers by including a JavaScript frame breaker which checks for (i)framing and refuses to show the page if it is detected.<\/li>\n<li> For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Insecure_data_transfer\">Insecure data transfer<\/span><\/h2>\n<ul><li> Use SSL\/TLS (https) for any and all data transfer.<\/li>\n<li> Do <b>not<\/b> start communicating via http, only redirecting to https when \u201cneeded\u201d.<\/li>\n<li> Mark cookies with the \u201csecure\u201d attribute.<\/li>\n<li> Use the 
Strict-Transport-Security header where possible.<\/li>\n<li> Educate users to visit the <tt>https:\/\/<\/tt> URL directly.<\/li>\n<li> If your web application performs HTTPS requests, make sure it verifies the certificate and host name.\n<ul><li> Consider limiting trusted CAs if connecting to internal servers.<\/li><\/ul><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Session_fixation\">Session fixation<\/span><\/h2>\n<ul><li> Regenerate (change) the session ID as soon as the user logs in (destroying the old session).<\/li>\n<li> Prevent the attacker from making the user use his session by accepting session IDs only from cookies, not from GET or POST parameters (PHP: php.ini setting \u201c<tt>session.use_only_cookies<\/tt>\u201d).<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Session_stealing\">Session stealing<\/span><\/h2>\n<ul><li> Set the \u201cHttpOnly\u201d attribute for session cookies.<\/li>\n<li> Generate random session IDs with secure randomness and sufficient length.<\/li>\n<li> Do not leak session IDs.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Truncation_attacks.2C_trimming_attacks\">Truncation attacks, trimming attacks<\/span><\/h2>\n<ul><li> Avoid truncating input. 
Treat overlong input as an error instead.<\/li>\n<li> If truncation is necessary, make sure to check the value after truncation and use only the truncated value.<\/li>\n<li> Make sure trimming does not occur, or that checks are applied consistently.<\/li>\n<li> Introduce length checks.\n<ul><li> Take into account that the same input can have different lengths depending on the encoding.<\/li><\/ul><\/li>\n<li> Make sure SQL treats truncated queries as errors by setting an appropriate <tt>SQL MODE<\/tt>.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Password_security\">Password security<\/span><\/h2>\n<ul><li> Do not store plain-text passwords; store only hashes.<\/li>\n<li> Use scrypt, bcrypt, or some other hashing algorithm specifically designed for secure password \"storage\".<sup id=\"rdp-ebb-cite_ref-NielsenStoring12_1-0\" class=\"reference\"><a href=\"#cite_note-NielsenStoring12-1\" rel=\"external_link\">[1]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-CryptWB_2-0\" class=\"reference\"><a href=\"#cite_note-CryptWB-2\" rel=\"external_link\">[2]<\/a><\/sup><\/li>\n<li> Use a secure hashing algorithm (e.g. <a href=\"https:\/\/en.wikipedia.org\/wiki\/SHA-256\" class=\"extiw\" title=\"wikipedia:SHA-256\" rel=\"external_link\" target=\"_blank\">SHA-256<\/a> as of 2011).<\/li>\n<li> Use per-user salts.<\/li>\n<li> Use strengthening (i.e. multi-iteration hashing to slow down brute force attempts).<\/li>\n<li> Limit login attempts per IP (not per user account).<\/li>\n<li> Enforce reasonable, but not too strict, password policies.<\/li>\n<li> If a password reset process is implemented, make sure it has adequate security. 
Questions like \u201cmother\u2019s maiden name\u201d can often be guessed by attackers and are not sufficient.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Comparison_issues\">Comparison issues<\/span><\/h2>\n<ul><li> Know the comparison types in your programming language and use the correct one.<\/li>\n<li> When in doubt (especially with PHP), use a strict comparison (PHP: \"<code>===<\/code>\").<\/li>\n<li> When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"PHP-specific_issues\">PHP-specific issues<\/span><\/h2>\n<ul><li> Do not use the short form \u201c<code><?<\/code>\u201d; always use the full form \u201c<code><?php<\/code>\u201d.<\/li>\n<li> When using the nginx web server, make sure to correctly follow the <b>official<\/b> installation instructions and pay attention to the <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/wiki.nginx.org\/Pitfalls#Passing_Uncontrolled_Requests_to_PHP\" target=\"_blank\">\"Pitfalls\" page<\/a>. Beware of tutorials, which often contain working but insecure configuration examples.<\/li>\n<li> <code>preg_replace<\/code> can act as <code>eval()<\/code> in certain cases. Avoid passing user input to it. 
If you must, correctly filter and escape it.<\/li>\n<li> Use the <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.hardened-php.net\/suhosin\/\" target=\"_blank\">Suhosin<\/a> extension (including the patch, if possible) and configure it with strict rules.\n<ul><li> Enable <code>suhosin.executor.disable_emodifier<\/code>.<\/li>\n<li> Enable <code>suhosin.executor.disable_eval<\/code> if possible.<\/li>\n<li> Set <code>suhosin.mail.protect<\/code> to 2 if possible.<\/li><\/ul><\/li>\n<li> When updating PHP to PHP 5.4 from an older version, ensure legacy applications do not rely on magic quotes for security.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Prefetching_and_spiders\">Prefetching and spiders<\/span><\/h2>\n<ul><li> Use POST requests instead of GETs for anything that triggers an action.<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"Special_files\">Special files<\/span><\/h2>\n<ul><li> Know the meaning of these files.<\/li>\n<li> Ensure robots.txt does not disclose \"secret\" paths.<\/li>\n<li> Ensure crossdomain.xml and clientaccesspolicy.xml do not exist unless needed.<\/li>\n<li> If used, ensure crossdomain.xml and clientaccesspolicy.xml allow access from trusted domains only.<\/li>\n<li> Prevent users from uploading\/changing special files (see <a href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_upload_vulnerabilities\" title=\"LII:Web Application Security Guide\/File upload vulnerabilities\" target=\"_blank\" class=\"wiki-link\" data-key=\"8b3708600c87ff3258de11ce293bf1a6\">file upload vulnerabilities section<\/a>).<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"SSL.2C_TLS_and_HTTPS_basics\">SSL, TLS and HTTPS basics<\/span><\/h2>\n<ul><li> <b>Follow <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.ssllabs.com\/projects\/best-practices\/\" target=\"_blank\">SSLLabs best practices<\/a><\/b>, including:\n<ul><li> Ensure SSLv2 is disabled.<\/li>\n<li> Generate private keys for 
certificates yourself, do not let your CA do it.<\/li>\n<li> Use an appropriate key length (usually 2048 bit in 2013).<\/li>\n<li> If possible, disable client-initiated renegotiation.<\/li>\n<li> Consider manually limiting\/setting cipher suites.<\/li><\/ul><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<ol class=\"references\">\n<li id=\"cite_note-NielsenStoring12-1\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-NielsenStoring12_1-0\" rel=\"external_link\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">Nielsen, P.M. (06 June 2012). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/patrickmn.com\/security\/storing-passwords-securely\/\" target=\"_blank\">\"Storing Passwords Securely\"<\/a>. <i>Patrick on<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/patrickmn.com\/security\/storing-passwords-securely\/\" target=\"_blank\">https:\/\/patrickmn.com\/security\/storing-passwords-securely\/<\/a><\/span><span class=\"reference-accessdate\">. Retrieved 10 August 2016<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Storing+Passwords+Securely&rft.atitle=Patrick+on&rft.aulast=Nielsen%2C+P.M.&rft.au=Nielsen%2C+P.M.&rft.date=06+June+2012&rft_id=https%3A%2F%2Fpatrickmn.com%2Fsecurity%2Fstoring-passwords-securely%2F&rfr_id=info:sid\/en.wikipedia.org:LII:Web_Application_Security_Guide\/Checklist\"><span style=\"display: none;\"> <\/span><\/span><\/span>\n<\/li>\n<li id=\"cite_note-CryptWB-2\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-CryptWB_2-0\" rel=\"external_link\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords\" target=\"_blank\">\"Cryptography\/Secure Passwords\"<\/a>. 
<i>Cryptography<\/i>. WikiBooks. 23 September 2015<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords\" target=\"_blank\">https:\/\/en.wikibooks.org\/wiki\/Cryptography\/Secure_Passwords<\/a><\/span><span class=\"reference-accessdate\">. Retrieved 10 August 2016<\/span>.<\/span><\/span>\n<\/li>\n<\/ol>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Checklist\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Checklist\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Checklist<\/a><\/div>\n<!-- end content -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<!-- end of the left (by default at least) column -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","6f2595601193133d52c8090c585f6c8c_images":[],"6f2595601193133d52c8090c585f6c8c_timestamp":1546642316,"1976acf065ac97ac0435e29709bd2078_type":"article","1976acf065ac97ac0435e29709bd2078_title":"Opening comments","1976acf065ac97ac0435e29709bd2078_url":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Intro","1976acf065ac97ac0435e29709bd2078_plaintext":"LII:Web Application Security Guide\/Intro\nFrom LIMSWiki\n\nContents\n\n1 Notes\n\nThis guide attempts to provide a comprehensive overview of web application security. Common web application security issues and methods to prevent them are explained. Web server and operating system security are not covered. The guide is intended mainly for web application developers, but can also provide useful information for web application reviewers.\nThe checklist gives a short summary containing only the individual guidelines. 
It is recommended to take the time and read the full version, where the guidelines are explained in detail, especially if any questions arise.\nMost web application developers probably (hopefully) already know some or even most of the points mentioned in this guide. However, there will probably be something new for every developer. Remember, as a developer it is your responsibility to develop your application securely, and a single mistake may be enough to allow an attack.\n\nNotes \nThe original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Intro\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Intro<\/a>\n\nThis page was last modified on 10 August 2016, at 20:30.\nContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","1976acf065ac97ac0435e29709bd2078_html":"<body class=\"mediawiki ltr sitedir-ltr ns-202 ns-subject page-LII_Web_Application_Security_Guide_Intro skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n<div id=\"rdp-ebb-column-content\">\n<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n<a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">LII:Web Application Security Guide\/Intro<\/h1>\n<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n<!-- start content -->\n<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\">\n<p>This guide attempts to provide a comprehensive overview of web application security. 
Common web application security issues and methods to prevent them are explained. Web server and operating system security are not covered. The guide is intended mainly for web application developers, but can also provide useful information for web application reviewers.\n<\/p><p>The checklist gives a short summary containing only the individual guidelines. It is recommended to take the time and read the full version, where the guidelines are explained in detail, especially if any questions arise.\n<\/p><p>Most web application developers probably (hopefully) already know some or even most of the points mentioned in this guide. However, there will probably be something new for every developer. Remember, as a developer it is your responsibility to develop your application securely, and a single mistake may be enough to allow an attack.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>The original source for this page is <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikibooks.org\/wiki\/Web_Application_Security_Guide\/Intro\" target=\"_blank\">the associated Wikibooks article<\/a> and is shared here under the <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\" target=\"_blank\">CC BY-SA 3.0<\/a> license.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Intro\">https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Intro<\/a><\/div>\n<!-- end content -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<!-- end of the left (by default at least) column -->\n<div class=\"visualClear\"><\/div>\n<\/div>\n<\/body>","1976acf065ac97ac0435e29709bd2078_images":[],"1976acf065ac97ac0435e29709bd2078_timestamp":1546642316,"5d5150b04547e963d28d3ce7ffdae9c6_type":"article","5d5150b04547e963d28d3ce7ffdae9c6_title":"Introducing web application security","5d5150b04547e963d28d3ce7ffdae9c6_url":"https:\/\/www.limswiki.org\/index.php\/Web_application_security","5d5150b04547e963d28d3ce7ffdae9c6_plaintext":"Web application security\nFrom LIMSWiki\n\nWeb application security is a 
branch of information security that deals specifically with security of websites, web applications and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems.[1]\n\nContents \n\n1 Security threats \n2 Best practices recommendation \n3 Security standards \n4 Security technology \n5 See also \n6 References \n\n\nSecurity threats \nThe majority of web application attacks occur through cross-site scripting (XSS) and SQL injection attacks[2] which typically are made possible by flawed coding and failure to sanitize application inputs and outputs. These attacks are ranked in the 2009 CWE\/SANS Top 25 Most Dangerous Programming Errors.[3]\nAccording to the security vendor Cenzic, the top vulnerabilities in March 2012 include:[4]\n\n\n\n\n37%\nCross-site scripting\n\n\n16%\nSQL injection\n\n\n5%\nPath disclosure\n\n\n5%\nDenial-of-service attack\n\n\n4%\nArbitrary code execution\n\n\n4%\nMemory corruption\n\n\n4%\nCross-site request forgery\n\n\n3%\nData breach (information disclosure)\n\n\n3%\nArbitrary file inclusion\n\n\n2%\nLocal file inclusion\n\n\n1%\nRemote file inclusion\n\n\n1%\nBuffer overflow\n\n\n15%\nOther, including code injection (PHP\/JavaScript), etc.\n The Open Web Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations. 
From this data, approximately 2.3 million vulnerabilities were discovered across over 50,000 applications.[5] According to the OWASP Top 10 - 2017, the ten most critical web application security risks include:[6]<\/dd>\nSQL injection\nBroken Authentication\nSensitive Data Exposure\nXML External Entities (XXE)\nInsecure Direct Object References\nSecurity Misconfiguration\nCross-Site Scripting (XSS)\nInsecure Deserialization\nUsing Components with Known Vulnerabilities\nInsufficient Logging and Monitoring\nBest practices recommendation \nSecure web application development should be enhanced by applying security checkpoints and techniques at early stages of development as well as throughout the software development lifecycle. Special emphasis should be applied to the coding phase of development. Security mechanisms that should be used include, threat modeling, risk analysis, static analysis, digital signature, among others.[7]\n\nSecurity standards \nOWASP is the emerging standards body for web application security. In particular they have published the OWASP Top 10 which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database (WHID) and also produced open source best practice documents on web application security. The WHID became an OWASP project in February 2014.[8]\n\nSecurity technology \nWhile security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. 
At a high level, these solutions include:\n\nBlack box testing tools such as Web application security scanners,[9] vulnerability scanners and penetration testing software\nWhite box testing tools such as static source code analyzers[10]\nFuzzing[11] Tools used for input testing\nWeb application security scanner (vulnerability scanner)\nWeb application firewalls (WAF)[12] used to provide firewall-type protection at the web application layer\nPassword cracking tools for testing password strength and implementation\nSee also \nApplication service architecture (ASA)\nw3af a free open-source web application security scanner\nOWASP Open Web Application Security Project\nWeb application security scanner\nRuntime Application Self-Protection\nReferences \n\n^ \"Web Application Security Overview\". 2015-10-23. \n\n^ \"Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks\". Fonseca, J.; Vieira, M.; Madeira, H., Dependable Computing, IEEE. Dec 2007. \n\n^ \"CWE\/SANS Top 25 Most Dangerous Programming Errors\". CWE\/SANS. May 2009. \n\n^ \"2012 Trends Report: Application Security Risks\". Cenzic, Inc. 11 March 2012. Retrieved 9 July 2012 . \n\n^ Korolov, Maria (Apr 27, 2017). \"Latest OWASP Top 10 looks at APIs, web apps: The new OWASP Top 10 list is out, and while most of it remains the same, there are new additions focusing on web applications and APIs\". CSO – via ProQuest. \n\n^ \"OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks\" (PDF) . Open Web Application Security Project. 2017. Retrieved June 30, 2018 . \n\n^ Shuaibu, Bala Musa; Norwawi, Norita Md; Selamat, Mohd Hasan; Al-Alwani, Abdulkareem (2013-01-17). \"Systematic review of web application security development model\". Artificial Intelligence Review. 43 (2): 259\u2013276. doi:10.1007\/s10462-012-9375-6. ISSN 0269-2821. \n\n^ \"WHID Project is now a Joint WASC\/OWASP Project\". WASC. 18 February 2014. \n\n^ \"Web Application Vulnerability Scanners\". NIST. 
\n\n^ \"Source Code Security Analyzers\". NIST. \n\n^ \"Fuzzing\". OWASP. \n\n^ \"Web application firewalls for security and regulatory compliance\". TestingXperts Blog. March 2017. \n\n\n\n\n\n<\/pre>\n\nNotes \nThis article is a direct transclusion of the Wikipedia article and therefore may not meet the same editing standards as LIMSwiki.\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Web_application_security\">https:\/\/www.limswiki.org\/index.php\/Web_application_security<\/a>\n\t\t\t\t\tCategories: Computer securityData securitySoftware and hardware termsHidden category: Articles transcluded from other wikis\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\n\t\t\n\t\t\tNavigation menu\n\t\t\t\t\t\n\t\t\tViews\n\n\t\t\t\n\t\t\t\t\n\t\t\t\tPage\n\t\t\t\tDiscussion\n\t\t\t\tView source\n\t\t\t\tHistory\n\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\t\n\t\t\t\tPersonal tools\n\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\tLog in\n\t\t\t\t\t\t\t\t\t\t\t\t\tRequest account\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\t\n\t\t\t\n\t\t\t\t\n\t\tNavigation\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tMain page\n\t\t\t\t\t\t\t\t\t\t\tRecent changes\n\t\t\t\t\t\t\t\t\t\t\tRandom page\n\t\t\t\t\t\t\t\t\t\t\tHelp\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tSearch\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t \n\t\t\t\t\t\t\n\t\t\t\t\n\n\t\t\t\t\t\t\t\n\t\t\n\t\t\t\n\t\t\tTools\n\n\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tWhat links here\n\t\t\t\t\t\t\t\t\t\t\tRelated changes\n\t\t\t\t\t\t\t\t\t\t\tSpecial pages\n\t\t\t\t\t\t\t\t\t\t\tPermanent link\n\t\t\t\t\t\t\t\t\t\t\tPage information\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\tPrint\/export\n\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\tCreate a book\n\t\t\t\t\t\t\t\t\t\t\tDownload as PDF\n\t\t\t\t\t\t\t\t\t\t\tDownload as Plain text\n\t\t\t\t\t\t\t\t\t\t\tPrintable 
version\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\n\t\t\n\t\tSponsors\n\t\t\n\t\t\t \r\n\n\t\r\n\n\t\r\n\n\t\r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n \r\n\n\t\n\t\r\n\n\t\n\t\r\n\n\t\r\n\n\t\r\n\n\t\r\n\t\t\n\t\t\n\t\t\t\n\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t This page was last modified on 10 August 2016, at 17:43.\n\t\t\t\t\t\t\t\t\tThis page has been accessed 424 times.\n\t\t\t\t\t\t\t\t\tContent is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\t\t\t\t\t\t\t\t\tPrivacy policy\n\t\t\t\t\t\t\t\t\tAbout LIMSWiki\n\t\t\t\t\t\t\t\t\tDisclaimers\n\t\t\t\t\t\t\t\n\t\t\n\t\t\n\t\t\n\n","5d5150b04547e963d28d3ce7ffdae9c6_html":"<body class=\"mediawiki ltr sitedir-ltr ns-0 ns-subject page-Web_application_security skin-monobook action-view\">\n<div id=\"rdp-ebb-globalWrapper\">\n\t\t<div id=\"rdp-ebb-column-content\">\n\t\t\t<div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\">\n\t\t\t\t<a id=\"rdp-ebb-top\"><\/a>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Web application security<\/h1>\n\t\t\t\t\n\t\t\t\t<div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\">\n\t\t\t\t\t\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\n\n\t\t\t\t\t<!-- start content -->\n\t\t\t\t\t<div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n<p><b>Web application security<\/b> is a branch of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Information_security\" title=\"Information security\" rel=\"external_link\" target=\"_blank\">information security<\/a> that deals specifically with security of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Website\" title=\"Website\" rel=\"external_link\" target=\"_blank\">websites<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_application\" title=\"Web application\" rel=\"external_link\" 
target=\"_blank\">web applications<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_service\" title=\"Web service\" rel=\"external_link\" target=\"_blank\">web services<\/a>. At a high level, web application security draws on the principles of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Application_security\" title=\"Application security\" rel=\"external_link\" target=\"_blank\">application security<\/a> but applies them specifically to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet\" title=\"Internet\" rel=\"external_link\" target=\"_blank\">internet<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/World_Wide_Web\" title=\"World Wide Web\" rel=\"external_link\" target=\"_blank\">web<\/a> systems.<sup id=\"rdp-ebb-cite_ref-1\" class=\"reference\"><a href=\"#cite_note-1\" rel=\"external_link\">[1]<\/a><\/sup>\n<\/p>\n\n<h2><span class=\"mw-headline\" id=\"Security_threats\">Security threats<\/span><\/h2>\n<p>The majority of web application attacks occur through <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting\" title=\"Cross-site scripting\" rel=\"external_link\" target=\"_blank\">cross-site scripting (XSS)<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/SQL_injection\" title=\"SQL injection\" rel=\"external_link\" target=\"_blank\">SQL injection<\/a> attacks<sup id=\"rdp-ebb-cite_ref-2\" class=\"reference\"><a href=\"#cite_note-2\" rel=\"external_link\">[2]<\/a><\/sup> which typically are made possible by flawed coding and failure to sanitize application inputs and outputs. 
These attacks are ranked in the 2009 <a href=\"https:\/\/en.wikipedia.org\/wiki\/Mitre_Corporation\" title=\"Mitre Corporation\" rel=\"external_link\" target=\"_blank\">CWE<\/a>\/<a href=\"https:\/\/en.wikipedia.org\/wiki\/SANS_Institute\" title=\"SANS Institute\" rel=\"external_link\" target=\"_blank\">SANS<\/a> Top 25 Most Dangerous Programming Errors.<sup id=\"rdp-ebb-cite_ref-3\" class=\"reference\"><a href=\"#cite_note-3\" rel=\"external_link\">[3]<\/a><\/sup>\n<\/p><p>According to the security vendor Cenzic, the top vulnerabilities in March 2012 include:<sup id=\"rdp-ebb-cite_ref-4\" class=\"reference\"><a href=\"#cite_note-4\" rel=\"external_link\">[4]<\/a><\/sup>\n<\/p>\n<dl><dd><dl><dd><table class=\"wikitable\" style=\"\">\n\n<tbody><tr>\n<td>37%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting\" title=\"Cross-site scripting\" rel=\"external_link\" target=\"_blank\">Cross-site scripting<\/a>\n<\/td><\/tr>\n<tr>\n<td>16%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/SQL_injection\" title=\"SQL injection\" rel=\"external_link\" target=\"_blank\">SQL injection<\/a>\n<\/td><\/tr>\n<tr>\n<td>5%<\/td>\n<td>Path disclosure\n<\/td><\/tr>\n<tr>\n<td>5%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack\" title=\"Denial-of-service attack\" rel=\"external_link\" target=\"_blank\">Denial-of-service attack<\/a>\n<\/td><\/tr>\n<tr>\n<td>4%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/Arbitrary_code_execution\" title=\"Arbitrary code execution\" rel=\"external_link\" target=\"_blank\">Arbitrary code execution<\/a>\n<\/td><\/tr>\n<tr>\n<td>4%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/Memory_corruption\" title=\"Memory corruption\" rel=\"external_link\" target=\"_blank\">Memory corruption<\/a>\n<\/td><\/tr>\n<tr>\n<td>4%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\" title=\"Cross-site request forgery\" rel=\"external_link\" 
target=\"_blank\">Cross-site request forgery<\/a>\n<\/td><\/tr>\n<tr>\n<td>3%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/Data_breach\" title=\"Data breach\" rel=\"external_link\" target=\"_blank\">Data breach<\/a> (information disclosure)\n<\/td><\/tr>\n<tr>\n<td>3%<\/td>\n<td>Arbitrary <a href=\"https:\/\/en.wikipedia.org\/wiki\/File_inclusion_vulnerability\" title=\"File inclusion vulnerability\" rel=\"external_link\" target=\"_blank\">file inclusion<\/a>\n<\/td><\/tr>\n<tr>\n<td>2%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/File_inclusion_vulnerability\" title=\"File inclusion vulnerability\" rel=\"external_link\" target=\"_blank\">Local file inclusion<\/a>\n<\/td><\/tr>\n<tr>\n<td>1%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/File_inclusion_vulnerability\" title=\"File inclusion vulnerability\" rel=\"external_link\" target=\"_blank\">Remote file inclusion<\/a>\n<\/td><\/tr>\n<tr>\n<td>1%<\/td>\n<td><a href=\"https:\/\/en.wikipedia.org\/wiki\/Buffer_overflow\" title=\"Buffer overflow\" rel=\"external_link\" target=\"_blank\">Buffer overflow<\/a>\n<\/td><\/tr>\n<tr>\n<td>15%<\/td>\n<td>Other, including <a href=\"https:\/\/en.wikipedia.org\/wiki\/Code_injection\" title=\"Code injection\" rel=\"external_link\" target=\"_blank\">code injection<\/a> (PHP\/JavaScript), etc.\n<\/td><\/tr><\/tbody><\/table> The Open Web Application Security Project (<a href=\"https:\/\/en.wikipedia.org\/wiki\/OWASP\" title=\"OWASP\" rel=\"external_link\" target=\"_blank\">OWASP<\/a>) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations. 
From this data, approximately 2.3 million vulnerabilities were discovered across over 50,000 applications.<sup id=\"rdp-ebb-cite_ref-5\" class=\"reference\"><a href=\"#cite_note-5\" rel=\"external_link\">[5]<\/a><\/sup> According to the OWASP Top 10 - 2017, the ten most critical web application security risks include:<sup id=\"rdp-ebb-cite_ref-6\" class=\"reference\"><a href=\"#cite_note-6\" rel=\"external_link\">[6]<\/a><\/sup><\/dd><\/dl><\/dd><\/dl>\n<dl><dd><ol><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/SQL_injection\" title=\"SQL injection\" rel=\"external_link\" target=\"_blank\">SQL injection<\/a><\/li>\n<li>Broken Authentication<\/li>\n<li>Sensitive Data Exposure<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/XML_external_entity_attack\" title=\"XML external entity attack\" rel=\"external_link\" target=\"_blank\">XML External Entities (XXE)<\/a><\/li>\n<li>Insecure Direct Object References<\/li>\n<li>Security Misconfiguration<\/li>\n<li>Cross-Site Scripting (XSS)<\/li>\n<li>Insecure Deserialization<\/li>\n<li>Using Components with Known Vulnerabilities<\/li>\n<li>Insufficient Logging and Monitoring<\/li><\/ol><\/dd><\/dl>\n<h2><span class=\"mw-headline\" id=\"Best_practices_recommendation\">Best practices recommendation<\/span><\/h2>\n<p>Secure web application development should be enhanced by applying security checkpoints and techniques at early stages of development as well as throughout the software development lifecycle. Special emphasis should be applied to the coding phase of development. 
Security mechanisms that should be used include, threat modeling, risk analysis, static analysis, digital signature, among others.<sup id=\"rdp-ebb-cite_ref-7\" class=\"reference\"><a href=\"#cite_note-7\" rel=\"external_link\">[7]<\/a><\/sup>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Security_standards\">Security standards<\/span><\/h2>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/OWASP\" title=\"OWASP\" rel=\"external_link\" target=\"_blank\">OWASP<\/a> is the emerging standards body for web application security. In particular they have published the <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.owasp.org\/index.php\/OWASP_Top_Ten_Project\" target=\"_blank\">OWASP Top 10<\/a> which describes in detail the major threats against web applications. The (WASC) has created the Web Hacking Incident Database (WHID) and also produced open source best practice documents on web application security. The WHID became an OWASP project in February 2014.<sup id=\"rdp-ebb-cite_ref-8\" class=\"reference\"><a href=\"#cite_note-8\" rel=\"external_link\">[8]<\/a><\/sup>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Security_technology\">Security technology<\/span><\/h2>\n<p>While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. 
At a high level, these solutions include:\n<\/p>\n<ul><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Application_security#Security_testing_for_applications\" title=\"Application security\" rel=\"external_link\" target=\"_blank\">Black box<\/a> testing tools such as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_application_security_scanner\" class=\"mw-redirect\" title=\"Web application security scanner\" rel=\"external_link\" target=\"_blank\">Web application security scanners<\/a>,<sup id=\"rdp-ebb-cite_ref-9\" class=\"reference\"><a href=\"#cite_note-9\" rel=\"external_link\">[9]<\/a><\/sup> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Vulnerability_scanner\" title=\"Vulnerability scanner\" rel=\"external_link\" target=\"_blank\">vulnerability scanners<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Penetration_testing#Web_application_penetration_testing\" class=\"mw-redirect\" title=\"Penetration testing\" rel=\"external_link\" target=\"_blank\">penetration testing<\/a> software<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Application_security#Security_testing_for_applications\" title=\"Application security\" rel=\"external_link\" target=\"_blank\">White box<\/a> testing tools such as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Static_code_analysis\" class=\"mw-redirect\" title=\"Static code analysis\" rel=\"external_link\" target=\"_blank\">static source code analyzers<\/a><sup id=\"rdp-ebb-cite_ref-10\" class=\"reference\"><a href=\"#cite_note-10\" rel=\"external_link\">[10]<\/a><\/sup><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Fuzz_testing\" class=\"mw-redirect\" title=\"Fuzz testing\" rel=\"external_link\" target=\"_blank\">Fuzzing<\/a><sup id=\"rdp-ebb-cite_ref-11\" class=\"reference\"><a href=\"#cite_note-11\" rel=\"external_link\">[11]<\/a><\/sup> Tools used for input testing<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_application_security_scanner\" class=\"mw-redirect\" title=\"Web application security 
scanner\" rel=\"external_link\" target=\"_blank\">Web application security scanner<\/a> (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Vulnerability_scanner\" title=\"Vulnerability scanner\" rel=\"external_link\" target=\"_blank\">vulnerability scanner<\/a>)<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_application_firewall\" title=\"Web application firewall\" rel=\"external_link\" target=\"_blank\">Web application firewalls<\/a> (WAF)<sup id=\"rdp-ebb-cite_ref-12\" class=\"reference\"><a href=\"#cite_note-12\" rel=\"external_link\">[12]<\/a><\/sup> used to provide <a href=\"https:\/\/en.wikipedia.org\/wiki\/Firewall_(computing)\" title=\"Firewall (computing)\" rel=\"external_link\" target=\"_blank\">firewall<\/a>-type protection at the web application layer<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Password_cracking\" title=\"Password cracking\" rel=\"external_link\" target=\"_blank\">Password cracking<\/a> tools for testing <a href=\"https:\/\/en.wikipedia.org\/wiki\/Password_strength\" title=\"Password strength\" rel=\"external_link\" target=\"_blank\">password strength<\/a> and implementation<\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"See_also\">See also<\/span><\/h2>\n<ul><li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Application_service_architecture\" title=\"Application service architecture\" rel=\"external_link\" target=\"_blank\">Application service architecture<\/a> (ASA)<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/W3af\" title=\"W3af\" rel=\"external_link\" target=\"_blank\">w3af<\/a> a free open-source web application security scanner<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/OWASP\" title=\"OWASP\" rel=\"external_link\" target=\"_blank\">OWASP<\/a> Open Web Application Security Project<\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_application_security_scanner\" class=\"mw-redirect\" title=\"Web application security scanner\" rel=\"external_link\" target=\"_blank\">Web application 
security scanner<\/a><\/li>\n<li><a class=\"external text\" href=\"https:\/\/en.wikipedia.org\/wiki\/Runtime_application_self-protection\" rel=\"external_link\" target=\"_blank\">Runtime Application Self-Protection<\/a><\/li><\/ul>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"mw-references-wrap mw-references-columns\"><ol class=\"references\">\n<li id=\"cite_note-1\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-1\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/ff648636.aspx\" target=\"_blank\">\"Web Application Security Overview\"<\/a>. 2015-10-23.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Web+Application+Security+Overview&rft.date=2015-10-23&rft_id=https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fff648636.aspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><\/span>\n<\/li>\n<li id=\"cite_note-2\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-2\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation news\"><a rel=\"external_link\" class=\"external text\" href=\"http:\/\/ieeexplore.ieee.org\/Xplore\/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F4459624%2F4459625%2F04459684.pdf%3Farnumber%3D4459684&authDecision=-203\" target=\"_blank\">\"Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks\"<\/a>. Fonseca, J.; Vieira, M.; Madeira, H., Dependable Computing, IEEE. 
Dec 2007.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Testing+and+Comparing+Web+Vulnerability+Scanning+Tools+for+SQL+Injection+and+XSS+Attacks&rft.date=2007-12&rft_id=http%3A%2F%2Fieeexplore.ieee.org%2FXplore%2Flogin.jsp%3Furl%3Dhttp%253A%252F%252Fieeexplore.ieee.org%252Fiel5%252F4459624%252F4459625%252F04459684.pdf%253Farnumber%253D4459684%26authDecision%3D-203&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-3\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-3\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation news\"><a rel=\"external_link\" class=\"external text\" href=\"http:\/\/cwe.mitre.org\/top25\/\" target=\"_blank\">\"CWE\/SANS Top 25 Most Dangerous Programming Errors\"<\/a>. CWE\/SANS. May 2009.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=CWE%2FSANS+Top+25+Most+Dangerous+Programming+Errors&rft.date=2009-05&rft_id=http%3A%2F%2Fcwe.mitre.org%2Ftop25%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-4\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-4\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/info.cenzic.com\/Trend-Report-Application-Security.html\" target=\"_blank\">\"2012 Trends Report: Application Security Risks\"<\/a>. Cenzic, Inc. 11 March 2012<span class=\"reference-accessdate\">. 
Retrieved <span class=\"nowrap\">9 July<\/span> 2012<\/span>.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=2012+Trends+Report%3A+Application+Security+Risks&rft.pub=Cenzic%2C+Inc.&rft.date=2012-03-11&rft_id=https%3A%2F%2Finfo.cenzic.com%2FTrend-Report-Application-Security.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-5\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-5\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation journal\">Korolov, Maria (Apr 27, 2017). <a rel=\"external_link\" class=\"external text\" href=\"http:\/\/ezaccess.libraries.psu.edu\/login?url=https:\/\/search-proquest-com.ezaccess.libraries.psu.edu\/docview\/1892694046?accountid=13158\" target=\"_blank\">\"Latest OWASP Top 10 looks at APIs, web apps: The new OWASP Top 10 list is out, and while most of it remains the same, there are new additions focusing on web applications and APIs\"<\/a>. 
<i>CSO<\/i> – via ProQuest.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=CSO&rft.atitle=Latest+OWASP+Top+10+looks+at+APIs%2C+web+apps%3A+The+new+OWASP+Top+10+list+is+out%2C+and+while+most+of+it+remains+the+same%2C+there+are+new+additions+focusing+on+web+applications+and+APIs&rft.date=2017-04-27&rft.aulast=Korolov&rft.aufirst=Maria&rft_id=http%3A%2F%2Fezaccess.libraries.psu.edu%2Flogin%3Furl%3Dhttps%3A%2F%2Fsearch-proquest-com.ezaccess.libraries.psu.edu%2Fdocview%2F1892694046%3Faccountid%3D13158&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-6\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-6\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.owasp.org\/images\/7\/72\/OWASP_Top_10-2017_%28en%29.pdf.pdf\" target=\"_blank\">\"OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks\"<\/a> <span class=\"cs1-format\">(PDF)<\/span>. <i>Open Web Application Security Project<\/i>. 2017<span class=\"reference-accessdate\">. 
Retrieved <span class=\"nowrap\">June 30,<\/span> 2018<\/span>.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Open+Web+Application+Security+Project&rft.atitle=OWASP+Top+10+-+2017%3A+The+Ten+Most+Critical+Web+Application+Security+Risks&rft.date=2017&rft_id=https%3A%2F%2Fwww.owasp.org%2Fimages%2F7%2F72%2FOWASP_Top_10-2017_%2528en%2529.pdf.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-7\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-7\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation journal\">Shuaibu, Bala Musa; Norwawi, Norita Md; Selamat, Mohd Hasan; Al-Alwani, Abdulkareem (2013-01-17). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/link.springer.com\/article\/10.1007\/s10462-012-9375-6\" target=\"_blank\">\"Systematic review of web application security development model\"<\/a>. <i>Artificial Intelligence Review<\/i>. <b>43<\/b> (2): 259\u2013276. <a href=\"https:\/\/en.wikipedia.org\/wiki\/Digital_object_identifier\" title=\"Digital object identifier\" rel=\"external_link\" target=\"_blank\">doi<\/a>:<a rel=\"external_link\" class=\"external text\" href=\"https:\/\/doi.org\/10.1007%2Fs10462-012-9375-6\" target=\"_blank\">10.1007\/s10462-012-9375-6<\/a>. 
<a href=\"https:\/\/en.wikipedia.org\/wiki\/International_Standard_Serial_Number\" title=\"International Standard Serial Number\" rel=\"external_link\" target=\"_blank\">ISSN<\/a> <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.worldcat.org\/issn\/0269-2821\" target=\"_blank\">0269-2821<\/a>.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Artificial+Intelligence+Review&rft.atitle=Systematic+review+of+web+application+security+development+model&rft.volume=43&rft.issue=2&rft.pages=259-276&rft.date=2013-01-17&rft_id=info%3Adoi%2F10.1007%2Fs10462-012-9375-6&rft.issn=0269-2821&rft.aulast=Shuaibu&rft.aufirst=Bala+Musa&rft.au=Norwawi%2C+Norita+Md&rft.au=Selamat%2C+Mohd+Hasan&rft.au=Al-Alwani%2C+Abdulkareem&rft_id=https%3A%2F%2Flink.springer.com%2Farticle%2F10.1007%2Fs10462-012-9375-6&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-8\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-8\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"http:\/\/lists.webappsec.org\/pipermail\/wasc-whid_lists.webappsec.org\/2014-February\/000100.html\" target=\"_blank\">\"WHID Project is now a Joint WASC\/OWASP Project\"<\/a>. WASC. 
18 February 2014.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=WHID+Project+is+now+a+Joint+WASC%2FOWASP+Project&rft.pub=WASC&rft.date=2014-02-18&rft_id=http%3A%2F%2Flists.webappsec.org%2Fpipermail%2Fwasc-whid_lists.webappsec.org%2F2014-February%2F000100.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-9\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-9\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation news\"><a rel=\"external_link\" class=\"external text\" href=\"http:\/\/samate.nist.gov\/index.php\/Web_Application_Vulnerability_Scanners.html\" target=\"_blank\">\"Web Application Vulnerability Scanners\"<\/a>. NIST.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Web+Application+Vulnerability+Scanners&rft_id=http%3A%2F%2Fsamate.nist.gov%2Findex.php%2FWeb_Application_Vulnerability_Scanners.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-10\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-10\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation news\"><a rel=\"external_link\" class=\"external text\" href=\"http:\/\/samate.nist.gov\/index.php\/Source_Code_Security_Analyzers.html\" target=\"_blank\">\"Source Code Security Analyzers\"<\/a>. 
NIST.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Source+Code+Security+Analyzers&rft_id=http%3A%2F%2Fsamate.nist.gov%2Findex.php%2FSource_Code_Security_Analyzers.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-11\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-11\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation news\"><a rel=\"external_link\" class=\"external text\" href=\"http:\/\/www.owasp.org\/index.php\/Fuzzing\" target=\"_blank\">\"Fuzzing\"<\/a>. OWASP.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Fuzzing&rft_id=http%3A%2F%2Fwww.owasp.org%2Findex.php%2FFuzzing&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<li id=\"cite_note-12\"><span class=\"mw-cite-backlink\"><b><a href=\"#cite_ref-12\" rel=\"external_link\">^<\/a><\/b><\/span> <span class=\"reference-text\"><cite class=\"citation news\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.testingxperts.com\/blog\/7-Crucial-Activities-to-Test-the-Security-of-your-Mobile-Applications\/\" target=\"_blank\">\"Web application firewalls for security and regulatory compliance\"<\/a>. TestingXperts Blog. 
March 2017.<\/cite><span title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Web+application+firewalls+for+security+and+regulatory+compliance&rft.date=2017-03&rft_id=https%3A%2F%2Fwww.testingxperts.com%2Fblog%2F7-Crucial-Activities-to-Test-the-Security-of-your-Mobile-Applications%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AWeb+application+security\" class=\"Z3988\"><\/span><link rel=\"mw-deduplicated-inline-style\" href=\"mw-data:TemplateStyles:r861714446\"\/><\/span>\n<\/li>\n<\/ol><\/div>\n<\/div>\n<h2><span class=\"mw-headline\" id=\"Notes\">Notes<\/span><\/h2>\n<p>This article is a direct transclusion of <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/en.wikipedia.org\/wiki\/Web_application_security\" target=\"_blank\">the Wikipedia article<\/a> and therefore may not meet the 
same editing standards as LIMSwiki.\n<\/p>\n<\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Web_application_security\">https:\/\/www.limswiki.org\/index.php\/Web_application_security<\/a><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n<\/body>","5d5150b04547e963d28d3ce7ffdae9c6_images":[],"5d5150b04547e963d28d3ce7ffdae9c6_timestamp":1546642316},"link":"https:\/\/www.limswiki.org\/index.php\/Book:Web_Application_Security:_A_Comprehensive_Overview","price_currency":"","price_amount":"","book_size":"","download_url":"https:\/\/www.limsforum.com?ebb_action=book_download&book_id=78539","language":"","cta_button_content":"","toc":[{"type":"article","name":"Introducing web application security","id":"5d5150b04547e963d28d3ce7ffdae9c6","pageUrl":"https:\/\/www.limswiki.org\/index.php\/Web_application_security"},{"type":"article","name":"Opening 
comments","id":"1976acf065ac97ac0435e29709bd2078","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Intro"},{"type":"article","name":"Checklist","id":"6f2595601193133d52c8090c585f6c8c","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Checklist"},{"type":"article","name":"Miscellaneous points","id":"b234b155784fd3a4a7929a3781136a5b","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Miscellaneous_points"},{"type":"article","name":"File inclusion and disclosure","id":"cf92deedb27142566924da1ef27529f9","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_inclusion_and_disclosure"},{"type":"article","name":"File upload vulnerabilities","id":"8b3708600c87ff3258de11ce293bf1a6","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/File_upload_vulnerabilities"},{"type":"article","name":"SQL injection","id":"45f2f2fe35ed4742dbed9513ef9d505a","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SQL_injection"},{"type":"article","name":"Cross-site scripting (XSS)","id":"931b3464b3f12dc9e1b1803bd3190cb9","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_scripting_(XSS)"},{"type":"article","name":"XML and internal data escaping","id":"9cae4e140675b1a1a21fe8753676d5ac","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML_and_internal_data_escaping"},{"type":"article","name":"XML, JSON and general API security","id":"7da5a3e8c4ad0a05309ea9741494fec2","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/XML,_JSON_and_general_API_security"},{"type":"article","name":"(Un)trusted 
input","id":"5c97b0de3eebc89e348368871c44b0ec","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/(Un)trusted_input"},{"type":"article","name":"Cross-site request forgery (CSRF)","id":"57069b13cd4c6c205a34744f07e84805","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Cross-site_request_forgery_(CSRF)"},{"type":"article","name":"Clickjacking","id":"f052b1a9962cd409a0d68e10cc6d01b5","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Clickjacking"},{"type":"article","name":"Insecure data transfer","id":"08ea7349146b981be92d29df45ea3c22","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Insecure_data_transfer"},{"type":"article","name":"Session fixation","id":"9fb164a42840c24a5ae22cf9d7f16827","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_fixation"},{"type":"article","name":"Session stealing","id":"7c040f2ac67d7ff8ac0517c25531ccc2","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Session_stealing"},{"type":"article","name":"Truncation attacks, trimming attacks","id":"e6b3471eef8a0699b4a146f6d9ddfeee","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Truncation_attacks,_trimming_attacks"},{"type":"article","name":"Password security","id":"c41630a44a94b431fbb84b36260b3bbe","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Password_security"},{"type":"article","name":"Comparison issues","id":"b4dba0a711c78dba0dbb84de5df9ccb2","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Comparison_issues"},{"type":"article","name":"PHP-specific issues","id":"818e02e81d1025e23a43f28126eb1791","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/PHP-specific_issues"},{"type":"article","name":"Prefetching and 
spiders","id":"b8012faef03edbe61efc3d62e8c99377","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Prefetching_and_spiders"},{"type":"article","name":"Special files","id":"403c661fad4d263579d34b8abfd41efd","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Special_files"},{"type":"article","name":"SSL, TLS and HTTPS basics","id":"bd543e49b7f540654591e0ff292b60c8","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/SSL,_TLS_and_HTTPS_basics"},{"type":"article","name":"Further reading","id":"c34366918b1a832cc21cb64bb832bdbf","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Further_reading"},{"type":"article","name":"Authors","id":"d70283bb6c626678369e40b227bfe029","pageUrl":"https:\/\/www.limswiki.org\/index.php\/LII:Web_Application_Security_Guide\/Authors"}],"settings":{"show_cover":"1","show_title":"1","show_subtitle":"0","show_full_title":"1","show_editor":"1","show_editor_pic":"1","show_publisher":"1","show_language":"1","show_size":"1","show_toc":"1","show_content_beneath_cover":"1","cta_button":"1","content_location":"1","toc_links":"disabled","log_in_msg":"<span><\/span> Please log in to read online.","cover_size":"medium"},"title_image":"https:\/\/www.limsforum.com\/wp-content\/uploads\/WebAppSec.png"}}
Web Application Security: A Comprehensive Overview
Editor: Shawn Douglas
Publisher: LabLynx Press
Copyright LabLynx Inc. All rights reserved.